Four months for enabling $100 billion in criminal flows. The personal liability question in AML isn't settled.

Issue #7 | June 10, 2026 | 7 min read

On April 30, 2024, Changpeng Zhao was sentenced to four months in federal prison. He pled guilty to willful failure to maintain an effective AML program. The institution he founded paid $4.3 billion in criminal penalties. CZ served 112 days.

That gap is one of the main questions in AML enforcement. The DOJ has been building toward individual accountability for a decade. This issue looks at what that's produced and what it actually changes inside compliance programs.

REGULATORY INTELLIGENCE

The direction of travel is toward individual liability. The outcomes suggest we're not there yet.

The Yates Memo landed in September 2015 with a clear directive: corporate wrongdoing implicates people, and federal prosecutors should identify and charge those people, not just the institution. It didn't create new authority. It signaled how the DOJ intended to use existing tools. Every major corporate enforcement announcement since has included language about ongoing investigations of individuals.

What that looks like in practice has varied.

The Binance case

Changpeng Zhao founded Binance in 2017. By 2023, when the DOJ's statement of facts was filed, the platform had processed what prosecutors described as more than $100 billion in transactions, including transfers for customers in Iran, North Korea, Cuba, and Syria, and funds linked to ransomware, terrorist financing, and child sexual abuse material. Binance filed zero SARs during the relevant period.

CZ pled guilty to willful failure to maintain an effective AML program. Prosecutors sought three years. He was sentenced to four months.

BitMEX

In October 2020, the DOJ charged three BitMEX co-founders with Bank Secrecy Act violations for running a crypto exchange with no AML controls. The platform had processed over $11 billion in trading volume. Arthur Hayes and Benjamin Delo pleaded guilty in 2022 and received two years of probation each. Samuel Reed received probation as well. No one served prison time.

TD Bank

The October 2024 consent order against TD Bank documented a compliance culture in which internal risk-raising was treated as an obstacle to business operations. The OCC's findings cited internal communications showing compliance concerns were known at senior levels and set aside. The $3.09 billion settlement is the largest BSA penalty in U.S. history for a bank.

No senior executives were criminally charged in connection with the AML program failures. Four employees were arrested for accepting bribes from drug trafficking networks to facilitate account openings. Those were operational actors, not compliance leadership.

What the pattern shows

Individual charges in AML cases follow documented willfulness. CZ's own written assessment of Binance's legal exposure appeared in a federal criminal filing. The BitMEX executives built a platform with no AML infrastructure and documented their approach to avoiding U.S. regulators. The pattern isn't random; individuals get charged when there's clear evidence of personal knowledge combined with a decision not to act on it.

Where that documentation of senior-level knowledge exists but charges haven't followed, TD Bank being the most visible example, the institutional penalty may be functioning as a substitute for individual accountability rather than a complement to it.

The deterrent effect of individual charges is real but time-limited. When CZ was sentenced, compliance programs at crypto-adjacent institutions tightened and SAR filing processes got reviewed. Enforcement announcements create a visible reference point that raises organizational attention. Over time, absent a charge significant enough to stay in institutional memory, the effect fades. Business operations resume. A four-month sentence for enabling $100 billion in criminal flows may not clear that threshold.

The question your institution's leadership is implicitly asking, even if no one says it plainly: is the individual risk real enough to change how decisions get made?

The compliance professional's position

Individual liability for BSA officers and compliance managers is less a matter of headline enforcement actions and more a function of what's in your documentation. The cases where individuals below the C-suite have appeared in enforcement records share a consistent pattern: a documented finding that wasn't escalated, an escalation that stalled without resolution, or a SAR decision made without a contemporaneous record of reasoning.

The Yates Memo's logic applies at every level. Individual accountability follows the person whose name is on the decision. If your program's documentation maps findings to actions and actions to named decision-makers, that's a compliance record. If it maps findings to a process that goes quiet, that's a different kind of record.

The direction of enforcement is toward more individual accountability, not less. Whether the sentences catch up to that direction is still an open question.

Sources: DOJ Press Release — Sentencing of Changpeng Zhao, April 30, 2024 | DOJ Statement of Facts — United States v. Binance Holdings Limited, November 21, 2023 | DOJ Press Release — United States v. Arthur Hayes, Benjamin Delo, Samuel Reed, October 1, 2020 | OCC Formal Agreement — TD Bank, N.A., October 2024 | DOJ Memorandum — Individual Accountability for Corporate Wrongdoing (Yates Memo), September 9, 2015

INTELLIGENCE BRIEFING

FinCEN — The comment period on FinCEN's proposed AML/CFT program reform rule closed June 9. The NPRM, published in April 2026, would shift the examination standard from structural compliance to demonstrated effectiveness and require AML officers to be U.S.-based and accessible to regulators. FinCEN is now in the comment review period. Watch for a final rule timeline and any signal on which proposed provisions are drawing the most industry pushback. Source: FinCEN NPRM, April 2026.

FinCEN — On June 5, FinCEN issued a joint advisory documenting financial typologies tied to unlawful employment schemes. Financial institutions reported over $2.5 billion in suspicious activity linked to these schemes in 2025, typically involving complicit employers, labor brokers operating as unregistered MSBs, and shell companies processing off-the-books payroll. The advisory flags specific red flags for institutions monitoring business accounts in agriculture, construction, hospitality, and staffing: ITIN use in lieu of SSNs or valid employment authorization documents, large cash deposits inconsistent with business type, and structured transactions designed to avoid CTR thresholds. Source: FinCEN Advisory FIN-2026-A002, June 5, 2026.

FinCEN — In May, FinCEN issued a notice urging financial institutions in and around 2026 FIFA World Cup host cities to increase vigilance for human trafficking-related suspicious activity. The tournament runs June 11 through July 19 across 11 U.S. cities including Atlanta, Dallas, Houston, Los Angeles, Miami, and New York/New Jersey. The notice encourages SAR filings without waiting for a specific dollar threshold and recommends parallel notification to law enforcement via the National Human Trafficking Hotline. For institutions in host cities, surge-event periods create elevated exposure to trafficking-related financial flows and FinCEN is explicitly signaling it expects active monitoring during this window. Source: FinCEN Notice, May 2026.

FROM THE SOURCE

The Yates Memo established individual accountability as formal DOJ policy. It's been cited in enforcement announcements for ten years. The gap between the policy and the sentences in AML cases isn't a sign the DOJ abandoned the approach. It reflects the difficulty of building prosecutable cases against individuals at institutions where decision-making is distributed across layers of review and structured to diffuse responsibility. When individual charges have followed AML enforcement actions, they've come where documented evidence of personal knowledge was clearest. Where they haven't, the institutional penalty has sometimes been the end of it. Whether that calculus is shifting is worth watching.

Source: U.S. Department of Justice, Office of the Deputy Attorney General, September 9, 2015

If someone forwarded this to you, welcome.

The AML Brief goes out every Tuesday. Subscribe for free and get the Top 10 AML Red Flags cheat sheet as a thank-you:
[Subscribe → theamlbrief.com]

Already subscribed? Forward this to one colleague who works in financial crimes. That's how we grow.

The AML Brief | theamlbrief.com

Disclaimer: The AML Brief is an independent financial crimes intelligence publication. All content is sourced from publicly available regulatory documents, enforcement actions, and published research. Nothing published here constitutes legal, compliance, or regulatory advice. The AML Brief is not affiliated with any financial institution, regulator, law firm, or employer. For advice specific to your situation, consult a qualified attorney or compliance professional.