Congress has ordered a reassessment of the Bank Secrecy Act anti-money laundering (AML) program as part of the National Defense Authorization Act (NDAA) for Fiscal Year 2021 (H.R.6395).

The bill includes a “formal review” of BSA rules regarding the filing of suspicious activity reports (SARs) by financial institutions. Also included are separate AML provisions that pull back the veil on anonymous shell corporations and establish a BSA whistleblower program with financial rewards for tipsters whose information leads to a conviction.

In an ideal world, the U.S. Treasury and the Financial Crimes Enforcement Network (FinCEN) use the information gleaned from SARs to either launch investigations into criminal activity like money laundering or hand off the information contained in the reports to agencies better suited to handle them. For example, FinCEN regularly refers information collected in SARs regarding tax evasion to the Internal Revenue Service.

But the BSA’s AML system is sagging under the weight of the sheer tidal wave of reports filed each year. In 2020, financial institutions filed more than 2.2 million original SARs, according to FinCEN’s SAR Stats tracker, down slightly from the 2.3 million filed in 2019. But the stats tracker only reports on original SARs, not continuing SARs. FinCEN reported in June 2020 that an additional 400,000 continuing SARs were filed in 2019.

Counting original and continuing SARs, then, FinCEN said it received 2.7 million SARs in 2019. Take out holidays and weekends, and that means an average of slightly more than 10,000 SARs were filed by financial institutions with FinCEN every business day. Ten thousand SARs a day. It’s mind-boggling.

Criticism of the AML system, and the tsunami of filed SARs in particular, came to a head in 2020 with the publication of an investigatory report by BuzzFeed News dubbed “The FinCEN Files.” The BuzzFeed News investigation shined a light on financial transactions facilitated by many of the world’s largest banks to the benefit of terrorist groups, drug cartels, Ponzi schemes, thefts by autocrats, and other criminal activity that went largely unchecked by the banks that filed the SARs.

“Presently, the volume of SARs filed has created this huge SARs chasm,” pun intended, says U.K.-based AML expert Martin Woods, a former detective turned compliance officer (and Compliance Week contributor) who has experience with major compliance cases and settlements. FinCEN’s AML program “has become this intelligence-gathering exercise, rather than sticking more to its original purpose, which is to stop money laundering.”

The BuzzFeed News investigation showed example after example of large banks continuing to move money for bad actors and criminals despite the banks’ suspicions the money being moved across their network was being generated by criminal activity. The banks filed the SARs but took no further action.

BuzzFeed News based its reporting on 2,100 SARs filed over more than a decade—a teeny, tiny slice of the overall AML system. But contained in that tiny window was $1 trillion in dirty money, according to the investigation.

Congress wants SARs streamlined 

One clear goal in the revamp of the BSA AML system that Congress has demanded is to reduce the number of SARs filed every year. Another goal is to focus the SARs that are filed on the investigatory priorities of law enforcement.

According to the NDAA, FinCEN should focus on “the categories, types, and characteristics of suspicious activity reports and currency transaction reports that are of the greatest value to, and that best support, investigative priorities of law enforcement and national security agencies.”

In the NDAA, Congress orders the Treasury and FinCEN to generate a report that offers suggestions for “streamlining” the filing of SARs (and currency transaction reports, or CTRs) by potentially raising the monetary thresholds on which financial institutions must keep records on certain types of transactions and by exempting, or lowering the risk factor on, broad swaths of transaction types, including those involving “charities, embassy accounts, money service businesses … and certain groups of correspondent banks.”

“This really is a very thorough re-examination of the entirety of the system, something that has not been undertaken in 20 years,” says Rick McDonell, executive director of the Association of Certified Anti-Money Laundering Specialists, an 81,000-plus member organization of compliance and AML experts. “There have been a lot of criticisms lodged against the system, particularly on the number of SARs filed every year.”

The changes proposed for study might seem clear cut, but there are conflicting priorities on all sides.

For example, financial institutions are generally in favor of relaxing recordkeeping rules, to ease the burden of complying with BSA requirements. FinCEN, however, has generally resisted calls to raise recordkeeping thresholds. The BSA currently requires that financial institutions maintain records on any transaction of $3,000 or more. FinCEN recently proposed the recordkeeping threshold for overseas transactions be lowered to $250.

If the thresholds are too high, criminals would simply adjust to the new rules by wiring money in small amounts, so as to avoid recordkeeping scrutiny. Law enforcement investigations into such transactions could be hamstrung as a result. If the thresholds are too low, law enforcement loses access to large swaths of transaction data.

“A balance has to be drawn between what is good for law enforcement, in contrast to what is over-burdensome for financial institutions,” McDonell says.

The NDAA requires the Treasury and FinCEN to submit the report on the AML program revamp to Congress within one year of the bill’s passage into law, meaning the report will be due by Jan. 1, 2022.

Compliance takeaways

As part of the revamp, Congress has also asked FinCEN to consult with law enforcement to develop priorities on which types of threats should trigger the filing of SARs, which would be used to establish new guidelines for financial institutions to follow when filing SARs. Another report, to be created after the first year of the revamped AML program is complete, would measure how useful the SARs filed in that year were in criminal investigations.

Here’s a long-term compliance takeaway from Congress’ order: A year after FinCEN issues its guidelines on the type of SARs it wants, financial institutions (FIs)—using machine learning and data analytics, according to the NDAA—must show how they are finding the patterns of suspicious activity FinCEN is looking for. The information FIs must provide to FinCEN about their processes should contain granular detail, right down to the software and the algorithms used. There is a provision in the NDAA that orders FinCEN to keep this proprietary corporate information confidential, so that one financial institution cannot request to see the methods used by a competitor.

But that highlights one of the biggest problems with the current BSA/AML system, those on all sides say: the lack of communication between law enforcement and financial institutions, and between financial institutions themselves. Because if law enforcement made its priorities clear for which suspicious activities it wants FIs to file SARs for, then why shouldn’t FIs share information with each other?

Rob Rowe, vice president and senior counsel of regulatory compliance and policy for the American Bankers Association, says it would help immensely if law enforcement would make it clear to the banking industry what they’re looking for.

Having clarity on patterns of interest to law enforcement would cause financial institutions “to look for the kind of red flags they’re looking for,” he says. “We could focus our resources and energy on those priorities, on what they consider important.”

Rowe adds: “If everything is a red flag, then nothing is.”

An effective overhaul of the AML system, Woods says, would demand accountability from all parties—law enforcement, regulators, and financial institutions—to stop money laundering.

Because the vast majority of SARs never develop into AML investigations by law enforcement—never mind convictions—financial institutions file SARs over and over again for similar criminal activity.

As a result, financial institutions end up simply complying with the letter of the BSA by filing SARs, without delivering much of value to law enforcement, Woods says. And even though they find an activity suspicious, they often don’t stop the activity from occurring within their network, as the FinCEN Files investigation revealed. And so, money laundering activities continue unabated.

“FinCEN needs to ask, what does success look like? Is it a better SAR or stopping money laundering?” Woods asks.

Woods argues banks should be more aggressive in flagging and closing accounts that may be linked to suspicious activity.

“I think there’s a lack of courage among financial institutions to stop money laundering. Either you find the activity suspicious, or you do not,” he says.

Another key to a successful revamp is to dramatically and meaningfully increase collaboration between law enforcement and financial institutions, and among financial institutions themselves. Regulators would actively facilitate such collaboration, he said.

Information sharing between financial institutions could improve as well, something the BSA and FinCEN have tried to encourage, with limited success.

A provision of the PATRIOT Act, Section 314(b), provides financial institutions with a “safe harbor” to share information on suspicious activity with other banks. The safe harbor shields the banks from liability, should a customer be upset that their personal information was shared as part of an investigation into money laundering and/or terrorist financing.

Such information sharing is voluntary, though. A September 2017 audit of the program by the Office of Inspector General found that, of the 22,000 financial institutions covered by the PATRIOT Act’s Section 314(a), only about 5,500 of them—1 in 4—shared information on suspicious transactions with peer financial institutions as allowed by the law.

“We have a massive amount of data, but if we know what you’re looking for, we can give (law enforcement) what they’re looking for,” says Rowe, of the ABA. “At the moment, though, collaboration is happening, but not to the extent that it should.”