Fallout from BuzzFeed News’s “FinCEN Files” investigation continues to roil the Bank Secrecy Act (BSA) compliance community.
There are legitimate concerns that BuzzFeed’s investigation, based on an analysis of 2,100 suspicious activity reports (SARs) filed with the U.S. Treasury’s Financial Crime Enforcement Network (FinCEN) from 1999 to 2017, might have placed ongoing criminal investigations in jeopardy and damaged the trust relationship (such as it is) between banks and law enforcement.
“No bank would file a SAR if they knew it was going to be disclosed (to the public). It could be taken as an accusation, and the customer could say, ‘I’m going to sue you.’”
David Schwartz, president and CEO of the Florida International Bankers Association
These documents are confidential for numerous legitimate reasons. For one, they are unproven allegations based on facts collected by BSA compliance investigators working for major banks. SARs are not evidence of a crime but are meant to elicit further investigation by law enforcement.
At best, SARs contain a snapshot of criminal activity from one vantage point—that is, the bank’s. At worst, they are unproven allegations levied by bank employees that could be considered libelous, slanderous, or worse by the customers being accused, said David Schwartz, president and CEO of the Florida International Bankers Association.
“No bank would file a SAR if they knew it was going to be disclosed (to the public),” he said. “It could be taken as an accusation, and the customer could say, ‘I’m going to sue you.’” Worse, if a criminal or criminal organization can find out the name of the bank employee who filed the SAR, he or she could be in physical danger, Schwartz said.
The “secrecy” of SARs that BuzzFeed criticizes is a pillar of the BSA. The confidentiality of SARs allows information on potential criminal activity to flow between banks and law enforcement agencies without impediment.
But the secrecy also acts as an impediment to banks seeking more information about a particular customer or account. A provision in the BSA prohibits banks from sharing information they compile in SARs with other banks.
That BSA provision ought to be changed, argued Alon Kaufman, CEO and co-founder of Duality Technologies, a compliance vendor that helps companies in regulated industries to analyze sensitive data.
“This might sound counterintuitive in a moment where we’ve seen such a massive leak of incredibly sensitive information. But if financial institutions were able to share more information between themselves—securely, privately, and confidentially—they would be able to better detect, prevent, and investigate instances of financial crimes,” he said. “This will also give both regulators and industry players the ability to analyze and reveal insights from data residing in multiple institutions, allowing for a more comprehensive view of the financial transaction landscape, thereby enabling regulators like FinCEN as well as law enforcement agencies to act on much more targeted and higher quality SARs in a more timely manner.”
FinCEN has practically acknowledged that a reporting system that generates 2 million SARs a year is not effective and has called on banks to file SARs that “provide a high degree of usefulness” to law enforcement in fighting the financing of terrorism, money laundering, and other financial crimes.
While FinCEN might change the way it does business from the regulator’s side of the equation, what should banks be doing to address the trillions of dollars’ worth of banking transactions that are facilitating criminal activity every year?
Rick McDonell is executive director of the Association of Certified Anti-Money Laundering Specialists, an 81,000-plus member organization of compliance and anti-money laundering experts. He notes the world’s shortcomings in the fight against money laundering and other financial crimes is well-known. Many organizations, including his own, are battling on the front lines to improve the situation every single day.
“If financial institutions were able to share more information between themselves—securely, privately, and confidentially—they would be able to better detect, prevent, and investigate instances of financial crimes.”
Alon Kaufman, CEO and Co-Founder, Duality Technologies
McDonell says addressing the problem of financial crime will require banks, regulators, and law enforcement to work more collaboratively.
As it stands, bank compliance officers file the SARs with FinCEN, then investigators are supposed to follow up on those SARs in new or ongoing investigations. But banks often don’t know the status of those investigations or are often asked by law enforcement to keep a suspicious account open to track its activity as part of an ongoing investigation.
Bank compliance officers “are not supposed to be policemen. But the timeline has moved in terms of public-private partnerships. Police officers and compliance officers need to make the most of the intelligence they possess,” McDonell said.
Banks could begin by being more rigorous in knowing who their customers are, McDonell said. “Banks know their customers better than anyone else, better certainly than law enforcement,” he said.
The question is, are the SARs banks are filing raising enough of a concern about potential fraud or criminal activity, both within the bank and within law enforcement, to merit action?
“The imperative to do the right thing goes beyond just regulation. Businesses should be embracing risk management without direct pressure from regulators to ensure they stay on the right side of the law,” said Guy Harrison, general manager at Dow Jones Risk and Compliance, a vendor that supplies integrated technology solutions and due diligence services for managing regulatory and reputational risk. “Greater emphasis needs to be placed on access to quality, reliable, and accurate data. That means more visibility over ownership, use of adverse media, checks alongside watchlist screening, and increased scrutiny of correspondent banking relationships.”
Banks could also demand customers provide them with enough information to establish who they are and who benefits from funds in their account, McDonell said.
“Anyone who establishes a corporation or trust, the beneficial owner has to be identified,” McDonell said. “That fact needs to be declared by the customer to the financial institution, but sometimes the financial institution does not get that information because corporations in some jurisdictions are not required to supply it. This is a significant problem.”
If banks cannot determine the beneficial owner of an account in its system, they “should seriously consider not onboarding, or ceasing to provide services, to these accounts,” he said.
Asked about the idea that banks should adhere to strict beneficial ownership rules that would bar anyone suspicious from accessing their banking system, Schwartz replied, “Who’s to say they’re not doing that?”
Banks get as much information as they can about a new customer during onboarding, he said, then monitor their account for activity that raises fraud concerns. Banks decide, based on their own risk assessments, whether to do business with a particular customer, Schwartz said.
“It’s easy to look back years later and say the banks were dealing with bad guys,” he said, criticizing the “FinCEN Files” report. “It’s a challenge to make conclusions when you don’t have all the information.”