How compliance, data sharing empower FinCEN’s war on terror and crime

In the aftermath of the Sept. 11, 2001, terrorist attack on New York City, banks and other financial institutions suddenly found themselves on the forefront of the nation’s war on the financing of terrorism. As military and homeland security defenses expanded, so did responses to the complex financial mechanisms that fuel terrorist operations.

Sanctions issued by the Treasury Department’s Office of Foreign Assets Control are, of course, a major component of government efforts. The domestic frontline also includes financial institutions under the watch of Treasury’s enforcement arm, the Financial Crimes Enforcement Network, better known as FinCEN.

Late last month, the Terrorism and Illicit Finance Subcommittee, an offshoot of the House Financial Services Committee, dug deep into FinCEN’s current and future efforts. Jamal El-Hindi, acting director since May 2016, fielded queries about the agency’s ever-evolving mission.

All about the data

FinCEN promotes national security through the collection, analysis, and dissemination of Bank Secrecy Act (BSA) filings.

The BSA, the primary federal anti-money laundering law, requires that U.S. financial institutions establish AML programs, maintain records, and file reports. Covered entities include banks, credit unions, money remitters, check cashers, virtual currency exchangers, casinos, and dealers in foreign exchange.

Most of the data that FinCEN collects come from two reporting streams: Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). Financial institutions must file CTRs with FinCEN for all cash transactions totaling more than $10,000; SARs are filed to provide facts and a narrative on suspicious transactions.

“Both the objective reporting in CTRs and the subjective reporting in SARs are critically important; they provide a wealth of potentially useful information to FinCEN and other agencies working to detect and prevent money laundering, other financial crimes, and terrorism,” El-Hindi told members of the committee on April 27.

FinCEN receives an average of roughly 55,000 new filings to its e-Filing system each day from more than 80,000 financial institutions and 500,000 individual foreign bank account holders. It maintains more than 200 million of these BSA filings in a database.

The agency makes this information available to more than 10,000 law enforcement and other government users through a specialized search tool that is utilized roughly 30,000 times a day.

“e-Filing has streamlined the reporting process for financial institutions and individual filers and significantly improved users’ ability to exploit BSA data by making it more accessible and searchable,” El-Hindi said.

Enforcement tools

Among FinCEN’s enforcement tools is Geographic Targeting Order authority, which enables it to impose additional recordkeeping or reporting requirements on domestic financial institutions or other businesses in a specific geographic area identified in the order for 180 days.

With so many filings per day, specialized technology is used to review and analyze the data. FinCEN employs automated business rules to screen filings on a daily basis and identify reports that merit further review by analysts. Algorithms search the reporting for key terms, entities, and typologies of interest. Priority areas include: transnational security threats; cyber-crime; transnational organized crime; significant fraud; compromised financial institutions or third-party money laundering; and data quality, benchmarking, and anomaly detection.

The parameters flag approximately 5,000 rule findings per month, pointing FinCEN analysts to specific filings for hands-on review. The agency serves as a communication point between financial institutions and law enforcement, regulatory, and international colleagues.

“Both the objective reporting in CTRs and the subjective reporting in SARs are critically important; they provide a wealth of potentially useful information to FinCEN and other agencies working to detect and prevent money laundering, other financial crimes, and terrorism.”
Jamal El-Hindi, Acting Director, Financial Crimes Enforcement Network

“Financial intelligence is most effective when information flows in both directions between the public and private sectors,” El-Hindi said. “Providing information to the financial industry, based on our analysis of their own reporting, is a force-multiplier.”

Battle over beneficial ownership

FinCEN has had longstanding concerns about “all-cash” real estate transactions. Lacking bank financing, they fall largely outside the scope of most existing AML requirements and may present money laundering vulnerabilities. This is particularly true when a buyer uses a shell company to conceal its identity.

In January 2016, FinCEN issued Geographic Targeting Orders (GTOs) covering Manhattan and Miami, to further evaluate the extent of this potential money laundering vulnerability. The GTOs required certain U.S. title insurance companies to record and report the beneficial ownership information of legal entities making all-cash purchases of high-value residential real estate.

The GTOs were renewed in July 2016 with coverage extended to additional areas in New York City, South Florida, California, and Texas. They were renewed again in February 2017.

At the time of the most recent renewal, approximately 30 percent of the real estate transactions reported under the GTOs involved a beneficial owner or purchaser representative that also had previously been the subject of a SAR.

“In other words, the beneficial owners or purchaser representatives in a significant portion of transactions reported under the GTO had been previously connected to suspicious activity,” El-Hindi testified.

“The findings from the first six months were absolutely startling,” said Rep. Carolyn Maloney (D-N.Y.). “I would characterize these as shockingly high numbers, especially since you announced to the world that you would be collecting information on beneficial ownership in these cities. You would think that money launderers and bad actors would just not go to these cities during that time frame, given that it was so widely reported.”

Investigations would undoubtedly be easier if companies had to disclose their beneficial owners at the time a company is formed, Maloney said, describing legislation she has filed that would do just that.

The Incorporation Transparency and Law Enforcement Assistance Act is co-sponsored with Rep. Peter King (R-N.Y.). Sen. Sheldon Whitehouse (D-R.I.) introduced companion legislation in the Senate.

The legislation directs the Treasury Department to issue regulations requiring corporations and limited liability companies, formed in a state that does not already require basic disclosure, to file identifying information about their beneficial ownership with Treasury as a backup. The data would need to be updated within 60 days of any change in ownership.

Rep. Bill Foster (D-Wis.) offered an additional suggestion: an electronic cadaster, a map and land survey similar to those used in county government and the Bureau of Land Management.

“A national, legally binding registry of who owns specific parcels of land would simplify [FinCEN’s efforts],” he said.

Virtual currency, real problems

In 2013, FinCEN released interpretive guidance on virtual currencies. Institutions involved with these high-tech currencies must put effective AML/CFT controls in place to protect themselves from exploitation.

SUSPICIOUS ACTIVITY REPORTS AND CYBER-SECURITY

In October 2016, the Financial Crimes Enforcement Network (FinCEN) published a list of Frequently Asked Questions regarding the reporting of cyber-events and cyber-enabled crime through SARs. A selection follows:
What information should a financial institution include in SARs when reporting cyber-events and cyber-enabled crime?
Financial institutions are required to file complete and accurate reports that incorporate all relevant information available, including cyber-related information.
While suspicious transactions may not always involve a cyber-event, relevant cyber-related information should still be included in SARs when available. For instance, financial institutions should include available Internet Protocol (IP) addresses and accompanying timestamps associated with fraudulent wire transfers being reported, even if a cyber-event was not involved in the suspicious activity.
Similarly, when suspicious transactions do involve cyber-events, a financial institution should include in SARs all relevant and available information regarding the suspicious transactions and the cyber-event—including the type, magnitude, and methodology of the cyber-event as well as signatures and facts on a network or system that indicate a cyber-event.
How should a financial institution complete SARs when reporting cyber-events and cyber-enabled crime?
Financial institutions should follow FinCEN’s existing guidance when submitting SARs related to cyber-events and cyber-enabled crime. Financial institutions should include relevant information in pertinent SAR fields as well as a description of the facts surrounding the cyber-event or cyber-enabled crime in the narrative section.
Recognizing that cyber-events and cyber-enabled crime may involve event-specific cyber-related information, FinCEN requests filing institutions to be consistent and use widely used and accepted terminology.
Financial institutions should enter available cyber-related information and identifiers in their designated SAR fields.
For example, specific SAR fields are available for providing IP addresses (item 44), website/URL addresses (item 19a), and e-mail addresses (item 19). Relevant information with no pre-designated SAR field should be included in the SAR narrative.
Financial institutions may use as a resource the Glossary of Key Information Security Terms (May 2013) and other publications issued by the National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce.
Financial institutions should document and provide in the SAR narrative a detailed description of the suspicious activity (e.g., transactions, cyber-events) being reported. In addition, filers should include in the SAR narrative descriptive cyber-related information as well as cyber-related identifiers for which there is no pre-designated SAR field.
Filers may also include information as an attachment to the SAR. For example, filers may include in a SAR a achment patterns of online activity and other data, which may be easier to read and use in tabular format.
FinCEN’s SAR accepts a single comma separated value (CSV) file as an attachment. Attachments are considered part of the SAR and are not a substitute for the narrative itself.
Should a SAR be filed in instances where an otherwise reportable cyber-event is unsuccessful?
Yes. An otherwise reportable cyber-event should be reported regardless of whether it is considered unsuccessful. Rather, a financial institution is required to  le a SAR to report any cyber-event if the institution knows, suspects, or has reason to suspect the cyber-event was intended to or could affect a transaction conducted or attempted by, at, or through the financial institution.
Are BSA/AML personnel now required to be knowledgeable on cyber-security and cyber-events?
No. There are no new requirements or obligations for financial institutions. A BSA/AML unit may work and collaborate as necessary with its institution’s cyber-security personnel, to assist in their ability to adequately identify and report suspicious activity, including cyber-events and cyber- enabled crime.
Can financial institutions use Section 314(b) of the USA PATRIOT Act to share cyber-event and cyber-enabled crime information with other financial institutions?
Yes. Under Section 314(b), participating financial institutions may exchange information, including cyber-related information, regarding individuals, entities, organizations, and countries to identify and report money laundering and terrorist activities.
Section 314(b) of the USA PATRIOT Act provides financial institutions with the ability to share information voluntarily with one another—after notifying FinCEN and satisfying certain other requirements—under a safe harbor, which offers protections from liability under certain circumstances.
In addition, under Section 314(b) any type of participating financial institution, such as a bank, may share information with any other participating institution, such as a credit card operator or a money transmitter.
Cyber-related information is information that describes technical details of activity and behavior, such as IP addresses, timestamps, indicators of compromise, and device identifiers. Cyber-related information also includes, but is not limited to, data regarding the digital footprint of individuals and their behavior.
Source: FinCEN

In May 2015, in coordination with federal law enforcement partners, FinCEN assessed the first civil monetary penalty against a virtual currency exchanger, Ripple Labs, for its failure to register as a money services business and maintain an adequate AML program.

Cyber-security is another fast-evolving problem. Criminals target financial institutions’ Websites, systems, and employees to steal customer and commercial credentials and proprietary information.

“Financial institutions play an important role in safeguarding customers and the financial system from these threats through timely and thorough reporting of cyber-events and cyber-related information in SARs,” El-Hindi said.

In 2016, FinCEN received more than 60,000 cyber-related SARs describing a range of cyber-enabled financial crimes. In response, it issued an advisory on e-mail compromise fraud schemes. The plots often use compromised e-mail accounts to mislead financial institutions and their customers into conducting unauthorized wire transfers.

Over the past two years, with respect to the illicit overseas transfer of roughly $491 million brought to FinCEN’s attention. It has helped return more than $275 million.

Reefer madness

The patchwork of state and federal laws regarding marijuana use and commerce is creating dilemmas for FinCEN.

In 2013, Department of Justice Deputy Attorney General James Cole issued a memorandum to federal prosecutors.

The memo outlined enforcement priorities, separate of state laws, including: preventing marijuana revenue from funding criminal enterprises, gangs, or cartels and uncovering state-legal marijuana sales that are a cover for illegal activity.

On Valentine’s Day of 2014, FinCEN adapted the Cole Memo into agency guidance that was intended to clarify BSA expectations for financial institutions seeking to provide services to marijuana-related businesses.

The Controlled Substances Act makes it illegal under federal law to manufacture, distribute, or dispense marijuana. Notwithstanding the federal ban, numerous states have legalized marijuana-related activities.

The Cole Memo reiterates Congress’s determination that “marijuana is a dangerous drug and that the illegal distribution and sale of marijuana is a serious crime that provides a significant source of revenue to large-scale criminal enterprises, gangs, and cartels,” FinCEN wrote.

In assessing the risk of providing services to a marijuana-related business, a financial institution should conduct customer due diligence that includes: verifying whether the business is duly licensed and registered; reviewing the license application; requesting information about the business and related parties; and developing an understanding of normal and expected business activities.

As part of its customer due diligence, a financial institution should consider whether a marijuana-related business implicates one of the Cole Memo priorities or violates state law.

A financial institution that decides to provide financial services to a marijuana-related business would be required to file SARs, an obligation unaffected by any state law that legalizes marijuana-related activity.

“If individuals are acting as legit businesses in their state then they will be given the authority to continue to do business,” El-Hindi said. Our guidance was designed within the financial sector space to provide law enforcement with information that would be useful in following our priorities. We feel that the guidance has worked.”

“Where there is a conflict between state law and federal law, we wanted to see how banks were dealing with it,” he added. “When we looked at the data they provide, they would often say that the only reason they were filing a SAR is because, essentially, marijuana trade remains illegal under federal law. We looked at the distinctions they were making and felt that, going forward with our guidance in the way that we did would provide law enforcement in states, whether marijuana is legal or illegal, with information they could use.”

Rep. Ed Perlmutter (D-Colo.) urged a reconsideration of related banking restrictions. “With eight states and Washington, D.C., now allowing for adult-use recreational marijuana and 29 states legalizing medical marijuana, it is time to align federal and state laws, specifically as they relate to the banking crisis confronting marijuana-related businesses,” he said.

On the same day as the hearing, Perlmutter, Rep. Denny Heck (D-Wash.), and Rep. Don Young (R-Ark.) introduced bipartisan legislation to allow marijuana-related businesses in states with existing regulatory structures to access the banking system.

The Secure and Fair Enforcement Banking Act (SAFE Banking Act), formerly known as the Marijuana Businesses Access to Banking Act, is intended to ensure that financial institutions can service marijuana-related businesses without the fear of reprisal from the federal government.

“With the majority of states now allowing for some form of recreational or medical marijuana, we have reached a tipping point on this issue and it’s time for Congress to act,” Perlmutter said. “Allowing tightly regulated marijuana businesses the ability to access the banking system will help reduce the threat of crime, robbery, and assault in our communities and keep the cash out of cartels.”

Currently, hundreds of licensed and regulated businesses do not have access to the banking industry and are unable to accept credit cards, deposit revenues, or write checks to meet payroll or pay taxes, he explained. Financial institutions that provide banking services to legitimate marijuana businesses are subject to criminal and civil liability for “aiding and abetting” a federal crime and money laundering under the Controlled Substances Act and federal banking statutes.

The SAFE Banking Act would provide safe-harbor protections for depository institutions that provide a “financial product or service” to a covered business.