The FinCEN Files: a renewed push towards more effective AML/CFT efforts
On 20 September, Buzzfeed News, in cooperation with the International Consortium of Investigative Journalists (ICIJ), published the findings from its investigation into more than 2,100 suspicious activity reports leaked from the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) in 2018. The FinCEN Files have drawn international attention to systematic failures of both banks and regulators in combatting financial crime. Unlike other data leaks, the release of highly sensitive data may have far-reaching consequences for public-private cooperation and may give fresh impetus to improving the suspicious activity reporting regime.
The SARs regime and its criticism
The suspicious activity or transactions reporting (SAR/STR) regime places a legal obligation on regulated financial institutions to report suspicions of money laundering or terrorist financing to the relevant competent authority, in the US to FinCEN. This reporting regime has long been the subject of criticism for lack of feedback, visibility, flexibility and innovation.
Since the current anti-money laundering and terrorist financing regulatory framework (AML/CFT) in the US is mainly derived from the Bank Secrecy Act (1970) and the US Patriot Act (2001), criticism has primarily concentrated around its inability to adapt to the more interconnected and technologically advanced financial systems of the past decade. Regulatory efforts have also been criticised for incentivising a shift towards technical compliance as opposed to encouraging the development and use of more innovative and effective methods by financial institutions in order to detect and report illicit client behaviour.
Despite the rise of public-private partnerships between law enforcement and financial institutions in the past five years, most notably the establishment of the UK’s Joint Money Laundering Intelligence Task Force in 2015, concerns over the SAR/STR regimes operating as a “black box” have largely remained. FinCEN statistics show a significant increase in SAR filings in the past five years, the total number of reports increasing by almost 30 percent, from 1,659,123 in 2014 to 2,301,163 in 2019. Although no official statistics have been released on what percentage of these reports were ultimately used by law enforcement, employees of financial intelligence units have repeatedly warned against the prevalence of defensive reporting, which overall dilutes the quality of intelligence supplied to FinCEN.
Financial institutions have often cited the lack of regulatory communication regarding priority enforcement areas and increased pressure on financial institutions to demonstrate compliance with existing policies and procedures as the primary propellers of defensive suspicious activity reporting. Although financial institutions might expect that they have discharged their legal and regulatory obligations through these practices, the FinCEN Files could demonstrate how mere technical compliance may ultimately prove insufficient for achieving actual commitment to AML/CFT efforts.
The data leak and its consequences
The leaking of FinCEN documents differs significantly from earlier data breach incidents such as the Panama or Paradise Papers or the more recent Luanda Leaks, since it offers a rare view into the (dys)functioning and overall (in)effectiveness of the SAR/STR regime in the US as well as the limitations of international efforts to combat global money laundering.
The FinCEN Files comprise disclosures of significant transactions by the world’s largest financial institutions, as would be expected given their size and systemic importance. Therefore, it is understandable why the media has focused its attention on these institutions, although in many cases (e.g. HSBC, Deutsche Bank) the suspicious transactions referenced in the FinCEN Files relate to scandals that have already been well-documented and subject to regulatory action. It is unclear whether, from a regulatory perspective, they would be subject to further sanctions. Nevertheless, there is likely to be a sustained drip-feed of information from media sources, stemming from the documents, in the coming months. This may cause further reputation and possibly legal risks to the named financial institutions as third parties could seek to bring legal action against them for having processed transactions even where they had demonstrable suspicions or awareness of illegal activity.
The FinCEN Files investigations have undeniably uncovered obvious regulatory failures by financial institutions, such as carrying out transactions without any information about the beneficiaries or delayed and incomplete filing of SARs. They have also clearly borne out earlier concerns over the practice of defensive SAR filing and its possibly overwhelming effect on the regulatory system. The time and international effort it took to process only 0.02 percent of the SARs that FinCEN received in six years (media reports on the data breach first emerged in late 2018) clearly demonstrate the amount of resources needed to process the data that has been generated under the SAR/STR regime. This may rightfully raise questions about the US government’s commitment to improving the effectiveness of the reporting regime and its overall willingness or perhaps ability to follow through on the intelligence it receives.
Although the first investigative reports were only recently released and mainly concern the financial institutions’ actual or perceived shortcomings in the fight against money laundering and terrorist financing, the FinCEN Files have already significantly undermined public trust in the effectiveness of the SAR/STR regime and may renew pressure for the overhaul of the global AML/CFT system. As an early response, on 14 September, FinCEN published a “Gap rule,” requiring minimum standards for banks lacking a federal functional regulator and, on 16 September, released a proposal for regulatory amendments to existing AML regulations. This will include, amongst others, the issuing of a list of national AML priorities every two years.
Similar pressure for a regulatory overhaul may also be expected in the UK, since the country emerged as a “higher risk jurisdiction” from the FinCEN Files due to the large number of UK shell companies in the leaked SARs. Demands for the reform of the UK’s corporate liability laws, AML/CFT supervisory regime as well as the acceleration of initiatives to wind up anonymous company ownership should be expected to receive increased attention in the following months.
The leaking of the FinCEN Files has undeniably put the data security vulnerabilities of one of the most powerful financial services regulators in the global spotlight. Unless FinCEN demonstrates an improved commitment to securing the highly sensitive information it receives, the leak may undermine the guarantee of confidentiality on which the SARs regime has been based, and it is expected to have wide-reaching effects on public-private cooperation in the fight against financial crime.
On the other hand, the FinCEN Files follow a pattern of previous leaks from various sources and clearly demonstrate that no data is secure. Therefore, all regulated financial institutions need to assume the worst and plan for it. They must avoid reducing AML resources significantly once immediate scandals have been resolved, as this has proved to be a high legal, reputational, regulatory and even financial risk. In the aftermath of the FinCEN Files investigation, financial institutions will likely be expected to demonstrate not just “work to the rule” compliance but also that they have carefully assessed the risks including, notably, knowing who they are doing business with and whether that business is legal (and equally, ethical). Financial institutions need to recognise that filing a SAR does not absolve them of responsibility and that, regardless of what action regulators may take, they will continue to be judged in the court of public opinion.
By Zsuzsánna Deák CAMS
Senior Analyst at Aperio Intelligence