“Never let a good crisis go to waste.” This quote by Winston Churchill has been used often as we all have struggled to deal with the effects of COVID-19. While the leak of the FinCEN Files pales in significance to COVID-19, it has proven to be a public relations crisis – unfairly in our view, as we said in our initial blog on this topic – for the banking industry. But, we may as well learn all we can from it.
The investigative reporters of the International Consortium of Investigative Journalists (ICIJ), BuzzFeed News and more than 100 other media partners spent sixteen months analyzing the 2,100 Suspicious Activity Reports (SARs) leaked to BuzzFeed by a former FinCEN employee. According to an article by Gary Pons posted on Lexology on September 21, 2020, these SARs include information on more than 10,000 people and organizations and involve over 170 countries and territories. The ICIJ website includes instructions for accessing some of the SARs as well as a database developed by the investigators of a subset of the activity documented in the SARs. The site also includes exposés of some of the banks that filed the SARs as well as geographic (e.g., Asia) and industry (e.g., the art world) snapshots of the activity.
A financial institution that operates in the markets involved in the leaked SARs should perform its own analysis of the available information and may want to take the following actions:
- Determine whether any of the named subjects of SARs are included in its own portfolio and, if so, conduct appropriate reviews to determine whether any SARs should be filed based on the financial institution’s own dealings with these parties and/or whether any newfound information should lead to a change in risk ratings for, or determination not to do business with, any customers.
To the extent any of the named subjects are identified in the financial institution’s portfolio, the institution should review the customer profiles and customer risk ratings assigned to these customers to evaluate their reasonableness.
- Identify inherent geographic and industry risk factors as presented in the leaked SARs and compare them to how these factors are currently rated in the financial institution’s own risk rating methodologies to determine if any changes or updates are warranted.
- Review the typologies used in the leaked SARs to determine whether these have already, as applicable, been identified by the financial institution and incorporated into its transaction monitoring program or whether additional rules/scenarios are necessary to address these typologies.
To the extent customers are found to have engaged in any similar activity with the financial institution, the best way to demonstrate the efficacy of the financial institution’s transaction monitoring program is to determine, first, whether the activity alerted and, if so, how it was dispositioned. If the activity alerted and was, based on subsequent review, improperly dispositioned as not unusual or suspicious, the financial institution may have an issue with the experience and training of its investigators and/or gaps in its quality control program.
Just to be clear, the above is not an exercise that we are suggesting every financial institution undertake. Its value will be primarily to large multinational financial institutions with broad geographic footprints or smaller institutions that may have exposure to specific segments cited in the reports, in which case their analysis could be more targeted.
The more interesting lessons to be learned – ones to which we may never be privy – likely belong to FinCEN and law enforcement. Those lessons would come in the responses to the following questions:
- What percentage of the SARs filed resulted in law enforcement opening a case or helped law enforcement build an existing case?
- How many of these law enforcement cases led to convictions of money launderers?
- To the extent that these SARs didn’t result in law enforcement cases, was that because they were uninteresting to law enforcement or because law enforcement didn’t have the bandwidth to pursue them?
- If the SARs filed were not interesting to law enforcement, how should we reform the SAR regime to make sure that law enforcement is getting useful information (and that financial institutions are not wasting time and resources producing information of no interest to law enforcement)?
- If law enforcement was not able to follow up on cases that may have led to a conviction because of law enforcement’s own resource limitations, are we comfortable with this from a public policy standpoint?
- In light of multiple reported leaks this year, is FinCEN confident that it can protect the confidentiality of SARs and the identity of the financial institutions and individuals who file them? Should the SAR form be modified to eliminate some of the most sensitive detail?
For years now, we have been talking about anti-money laundering (AML) reform in the United States. The FinCEN Files should be the catalyst for real reform addressing not only the role of financial institutions in combating money laundering and terrorist financing, but also the role of the public sector. FinCEN’s recent reform proposal would be a good place to start. Using the leak as a reason for punishing financial institutions for doing what they believe is expected of them will only exacerbate an already suboptimal U.S. AML regime.