In September, the International Consortium of Investigative Journalists (ICIJ) released the so-called ‘FinCEN Papers’ (or the ‘Papers’) after a library of financial intelligence reports (including more than 2,000 suspicious activity reports, or SARs) were leaked to the press. Although the leak was illegal, with one FinCEN employee already pleading guilty to unlawful disclosure, the Papers show how large, global banks moved trillions in ‘dirty’ money for drug traffickers and cartels, corrupt political regimes, and other international criminals.  Perhaps more importantly, the Papers demonstrate that FinCEN’s bank-led enforcement framework is not working. For example, many featured SARs lacked critical information regarding the beneficial owners or controlling parties of the entities involved in the underlying transactions.

For those working in the financial crimes compliance industry, the information contained in the Papers may not be as shocking as it is to the general public.  For years, the regulatory framework has required (and indeed relied on) banks to flag suspicious activities detected during compliance monitoring processes and to report these activities to FinCEN through SARs, but has not necessarily required banks to stop financial crime.  The Papers seem to highlight what many of us in the industry have been noting for some time. Financial institutions may often file SARs as a defensive measure or with incomplete information, passing the liability for confirming and prosecuting financial crime onto regulators who may lack the technology, funding and personnel to optimize their effectiveness.

Even though fines associated with BSA/AML and sanctions compliance violations have increased substantially over time, the amounts pale compared to the trillions in ‘dirty’ money that simultaneously moved through the US banking system, often through US dollar clearing.  Is this evidence that banks are willingly accepting fines as a cost to doing business, or is it a further example that banks’ internal controls are still not what they should be?  

Moreover, the feedback loop from regulators is often not as robust as it could be, with financial institutions very rarely receiving further information on the SARs they have filed.  The feedback that banks do receive from regulators – often the result of examination – has resulted in financial institutions spending billions on strengthening their BSA/AML and sanctions compliance programs over the last decade.  During the same period, technological advances have increased electronic banking activities and shifts in customer and criminal behavior.  This digital movement has triggered a rise in transaction monitoring and sanction alerts with relatively low levels of alert effectiveness, which continues to drain compliance resources while providing little relative benefit to the financial system.

What is the answer?  Our complicated global financial system needs increased collaboration between financial institutions and law enforcement.  FinCEN has already attempted to address this gap in a recent Advance Notice of Proposed Rulemaking (ANPR) which is intended to “modernize the regulatory regime to address the evolving threats of illicit finance,” and “to provide financial institutions greater flexibility in the allocation of resources and greater alignment of priorities across industry and government, resulting in the enhanced effectiveness and efficiency of anti-money laundering (AML) programs." However, much more actionable guidance will be required by law enforcement to make a true partnership with the private sector effective, including better information sharing across borders.  

Banks should continue to invest in their internal controls and data clean-up despite pressures put on their bottom lines by COVID-19 and other global events.  More specifically, banks should take advantage of recent advancements in AI and machine learning to enhance alert effectiveness.  Further, banks should focus on their KYC processes to ensure customer information, including critical beneficial ownership data, is accurate and effectively informing SAR filings.  Banks should continue to focus on the quality of their risk assessments – although not currently an explicit regulatory requirement, risk assessments are the cornerstone to ensuring an effective BSA/AML and OFAC compliance program and may be explicitly required as a result of FinCEN’s ANPR.