Loading…

Anti-Money Laundering Act of 2020 – “Pay to Play” Arrives and Perhaps We Have An Answer to the Whereabouts of Section 314(d)

The Senate Banking Committee’s top Republican (Senator Crapo from Idaho) and top Democrat (Senator Brown from Ohio) have joined forces to draft the Anti-Money Laundering Act of 2020 as an amendment to the National Defense Authorization Act. It takes some of what the House passed in HR2513, the Corporate Transparency Act, and replicates most of what the Senate has been horse-trading on with the ILLICIT CASH Act (S2563), and adds a few other provisions: 214 pages of provisions.

If enacted, it would be the biggest revision to the U.S. AML/CFT regime since the USA PATRIOT Act of 2001. The main legislation for the AML/CFT regime is found in Title 31 of the US Code. 31 USC 5311 (the purpose of the BSA) and 5318 (the program and reporting requirements) will materially change, four new sections (5333-5336) will be added, two new BSAAG subcommittees will be created, and of course a FinCEN database of beneficial ownership information will be created to house some legal entity beneficial ownership information (more on that in another article).

Anti-Money Laundering Act of 2020

The proposed AML Act of 2020 would be tacked on to the back end – Division E – of the 2021 Defense Appropriations bill. So the titles for the Act begin at title 51 – actually the Roman numeral LI. There are five titles:

  • Title LI – Strengthening Treasury Financial Intelligence, Anti-Money Laundering [AML], and Countering the Financing of Terrorism [CFT] Programs
  • Title LII – Modernizing the AML and CFT Systems
  • Title LIII – Improving AML and CFT Communication, Oversight, and Processes
  • Title LIV – Establishing Beneficial Ownership Reporting Requirements
  • Title LV – Miscellaneous

Section 5201 – Annual Reporting Requirements

This article focuses solely on section 5201 of Title LII. Why? It includes my long-sought-after SAR feedback from law enforcement, while at the same time resurrects the long-forgotten section 314(d) of the USA PATRIOT Act.

In a nutshell, section 5201 is a “pay to play” requirement imposed on law enforcement and the intelligence community. At requires the Attorney General, on behalf of federal and state prosecutors and law enforcement agencies, to deliver an annual report and, once every five years a broader long-term trending report, to the Secretary of the Treasury, setting out statistics, metrics, and other information on the use of BSA reports. The annual report must include:

  1. The frequency with which the BSA reports contains actionable information that leads to, among other things, actions by law enforcement agencies such as grand jury subpoenas, and actions by intelligence, national security, and homeland security agencies;
  2. Calculations on the time between the BSA reporting and the use of the data by law enforcement or intelligence agencies;
  3. An analysis of the transactions associations with the BSA reports, including whether the accounts were held by legal entities or persons, and any trends or patterns in cross-border activity;
  4. The number of legal entities and persons identified by the BSA reports;
  5. The extent to which arrests, indictments, convictions, etc., were related to the reports; and
  6. Data on state and federal investigations that resulted from the reports.

The five-year report would focus on longer-term trends, patterns and threats: retrospective trends and emerging patterns and threats.

And what would the Secretary of the Treasury do with these reports? That is covered by subsection (d) of section 5201, which provides that the Secretary shall use these reports

  1. To help assess the usefulness of BSA reports;
  2. “to enhance feedback and communications with financial institutions and other entities subject to the requirements under the BSA, including by providing more detail in the reports published and distributed under section 314(d) of the USA PATRIOT Act (31 USC s. 5311 note);
  3. to assist FinCEN in considering revisions to the reporting requirements promulgated under section 314(d) of the USA PATRIOT Act (31 USC s. 5311 note).

The result? This July 2020 proposed AML legislation would require the public sector consumers of BSA reports to provide feedback to the private sector producers of those reports – essentially a “pay to play” requirement, and that feedback would be through the almost 20-year old provision of the USA PATRIOT Act, section 314(d).

I’ve written about both of these things.

On July 30, 2019 I published an article titled “SAR Feedback? What Ever Happened to Section 314(d)?” See https://regtechconsulting.net/aml-regulations-and-enforcement-actions/sar-feedback-what-ever-happened-to-section-314d/ I wrote:

Wouldn’t it be great if Treasury published a report, perhaps semi-annually, that contained a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports (SARs) and investigations conducted by federal, state, and local law enforcement agencies (to the extent appropriate) and distributed that report to financial institutions that filed those SARs?

To get Treasury to do that, though, would probably require Congress to pass a law compelling it to do so.

Hold it. Congress did pass that law.  Almost 18 years ago. And, by all accounts, it’s still on the books. What happened to those semi-annual reports? When did they begin? If they began, when did they end?

Section 314(d) – Its Origins

What became 314(d) was introduced in the House version of what became the USA PATRIOT Act. The House version, the Financial Anti-Terrorism Act, was introduced on October 3, 2001. It was marked up by the House Financial Services Committee on October 11. The Senate version, originally titled the Uniting and Strengthening America Act, or USA Act, was introduced on October 4th and had sections 314(a) (public to private sector information sharing), 314(b) (cooperation among financial institutions, or private-to-private sector information sharing), and 314(c) (“rule of construction”). There was no 314(d) in that early version.

On October 17th, HR 3004, the Financial Anti-Terrorism Act, was passed by the House 412-1. Title II was “public-private cooperation”. Section 203 was:

“Reports to the Financial Services Industry on Suspicious Financial Activities – at least once each calendar quarter, the Secretary shall (1) publish a report containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate; and (2) distribute such report to financial institutions as defined in section 5312 of title 31, US code.”

The Senate and House versions were reconciled, and on October 23rd the House Congressional Record shows a consideration of what was then the USA PATRIOT Act. That version of the bill then included what had been section 203 and was now 314(d). It was the same, except instead of a quarterly report it was a semi-annual report (“at least once each calendar quarter” was changed to “at least semiannually”).

SAR Activity Review – Was That The Answer to 314(d)?

The ABA has written, and at least one former FinCEN employee has stated that the “SAR Activity Review – Trends, Tips, and Issues” was the response to 314(d). The SAR Activity Reviews were excellent resources. They contained sections on SAR statistics, national trends and analysis, law enforcement cases, tips on SAR form preparation and filing, issues and guidance, and an industry forum. The first SAR Activity Review noted that it was published under the auspices of the BSAAG, was to be published semi-annually in October and April, and was “the product of a continuing collaboration among the nation’s financial institutions, federal law enforcement, and regulatory agencies to provide meaningful information about the preparation, use, and utility of SARs.”  Although that certainly sounds like it is responsive to section 314(d), there is no reference to 314(d).

And the first SAR Activity Review was published more than a year before 314(d) was passed. Even the first SAR Activity Review published after the enactment of the USA PATRIOT Act and section 314(d) – the 4th issue published on July 31, 2002 – didn’t make any reference to 314(d). Beginning with the 6th issue of the SAR Activity Review, published in October 2003, the authors broke out the statistics from the “Trends, Tips & Issues” document and published a separate, and more detailed, “SAR Activity Review – By The Numbers”. The last SAR Activity Review (the 23rd) and the last “By The Numbers” (the 18th) were published on April 30, 2013. None of those forty-one publications referenced 314(d). After the SAR Activity Reviews stopped, FinCEN continued to publish “SAR Statistics”, and did so three times from June 2014 through March 2017.  For the last few years, FinCEN has maintained SAR Stats on its website – https://www.fincen.gov/reports/sar-stats  – that is updated on a monthly basis. Those statistics are useful, but cannot be thought of as “containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate”, quoting the 314(d) language.

Does Anyone Know What Happened to 314(d)?

I don’t have the answer to that question. Perhaps 314(d) is seen as satisfied by the accumulation of advisories, guidance, bulletins, etc., published by FinCEN and other Treasury bureaus and agencies and departments from time to time. Perhaps there is a Treasury Memorandum out there that I’m not aware of that provides a simple explanation. Perhaps not: most BSA/AML experts I speak with are not even aware of 314(d), and if the SAR Activity Review did satisfy the spirit and intent of 314(d), the last one was published more than six years ago. But everyone in the private sector BSA/AML risk management space has been clamoring for more feedback from law enforcement and FinCEN on the effectiveness and usefulness of their SAR filings. Perhaps a renewed (or any) focus on 314(d) is the answer.  The revival of 314(d) could give FinCEN the mandate they’ve been looking for to provide more valuable information to the private sector producers of Suspicious Activity Reports. We would all benefit.

Public Sector is Going to Have to Pay in Order to Play With the Private Sector’s BSA Reports

On November 21, 2019 I wrote an article titled “Like Sam Loves Free Fried Chicken, Law Enforcement Loves ‘Free’ Suspicious Activity Reports … But What If Law Enforcement Had to Earn the Right to Use the Private Sector’s ‘Free’ SARs?” See https://regtechconsulting.net/fintech-financial-crimes-and-risk-management/like-sam-loves-free-fried-chicken-law-enforcement-loves-free-suspicious-activity-reports-but-what-if-law-enforcement-had-to-earn-the-right-to-use-the-private-sector/. That article provided:

Eleven year-old Sam Caruana of Buffalo, New York waited outside a Chick-fil-A restaurant in the freezing cold in order to be one of the 100 people given free fried chicken for one year (actually, one chicken sandwich a week for fifty-two weeks). In a video that went viral (Sam Caruana YouTube – Free Chicken), young Sam explained that he simply loved fried chicken, and he’d stand in the cold for free fried chicken.

Just as Sam loves free fried chicken, law enforcement loves free Suspicious Activity Reports, or SARs. In the United States, over 30,000 private sector financial institutions – from banks to credit unions, to money transmitters and check cashers, to casinos and insurance companies, to broker dealers and investment advisers – file more than 2,000,000 SARs every year. And it costs those financial institutions billions of dollars to have the programs, policies, procedures, processes, technology, and people to onboard and risk-rate customers, to monitor for and identify unusual activity, to investigate that unusual activity to determine if it is suspicious, and, if it is, to file a SAR with the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. From there, hundreds of law enforcement agencies across the country, at every level of government, can access those SARs and use them in their investigations into possible tax, criminal, or other investigations or proceedings. To law enforcement, those SARs are, essentially, free. And like Sam loves free fried chicken, law enforcement loves free SARs. Who wouldn’t?

But should those private sector SARs, that cost billions of dollars to produce, be “free” to public sector law enforcement agencies? Put another way, should the public sector law enforcement agency consumers of SARs need to provide something in return to the private sector producers of SARs?

I say they should. And here’s what I propose: that in return for the privilege of accessing and using private sector SARs, law enforcement shouldn’t have to pay for that privilege with money, but with effort. The public sector consumers of SARs should let the private sector producers know which of those SARs provide tactical or strategic value.

A recent Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had: 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). Note that the survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Some of the mega banks indicate that law enforcement shows interest in (through requests for supporting documentation or grand jury subpoenas) 6% – 8% of SARs.

I argue that the Alert/SAR and even Case/SAR ratios are all of interest, but tracking to SARs filed is a little bit like a car manufacturer tracking how many cars it builds but not how many cars it sells, or how well those cars perform, how long they last, and how popular they are. And just like the automobile industry measuring how many cars are purchased, the better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

Also, there is much being written about how machine learning and artificial intelligence will transform anti-money laundering programs. Indeed, ML and AI proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate. The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government. But the fundamental problem that every one of those ML/AI systems has is that they are using the wrong data to train their algorithms and “teach” their machines: they are looking at the SARs that are filed, not the SARs that have tactical or strategic value to law enforcement.

Tactical or Strategic Value Suspicious Activity Reports – TSV SARs

The best measure of an effective and efficient financial crimes program is how well it is providing timely, effective intelligence to law enforcement. And the best measure of that is whether the SARs that are being filed are providing tactical or strategic value to law enforcement. How do you determine whether a SAR provides value to law enforcement? One way would be to ask law enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure law enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, law enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.

A TSV SAR is one that has either tactical value – it was used in a particular case – or strategic value – it contributed to understanding a typology or trend. And some SARs can have both tactical and strategic value. That value is determined by law enforcement indicating, within seven years of the filing of the SAR (more on that later), that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value.  That law enforcement response or feedback is provided to FinCEN through the same BSA Database interfaces that exist today – obviously, some coding and training will need to be done (for how FinCEN does it, see below). If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within seven years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement. And when FinCEN shares that information across the industry, others could also reduce their false positive rates.

FinCEN’s TSV SAR Feedback Loop

FinCEN is working to provide more feedback to the private sector producers of BSA reports. As FinCEN Director Ken Blanco recently stated:[1]

“Earlier this year, FinCEN began the BSA Value Project, a study and analysis of the value of the BSA information we receive. We are working to provide comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information in order to make it more effective and its collection more efficient. We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm — that is clear. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis.”

FinCEN receives every SAR. Indeed, FinCEN receives a number of different BSA-related reporting: SARs, CTRs, CMIRs, and Form 8300s. It’s a daunting amount of information. As FinCEN Director Ken Blanco noted in the same speech:

FinCEN’s BSA database includes nearly 300 million records — 55,000 new documents are added each day. The reporting contributes critical information that is routinely analyzed, resulting in the identification of suspected criminal and terrorist activity and the initiation of investigations.

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, and local agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data taking place each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, which bring together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed.

Each day, law enforcement, FinCEN, regulators, and others are querying this data:  7.4 million queries per year on average. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that protect our nation from harm, help deter crime, and save lives.”

This doesn’t tell us how many of those 55,000 daily reports are SARs, but we do know that in 2018 there were 2,171,173 SARs filed, or about 8,700 every (business) day. And it appears that FinCEN knows which law enforcement agencies access which SARs, and when. And we now know that there are “18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities” every year. But which filings?

The law enforcement agencies know which SARs provide tactical or strategic value, or both. So if law enforcement finds value in a SAR, it should acknowledge that, and provide that information back to FinCEN. FinCEN, in turn, could provide an annual report to every financial institution that filed, say, more than 250 SARs a year (that’s one every business day, and is more than three times the number filed by the average bank or credit union). That report would be a simple relational database indicating which SARs had either or both tactical or strategic value. SAR filers would then be able to use that information to actually train or tune their monitoring and surveillance systems, and even eliminate those alerting systems that weren’t providing any value to law enforcement.

Why give law enforcement seven years to respond? Criminal cases take years to develop. And sometimes a case may not even be opened for years, and a SAR filing may trigger an investigation. And sometimes a case is developed and the law enforcement agency searches the SAR database and finds SARs that were filed five, six, seven or more years earlier. Between record retention rules and practical value, seven years seems reasonable.

Law enforcement agencies have tremendous responsibilities and obligations, and their resources and budgets are stretched to the breaking point. Adding another obligation – to provide feedback to the banks, credit unions, and other private sector institutions that provide them with reports of suspicious activity – may not be feasible. But the upside of that feedback – that law enforcement may get fewer, but better, reports, and the private sector institutions can focus more on human trafficking, human smuggling, and terrorist financing and less on identifying and reporting activity that isn’t of interest to law enforcement – may far exceed the downside.

Free Suspicious Activity Reports are great. But like Sam being prepared to stand in the freezing cold for his fried chicken, perhaps law enforcement is prepared to let us know whether the reports we’re filing have value.

Conclusion

As of this writing – July 3, 2020 – it remains to be seen whether the Anti-Money Laundering Act of 2020 will become law, or what parts of the Act will become law. But section 5201, which requires the public sector consumers of the BSA reports produced by the private sector to provide feedback to the private sector on the usefulness of those reports. This is a critically important, long-awaited development in the US AML/CFT regime.

For more on alert-to-SAR rates, the TSV feedback loop, machine learning and artificial intelligence, see other articles I’ve written:

The TSV SAR Feedback Loop – June 4 2019

AML and Machine Learning – December 14 2018

Rules Based Monitoring – December 20 2018

FinCEN FY2020 Report – June 4 2019

FinCEN BSA Value Project – August 19 2019

BSA Regime – A Classic Fixer-Upper – October 29 2019

[1] November 15, 2019, prepared remarks for the Chainalysis Blockchain Symposium, available at https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-chainalysis-blockchain-symposium

AML360 Podcast – Jim Richards with Stephen Platt

On June 12, 2020 I enjoyed an hour with AML360 talk show host Stephen Platt. For an hour – live! – we talked about a broad range of issues facing the financial crimes community today:

  • The scourge of misaligned incentives, where regulators are looking at how banks run their programs, and not on how well those banks are getting timely, actionable intelligence to law enforcement. I argued that the Exam Manual needs to be changed from “a sound BSA/AML compliance program is critical in deterring and preventing money laundering and terrorist financing” (page 7, 2014 edition) to “providing actionable, timely intelligence to law enforcement is critical in deterring and preventing money laundering and terrorist financing, and a sound BSA/AML compliance program provides the foundation for being able to do so.”
  • Artificial intelligence and machine learning are critical tools, but we need to be wary of the results when those tools are used on SARs filed with law enforcement, rather than SARs used by law enforcement. I used the analogy of a car manufacturer: it’s not relevant how many cars it builds, what is relevant is how many cars are bought, and the quality of those cars. Same for SARs: it’s not relevant how many SARs a bank files, what is relevant is how many SARs are used by law enforcement, and the effectiveness of those SARs.
  • False positives, and whether high false positives rates are caused, in large part, by banks’ fear of regulatory sanctions for missing a possible actionable alert rather than by poor technology.
  • The importance of clean, consistent data. I argued that AML is 80% customer due diligence and 50% clean data (paraphrasing Yogi Berra), and that most legacy, large financial institutions still struggle to have and maintain an Enterprise Customer Risk Rating.
  • Whether and why financial institutions are falling further behind criminals and criminal organizations. They are, in large part because financial institutions need to be mindful of running their programs, testing their systems, model validation, audit requirements, regulatory exams, etc., while criminals and criminal organizations don’t need to deal with any of those things.
  • The impacts of COVID-19 on financial institutions’ fraud and AML programs. I argued that we’re able to adapt our systems to detect and prevent fraud, which is an objective event lending itself well to systemic monitoring and surveillance, but it’s too early to tell whether our AML systems will be as effective. For AML, both the numerator (alerts) and denominator (the volumes, velocities, and types of transactions) are changing so quickly, our AML models may not be as effective as they were.
  •  Transaction Monitoring – I made the statement that account-based, traditional transaction monitoring is not only dead, it’s never worked effectively. Instead, relationship-based interaction surveillance is what is required.
  • The value of Deferred Prosecution Agreements, or DPAs.
  • The importance of understanding internal bad actors’ roles in identifying and reporting fraud and money laundering.

The podcast is available at https://podcasts.apple.com/us/podcast/aml-talk-show-brought-to-you-by-kyc360-com-hosts-martin/id1484784236?i=1000477739453

FinCEN’s Estimate of the Costs and Burden of Filing SARs Is Evolving, But Needs Private Sector Input

For years, FinCEN has used a one-size-fits-all-SARs method of determining the costs and burden of filing Suspicious Activity Reports (SARs): a flat two hours, or 120 minutes. With a new-found ability to slice-and-dice its SAR data, FinCEN has now determined that the back half of the SAR filing process takes between 45 and 315 minutes, depending on the type of SAR. And it’s looking for feedback from the private sector on how to enhance this estimate.

Posted June 2, 2020

On May 26, 2020, FinCEN published a notice in the Federal Register titled “Proposed Updated Burden Estimate for Reporting Suspicious Transactions Using FinCEN Report 111 – Suspicious Activity Report”. This is a notice required under the Paperwork Reduction Act, or PRA: agencies are required to periodically assess and estimate the burdens and costs of their regulatory regimes.

This is a ground-breaking notice, for it is the first such notice where: (1) FinCEN has been able to analysis the SAR Database to quantitatively assess the numbers, characteristics, and types of SARs, by institution type, by type of work required to be done, and by what types of involved positions; and (2) perhaps just as important, FinCEN has shown a willingness to provide this information and to seek feedback from the private sector on other available information that could be incorporated into future analyses. FinCEN must be commended for both.

In prior PRA notices, FinCEN has simply estimated that the SAR filing process takes a total of two hours for each and every SAR filed. With this notice, FinCEN identified and attempted to capture burden and cost estimates for, five categories of SARs, two types of filing (batch and discrete), the six stages in the SAR filing process, and the four types of positions involved in the process.

Five categories of SARs: (1) depository institutions’ (banks and credit unions) original SARs with standard content; (2) depository institutions’ original SARs with extended content; (3) non-depository institutions’ original SARs with standard content; (4) non-depository institutions’ original SARs with extended content; and (5) all filers’ continuing activity SARs. The standard and extended content analysis looked at combinations of (1) the number of named suspects; (2) the number of suspicious activities’ categories marked on the SAR form; (3) the length and make-up of the narrative; and (4) whether there was an attachment.

Six stages in the SAR filing process: (1) maintaining a monitoring system; (2) reviewing alerts; (3) transforming alerts into cases; (4) case review; (5) documentation of the SAR/no SAR determination; and (6) the SAR filing process. The current two-hour per SAR PRA estimate only considered the 6th stage: this notice added the 4th and 5th stage, and FinCEN acknowledged that it needs further data, and comments from the private sector, in order to include the 1st, 2nd, and 3rd stages.

Four types of people: (1) general supervision (oversight); (2) direct supervision; (3) clerical (SAR investigation); and (4) clerical (filing).

With this notice, FinCEN is changing its PRA burden estimate of 120 minutes per SAR to an estimate ranging from 25 minutes to 315 minutes per SAR for the last 3 of the 6 stages in the SAR filing process, and is inviting comments on these new estimates and on how to include and estimate the first 3 of the 6 stages.

Comments from the public are due by July 27, 2020.

Below is my analysis and commentary on the FinCEN notice. The text of the Notice is in regular font: my analysis and comments are in red italics.

Renewal Without Change of the Bank Secrecy Act Reports by Financial Institutions of Suspicious Transactions

https://www.govinfo.gov/content/pkg/FR-2020-05-26/pdf/2020-11247.pdf

Agency Information Collection Activities; Proposed Renewal; Comment Request;

AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION: Notice and request for comments.

SUMMARY: As part of its continuing effort to reduce paperwork and respondent burden, FinCEN invites comments on the proposed renewal, without change, of currently approved information collections relating to reports of suspicious transactions. Under the Bank Secrecy Act regulations, financial institutions are required to report suspicious transactions using FinCEN Report 111 (the suspicious activity report, or SAR). Although no changes are proposed to the information collections themselves, this request for comments covers a proposed updated burden estimate for the information collections.

This request for comments is made pursuant to the Paperwork Reduction Act of 1995.

DATES: Written comments are welcome, and must be received on or before [INSERT

DATE 60 DAYS AFTER THE DATE OF PUBLICATION OF THIS DOCUMENT IN THE FEDERAL REGISTER.]

JRR Comment: Very simply, FinCEN is proposing updates to the way it estimates the burden – both time and cost – for preparing and filing Suspicious Activity Reports, and is seeking comments on these proposed updates. FinCEN’s newfound ability to analyze the data it has seems to have allowed it to shift from a two-hours-for-all-SARs approach to a much more nuanced, data-driven approach.

ADDRESSES: Comments may be submitted by any of the following methods:

  • Federal E-rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Refer to Docket Number FINCEN-2020-0004 and the specific Office of Management and Budget (OMB) control numbers 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, 1506-0061, and 1506-0065.
  • Mail: Policy Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-2020-0004 and OMB control numbers 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, 1506-0061, and 1506-0065.

Please submit comments by one method only. Comments will also be incorporated into FinCEN’s review of existing regulations, as provided by Treasury’s 2011 Plan for Retrospective Analysis of Existing Rules. All comments submitted in response to this notice will become a matter of public record. Therefore, you should submit only information that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section at 1-800-767-2825 or electronically at frc@fincen.gov.

SUPPLEMENTARY INFORMATION:

I. Statutory and Regulatory Provisions

The legislative framework generally referred to as the Bank Secrecy Act (BSA) consists of the Currency and Financial Transactions Reporting Act of 1970, as amended by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) (Public Law 107– 56) and other legislation. The BSA is codified at 12 U.S.C. 1829b, 12 U.S.C. 1951–1959, 31 U.S.C. 5311–5314 and 5316–5332, and notes thereto, with implementing regulations at 31 CFR Chapter X.

The BSA authorizes the Secretary of the Treasury, inter alia, to require financial institutions to keep records and file reports that are determined to have a high degree of usefulness in criminal, tax, and regulatory matters, or in the conduct of intelligence or counter-intelligence activities, to protect against international terrorism, and to implement counter-money laundering programs and compliance procedures.[1] Regulations implementing Title II of the BSA appear at 31 CFR Chapter X. The authority of the Secretary to administer the BSA has been delegated to the Director of FinCEN.[2] Under 31 U.S.C. 5318(g), the Secretary of the Treasury is authorized to require financial institutions to report any suspicious transaction relevant to a possible violation of law or regulation. Regulations implementing 31 U.S.C. 5318(g) are found at 31 CFR 1020.320, 1021.320, 1022.320, 1023.320, 1024.320, 1025.320, 1026.320, 1029.320, and 1030.320. The information collected under these requirements are made available to appropriate agencies and organizations as disclosed in FinCEN’s Privacy Act System of Records Notice relating to BSA Reports.[3]

II. Paperwork Reduction Act (PRA)[4]

Title: Reports by Financial Institutions of Suspicious Transactions (31 CFR 1020.320, 1021.320, 1022.320, 1023.320, 1024.320, 1025.320, 1026.320, and 1029.320). OMB Control Numbers: 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, 1506-0061, and 1506-0065.[5]

Report Number: FinCEN Report 111 – Suspicious Activity Report (SAR).

Abstract: FinCEN is issuing this notice to renew the OMB control numbers for the SAR regulations and the SAR report.

Type of Review: Renewal without change of currently approved information collections.

Affected Public: Businesses or other for-profit institutions, and non-profit institutions.

SAR Regulations

Estimated Burden: An administrative burden of one hour is assigned to each of the SAR regulation OMB control numbers in order to maintain the requirements in force.[6]

JRR Comment: One hour is the current “administrative burden” of preparing and filing a SAR.

The reporting and recordkeeping burden is reflected in FinCEN Report 111 – SAR, under OMB control number 1506-0065. The rationale for assigning one burden hour to each of the SAR regulation OMB control numbers is that the annual burden hours would be double counted if FinCEN estimated burden in the industry SAR regulation OMB control numbers and in the FinCEN Report 111 – SAR OMB control number.

FinCEN Report 111 – SAR

Type of Review:

  • Propose for review and comment a re-calculation of the portion of the PRA burden that has been subject to notice and comment in the past (the “traditional annual PRA burden”).
  • Propose for review and comment a method to estimate the portion of the PRA burden that FinCEN previously had not included (the “supplemental annual PRA burden”).

JRR Comment: FinCEN is acknowledging that its current burden estimate (i) needs to be re-calculated, and (ii) needs to be augmented.  And it now has the means to do so through its BSA Value Project.

Frequency: As required.

Estimated Number of Respondents: 12,148 financial institutions.[7]

JRR Comment: The estimated number of respondents – 12,148 financial institutions – and the accompanying footnote is the first interesting nugget of information. The footnote includes the phrase “not all financial institutions identify suspicious activity that would warrant a SAR filing”. This is a benign phrase, hidden in a footnote, that could be the headline of a GAO report: arguably, every regulated financial institution, no matter how small, should identify and report at least one suspicious transaction in any given year. See my comments below Table 1.

Estimated Reporting and Recordkeeping Burden:

In this notice, FinCEN introduces two substantial modifications to the scope and the methodology we previously used to estimate the annual PRA burden associated with the SAR. First, with respect to the scope of the estimate, FinCEN’s traditional annual PRA burden estimate associated with the SAR included only the filer’s annual operational burden and cost associated with (a) producing and filing the report, and (b) storing a copy of the filed report. Starting with this notice, FinCEN intends to add a supplemental annual PRA burden estimate that reflects the annual costs involved in (a) determining whether alerts that were elevated for further review merit filing a SAR, and (b) documenting the decision not to file a SAR when a case does not merit it.[8]

JRR Comment: This is where FinCEN explains what it is proposing to do. FinCEN recognizes that there is a complex process to monitor for and alert on unusual activity, determine whether to investigate that activity, to investigate that activity and, if it is suspicious to prepare and file a SAR or if not suspicious to document why it is not suspicious. Later, FinCEN describes these as the six stages in the SAR filing process. In Footnote 8, though, FinCEN acknowledges that it “lacks the granular data to estimate the costs of certain steps in that process”. In fact, it lacks the data to include the burdens for steps 1-3, which arguably may be the most burdensome from both time and cost perspectives.

Second, with respect to the methodology underlying the PRA burden and cost estimates, rather than continuing to allocate a single PRA burden and cost to the completion, submission, and storage of any type of SAR, FinCEN proposes to estimate the individual PRA burden and cost of different categories of SARs, grouped by the SARs’ estimated degree of complexity. Because there is no direct way to measure the complexity and related effort and cost of producing each SAR, FinCEN uses key features of SARs filed in 2019 to categorize them based on similar combinations of those key features, under the assumption that such combinations of key features reflect similar levels of effort and cost necessary to produce the SARs.

JRR Comment: This is where FinCEN is acknowledging that not all SARs are the same. Later, FinCEN identifies five types of SARs for its burden estimates, differentiated by (i) whether they are original SARs or “continuing activity” SARs; (ii) whether filed by banks and credit unions (collectively, “depository institutions” or “DIs”) or all other types of filers (“Non-DIs”); (iii) whether they are “standard” complexity or “extended” complexity; and (iv) whether they were batch-filed or filed as a discrete, stand-alone SAR.

Part 1 below sets out the breakdown of the SARs filed during 2019 according to the key features that are used to group SARs into categories subject to similar PRA burden and cost. Part 1 also contains the analysis of how some combinations of key features worked or failed to work as proxies for a SAR’s complexity and, therefore, burden and cost.

Part 2 uses the results of the analysis in Part 1 to estimate the individual and total annual PRA burden and cost of each category of SARs. The methodology described in Part 2 covers both the traditional and the supplemental annual PRA burden estimate.

Part 1. Breakdown of the 2019 SAR Filings

In 2019, 12,148 financial institutions (the “filing population”) submitted 2,751,694 SARs (the 2019 SAR submissions).[9] The distribution of the 2019 SAR submissions, by type of filing (original or continuing),[10] type of financial institution,[11] number of reports per filer per year, and method of filing (batch or discrete),[12] is presented in Table 1 below:

Table 1 shows that banks submitted slightly over half of the total number of SARs filed in 2019. Money services businesses (MSBs) and credit unions contributed 32.9% and 7.3% of the total, respectively. Approximately 85% of the filings from all financial institutions consisted of original reports. In addition, approximately 85% of the reports were batch filed.

JRR Comment: The most interesting aspect of Table 1 is not what is included in the Table – which is the number of financial institutions, by type, that filed SARs in 2019, but what is not included in the Table – the total number of financial institutions, by type.

  • Banks – FDIC data shows that there were 5,186 banks at the end of 2019. So 95% of banks filed at least one SAR in 2019, which means that 5% or 250 banks didn’t file a single SAR in 2019.
  • Credit Unions – NCUA data shows that there were 5,236 credit unions at the end of 2019. Using this data, 62% of credit unions filed at least one SAR in 2019, which means that 38% or 2,001 credit unions didn’t file a single SAR in 2019. 
  • Securities/Futures – In this “catch all” category, FinCEN’s May 11, 2016 Final Rule for CDD/Beneficial Ownership provided that there were 16,404 entities in this class. SEC data suggests ~3,800 registered entities. At best, 15% of the regulated financial institutions in the Securities/Futures class are filing SARs.
  • Money Services Businesses (MSBs) – There are 22,736 MSBs registered with FinCEN. So less than 10% of registered MSBs filed at least one SAR in 2019.

To determine the concentration of 2019 SAR submissions among the filing population, FinCEN grouped filers in tranches according to the number of SARs filed during the year. Table 2 sets out the number of reports per tranche,[13] and Table 3 sets out (i) each tranche as a percentage of the total filer population, and (ii) each tranche’s reports as a percentage of the 2019 SAR submissions.[14]

JRR Comment: It is useful to group filers according to the number of SARs filed. But what would be more useful is to group them by size of institution. The problem, though, is determining what “size” is across diverse institution types. Total deposits might be the best proxy for banks and credit unions (better than total assets, which can be located outside the United States and aren’t tied to transactions as much as deposits are), but that measure doesn’t work for MSBs or Casinos.

However, 95% of SARs are filed by Depository Institutions (62%) and MSBs (33%). I would propose that Depository Institutions be grouped by tranches of Total Deposits, and MSBs be grouped by number of domestic agent locations.

Ten filers (six banks and four MSBs) made up the first tranche (00_LARGEST FILERS). As set out in Table 3, these ten filers accounted for nearly half of the 2019 SAR submissions. Slightly less than 2% of the filing population (Tranches 00 to 03) submitted 81% of all the reports. Additionally, out of the filing population, 81% contributed slightly less than 4% of the filings, while 56% submitted fewer than 10 reports per year.

JRR Comment: These two tables are critical. First, though, is some much-needed context for banks and credit unions. Of the 5,236 credit unions, only 10 have assets greater than $10 billion, and the largest is $90 billion. 90% of credit unions have less than $565 million in assets. Of the 5,186 banks, 143 have assets of more than $10 billion, 32 are larger than $90 billion, and the 4 largest are all over $1.5 trillion in assets. But most banks, like credit unions, are very small: 75% of banks have less than $565 million in assets.

Looking at 50 or fewer SARs filed per year – or less than one per week – shows that 80% of banks and 81% of credit unions that filed SARs in 2019 filed fewer than 1 per week on average. And almost 60% of each filed fewer than 10 in the entire year. The 10 largest filers – 6 banks and 4 MSBs – filed more than 700 per week on average. The top 2% of banks and credit unions filed more than 80% of the SARs.

Question – is it time for a bifurcated regulatory approach, similar to the CCAR/DFAST approach taken for capital and liquidity purposes?

JRR Comment: The main flaw in the approach of grouping institutions by the number of SARs filed is that you could have a $100 million asset (deposits) institution, or a 10-agent MSB appropriately filing 50 SARs a year, and a $100 billion asset institution or a 100-agent MSB inappropriately filing 50 SARs a year, yet they are included in the same tranche.

Unlike currency transaction reports, for example, which are more easily categorized because they are filed based on objective criteria (i.e., transaction type and threshold), each SAR may require a widely disparate level of effort depending largely on the amount of research and subjective analysis required to determine: (a) whether to file a report; (b) how to attribute the suspicious behavior to money laundering, financing of terrorism, or fraud typologies; (c) who the main persons involved in the activity are; and (d) how to explain in concise terms the rationale that led the filer to decide to file a SAR.

As FinCEN has no direct way to gauge the amount of work involved in the production of each SAR, FinCEN broke down the 2019 SAR submissions by additional key features, so that, individually or in combination, these additional key features could serve as a proxy to group SARs with similar levels of estimated complexity, and therefore, with similar estimated PRA burden. The additional key features in the SARs that FinCEN has concentrated its analysis on are: (a) the number of persons identified as subjects; (b) the number of distinct suspicious activities selected;[15] (c) the length of the narrative section; and (d) whether or not the report contains an attachment.[16]

JRR Comment: One can debate whether these are the best proxies for complexity, but this is a tremendous first step in determining relative complexity and estimated PRA burden.

  • Number of Subjects/Suspects – this is a good proxy. As a general rule, the more suspects, the more complex the underlying activity.
  • Number of distinct suspicious activities selected – Footnote 15 indicates that the SAR has 18 categories of suspicious activities. I’m not sure where that number comes from. There are 11 categories of suspicious activity, each with 1 or more sub-types of activity (a total of 79 sub-types plus “other” for each category). There are also 10 instrument types and 21 product types. I recommend that FinCEN use some AI/Machine Learning techniques to analyze the combinations of suspicious activity types, instruments, and products. FinCEN attempted this in its “tractable segmentation” approach, below.
  • Length of narrative – FinCEN recognizes some of the shortcomings of this attribute, and adjusts for it, but this is a good first step.
  • Attachment – FinCEN recognizes the shortcomings, adjusts for it … and it is a good first step.

I didn’t see anything about the amount being reported (with more reported activity indicating more complexity), or the period of time between the first reported activity and the last reported activity (the greater the period of activity indicating more complexity), or the period of time between the first reported activity and the date of the SAR (which could indicate a lookback or review).

Once FinCEN identifies the combination of key features that are common to the largest number of reports submitted by a given type of filer (the “standard content” for that type of filer), FinCEN may take such combination as a proxy for the content and estimated complexity of a “standard” SAR for that filer type. Reports submitted by filers of the same type that contain different features (more subjects, more suspicious activities, a longer narrative) may represent SARs with “extended content” that are more complex, and therefore carry a larger PRA burden and cost for that filer type. Based on the data available, FinCEN is considering only two levels of SAR complexity.

Table 4A shows a breakdown of the 2019 SAR submissions by type of financial institution and narrative length. Table 4B shows the percentage of reports with and without attachments, by type of financial institution, and narrative length.

Table 5 breaks down the 2019 SAR submissions by type of financial institution and number of suspicious activities identified in each report.[17]

JRR Comment: The differences in the number of selected suspicious activities can be caused by differences in style, practices, or training from one institution to another. For example, one filer may consider a check fraud involving an elderly customer to be one category (check fraud), another two categories (check fraud, Elder Financial Exploitation), another six categories (check fraud, identity theft, providing questionable or false documentation, Elder Financial Exploitation, forgeries, identity theft).

I would combine the “tranche and type” data from Tables 2 and 3 with the number of suspicious activity categories from Table 5: the data may show that the fewer SARs an institution files, the fewer suspicious activity categories there are.

Approximately 44% of the SARs submitted by all filers have narratives not exceeding 2,000 characters (half a page), and another 39% have narratives above half a page but not exceeding one page. Most SARs (60%) identify up to two suspicious activities, while another 38% list between three and five.

FinCEN analyzed key features of the 2019 SAR submissions described in Tables 1 through 5 to generate a tractable segmentation of the SAR universe into different levels of burden. FinCEN based this segmentation on the following observations:

  • FinCEN was not able to limit the criteria for selecting categories of SAR burden to the type of financial institution or the tranche of a filer alone because of large variations in the combination of features within each type of financial institution or tranche. It was possible, however, to arrive at a small number of complexity categories by combining key features that highlight significant differences between depository institution filers (banks and credit unions), MSBs, and other types of financial institution filers (non-depository institutions).
  • Based on the analyzed complexity features as well as FinCEN’s extensive use of SARs in its work, in general and on average,[18] the content of SARs shows the following general features:
  1. There appears to be a positive correlation between the number and complexity of a financial institution’s main business lines, and the value registered by some of the key features selected: the higher the number and complexity of the filer’s business lines, the higher the number of suspicious transactions identified and the longer the narrative.
  2. In general, non-depository institutions with a single primary business line (i.e., loan and finance companies or casinos) file reports that (a) list up to two suspicious transactions involving one subject and a single transaction or a small number of transactions over a short period of time, and (b) use relatively short narratives of up to half a page to explain the basis for their suspicion.
  3. Some SARs filed by non-depository institutions have features indicating complexity, particularly longer narratives, despite the SARs not being complex. A sample of the SARs filed by two of the largest non-depository institutions showed that in 94% of the SARs with longer narratives, the increased length was due to listing transactions the filer appeared to have tracked automatically. Six percent of those SARs appeared to have required greater analytical effort. To estimate the number of SARs with extended content filed by non-depository institutions in 2019, FinCEN therefore applied the six percent threshold to the total number of SARs with narratives over one page filed by non-depository institutions.
  4. Nearly three quarters of original SARs filed by depository institutions report only up to two subjects involved in up to five suspicious activities, described in a narrative that does not exceed one page, and on their face do not appear complex.

JRR Comment: This is one of the most important statements in this Notice. Essentially, FinCEN is saying that ¾ of the 2.7 million SARs filed are not complex. Can these SARs be filed without human intervention with little, if any, material loss in utility or value to law enforcement?

Many SARs filed by depository institutions, however, have features indicating complexity. This may reflect any combination of the factors laid out in the tables above – number of subjects per SAR, number of suspicious transactions listed per SAR, length of the narrative, and presence of an attachment. However, some SARs that appear complex based on these features often are not in reality. Depository institutions, which in general tend to offer many business lines mostly to established customers, sometimes include in SARs a comparison of other information they maintain. This can increase the apparent complexity of SARs analyzed against the complexity factors FinCEN identified without necessarily being indicative of a SAR requiring extensive research. FinCEN controlled for this by removing from the complex category SARs that had a high ratio of digits to non-digit text in the SAR narrative, because a high ratio of digits often indicates the algorithmic inclusion of transaction data in the SAR narrative.

JRR Comment: This was a great catch by FinCEN. And below might have been a miss by FinCEN. Whether “continuing activity” SARs require “substantially less effort”, or any less effort than original SARs, is worth exploring.

  • For all financial institutions, FinCEN estimates that the review of cases documenting the need to file continuing SARs, and the filing of the continuing SARs themselves, will require substantially less effort than the review of cases leading to the filing of original SARs, and the actual filing of such original SARs.
  • Lastly, FinCEN assumes that financial institutions that batch file SARs have a degree of automation they can employ to the partial filling of the report. Batch filers will also store electronic files that may contain several reports per file. Based on these assumptions, FinCEN allocates a lower PRA burden per report to these filers. This burden consists of the actual time of submission per report (which may be close to instantaneous), and the administrative and supervisory tasks involved in this stage.

As noted, reflecting the observations above, FinCEN identified five categories of SARs to generate a tractable segmentation of complexity for analyzing estimated PRA burden: (a) continuing SARs; (b) original SARs with standard content filed by nondepository institutions; (c) original SARs with extended content filed by non-depository institutions; (d) original SARs with standard content filed by depository institutions; and (e) original SARs with extended content filed by depository institutions.

JRR Comment: This is the first of three steps FinCEN takes in estimating the SAR burden – identifying the five categories of SARs. The second and third steps follow: identifying the six stages in the SAR filing process, and the four types of people involved in that process, respectively.

Part 2. PRA Burden and Cost Estimates

Based on industry input, including input obtained over the past year in a project assessing how to improve the effectiveness of BSA data and measure its value for each stakeholder group, FinCEN understands that the SAR filing process comes at the end of a larger process that varies in complexity depending on the type and size of the financial institution:[19]

JRR Comment: On the following page is FinCEN’s six-stage SAR production process. This is a good first step, but I disagree with the approach that, for purposes of the PRA burden and cost estimates, the SAR process is distinct from the overall BSA/AML program process (and burden and cost). The singular purpose of the BSA/AML program regime is to provide timely, actionable intelligence to law enforcement and the intelligence community by way of BSA reports and recordkeeping – primarily SARs and CTRs. Therefore, integral to the SAR production process are the program requirements of risk assessment, CIP/CDD, training, independent testing, examination management, etc. These costs will be included in future notices.

Stage 1 – Maintaining a Monitoring System: Commensurate with the size of the filer and the complexity of its operations, each filer will run, update, and upgrade a monitoring system that reflects its assessment of risk. This monitoring system will vary in complexity from a manual review process to a fully automated one.[20]

JRR Comment: The use of the singular “monitoring system” minimizes the complexity of even the smallest institution’s program to have employees escalate unusual activity (referrals), to have manual or automated monitoring systems identify unusual activity (alerts), and the regulatory and operational requirements to run, update, and upgrade those systems. Larger, more complex institutions will run dozens of monitoring and surveillance systems.

Stage 2 – Reviewing Alerts: When the monitoring system issues an alert, the filer will have to determine whether the alert reveals a true potential risk event, or is a false positive.

JRR Comment: As FinCEN explains below, it is not including this stage in its burden and cost estimate “due to the lack of the necessary granular information”. Transaction monitoring and customer surveillance systems, and the alerts that are generated, are a major part of the burden and cost of AML programs. The issue of high false positive rates – anecdotally 95 percent or more of alerts are so-called “false positives” – is often-discussed, always-lamented, and remains an intractable problem. See: https://regtechconsulting.net/uncategorized/rules-based-monitoring-alert-to-sar-ratios-and-false-positive-rates-are-we-having-the-right-conversations/. Also see: https://regtechconsulting.net/uncategorized/flipping-the-three-aml-ratios-with-machine-learning-and-artificial-intelligence-why-bartenders-and-aml-analysts-will-survive-the-ai-apocalypse/

Stage 3 – Transforming Alerts into Cases: If, based on the filer’s analysis, the alert points to a true potential risk event, the filer will gather additional information to present the case to the reviewing level that will eventually decide whether the event merits the filing of a SAR.

JRR Comment: FinCEN has done a good job recognizing that many institutions have an alert review or alert triage process to determine if an alert should “go to case” or not. But like stages 1 and 2, this third stage is not included in the burden and cost analysis at this time.

Stage 4 – Case Review: The appropriate level will review the case to determine whether or not the event constitutes a suspicious activity that must be reported.

Stage 5 – Documentation of Determination: This notice takes into account that filers document decisions they make as part of Stage 4 that lead them to conclude that an event does not warrant the filing of a SAR.

Stage 6 – SAR Filing Process: If an event warrants the filing of a SAR, the filer will follow its SAR filing process, including: (a) selecting supporting documentation; (b) completing the report, including drafting the narrative; (c) filing the report through batch or discrete filing; and (d) storing the filed report and supporting documentation in physical or electronic form.

Each stage requires the filer’s use of human and technological resources, which combination will vary according to the sophistication of the filer. Previously, FinCEN limited its annual SAR PRA burden estimate to Stage 6 mentioned above, the SAR filing process (the “traditional annual PRA burden”). In this notice, FinCEN expands its PRA burden estimate to include Stages 4 and 5 listed above (the “supplemental annual PRA burden”).

JRR Comment: Stages 4 and 5 are the “supplemental annual PRA burden” that FinCEN is adding. Until now, FinCEN only included Stage 6 in its PRA estimate. Now FinCEN is considering Stages 4, 5, and 6.

FinCEN is not addressing the burden associated with Stages 1 to 3 above due to the lack of the necessary granular information. Notably, FinCEN would need information regarding: (i) the levels of burden and cost attributed to differing monitoring systems; (ii) varying levels of complexity in determining whether alerts represent true alerts; and (iii) the amount of research involved in assembling cases to determine whether true alerts warrant the filing of a SAR. Furthermore, FinCEN would need additional information to identify the proportion of these costs that are strictly connected to the filing of a SAR relative to the same costs associated with a filer’s other regulatory or business requirements. FinCEN intends to address the information required for the estimate of the burden and cost of Stages 1 to 3 in a future notice. FinCEN acknowledges that each stage of the SAR production contributes to the next (including those stages of the process not included in this notice). FinCEN assesses, however, that the information provided by this notice, though not a complete estimate of the SAR PRA burden, improves the estimate and creates a foundation for a future estimate of the costs of all six stages.

JRR Comment: It is incumbent on the industry to provide FinCEN with data and information on Stages 1, 2, and 3 of the process, as well as on the other aspects of a program that are not reflected in these six stages: the program requirements of risk assessment, CIP/CDD, training, independent testing, examination management, etc., that are integral to, and part of, the SAR production and filing process.

FinCEN recognizes that SAR cases that are more complex may take a longer time to review at multiple stages, such as the case investigation point in Stage 4 and the SAR filing point in Stage 6. However, for ease of presentation, FinCEN calculated the extra burden of handling complex cases in our burden estimate for Stage 6, and attributed a burden that represents our estimate of the standard administrative work connected to continuing and original SARs to Stages 4 and 5. Therefore, the total estimate proposed in this notice will be the aggregate of the following estimates of the PRA burden related to:

  • Evaluating cases for potential SAR filing (Stage 4). This will be part of the supplemental annual PRA burden calculation.
  • Recordkeeping of cases not converted into SARs (Stage 5). This will be part of the supplemental annual PRA burden calculation.
  • The SAR filing process (Stage 6). This will be part of the traditional annual PRA burden calculation and will include the PRA burden associated with the filing of (i) continuing SARs, (ii) original SARs filed by non-depository financial institutions, and (iii) original SARs filed by depository financial institutions.

JRR Comment: Up to this point, FinCEN has introduced the first two of the three components of its PRA burden and cost estimate: the five categories of SARs, and the six stages of the SAR filing process. Now FinCEN turns to the third component: the people involved in the process. FinCEN has identified four.

FinCEN identified four staff positions and corresponding roles involved in the SAR process in order to estimate the hourly costs associated with the burden hour estimates calculated in this part. Those are: (i) general supervision (providing process oversight); (ii) direct supervision (reviewing operational-level work and cross-checking all or a sample of the filings against their supporting documentation); (iii) clerical work (engaging in case evaluation to support the determination of whether a SAR must be filed); and (iv) clerical work (engaging in producing, filing, and storing SARs and supporting documentation).

JRR Comment: This is where the private sector should provide detailed comments. It has not been my experience that fraud investigators and AML analysts are performing “clerical work”, classified by the Bureau of Labor Statistics as “Financial Clerks” with a mean (average) hourly wage of $20.40. Based on that same data, the mean annual wage is $43,500, with a broad range across the US of $25,980 to $60,600. The same job code for the financial services NAICS (522000) shows an annual mean salary of $44,500 and a 90th percentile salary of $62,330 (10% of the people in that category make more than $62,330). Data from the private sector will (I believe) show that the annual average salary for financial crimes investigators and analysts will be more than $62,330.  

FinCEN calculated the fully loaded hourly wage for each of these four roles by taking the median wage as estimated by the U.S. Bureau of Labor Statistics (BLS), and computing an additional benefits cost as follows:[21]

JRR Comment: Financial institutions must provide comments (supported by data and information) to FinCEN on these four roles and the range and median salaries for those roles. For example, the BLS data shows that the average salary for the Compliance Officer position is $66,236 with a broad range of $39,790 to $111,640. Data should show that most compliance officers earn in excess of $100,000. And differentiating between Depository Institutions, Securities/Futures, and Non-DIs will be critical.

FinCEN estimates that, in general and on average, each role would spend different amounts of time on each stage of the process covered by this notice, as described in the specific estimates below.

1. Estimate of the burden and cost of evaluating cases for potential SAR filing

To estimate the PRA burden involved in evaluating each case generated by one or more alerts, FinCEN starts with the number of cases that, after review, resulted in the filing of 2,751,694 SARs in 2019. As set out in Table 1 above, of that total number of filings, 2,335,559 reports were original SARs, and 416,135 were continuing SARs.

JRR Comment: This may not be an accurate assumption. Again, the private sector needs to provide comments (supported by data) on the burdens and costs of filing continuing activity SARs. 

In the case of continuing SARs, FinCEN assumes that the filer will be monitoring the specific transactions of the previously identified subject, and filing a continuing SAR every ninety days (if the subject did not discontinue the activity), and noting the cumulative monetary amount involved in the suspicious activity. FinCEN therefore assesses that the number of continuing suspicious activity cases will equal the number of continuing SARs.

In the case of original SARs, however, a filer may need to review a large number of cases to determine which cases justify the filing of a report. A paper issued by the Bank Policy Institute in 2018 (the “BPI Paper”)[22] contains the estimates of 13 large, midsize, and small banks (with assets under management of more than $500 billion, between $200 to $500 billion, and between $50 and $200 billion, respectively) about their average conversion rate[23] of cases to SARs. The BPI Paper states that, on average, banks filed SARs on 42% of alerts turned into cases (i.e., alerts that are not considered false positives).[24] In the absence of similar data for other types of financial institutions, FinCEN adopts the bank average conversion rate from cases to SARs set out in the BPI Paper (42%) to approximate the number of cases that could have generated the number of original SARs filed in 2019. If 42% of cases result in the filing of a SAR, the total filing population would have had to review approximately 5,560,854 cases[25] to report the 2,335,559 original SARs submitted in 2019.[26]

JRR Comment: FinCEN got the case-to-SAR conversion rate of 42 percent from the BPI paper. FinCEN refers to pages 5-7 of the BPI paper. Notably, the BPI survey respondents were 19 banks that all had assets of $50 billion or more: there are only 43 such banks. These 19 banks were grouped into small ($50 – $200 billion, at which time there were 33 such banks in total), midsize ($200 – $500 billion in assets, at which time there were 6 such banks in total), and large (greater than $500 billion, at which the time there were 4 such banks). Thirteen (13) of the 19 banks provided data on Alert-to-Case-to-SAR numbers:

  • Large Banks – generated 2.8 million alerts of which 20% (560,000) became cases, of which 42% (235,200) became SARs;
  • Midsize banks – generated 117,000 alerts of which 9.5% (11,115) became cases, of which 54% (6,002) became SARs;
  • Small banks – generated 107,000 alerts of which 8% (8,560) because cases, of which 53% (4,537) became SARs.

Combined, the three tranches of banks generated 3,024,000 alerts which resulted in 579,675 cases, which eventually became 245,739 SARs. This overall Case-to-SAR conversion rate was 42%.

FinCEN estimates that the average burden involved in considering whether a case merits filing an original SAR, for all types of financial institutions and for any type of suspicious transactions, would be 20 minutes per case. FinCEN estimates that the average burden involved in reviewing cases involving continuing SARs will be much lower, at 3 minutes per case.

JRR Comment: These two assumptions – 20 minutes to determine whether a case merits filing an original SAR, and 3 minutes to determine whether continuing activity merits filing a continuing activity SAR – should be tested by financial institutions’ comments to FinCEN. These are important assumptions which may not prove true. 

FinCEN assumes that the review of cases will involve the participation of three of the roles described above, as follows:[27]

Table 7

JRR Comment: Once a case is opened, the common practice is to assign it to a fraud investigator or AML analyst to determine whether the overall activity of the customer meets the definition of “suspicious activity”. If it does, the analyst will then prepare a SAR: if the analyst determines that a SAR is not warranted, they will document their decisioning and close the case. Depending on the type of case, there may be procedures for reviewing those decisions.

Financial institutions should review their data and provide comments to FinCEN: the data will likely show that 80%-90% of the total time spent determining whether a SAR is merited is on case review, 10%-20% on direct supervision, and 0%-10% on indirect supervision.

Footnote 27 below is confusing to me: in my experience, fraud investigators and AML analysts – those people that are working cases, determining whether a SAR should be filed, and preparing and filing the SAR – are not maintaining agendas, documenting minutes of meetings, or assembling files for review by SAR committees.

The total annual PRA burden of this stage involving cases related to both continuing and original SARs would be 1,874,424 hours, at a total cost of $91,846,776, as described in Tables 8A and 8B below.

Tables 8A, 8B

2. Estimate of the burden and cost of documenting cases not converted into SARs

With 2,335,559 cases resulting in SAR filings and an estimated conversion rate of 42%, out of the estimated 5,560,854 cases, 3,225,295 would be cases involving a decision not to file. FinCEN estimates that the average burden hours of documenting the rationale as to why a case does not merit filing a SAR, for all types of financial institutions and in the context of any type of suspicious transactions, would be 25 minutes per report.

JRR Comment: FinCEN is estimating that it takes 20 minutes to determine whether a SAR is merited, and an extra 5 minutes to document the reasons for not filing a SAR if a SAR is not merited. Financial institutions should provide comments, supported by data and information, on these estimates.   

FinCEN assumes that documenting the rationale for not filing a SAR and the storage of the case documents will involve the participation of three of the roles described above, as follows:

Table 9

JRR Comment: In Table 7, FinCEN is estimating that the work done to determine whether a SAR is merited, and a SAR results, involves 10% indirect supervision, 60% indirect supervision, and 30% clerical work. In Table 9, FinCEN is estimating that the work done to determine whether a SAR is merited, and a SAR does not result, involves 1% indirect supervision, 19% indirect supervision, and 80% clerical work. However, with the exception of documenting no-SAR decisions, this is the same work performed by the same fraud investigators or AML analysts, supervised by the same direct supervisors. The ratios of work should be the same, or roughly the same, for both processes.    

The total annual PRA burden of this stage would be 1,343,872 hours, at a total cost of $38,972,288, as described in Table 10 below:

Table 10

3. Estimate of the burden of the SAR filing process

JRR Comment: To this point, FinCEN has laid out the five categories of SARs, the six stages of the SAR filing process, and the four types of positions involved in that process. FinCEN has also described the updated or new burden and cost estimate of evaluating cases for potential SAR filing and, for those cases that result in a “no-SAR” decision, the burden and cost of documenting that decision. In this section, FinCEN turns to the burden and cost estimate of the process of preparing and filing a SAR once the decision has been made that the case merits a SAR.

But first FinCEN describes its current estimate, made ten years ago before mandatory electronic filing, before attachments were allowed, and based on the old SAR forms. That estimate, or estimates, are crude and simple: two hours for the 99% and more of SARs filed by single financial institutions, and 2.5 hours for the rare (less than 1% of the SARs) filings made jointly by two or more financial institutions.

FinCEN’s prior estimate of the traditional average burden hours associated with the SAR filing process[28] was based on a 2010 assessment of the manual effort involved in the drafting, writing, filing, and storing of a paper-based SAR with a standard narrative of 4,000 characters (i.e., one page), and the storing or segregation of paper-based supporting documentation. Since 2011, financial institutions have been able to (a) file SARs electronically either in batch or discrete format, and (b) include with their SARs an attachment containing tabular data such as transaction data providing additional suspicious activity information not suitable for inclusion in the narrative. This attachment must be an MS Excel-compatible comma separated value (CSV) file with a maximum size of 1 megabyte. These new features contribute to a substantial decrease in the hourly burden of the mechanical aspects of the filing and storage of SARs and supporting documentation.

As set out in the estimates above, the review of approximately 5,560,854 cases would result in the closing out of 3,225,295 cases, and the filing of 2,335,559 original and 416,135 continuing SARs. In the previous part, FinCEN identified a tractable segmentation of SAR complexity: (a) continuing SARs; (b) original SARs with standard content filed by non-depository institutions; (c) original SARs with extended content filed by non-depository institutions; (d) original SARs with standard content filed by depository institutions; and (e) original SARs with extended content filed by depository institutions. In all cases, the estimate represents the administrative burden involved in producing and reviewing a SAR, overseeing the process of filing a SAR, and the actual filing of a SAR, and not just the mechanical process of generating, submitting, and storing the SAR (which might be very small for fully-automated filers using the batch filing method).

FinCEN assumes that the SAR filing process involves the following four roles described in Table 6, in varying proportions depending on whether the burden accounts for the reporting or the recordkeeping stage of the process:

JRR Comment: Tables 11A, 11B, and 12 set out FinCEN’s estimates for the percentage of time and resulting cost that it takes, by role, for drafting, writing, and submitting “Standard Content” SARs (Table 11A); for drafting, writing, and submitting “Extended Content” or complex SARs (Table 11B); and for the recordkeeping required for both (Table 12). Where there were stark differences in the SAR/No SAR determinations, FinCEN estimates that there are only subtle differences in the ratio of time/cost for standard or simple SARs and extended or complex SARs. Financial institutions should assess their data and information and provide comments to FinCEN: my experience is that complex investigations are often handled by more experienced investigators/analysts, and not necessarily more supervision.

3.1. Continuing SARs

In the case of a suspicious transaction that continues over time, filers must submit continuing SARs every ninety days. Financial institutions filed 416,135 continuing SARs as part of the 2019 SAR submissions. FinCEN estimates that, on average, the burden involved in filing a continuing SAR will be relatively low, and will be substantially the same among all types of financial institutions. The estimated hourly burden and its cost for continuing SARs are as follows:

JRR Comment: FinCEN phrases these as “estimates”, but they appear to be assumptions unsupported by data rather than estimates based on data. Financial institutions should provide comments to FinCEN on the burden and costs of continuing activity SARs compared to original SARs.  

3.2. Original SARs filed by non-depository institutions

Based on the application of the percentage described in Part 1 to SARs with narratives over one page filed by non-depository institution, FinCEN identified 988,377 reports with standard content and 6,897 with extended content.

Original SARs filed by non-depository institutions (standard content)

For the purpose of calculating the burden of original SARs with standard content filed by non-depository institutions, FinCEN estimates that the average burden involved in the filing of original SARs will be higher than that of continuing SARs. Specifically, FinCEN uses an estimate of 40 minutes per batch-filed report and 60 minutes per discrete-filed report for drafting, writing, and submitting the SARs, and 5 minutes per batch-filed reports and 15 minutes per discrete-filed report for storing filed reports and supporting documentation.

JRR Comment: FinCEN has developed a much more nuanced and granular estimate of the burden and cost of filing SARs. The old methodology was a single 120 minutes (2 hours) per SAR. With this new approach, there is a low estimate of 25 minutes for batch-filed, standard content continuing SARs, all the way to 315 minutes (more than 5 hours) for discrete-filed, extended content original SARs.  All of the combinations are set out in the following sections: Depository Institution versus Non-Depository Institution; standard content versus extended content; batch-filing versus discrete-filing; and drafting, writing, and submitting SARs versus recordkeeping for SARs.

The estimated hourly burden and its cost for this subset of SARs are therefore as follows:

Original SARs filed by non-depository institutions (extended content)

For the purpose of calculating the burden of original SARs with extended content filed by non-depository institutions, FinCEN estimates that the average burden will be several times higher than that of standard content SARs, and the related cost will include a larger proportion of the levels of the organization with higher fully-loaded hourly wages (those representing indirect and direct supervision). The estimated hourly burden and its cost for this subset of SARs are therefore as follows:

3.3. Original SARs filed by depository institutions

Based on the segmentation described in Part 1 of depository institution SARs into standard content and extended content, FinCEN identified 1,313,774 reports with standard content, and 26,513 that included extended content.

The estimate of the reporting and recordkeeping burden of these two SAR subsets is as follows, using the per-SAR burden estimates included in the tables:

JRR Comment: This is another significant estimate. Of the 1,340,287 original SARs filed by banks and credit unions (roughly half of all SARs filed), only 26,513 had “extended content”, which is FinCEN’s proxy for complex or, perhaps, significant SARs.

Less than 2% of the original depository institution SARs had extended content or were otherwise complex or significant SARs. The 2018 Bank Policy Institute survey of 19 large banks found that less than 4% of those SARs garnered law enforcement interest.   

Estimated Reporting and Recordkeeping Burden:

The estimated reporting and recordkeeping burden by type of process and report is as follows:

JRR Comment: At the end of this document I have included a chart that visualizes the different estimated time burdens for the twelve (12) combinations of SAR filings: Original versus Continuing Activity; DI versus Non-DI; standard content versus extended content; and batch- versus discrete-filing.

Estimated Total Annual Reporting and Recordkeeping Burden:

The total estimated reporting and recordkeeping burden and cost per type of process and type of report are as follows. As detailed in Table 22 below, the total estimated recordkeeping and reporting annual PRA burden for the case review and SAR filing process of the seven OMB control numbers covered by this notice is 5,462,026 hours, for a total cost of $206,422,989.

JRR Comment: FinCEN estimates that the total costs of the SAR filing process (or at least the last three of the six stages of the SAR filing process) costs $206,422,989. The Bank Policy Institute survey of 19 large banks found that 14 of those banks (that responded to the survey questions on costs) reported that they spent, on aggregate, $2,400,000,000 on AML and CFT (Countering the Financing of Terrorism) compliance. FinCEN’s estimates for 12,148 SAR filers has captured less than 10% of what 14 large banks have reported in a private survey. There is some work to be done to reconcile these numbers. FinCEN acknowledges that there is work still to be done: and I acknowledge and applaud the work that FinCEN has done to date.

The distribution of the total estimated annual PRA burden and cost, by type of financial institution and SAR (original or continuing), and by SAR production process stage is as follows:[29]

FinCEN acknowledges that some of the partial estimates may over- or under-state the burden and cost of some the stages of the SAR production process covered by this notice, due to generalization and lack of more detailed information. FinCEN wishes to emphasize that the total burden presented in Table 22 is spread across a number of different SAR reporting requirements involving different types of financial institutions. Indeed, in the case of depository institutions, both FinCEN and the Federal banking agencies have regulations requiring SAR reporting.[30] However, only one SAR form is filed in satisfaction of the rules of both FinCEN and the Federal banking agencies. FinCEN has historically never attempted to allocate the burden between agencies for SARs required by the rules of more than one agency. FinCEN intends to conduct more granular studies of the filing population in the near future, to arrive at more realistic estimates that take into consideration a more specific breakdown of the SAR production process, including estimating the burden to financial institutions of Stages 1 to 3, which may include the inter-agency burden allocation referred to above. The data obtained in these studies may result in a significant variation of the estimated total annual PRA burden.

An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the collection of information displays a valid OMB control number. Records required to be retained under the BSA must be retained for five years.

Part 3. Request for Comments

JRR Comment: This is the most important part of the notice. FinCEN has six specific requests for comments, and also invites general comments. Financial institutions must take this opportunity to provide FinCEN with actual data and information: anecdotes that “the SAR regime costs too much and doesn’t produce tangible, direct benefits to financial institutions” must be replaced with data-driven information. Only then can better collective, public/private sector decisions be made.

a. Specific Requests for Comments:

Comments submitted in response to this notice will be summarized and/or included in the request for OMB approval. All comments will become a matter of public record. Comments are invited on the calculation of the total PRA burden of filing the SAR, under the current regulatory requirements. Specifically, comments are invited on the following issues:

1. FinCEN has based the estimates contained in this notice on the actual SARs filed in 2019. We have restricted the analysis to features we could measure and statements we were able to support with data extracted from the 2019 filers and submissions, using limited external data for estimates of parameters such as labor costs and conversion rates for alerts into filed SARs. FinCEN is not able to factor in its estimate of the PRA burden the burden of portions of the process for which FinCEN lacks information in filed reports or reliable existing studies. All requests for comments ask the public to suggest other factors that may affect the burden and cost of SAR reporting. Suggested factors that FinCEN could quantify by analyzing the contents of the BSA database, or by referring to statistical information publicly available, and without conducting a formal survey of the reporting financial institutions would be especially appreciated.

JRR Comment: FinCEN is looking for data and information that comes from (i) the BSA Database (accessible on FinCEN’s website) and other publicly available, reliable sources. FinCEN does not seem interested in survey-based information, such as the BPI survey that FinCEN has, in fact, relied on for this notice.

2. FinCEN proposes to expand the annual PRA burden estimate to cover three stages of the SAR production process: (a) the review of cases based on monitoring alerts considered true positives; (b) the documentation of the decision not to turn a case into a SAR; and (c) the SAR filing process. A sample conversion rate of cases that lead to SARs for depository institutions was used to calculate how many total cases at all financial institutions would have to be evaluated to produce the total number of original SARs filed in 2019. FinCEN invites comments on the characterization of these three stages, the general case conversion rate utilized, and the existence of other generally available research documents that may show different case conversion rates for different financial institution types.

JRR Comment: This is the critical issue. FinCEN is inviting financial institutions (and their trade associations and other interested parties) to provide comments, supported by data, on the first three stages of the SAR process that are not currently included in the PRA burden and cost estimate. Those three stages are: (1) maintaining a monitoring system; (2) reviewing alerts; and (3) transforming alerts into cases.

3. FinCEN estimates that, in general, the cost of labor involved in the three stages of the SAR production process covered by this notice will depend on the level of involvement in each stage of at least four different types of labor within the organization (general supervision, direct supervision, clerical work for evaluation, and clerical work for recordkeeping). Is this a reasonable identification of the roles involved in the SAR process? Has FinCEN calculated labor costs reasonably? Within the calculations of PRA burden, has FinCEN reasonably estimated the involvement of the different kinds of labor identified?

JRR Comment: FinCEN is also seeking comments on the four types of people, or positions, in the SAR filing process, their costs (salaries and benefits), and the relative time each spends on the five types of SARs across the six stages of the SAR filing process. The data in the Bureau of Labor Statistics materials, cited by FinCEN should be analyzed and compared against what FinCEN has used. See my comments above: hourly rates of $15 to $60 per hour for all participants in the SAR process appear to be materially low.

4. FinCEN arrived at estimates for (i) the hour burden of the review of all cases based on true positive alerts, and (ii) the decision not to file SARs based on the proportion of the cases that were not converted into original SARs. In general and on average, are these estimates reasonable?

JRR Comment: As indicated, this is really two issues that FinCEN is seeking comments on. One could argue that any estimate made in good faith is, in general and on average, reasonable. But I believe FinCEN is looking for something to support a higher standard than generally, on average, reasonable. It is incumbent on financial institutions to provide FinCEN with data and information to support a higher standard.

5. FinCEN segmented the universe of SAR filings into several different categories for purposes of estimating SAR complexity: (a) continuing SARs; (b) original SARs with standard content filed by non-depository institutions; (c) original SARs with extended content filed by non-depository institutions; (d) original SARs with standard content filed by depository institutions; and (e) original SARs with extended content filed by depository institutions. For each of these categories, FinCEN adjusted the estimated SAR filing burden depending on the filing method (batch or discrete). Is this segmentation reasonable? Are there other categories of SARs which FinCEN could quantify by analyzing the contents of the BSA database and without conducting a formal survey of the reporting financial institutions?

JRR Comment: Money Services Businesses (MSBs) were bucketed into the “non-depository institution” category along with the securities/futures industries’ institutions, casinos, card clubs, housing agencies, insurance companies, loan companies, and the “undetermined”. Given that 33% of all SARs were filed by MSBs, it may be better to have three categories: Depository Institutions, MSBs, and Other Non-Depository Institutions.

6. Are the other assumptions FinCEN made to calculate the burden associated with filing the different categories of SARs reasonable, such as the number of minutes required for each category of report?

b. General Request for Comments:

Comments submitted in response to this notice will be summarized and/or included in the request for OMB approval. All comments will become a matter of public record. Comments are invited on: (1) whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (2) the accuracy of the agency’s estimate of the burden of the collection of information; (3) ways to enhance the quality, utility, and clarity of the information to be collected; (4) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology; and (5) estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

Summary of the total time to prepare, file, and record a SAR: FinCEN PRA burden and cost estimate

Endnotes

[1] Section 358 of the USA PATRIOT Act added language expanding the scope of the BSA to intelligence or counter-intelligence activities to protect against international terrorism.

[2] Treasury Order 180-01 (re-affirmed January 14, 2020).

[3] FinCEN’s System of Records Notice for the BSA Reports System was most recently published at 79 FR 20969 (April 14, 2014).

[4] Public Law 104-13, 44 U.S.C. 3506(c)(2)(A).

[5] The SAR regulatory reporting requirements are currently covered under the following OMB control numbers: 1506-0001 (31 CFR 1020.320 – Reports by banks of suspicious transactions); 1506-0006 (31 CFR 1021.320 – Reports by casinos of suspicious transactions); 1506-0015 (31 CFR 1022.320 – Reports by money services businesses of suspicious transactions); 1506-0019 (31 CFR 1023.320 – Reports by brokers or dealers in securities of suspicious transactions, 31 CFR 1024.320 – Reports by mutual funds of suspicious transactions, and 31 CFR 1026.320 – Reports by futures commission merchants and introducing brokers in commodities of suspicious transactions); 1506-0029 (31 CFR 1025.320 – Reports by insurance companies of suspicious transactions); and 1506-0061 (31 CFR 1029.320 – Reports by loan or finance companies of suspicious transactions). The PRA does not apply to reports by one government entity to another government entity. For that reason, there is no OMB control number associated with 31 CFR 1030.320 – Reports of suspicious transactions by housing government sponsored enterprises. OMB control number 1506-0065 applies to FinCEN Report 111 – SAR.

[6] One hour of burden is estimated under each of the following OMB control numbers: 1506-0001, 1506- 0006, 1506-0015, 1506-0019, 1506-0029, and 1506-0061.

[7] See Table 1 below for a breakdown of the types of financial institutions that filed SARs in 2019. Note that all banks, casinos and card clubs, money services businesses, brokers or dealers in securities, mutual funds, providers of covered insurance products, futures commission merchants and introducing brokers in commodities, loan or finance companies, and housing government sponsored enterprises are required to comply with the SAR regulatory requirements; however, not all financial institutions identify suspicious activity that would warrant a SAR filing. See 31 CFR 1020.320 (banks), 31 CFR 1021.320 (casinos and card clubs), 31 CFR 1022.320 (money services businesses), 31 CFR 1023.320 (brokers or dealers in securities), 31 CFR 1024.320 (mutual funds), 31 CFR 1025.320 (insurance companies), 31 CFR 1026.320 (futures commission merchants and introducing brokers in commodities), 31 CFR 1029.320 (loan or finance companies), and 31 CFR 1030.320 (housing government sponsored enterprises).

[8] Despite the expanded scope, FinCEN has not presented in this notice an estimate of the entire burden that is associated with SAR filings because, as described further in Part 2, FinCEN lacks the granular data to estimate the costs of certain steps in that process.

[9] Numbers are based on actual 2019 filings as reported to the BSA E-Filing System, as of 12/31/2019. Assumptions and estimates are also based on actual 2019 SAR filings.

[10] An original (or initial) report is the first SAR filed on suspicious activity no later than 30 days after the date of initial detection by the filer. (See e.g., 31 CFR 1020.320(a)(3)). A continuing SAR must be filed on suspicious activity that continues after an initial SAR is filed. Continuing reports must be filed on successive 90-day review periods until the suspicious activity ceases, but may be filed more frequently if circumstances warrant. For more information on continuing reports, see page 142 of the FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Requirements – XML Schema 2.0. https://bsaefiling.fincen.treas.gov/docs/XMLUserGuide_FinCENSAR.pdf

[11] In Table 1, the category “Securities/Futures” includes brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. The category “Undetermined” includes filers with missing, incomplete, or contradictory information about the type of financial institution to which they belong.

[12] In batch filing, a filer submits a single electronic file containing several reports. In discrete filing, the filer fills in an electronic report individually, using a data entry screen that FinCEN provides. While exceptions apply, batch filing is generally used by large-volume filers that have automated the filing process, while discrete filing is generally employed by filers that submit fewer reports per year and rely more on manual data entry methods.

[13] The category “Other” in Table 2 includes securities and futures, housing government sponsored enterprises, providers of covered insurance products, and filers for which the type of financial institution was still being determined at the moment of publication of this notice, as defined above. We adopt the same criteria for the rest of the tables contained in the notice, such as in Tables 4A, 4B, and 5 below.

[14] The percentage of filers contained in each tranche, and the percentage of reports submitted by those filers, are contained in the fields “pct_filers” and “pct_forms”, respectively. The cumulative percentage of filers contained in all tranches up to and including the current one, and the cumulative percentage of reports submitted by such filers, are shown in the fields “cumm_pct_filers” and “cumm_pct_forms”, respectively.

[15] FinCEN Report 111 – SAR contains checkboxes that allow filers to identify a variety of suspicious activities, such as structuring, terrorist financing, fraud, money laundering, and a cyber-event. FinCEN Report 111 – SAR has 18 categories of suspicious activities.

[16] Some filers attach a supplemental file to the report that in general contains a list of individual transactions that raised the alert about a potential suspicious transaction. The length of the narrative is sometimes impacted by whether the filer submits an attachment to the report listing these transactions, or uses the narrative section of the report to include such a list.

[17] The number of suspicious activities identified in each report represents the number of check boxes selected by the filer.

[18] By “in general,” FinCEN is speaking without regard to outliers (e.g., reports exhibiting features that are uncommonly higher or lower than those of the population at large), or that apply to a very narrow type of filer or type of transaction. By “on average,” FinCEN means the mean of the distribution of each subset of the population (although FinCEN uses median labor cost data to calculate weighted hourly worker compensation allocated to each PRA burden hour in Table 6 below).

[19] FinCEN acknowledges that the description of the SAR production process in this notice seems to imply that the process is always linear, with each stage following the previous one. While this situation may reflect a large proportion of the cases reviewed and SARs filed, certain situations will require the filer to return to an earlier stage (such as requiring additional information from the case managers, or drafting several versions of a narrative). The breakdown of the SAR production process in a discrete number of linear stages is intended as a conceptual framework to guide FinCEN’s estimates of the different levels of PRA burden. Such framework does not involve or imply any modification to, or new interpretation of the actual rule text of BSA regulations. The details provided in each stage of the framework serve only as a list of the features FinCEN did or did not consider when estimating the PRA burden of such stage. While FinCEN believes the tasks described in the framework represent the work generally required to produce a SAR, there is no obligation for a financial institution to adopt either formally or informally a process such as the one presented by the framework.

[20] FinCEN recognizes that filers may use the monitoring system to comply with additional BSA and non-BSA regulatory requirements, as well as for other business purposes such as protecting against reputational risks of money laundering and fraud against the filer or the filer’s customers.

[21] See U.S. Bureau of Labor Statistics, Occupational Employment Statistics-National, May 2019, available at https://www.bls.gov/oes/tables.htm . The most recent data from the BLS corresponds to May 2019. For the benefits component of total compensation, see U.S. Bureau of Labor Statistics, Employer’s Cost per Employee Compensation as of December 2019, available at https://www.bls.gov/news.release/ecec.nr0.htm . The ratio between benefits and wages for financial activities, credit intermediation and related activities is $15.80 (hourly benefits)/$31.45 (hourly wages) = 0.502. The benefit factor is 1 plus the benefit/wages ratio, or 1.502. Multiplying each hourly wage by the benefit factor produces the fully-loaded hourly wage per position.

[22] ‘Getting to Effectiveness – Report on U.S. Financial Institution Resources Devoted to BSA/AML and Sanctions Compliance’, Bank Policy Institute, October 29, 2018, available at https://bpi.com/wp-content/uploads/2018/10/BPI-AML-Sanctions-Study-vF.pdf . See pages 5-7.

[23] The average conversion rate represents the percentage of the total number of cases that, after receiving further review and consideration, warranted the filing of a SAR.

[24] Ibid. The BPI Paper identifies several provisos regarding the correlation among the different metrics (such as the number of alerts related to AML issues only, while the number of SARs filed included both fraud and AML-related transactions). FinCEN considers that these qualifications do not affect the rationale of applying the bank conversion rate of cases into SARs to the full filer population.

[25] The number of original SARs submitted in 2019 (2,335,559) divided by the 42% conversion rate.

[26] FinCEN acknowledges that this estimate simplifies the conversion, stipulating that one case will generate or fail to generate one SAR, when in practice several cases may be reported in a single SAR. It is also possible, while not very probable, that a single case may require the filing of more than one simultaneous SAR.

[27] FinCEN’s assumption is that the clerical work involved in the case review stage would include general administrative and coordination responsibilities, such as the maintaining of agendas, documentation of minutes, assembly of files to be presented to the appropriate authority (for example, a filer’s SAR Committee), and the summarization of the reasons not to file.

[28] FinCEN’s estimate of the traditional average burden hours involved in the SAR filing process was 2 hours for SARs filed individually (60 minutes attributed to reporting, and 60 minutes attributed to recordkeeping), and 2.5 hours per SAR for joint filings (90 minutes attributed to reporting, and 60 minutes attributed to recordkeeping). Joint filings are a single SAR filed by two or more separate financial institutions. This type of filing constitutes less than 1% of total filings.

[29] FinCEN obtained the breakdown by applying the percentages of continuing and original SARs by type of financial institution listed in Table 1, to the burden and cost estimates contained in Tables 8A, 8B, 10, and 13 to 20. Financial institutions the type of which is “undetermined” are included in the “Other nondepository” category in Tables 23 and 24.

[30] See 12 CFR 208.62, 211.5(k), 211.24(f), and 225.4(f) (Federal Reserve Board); 12 CFR 353.3 (Federal Deposit Insurance Corporation); 12 CFR 748.1(c) (National Credit Union Administration); 12 CFR 21.11 and 12 CFR 163.180 (Office of the Comptroller of Currency); and 31 CFR Chapter X (FinCEN).

FinCEN Director Ken Blanco is Crystal Clear on Virtual Currency Risks & Requirements

FinCEN Director Kenneth A. Blanco, delivered Prepared Remarks at the Consensus Blockchain Conference on May 13, 2020. They are available at Prepared Remarks and reproduced in full below.

Borrowing a page from Federal Reserve Chairman Jerome Powell, Director Blanco’s remarks are a clear tell-it-like-it-is message to the virtual assets/blockchain community.[1]

It is a refreshing change from many senior people in the public and private sectors who, coached by consultants and tamed by lawyers, are unwilling or unable to provide clear and concise guidance. Director Blanco’s remarks were clear and concise. Well done!

Below is the text of Director Blanco’s prepared remarks. My comments appear in blue italics.

Text of Director Blanco’s Prepared Remarks, Consensus Blockchain Conference (Virtual)

Introduction

Good morning, everyone.  Thank you so much for that very kind introduction.

It is great to be with you today, a bit ironic, via this virtual technology to discuss FinCEN, its mission, and how we—government and the virtual currency industry (all of you)—can work together to shape the virtual currency environment to combat criminal exploitation of this space, including the tech industry, to better ensure our national security and protect our financial system, our communities, and our families from harm.

This is truer today than ever before given the global situation we now find ourselves in—the need for our collaboration is clear and undeniable.

Joining this conference today are many financial institutions, including virtual currency service providers.  As I have said many times before, you are the backbone of the financial system and are on the front lines of the anti-money laundering (AML) and countering the financing of terrorism (CFT) framework—protecting people from harm.  I also know that many of FinCEN’s government partners are joining today too, experts and key leaders from the Department of Justice and other law enforcement agencies, fellow regulators, and many other government partners with whom we work on a daily basis to protect people from harm.

JRR Comment – I applaud Director Blanco’s statement that the front line of the AML/CFT regime is protecting people from harm (“the front lines of the anti-money laundering (AML) and countering the financing of terrorism (CFT) framework—protecting people from harm”). The front lines, or main focus of an AML/CFT regime has to be on protecting people from harm, and that is done by providing timely, actionable intelligence to law enforcement. The focus of financial institutions’ BSA, AML, and CFT programs must be on providing timely, actionable intelligence to law enforcement, and prudential regulators must examine and judge those programs solely on that basis … and not on whether they are complying with the technical requirements of documenting compliance with regulatory requirements for BSA/AML compliance programs..   

Both the public and private sectors are critical to combating exploitation of virtual currency, and when working together, our national security and citizens are safer.  There is no substitute for the private sector’s visibility into and ability to prevent criminal exploitation of virtual currency products and platforms—particularly those of you who are organizing, developing, and administering these products and platforms.  Our work together plays a significant role not just in advancing financial transparency, inclusion, and the development of the future of payment systems, but also in identifying, tracking, and stopping criminals including terrorists and other bad actors from harming others, particularly the most vulnerable.  It is our shared responsibility to ensure that this technology does not get hijacked by criminals and bad actors—we cannot let innovation become the conduit for crime, hate, and harm—it is a national security issue.

As many of you know, FinCEN plays two roles in the U.S. national security apparatus:

First:  FinCEN is the primary regulator and the administrator of the Bank Secrecy Act, or BSA, part of the comprehensive legal architecture in the fight against money laundering and its related crimes, and terrorism and its financing.  FinCEN, through its administration of the BSA, is a global leader in both regulating convertible virtual currency activity and taking action against its illicit use.

Second:  FinCEN is the Financial Intelligence Unit, or FIU, of the United States—the world’s largest and most powerful economy.

Today, I would like to share with you some of our recent work in the virtual currency space and use my brief time today to clarify a few misconceptions.

I will address three things:

  1. FinCEN’s efforts to provide guidance and combat money laundering and its related crimes, and terrorism and its financing, involving virtual currency related to the COVID-19 pandemic;
  2. The Travel Rule and trends FinCEN is seeing with respect to compliance; and
  3. Opportunities for collaboration in the fight against the illicit use of virtual currencies and key challenges.

COVID-19

These are, without a doubt, unprecedented times.  The last few months have had a profound effect on the world as we know it or knew it, including in the area of illicit finance threats and related crimes.  With businesses and individuals in our country and across the globe facing new and challenging circumstances, along with the rollout of major new Federal, State, local, and foreign government initiatives to combat the COVID-19 pandemic and its economic consequences, the entire AML community has been adapting in real time.

Over the last couple of months, FinCEN has pursued several important public-facing and strategic lines of effort relevant to your institutions:

  • First, AML Resources:  FinCEN has issued two Notices—one on March 16 and another on April 3 of this year—to financial institutions advising them to stay alert for malicious or fraudulent transactions, with examples of similar indicators that we have seen in the wake of natural disasters.  These Notices also provide financial institutions with information regarding AML operations during the COVID-19 pandemic and a direct contact mechanism for urgent COVID-19-related issues.  Please reach out to us proactively if you anticipate challenges fulfilling your BSA reporting obligations due to the pandemic.
  • Second, Criminal Typologies and Investigative Support:  FinCEN is also continuously monitoring criminal activity exploiting the current pandemic.  We are supporting law enforcement investigations into COVID-19-related cybercrime, scams, and fraud.  FinCEN also plans to publish multiple advisories highlighting common typologies used in the pervasive fraud, theft, and money laundering activities related to the pandemic to better help the financial sector detect and report this activity.  The mission for all of us in the financial space is to get badly needed funds to the intended recipients who need it—some for their financial survival—not to exploitive criminals and fraudsters.

Cybercrime:

I want to spend a few moments covering various forms of cybercrime that criminals continue to pursue and adapt during the pandemic.  FinCEN has observed that cybercriminals predominantly launder their proceeds and purchase the tools to conduct their malicious activities via virtual currency.  Your institutions have the opportunity, and obligation, to help identify these illicit criminal networks in your suspicious activity reporting to FinCEN, so that FinCEN can aggregate and analyze this information to identify red flags, permitting industry to spot risks.

JRR Comment: Director Blanco couldn’t be clearer: “FinCEN has observed that cybercriminals predominantly launder their proceeds and purchase the tools to conduct their malicious activities via virtual currency.”

To be clear, this obligation goes much deeper than to FinCEN or the law or to regulations—it is an obligation to others, your families, your loved ones, your friends, your neighbors, and fellow citizens who are victims or potential victims of these crimes.  During this time of crisis where our people could be more at risk and more vulnerable than ever, we, all of us, have a duty and  responsibility to use our abilities, tools, and talents to protect others and ensure the stability of this ecosystem that we are creating and that depends on trust.

Here is some of what we are seeing:

  • COVID-19 as Lure:  FinCEN and U.S. law enforcement have seen reports of cybercriminals leveraging COVID-19 themes as lures, often targeting vulnerable individuals and companies that seek healthcare information and products or are contributing to relief efforts.  This type of cybercrime in the COVID-19 environment is especially despicable, because these criminals leverage altered business operations, decreased mobility, and increased anxiety to prey on those seeking critical healthcare information and supplies, including the elderly and infirm.
  • Adapting to Opportunities Because of increased remote work by many companies and government institutions worldwide, many distinct threat vectors, risk considerations, and mitigation strategies are being used by criminals and bad actors.  FinCEN is aware that cybercriminals are targeting vulnerabilities in remote applications—including virtual private networks and remote desktop protocol exploits—to steal sensitive information and compromise transactions.  Whether with COVID-19 lures or not, cybercriminals and malicious state actors are using wide-scale phishing campaigns, malware, extortion, business email compromise, and other exploits against remote platforms to steal credentials, conduct fraud, and spread disinformation.
  • Scams:  Many prevalent scams involving virtual currency payments exploit COVID-19, from extortion, ransomware, and the sale of fraudulent medical products, to initial coin offering investment scams, which will likely continue to grow during the pandemic.
  • Undermining Due Diligence:  Criminals are also working to undermine “know your customer” processes in the remote environment.  Virtual currency businesses should remain vigilant against attacks targeting their onboarding and authentication processes, for example “deepfakes” manipulating digital images and account takeovers facilitated by credential stuffing attacks.  Financial institutions should consider the risks of the current environment in their business processes, and the appropriate level of assurance needed for digital identity solutions to mitigate criminal exploitation of your products and platforms.  Even financial institutions that typically manage their lines of business remotely, such as some virtual currency exchangers, may find themselves more exposed given the changing threat environment.

JRR Comment – Director Blanco has set this out in a way that makes it easy to understand and manage through the COVID-19 pandemic: lures, opportunities, scams, and fakes.

TRAVEL RULE

I now want to turn to another major topic, and the primary theme of today’s discussions, the Travel Rule.  The United States has long maintained an expectation that financial institutions identify counterparties involved in transactions for a variety of purposes, including AML/CFT and sanctions, even for transactions in virtual currency.  Any asset that allows the instant, anonymized transmission of value around the world with no diligence or recordkeeping is a magnet for criminals, including terrorists, money launderers, rogue states, and sanctions evaders.

As a result, we applaud steps taken by the Financial Action Task Force (FATF) last June to establish a consistent approach to the position we have taken when it adopted, as an International Standard, Interpretive Note to FATF Recommendation 15, which included, among other things, FATF’s interpretation that countries should apply FATF Recommendation 16’s Travel Rule to virtual asset service providers such as virtual currency exchanges.

We are encouraged that so many creative solutions are being developed by industry to address these Travel Rule obligations.

In particular, FinCEN is optimistic about the growth of various cross-sector organizations and working groups focusing on developing international standards and solutions addressing the Travel Rule.  I know those efforts involve many of you here today.  FinCEN will continue to monitor your developments, whether as observers in working groups, learning about your efforts in forums like this, or meeting with you under the FinCEN Innovation Hours Program, where fintech and regtech companies present to FinCEN new and innovative products and services for potential use in the financial sector.

While we are glad to see the increased emphasis on compliance, I must emphasize again that the United States has maintained this expectation to understand who is on the other side of a transaction for years.

JRR Comment – Director Blanco could have been more specific than “the United States has long maintained an expectation that financial institutions identify counterparties involved in transactions for a variety of purposes, including AML/CFT and sanctions, even for transactions in virtual currency” or “the United States has maintained this expectation to understand who is on the other side of a transaction for years.” The Travel Rule has been part of the BSA/AML regime for more than 20 years; and virtual currency exchanges and administrators have been subject to the BSA/AML regime since at least 2013.

As I mentioned at the Chainalysis conference in November, recordkeeping violations are the most commonly cited violation by our delegated Internal Revenue Service (IRS) examiners against money services businesses (MSBs) engaged in virtual currency transmission.

JRR Comment – Director Blanco was clear in remarks he made at a November 2019 ChainAlysis Blockchain Symposium, where he said the travel rule “applies to CVC, and we expect you to comply, period.” And CoinBase reported at that same symposium that Director Blanco said “you can’t build a car that only goes 150 miles per hour and ask us to change the speed limit. That’s not happening. Build your car to meet the requirements.”

We have also previously highlighted our confidence that industry can absolutely carry out this requirement.  We know technologies exist to support compliance with all recordkeeping obligations.  Most challenges we see across the sector relate to governance and process rather than technologies, and many solutions in both governance and technology models could ultimately comply.  FinCEN takes a technology neutral approach and we encourage the virtual currency sector to continue collaborative efforts to develop and implement these solutions and to keep FinCEN apprised of their progress, including by considering participating in FinCEN’s Innovation Hours Program.

OTHER OPPORTUNITIES FOR COLLABORATION AND CHALLENGES

Finally, I would like to briefly highlight some of our key opportunities for collaboration in combating illicit virtual currency use and the top remaining challenges we see, which hopefully those of you here today can help address.

Our partnerships across regulators, supervisors, law enforcement, and industry are the cornerstone of our efforts to disrupt the illicit use of virtual currency and illicit cyber activity.  FinCEN has worked alongside law enforcement initiatives like the National Cyber Investigative Joint Task Force (NCIJTF) and the Joint Criminal Opioid Darknet Enforcement (J-CODE) to investigate criminal networks exploiting virtual currency for the purchase of fentanyl, narcotics, cybercrime tools, and child pornography on darknet marketplaces.  We also work with international partners bilaterally or through multilateral forums like the Egmont Group of 164 FIUs, the Heads of FATF FIUs Symposium, of which we are a founding and leading member, and separately with FATF itself, with Europol, and with our FVEY partners as well, to enhance international capacity to investigate and prosecute criminals using virtual currencies for illicit purposes.

And of course, our partnerships with industry are paramount in the virtual currency space.  FinCEN has provided priority information on typologies of illicit virtual currency use to financial institutions through our advisory and FinCEN Exchange programs.  FinCEN is also sharing cyber indicators of compromise to help the financial sector detect, report, and defend against cyber activity that may be connected with illicit financial activity.

JRR Comment – Director Blanco is spot on with his comments. Effective Public/Private sector Partnerships, or PPPs, are the only way to combat AML and CFT, whether in the crypto space or fiat space.

The information we are able to share with industry is built on top of high quality information we receive in BSA reporting.

Since 2013, FinCEN has received nearly 70,000 Suspicious Activity Reports (SARs) involving virtual currency exploitation.  Just over half of these reports come from virtual currency industry filers, likely many of you participating today.  We also get valuable reporting from more traditional financial institutions that also have a unique window into illicit financial flows involving virtual currency, such as banks that may see ransomware payments made by customers or MSBs that see funds transfers derived from account takeovers.

This reporting is incredibly valuable to FinCEN and law enforcement, especially when you include technical indicators associated with the illicit activity, such as Internet Protocol (IP) addresses, malware hashes, malicious domains, and virtual currency addresses associated with ransomware or other illicit transactions.

JRR Comment – I would encourage Director Blanco to provide more information on the trends and patterns. There were 70,000 SARs filed: how many of those provided tactical or strategic value to law enforcement (I have called these TSV, or Tactical or Strategic Value, SARs)? Reporting financial institutions tune and enhance their monitoring and surveillance systems using an Alert-to-SAR analysis: the tuning and enhancing of those systems would be more effective, and the institutions more efficient, if they were able to use an Alert-to-TSV SAR analysis. Only the public sector can provide TSV information.

However, there remain significant issues that concern us in the virtual currency space.  Many of these are issues some of you may have heard me address before:

  • Risks associated with anonymity-enhanced cryptocurrencies, or AECs, remain unmitigated across many virtual currency financial institutions.  We expect each financial institution to have appropriate controls in place based on the products or services it offers, consistent with the obligation to maintain a risk-based AML program.  This means we are taking a close look at the AML/CFT controls you put on the types of virtual currency you offer—whether it be Monero, Zcash, Bitcoin, Grin, or something else—and you should too.  To be sure, FinCEN and our delegated examiners at the IRS are focused on this.

JRR Comment – I agree with Director Blanco that anonymity-enhanced cryptocurrencies are a key risk. Just as anonymity-enhanced legal entities are a key risk: lack of a federal standard that legal entities disclose their beneficial ownership, and provide that information to a publicly-available central registry, remains the biggest risk facing the American AML/CFT regime. 

  • We are also increasingly concerned that businesses located outside the United States continue to try to do business with U.S. persons without complying with our rules.  These include registering, maintaining a risk-based AML program, and reporting suspicious activity, among other requirements.  If you want access to the U.S. financial system and the U.S. market, you must abide by the rules.  We are serious about enforcing our regulations, including against foreign businesses operating in the United States as unregistered MSBs.  We take this very seriously and encourage you to include detailed information about such businesses in your SAR filings when you identify suspicious activity.  If you are going to avail yourself of the U.S. financial system from abroad, you cannot do so without engaging in the financial integrity practices that make this financial system so powerful, stable, trusted, and desirable.

Conclusion

As I conclude, I want to thank you all again for giving me this time today.  FinCEN is committed to enhancing our capabilities and understanding of virtual currencies and to encouraging and fostering responsible innovation.  We look forward to continuing our efforts with all of you in this regard.

Thank you.

JRR Conclusion – In an article I wrote and posted on July 11, 2019 – see RegTech Consulting Article July 11, 2019 – I wrote that “I have followed four Federal Reserve chairs (Greenspan, Bernanke, Yellen, and Powell), and have found that Chairman Powell is the only one of the four that I could consistently understand! In fact, Alan Greenspan’s infamous line – ‘Since becoming a central banker, I have learned to mumble with great incoherence. If I seem unduly clear to you, you must have misunderstood what I said’ – seems to have been the modus operandi of his successors, also … except for Chairman Powell.”

FinCEN Director Ken Blanco is another public official who is not only easy to understand, he makes it crystal clear what he and FinCEN expect of financial institutions when it comes to their AML/CFT obligations. It is refreshing, courageous, and essential as we all fight through the global pandemic of 2020 and try to emerge on the other side better and stronger. 

FOOTNOTE [1] On July 10, 2019, Federal Reserve Chairman Jerome Powell appeared before the House Financial Services Committee for his semi-annual report to Congress. Ranking Member McHenry’s opening statement included that Chairman Powell’s “candor is welcome and encouraged, and we thank you for attempting to speak like a normal human being …”.

FinCEN’s Marijuana-Related SAR Data: By Not Including MSBs, Are We Under-Reporting Marijuana Businesses’ Access to Financial Services?

Marijuana-Related Businesses may have greater access to financial services than is being reported, even if those services aren’t being provided by banks and credit unions

The only real guidance that financial institutions can turn to when deciding whether to provide financial services to marijuana-related businesses, or MRBs, is FinCEN’s February 14, 2014 guidance, FIN-2014-G001. The actual Guidance document – FIN-2014-G001 PDF – begins with: “The Financial Crimes Enforcement Network (“FinCEN”) is issuing guidance to clarify Bank Secrecy Act (“BSA”) expectations for financial institutions seeking to provide services to marijuana-related businesses.”

The section “Providing Financial Services to Marijuana-Related Businesses” begins with “This FinCEN guidance clarifies how financial institutions can provide services to marijuana-related businesses consistent with their BSA obligations. In general, the decision to open, close, or refuse any particular account or relationship should be made by each financial institution based on a number of factors specific to that institution.” Following that is a section on seven marijuana-related business-specific customer due diligence steps a financial institution should consider in assessing the risk of providing services to a marijuana-related business. Then there is guidance on the three types of marijuana-related Suspicious Activity Reports: Marijuana Limited, Marijuana Priority, and Marijuana Termination. Finally, there are two pages of “Red Flags to Distinguish Priority SARs”.

Throughout the Guidance, the term “financial institution” is used forty-four times in seven pages. The term “money services business” or “MSB” appears once (in the PDF version of the Guidance). In the “Currency Transaction Reports and Form 8300’s” section on the last page is: “Financial institutions and other persons subject to FinCEN’s regulations must report currency transactions in connection with marijuana-related businesses the same as they would in any other context, consistent with existing regulations and with the same thresholds that apply. For example, banks and money services businesses would need to file CTRs on the receipt or withdrawal by any person of more than $10,000 in cash per day.”

So, are MSBs covered by the 2014 Guidance or not? Are MSBs “financial institutions” and subject to the Guidance?

For BSA purposes, the term “financial institution” is defined in the regulations at 31 CFR s. 1010.100 as including banks, credit unions, broker dealers, casinos, mutual funds, and money services businesses, among other entities. So one could assume that the use of that term in the Guidance indicated that all entity types would be subject to the guidance – including money services businesses, broker dealers, casinos, card clubs, etc.

Although the PDF version of the FinCEN Guidance doesn’t define “financial institution”, both the news release and the non-PDF version had a reference to the term “Financial Institution” at the end (of both) that appears to mean that for the purposes of the “Guidance to Financial Institutions on Marijuana Businesses”, “financial institutions” meant money services businesses and depository institutions.

The term “depository institution” is defined in multiple banking regulations in Title 12 of the Code of Federal Regulations. To keep it simple, and in keeping with FinCEN’s reporting practices, it means banks and credit unions. So, according to FinCEN, it has issued guidance to clarify Bank Secrecy Act (“BSA”) expectations for banks, credit unions, and money services businesses seeking to provide services to marijuana-related businesses.

Since the publication of the that guidance, FinCEN has published a quarterly “Marijuana Banking” report that provides some high level data on the number of these marijuana-related SARs that it instructed depository institutions (banks and credit unions) and money services businesses to file. As can be seen from the chart, this reporting is limited to depository institutions – banks and credit unions. FinCEN hasn’t reported any marijuana-related SARs filed by any of the other “financial institution” types – money services businesses.

If FinCEN has provided guidance that banks, credit unions, and money services businesses are required to file marijuana-related SARs, why is it only reporting on the marijuana-related SARs filed by banks and credit unions?

Without knowing for sure whether any of the 227,745 MSBs (according to a GAO report released September 26, 2019 that looked at how BSA-related information was being shared between the public sector agencies and by FinCEN: see GAO-19-582 at page 9) have identified and reported any marijuana-related suspicious activity, one can assume that some of the millions of SARs filed by those MSBs since 2nd quarter 2014 must have included marijuana-related activity. Indeed, given the complaints by the cannabis/marijuana industries about the lack of access to traditional banking services, one can assume that marijuana-related businesses are turning to money services businesses and alternative financial services providers to conduct otherwise basic financial services such as paying suppliers, paying utility providers, paying taxes and license fees, even cashing checks for employees. And, if those marijuana-related businesses were doing those transactions at money services businesses, ALL of those transactions are supposed to be reported in a marijuana SAR. According to FinCEN.

The data may bear that out. FinCEN’s SAR Statistics allow you to drill down to SARs filed by depository institutions, by MSBs, by month and year, and by location of the reported suspicious activity (state, county, even metropolitan areas). See https://www.fincen.gov/reports/sar-stats

Let’s take a look at a marijuana hot spot – the Emerald Triangle of California: Humboldt, Trinity, and Mendocino counties that (reportedly) grow much of the illegal cannabis in California and about 35% of the legal cannabis.

In calendar year 2018, across all of the United States, MSBs filed about 90 SARs for every 100 SARs filed by Depository Institutions, or DIs. But for activity that occurred in California, MSBs filed 122 SARs for every 100 SARs filed by DIs. To put it another way, for suspicious activity across the United States, MSBs filed about 90% the number of SARs as banks and credit unions, but in California MSBs filed 122% the number of SARs as did DIs.  But according to FinCEN’s “heatmap” of SARs filed by MSBs by California county, there was a hotspot up in the three “Emerald Triangle” counties. Drilling down into the actual FinCEN data, in 2018 MSBs filed 327 SARs (10,076) for every 100 SARs (3,081) filed by DIs in the three Emerald Triangle counties. There are only 235,000 people in those three counties, which is 0.6% of California’s population, yet 4.6% of MSBs’ SARs were filed on activity that occurred in those three counties.

It could be that none of those 10,076 MSB SARs filed in 2018 on activity that occurred in the Emerald Triangle counties was flagged as a marijuana-related SAR for FinCEN to identify, track, and report. But the ratio of MSB-related SARs relative to the number of bank and credit union related SARs filed on activity in the Emerald Triangle – a ratio that has held steady for the last five years at 3.5 to 1 – suggests that FinCEN’s quarterly “Marijuana Banking” report of marijuana-related SARs filed by banks and credit unions may be under-reporting marijuana-related financial activity overall.

It’s logical – and likely – that this high MSB SAR count, both relative to depository institutions and to the population of the area, indicates that MSBs are filing “Marijuana Limited” SARs on all of the activity that marijuana-related businesses are doing with them, not just the traditional suspicious activity. In other words, MSBs are complying with the FinCEN guidance, and we don’t know it. The conclusion may be that marijuana related businesses have access to more financial services than is being reported, even if those financial services aren’t being provided by banks and credit unions.

Perhaps FinCEN can tell us in the next quarterly Marijuana Banking and Money Services Business Report …

Sponge Bob Square Pants, Alan Greenspan, Elton John, PPP Loans, and a Limited Safe Harbor

“Liar, liar, plants for hire”

On April 23rd the Treasury Department added a 31st question and answer to its series of Paycheck Protection Program (PPP) FAQs issued since April 6th. Question 31 that Treasury asked then answered was “Do businesses owned by large companies with adequate sources of liquidity to support the business’s ongoing operations qualify for a PPP loan?” The relevant parts of the answer were:

“… all borrowers must assess their economic need for a PPP loan under the standard established by the CARES Act and the PPP regulations at the time of the loan application … borrowers still must certify in good faith that their PPP loan request is necessary. Specifically, before submitting a PPP application, all borrowers should review carefully the required certification that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.” Borrowers must make this certification in good faith, taking into account their current business activity and their ability to access other sources of liquidity sufficient to support their ongoing operations in a manner that is not significantly detrimental to the business. For example, it is unlikely that a public company with substantial market value and access to capital markets will be able to make the required certification in good faith, and such a company should be prepared to demonstrate to SBA, upon request, the basis for its certification.”

Tacked to the end of answer 31 was the following stand-alone paragraph:

“Lenders may rely on a borrower’s certification regarding the necessity of the loan request. Any borrower that applied for a PPP loan prior to the issuance of this guidance and repays the loan in full by May 7, 2020 will be deemed by SBA to have made the required certification in good faith.”

This last paragraph didn’t get much attention. And the context of Q&A 31 was the “Shake Shack” controversy, where the publicly-traded company obtained two PPP loans totaling $20 million, faced an onslaught of adverse media attention, then publicly announced it would return the money. Among other things, one of the principals of Shake Shack posted an article on LinkedIn that one of the reasons they applied for the PPP loan was that the conditions were “confusing”. Fair enough, and no doubt a true statement that he made from the bottom of his heart.

Liar, Liar Plants for Hire – A Limited Safe Harbor?[1]

On April 24th Treasury published another FAQ document – tacking on four more questions and answers – but just as important, issued its fourth set of PPP-related Interim Final Rules – those pesky regulations that need to be published in the Federal Register that provide the “how things will happen” details to the CARES Act’s “what should happen” general provisions. Included in this fourth PPP Interim Final Rule was the following:

5. Limited Safe Harbor with Respect to Certification Concerning Need for PPP Loan Request
Consistent with section 1102 of the CARES Act, the Borrower Application Form requires PPP applicants to certify that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.” Any borrower that applied for a PPP loan prior to the issuance of this regulation and repays the loan in full by May 7, 2020 will be deemed by SBA to have made the required certification in good faith. The Administrator, in consultation with the Secretary, determined that this safe harbor is necessary and appropriate to ensure that borrowers promptly repay PPP loan funds that the borrower obtained based on a misunderstanding or misapplication of the required certification standard.

The CARES Act itself, and the first set of regulations referred to the certification by the PPP applicant/borrower that the loan is “necessary to support the ongoing operations” of the applicant/borrower. It doesn’t appear that Treasury, the CARES Act, or the SBA have defined or explained what they mean by “necessary to support the ongoing operations” or established the “required certification standard”. This is the Congressional equivalent of Alan Greenspan’s “mumbling with great incoherence.[2]

“I’ve learned to mumble with great incoherence”

No wonder borrowers have a misunderstanding. But I don’t know what Treasury intends by “misapplication”. Regardless, Treasury has given those who’ve misunderstood the standards, as well as those who have misapplied the standards, and even those who flat-out lied in their certifications, a limited safe harbor: “Pay the money back by May 7th and we’ll pretend it never happened.”

“Sorry Seems To Be The Hardest Word”

Let’s hope that there aren’t too many PPP recipients who misunderstood or misapplied the certification standard, or flat out lied about needing the money. Why? What about those deserving small businesses that were shut out of the PPP because of those that lied or cheated their way into a PPP loan? “Sorry seems to be the hardest word …”

One other thing. The FAQ provides a safe harbor-ish to those that applied prior to the issuance of the April 23rd guidance and repays the loan in full by May 7. The Interim Final provides a limited safe harbor for any borrower that applied for a PPP loan prior to the issuance of this regulation. The regulation was issued on April 24th but isn’t effective until the date it is published in the Federal Register. The first Interim Final Rule took almost two weeks to get published. Let’s see if they’re quicker with this fourth PPP Interim Final Rule.

[1] I couldn’t resist. For two years I’ve been looking for a reason to use a quote, any quote, from Sponge Bob Square Pants. In a great 11-second scene, Sponge Bob accuses Patrick of stealing his candy bar. Patrick replies, “Liar, liar, plants for hire”. https://www.youtube.com/watch?v=n-rhuo1vnKE

[2] In Congressional testimony in 1987, then-Federal Reserve Chairman Alan Greenspan said, “Since I’ve become a central banker, I’ve learned to mumble with great incoherence. If I seem unduly clear to you, you must have misunderstood what I said.”

BSA/AML Compliance Programs are Important, but Providing Timely, Actionable Intelligence to Law Enforcement Should be the Goal

Eighteen months ago I called for a renewal of the original purpose of the Bank Secrecy Act: with recent changes – and more expected changes – to the FFIEC’s BSA/AML Examination Manual, I’m renewing that call.

On April 15, 2020, state and federal bank regulatory agencies, through the Federal Financial Institutions Examination Council (FFIEC), updated one of the six main sections of the FFIEC’s BSA/AML Examination Manual, the section titled “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program.” What the regulators haven’t (yet) updated are the Introduction that precedes the newly-updated section, the core examination section on the regulatory requirements, the two expanded examination sections on products and services, and persons and entities, respectively, the expanded examination section on compliance compliance programs, and the twenty appendices.

So perhaps there’s time to influence their thinking.

The stated purpose of the Manual is to provide instructions to examiners as they assess the adequacy of a bank’s BSA/AML compliance program. But the Manual is much more than that: indeed, it could be called the “BSA/AML Program Design, Development, Testing, Auditing, and Examination” Manual. It is the proverbial Bible, Torah, and Koran for everyone involved in BSA/AML. It sets the tone, as well as expectations, for everyone involved in BSA/AML, not just examiners. What is written in the Manual is critical, because the Bank Secrecy Act, or BSA is critical: “The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses or financial crime, including money laundering, terrorist financing, and other illicit financial transactions.” So says the Introduction section of the Manual, at page 7.

That same Introduction section also includes this:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.” (emphasis added)

Eighteen months ago, Verafin released my White Paper titled “50 Years of the Bank Secrecy Act: It’s Time to Renew the Purpose of Providing Actionable Intelligence to Law Enforcement”. The Paper is available at https://verafin.com/resource/50-years-bank-secrecy-act/. I conclude with the following:

“I, and many others, believe that providing timely and actionable intelligence to law enforcement is critical to the successful prevention of illicit activity. Of course, as outlined in the FFIEC manual, a sound BSA/AML compliance program provides the necessary foundation for providing that intelligence. With that in mind, a first step in reforming the BSA/AML regime in the United States may be changing the language of the Manual itself. I propose that the language is changed from ‘a sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions…’ to ‘providing timely and actionable intelligence to law enforcement is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions, and a sound BSA/AML compliance program provides the foundation for the ability to provide that intelligence.’ The change is subtle but important as it strengthens and focuses the very purpose of the BSA. Providing actionable, timely intelligence to law enforcement, while maintaining sound but rational programs, should be the new goal.”

I believe that a financial institution should be supervised, examined, and judged first and foremost on whether it is providing timely, actionable intelligence to law enforcement over whether the hundreds or even thousands of BSA compliance program requirements are ticked and tied and documented. Having an effective – or to use the new adjective in the just-released update – “adequate” BSA/AML compliance program is critically important, but it shouldn’t be the only defense, or even the primary defense from money laundering, terrorist financing, or other illicit financial activity.

So my suggestion to the FFIEC is this: on page 7 of the current Introduction section, replace:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.

With:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. Providing timely and actionable intelligence to law enforcement is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions, and a sound BSA/AML compliance program provides the foundation for the ability to provide that intelligence.”

Dusting off the Congressional Version of an “Aged Shelf Company”

On April 21, 2020, the United States Senate resolvedthat the bill from the House of Representatives (H.R. 266) entitled ‘An Act making appropriations for the Department of the Interior, environment, and related agencies for the fiscal year ending September 30, 2019, and for other purposes’, do pass with the following AMENDMENT: Strike all after the enacting clause and insert …” the “Paycheck Protection Program and Health Care Enhancement Act”.

Apparently, in order to extend the Paycheck Protection Program quickly, Congress needed a bill that had been sitting around waiting to be amended and passed in a jiffy. They found it in a bill introduced by Representative Betty McCollum (D. MN. – 4th) on January 8, 2019 for appropriations for the Department of the Interior for 2019. They took that aged bill off the congressional shelf, stripped it of everything but its existence and history, and have re-purposed it for the PPP and healthcare funding for the coronavirus emergency.

What Congress found was the congressional equivalent of an aged shelf company. What is an “aged shelf company”? Apparently, a leading authority on aged shelf companies seems to be Wyoming Corporate Services Inc., which provides some top-shelf information on aged shelf companies.

https://wyomingcompany.com/aged-corporation/ has the following:

What exactly are Shelf Companies & Shell Companies? What are the differences?

A Shell company defined by Wikipedia: “A shell corporation is a company which serves as a vehicle for business transactions without itself having any significant assets or operations … Shell corporations are not in themselves illegal, and they do have legitimate business purposes.”

A Shelf company defined by Wikipedia: “A shelf corporation, shelf company, or aged corporation is a company or corporation that has had no activity.  It was created and left with no activity – metaphorically put on the “shelf” to “age”.  The company can then be sold to a person or group of persons who wish to start a company without going through all the procedures of creating a new one.”

Here at Wyoming Corporate Services, Inc. we do not offer, nor have we ever offered Shell companies, so we are not going to spend additional time discussing them.

We do offer Aged Shelf Companies.  Companies that we formed ourselves, placed up on the shelf and have maintained all the State required records and fees.  We guarantee in writing that they are all clean and pristine.  They do not have EIN#, bank accounts, trade lines, D&B credit scores.  They have never been used and this is the reason we can make such a guarantee. Visit our aged shelf companies page to browse a partial list of our current inventory.

Who uses Shelf Companies and why?

    • To save the time and effort involved in creating a new company.  Let’s say you have a real estate closing or transaction and would like to use a Corporation or LLC and need it right away.  In most cases, our shelf companies will come with a PDF copy of all your Articles the same day you order, and you can utilize them that same day. In many cases a bank account can be established for the entity the same day.
      • To have the ability to bid on contracts.  Some jurisdictions require a company to be in business for a certain length of time in order to bid or qualify for consideration.
      • Leasing equipment.  Often leasing companies don’t like to lease to companies that are less than six month old.
      • Perception in the market place that the company has a longevity.  Maybe you have been a sole proprietor for many years and now have decided to incorporate.  You don’t want to appear to new or potential customers that you “just started”, but rather have been in business for awhile.
      • Privacy.  The reality of the world we all now live in is there is very little privacy or the ability to have privacy.  We are often lead to believe that anyone seeking privacy must be “trying to hid something” or they are “doing something illegal”.   Therefore, if we have “nothing to hide” we should filet and display all of our personal and business dealings for public review, approval and consumption.  This is simply not true.  There are many legitimate, legal and varied reasons for one wishing to keep ones personal and business dealing out of the prying public eye.  Fortunately Wyoming is a State that still believes citizens can and most importantly still have a RIGHT to do so.  Wyoming still has the Old West mind set that if you want privacy, you have a right to it.

Please don’t be misled or misinformed by the current furor over the “Panama Papers” and role of shell vs shelf companies. Do your own research – there is a lot of great, informative and accurate information out there.

Apparently, Mitch McConnell uses aged shelf bills to save the time and effort involved in creating a new bill.

Wyoming Corporate Services Inc. is offering its 245 aged shelf companies for $645 for a company aged less than a month all the way to $5,895 for its oldest vintage – July 2006. And aged shelf companies created in January 2019 – like the bill introduced by Representative McCollum that Senator McConnell has dusted off – are going for $995. Mitch may have saved American taxpayers some money!

“Money Laundering/Terrorist Financing and Other Illicit Financial Activity” – a New BSA/AML Focus?

If this is, in fact, a new standard for the assessment of U.S. financial institutions’ BSA/AML compliance programs, then I believe it is a positive development.

The April 15, 2020 revision of four of the five introductory sections of the FFIEC BSA/AML Examination Manual is 43 pages long. It begins with “Scoping and Planning” a BSA/AML examination. In the just-replaced section from the 2014 Manual, the objective of scoping and planning was to “identify the bank’s BSA/AML risks”. The new objective is to “develop an understanding of the bank’s money laundering, terrorist financing (ML/TF) and other illicit financial activity risk profile.”

In fact, the phrase “money laundering, terrorist financing and other illicit financial activity risk” or “ML/TF and other illicit financial activity risk” appears fifty-three (53) times in forty-three (43) pages in this April 2020 update.

The phrase “money laundering or terrorist financing risk” appears three (3) times in the current Manual (twice in the CDD section, once in the MSB section), but the phrase “ML/TF and other illicit financial activity” appears exactly zero (0) times in 442 pages of the 2014 BSA/AML Examination Manual.[1]

It appears, then, that the regulatory agencies have replaced the term “BSA/AML risk” and “BSA/AML risk profile” with the phrase “ML/TF risk” and “ML/TF risk profile.”

What are the practical impacts, if any, with the regulators’ shift from examining a bank’s “BSA/AML risk profile” to examining a bank’s “ML/TF risk profile”?

Without guidance from the regulators, without knowing their intent, it’s impossible to say what, if any, practical difference there is.

What the regulators haven’t yet touched is the Introduction section of the Manual, which precedes the four sections they have updated. So, the 2014 Introduction remains. Among other things, the Introduction includes some discussion of money laundering and terrorist financing. At page 7:

Money Laundering and Terrorist Financing

The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial transactions.  Money laundering and terrorist financing are financial crimes with potentially devastating social and financial effects.  From the profits of the narcotics trafficker to the assets looted from government coffers by dishonest foreign officials, criminal proceeds have the power to corrupt and ultimately destabilize communities or entire economies.  Terrorist networks are able to facilitate their activities if they have financial means and access to the financial system.  In both money laundering and terrorist financing, criminals can exploit loopholes and other weaknesses in the legitimate financial system to launder criminal proceeds, finance terrorism, or conduct other illegal activities, and, ultimately, hide the actual purpose of their activity.

Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system.  A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.

At page 8:

Terrorist Financing

The motivation behind terrorist financing is ideological as opposed to profit-seeking, which is generally the motivation for most crimes associated with money laundering.  Terrorism is intended to intimidate a population or to compel a government or an international organization to do or abstain from doing any specific act through the threat of violence.  An effective financial infrastructure is critical to terrorist operations.  Terrorist groups develop sources of funding that are relatively mobile to ensure that funds can be used to obtain material and other logistical items needed to commit terrorist acts.  Thus, money laundering is often a vital component of terrorist financing.

It appears, then, that the 2014 Introduction remains and provides clear direction that a sound BSA/AML compliance program is critical in deterring and preventing money laundering and terrorist financing at, or through, banks and other financial institutions. And it appears also that the 2020 updates have further emphasized the importance of focusing on ML/TF and other illicit financing activity risks as this phrase doesn’t appear at all in the old/existing Manual.

In this article I will make three observations about money laundering and terrorist financing, and all three come from a Congressional hearing that occurred almost seventeen (17) years ago – a year before the first BSA/AML Examination Manual was published – that was held by the House Financial Services Subcommittee on Oversight and Investigations. That hearing was titled “Improving Financial Oversight: A Private Sector View of Anti-Money Laundering Efforts”. It was held on May 18, 2004. The hearing transcript is available at Congressional Hearing May 2004. In full disclosure, I was one of five witnesses to appear before the Sub-Committee. The others were David Aufhauser (then a Senior Counsel, Center for Strategic and International Studies and Counsel, Williams & Connolly LLP, and previously General Counsel at the Treasury Department); John Byrne, at the time the Director of Center for Regulatory Compliance, American Bankers Association; Joe Cachey, then the Vice President, Global Compliance and Chief Compliance Officer and Counsel, Western Union Financial Services; and Steve Emerson, Executive Director, The Investigative Project.

1. From an operational point of view, money laundering and terrorist financing are different problems

“From a purely operational point of view, money laundering and terrorist financing are two, very, very different problems. Traditional money laundering prevention is a transaction-focused internally sourced issue where transactions lead to relational links. Terrorist financing prevention is very different. It is a relationship-focused, externally sourced issue where relational links lead to transactions.” – written testimony of Jim Richards, Operations Executive for Global Anti-Money Laundering, Bank of America, footnote 10 on page 13.

Seventeen years later, I wish I had taken a page from the FFIEC manual and added something about “money laundering is often a vital component of terrorist financing.” But in the immediate post-9/11 environment, most of our success in finding terrorist financing or the funding of terrorist operations came from getting names or other leads from law enforcement. That said, Sub-Committee Chairwoman Sue Kelly (D. NY) asked me “[c]an you identify any particular case in which your companies worked with law enforcement to stop the flow of funds to a terrorist group or an activity of some sort?” I replied:

“Madam Chairman, off the top of my head, I can think at least two particular cases: One prior to September 11 and one after September 11. In both cases, we identified what we thought was suspicious activity. Again, we are not required to detect money laundering or terrorist financing, we are required to detect and report suspicious activity. We did that. In both cases, we felt it was significant enough that we immediately contacted law enforcement, which we are entitled and indeed perhaps required to do if it is an ongoing, serious matter. And in this case, it was the Boston U.S. Attorney’s Office, and they immediately contacted us and sought the underlying records that were the basis of our suspicious activity reports. Subsequent news events confirmed that what we had reported was indeed tied to potential terrorist financing.”

So I actually contradicted myself: we reported what we thought was money laundering or suspicious activity, and subsequent events revealed that what we had actually reported was terrorist financing or the funding of terrorist activity. The FFIEC is correct: money laundering is often a vital component of terrorist financing.

2. Money laundering and terrorist financing should not just be viewed as problems, but as symptoms of problems

“… from the perspective of a bank’s risk officer, money laundering or terrorist financing is not a problem, but a symptom of an underlying operational or control problem.  When looked at from this perspective, the risk officer is able to look at the filing of a SAR or the activity represented in the SAR as a symptom of an underlying problem with account opening procedures, document collection and verification procedures, branch AML training, or the monitoring or surveillance functions.  Looking at money laundering or terrorist financing as a symptom rather than a problem can be an effective way to focus on and eliminate or mitigate the underlying causes.” – Written testimony of Jim Richards, page 13, footnote 10.

Seventeen years later, I wish I had written “from the perspective of a bank’s risk officer, money laundering or terrorist financing is not just a problem, but also a symptom of an underlying operational or control problem …”. Obviously, money laundering is a problem. As is terrorist financing. But the important point I was trying to make is that identifying and reporting the suspicious activity – whether related to money laundering or terrorist financing, or both – is not the end-game for the reporting financial institution. It’s equally important to take those reports – to take the problems that you’ve identified and reported – and view them as symptoms of possible problems or issues with your underlying operational controls, or policies and procedures, or training, or even auditing or independent testing, and to correct those problems. Being able to prevent money laundering or terrorist financing is the ultimate goal.

I attempted to explain this notion of symptom versus problem in answering a question from Congressman Jeb Hensarling (R. TX 5th):

Mr. Hensarling. Thank you, Madam Chair. Mr. Richards, I believe in your testimony you stated that money laundering or terrorist financing is not a problem but a symptom of a problem. Could you elaborate and explain that statement?

Mr. Richards. Yes. We believe that within the context of the total issue of operating risk, that the act of filing a suspicious activity report is not the end of your duty but indeed you take the suspicious activity reports and then you go back and look at the commonalities between them to determine whether the money laundering that you have reported or suspicious activity you are reported is caused by issues relating to account opening, failure to collect the proper identification, it might be a branch training issue where you have to train the people in the branch environment, something like that.

So that rather than looking at the end game being the filing of a suspicious activity report, you look at it as just the beginning of trying to see if there is an underlying operational issue in the bank. If you address the underlying operational issue, you may resolve the suspicious activity that is occurring in your bank. So, again, if you look at it as not a problem but a symptom, you can then drill down and see what the real underlying operational problem may be.

Mr. Hensarling. Thank you.

3. Managing money laundering and terrorist financing risks can only be done with creative, committed, and courageous professionals in the public and private sectors, working together

“The success of the financial sector’s anti-money laundering and terrorist financing prevention efforts is entirely dependent on two things: First, cooperation between and coordination by all of the parties involved: the law enforcement and intelligence communities, the regulatory community, the private sector, our trade associations, such as the ABA, and others; and, second, creative, committed professionals dedicated to this task. In my experience, Madam Chairman, the American financial sector has both.” – written testimony of Jim Richards

Just as I wish I had written “money laundering or terrorist financing is not just a problem, but also a symptom …”, seventeen years later I wish I had added “courageous” to my description of the type of professional that are dedicated to fighting money laundering, terrorist financing, and other illicit financial activity.

Since my Congressional testimony in 2004, I’ve come to realize that Winston Churchill was right when it comes to courage: “Courage is the single attribute upon which all other attributes depend”.

In an article I published in December 2018 titled “Rules-Based Monitoring, Alert-to-SAR Ratios, and False Positive Rates: Are We Having the Right Conversations?”  I wrote this about the importance of courage:

“After 20+ years in the AML/CTF field – designing, building, running, tuning, and revising programs in multiple global banks – I am convinced that rules-based interaction monitoring and customer surveillance systems, running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts, can result in an effective, efficient, proactive program that both provides timely, actionable intelligence to law enforcement and meets and exceeds all regulatory obligations. Can cloud-based, cross-institutional, machine learning-based technologies assist in those efforts? Yes! If properly deployed and if running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts.”

And in a March 2019 article titled “Lessons Learned as a BSA Officer 1998-2018” , one of the nine lessons I described was on the importance of courage. After quoting Winston Churchill (“Courage is the single attribute upon which all other attributes depend”), I wrote:

“After the September 2001 terrorist attacks, the 9/11 Commission was set up to look at what happened, and why. In its final report issued in 2004, they concluded that the US government’s failures could be grouped into four major categories: failure of policy, failure of capabilities, failure of management, and failure of imagination. And they concluded that the “most important failure” was a lack of imagination. I believe that all four of those failures – of policy, of capabilities, of management, and of imagination – have one thing in common. A failure of courage. What do I mean by courage? Courage to speak freely – but respectfully and fairly. Courage to walk away when your principles are compromised. Courage to change. Courage to listen. Courage to compromise.”

Finally, I apparently used the word “courage” six times in a podcast I did with the esteemed Jo Ann Barefoot in April 2018, just weeks after I retired from Wells Fargo. In the show notes, Jo Ann wrote, in part, that “executing the transformation [to digitally-enabled regulation] will take imagination, vision, wisdom and even courage, which is why I invited today’s guest to join us.  He is Jim Richards, founder of the new firm, RegTech Consulting, and I think he used the word “courage” six times, in our talk.”[2]

Conclusion

I don’t believe there are any practical differences between BSA/AML risks, on the one hand, and money laundering, terrorist financing (ML/TF) and other illicit financial activity risks, on the other hand. But if there are differences, then a greater focus on managing – and being examined on how financial institutions manage – ML/TF and other illicit financial activity risks is a positive thing.

It will take cooperation between, coordination by, and the courage of all of the parties involved in the fight against money laundering and terrorist financing: the law enforcement and intelligence communities, the regulatory communities, private sector financial institutions, fintech disrupters and vendors of financial crimes systems, trade associations, and others. In my experience, the American financial sector has what it takes to effectively manage money laundering and terrorist financing and other illicit financial activity risks.

[1] In fairness, the phrase “money laundering, terrorist financing, and other illicit financial transactions” appears in the current Introduction section (page 7).

[2] https://www.jsbarefoot.com/podcasts/2018/5/14/the-courage-to-change-former-wells-fargo-bsa-officer-jim-richards

The US BSA/AML Regime – Have We Just Gone From Aspiring to be “Effective” to Merely Being “Adequate”?

On April 15, 2020, federal and state banking agencies updated parts of the BSA/AML Examination Manual (“Manual”), a document that was first published in 2005 and has been revised and re-published four times since, with the last full edition published in November 2014. The Manual provides what and how examiners examine banks and other financial institutions (collectively, “banks”) for compliance with BSA/AML laws and regulations. Just as important, the Manual is the blueprint that allows banks to build and maintain their programs, and for bank auditors to audit those programs, with some confidence that they’re meeting regulatory requirements and their regulators’ expectations.

OCC Comptroller Otting’s statement on the release of the revisions to the Manual included the following statement:

Today, the FFIEC agencies published updates to the BSA/AML Examination Manual that represent a significant step forward in our efforts to improve how we ensure banks have effective programs to safeguard the banking system against financial crime, particularly money laundering and terrorist financing.[1](emphasis added)

Ensuring that banks have effective programs is critical. This “effectiveness” standard is how the United States itself is judged by the Financial Action Task Force, or FATF, which rates its member countries’ technical compliance with its Recommendations as well as how effective their BSA/AML regimes are in fighting financial crime.

“Effectiveness” is a hot topic in financial crimes risk management. Just last December, the Wolfsberg Group issued its statement on effectiveness.[2] The opening paragraphs of that statement are instructive:

The Wolfsberg Group – Statement on Effectiveness

Making AML/CTF Programmes more effective

The Wolfsberg Group (the Group) is an association of thirteen global banks, founded in 2000, which aims to develop frameworks and guidance for the management of financial crime risk in general, with a more recent and strategic focus on enhancing the effectiveness of global Anti-Money Laundering/Counter Terrorist Financing (AML/CTF) programmes. The topic of effectiveness has also been more widely discussed across the AML/CTF community in recent years.

In 2013, the Financial Action Task Force (FATF) determined that jurisdictions simply having reasonable legal frameworks in place for financial crime prevention was no longer sufficient.  FATF stated that “each country must enforce these measures, and ensure that the operational, law enforcement and legal components of an AML/CFT system work together effectively to deliver results: the 11 immediate outcomes.”  As a result, FATF changed the way it conducted mutual evaluations of its member states, no longer focusing solely on technical compliance with its 40 Recommendations, but also evaluating the overall effectiveness of the AML/CTF regime based on evidence that the outcomes were being achieved.

Notwithstanding FATF’s approach, Financial Institutions (FIs) still tend to be examined by national supervisors almost exclusively on the basis of technical compliance rather than focussing on the practical element of whether AML/CTF programmes are really making a difference in the fight against financial crime.  The Group believes that, in practice, there is as yet insufficient consideration of whether an FI’s AML/CTF programme is effective in achieving the overall goals of the AML/CTF regime which go beyond technical compliance. As a result, FIs devote a significant amount of resources to practices designed to maximise technical compliance, while not necessarily optimising the detection or deterrence of illicit activity.  The Group believes that jurisdictions should adopt the FATF’s focus on effective outcomes and therefore, that an FI’s AML/CTF programme should have three key elements:

    1. Comply with AML/CTF laws and regulations
    2. Provide highly useful information to relevant government agencies in defined priority areas
    3. Establish a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity

The Group believes that supervisors and/or relevant government agencies should assess the effectiveness of an FI’s AML/CTF programme based on the above criteria, recognising that no two FIs are the same and each FI’s risk mitigation strategy must be tailored to meet its risk appetite.

This certainly seems in line with Comptroller Otting’s statement that these new BSA Exam Manual updates will help “ensure banks have effective programs to safeguard the banking system against financial crime”.

So if these updates are, in fact, a significant step forward to improve how the OCC ensures banks have effective BSA/AML programs, how come the OCC – and the other federal and state examiners – seem to have lowered their examination standards from assessing whether banks have effective programs, to assessing whether banks have adequate programs?

First, since I’m making a stink about the difference between effective and adequate, I’ll pause and offer some definitions. I went to one source only: Merriam-Webster. Here’s what I found:

Effective – producing a decided, decisive, or desired effect: as in an effective policy.

Adequate – sufficient for a specific need or requirement; as in adequate time. Also, good enough, or of a quality that is acceptable but not better than acceptable: as in a machine that does an adequate job[3]

These seem in line with what we expect: effective is a higher standard than adequate. Being an effective leader is better than being an adequate leader. And having an effective program is better than having an adequate program.

The FFIEC BSA/AML Examination Manual

Let’s first take a look at the language from the existing Manual, or rather the parts of the Manual that were just changed. As explained in the “Introduction” section of the 2014 Manual (which is over 440 pages long, by the way):

“… the manual is structured to allow examiners to tailor the BSA/AML examination scope and procedures to the specific risk profile of the banking organization.  The manual consists of the following sections:

    • Introduction
    • Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program
    • Core Examination Overview and Procedures for Regulatory Requirements and Related Topics
    • Expanded Examination Overview and Procedures for Consolidated and Other Types of BSA/AML Compliance Program Structures
    • Expanded Examination Overview and Procedures for Products and Services
    • Expanded Examination Overview and Procedures for Persons and Entities
    • Appendixes

The core and expanded overview sections provide narrative guidance and background information on each topic; each overview is followed by examination procedures.  The “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program” and the “Core Examination Overview and Procedures for Regulatory Requirements and Related Topics” (core) sections serve as a platform for the BSA/AML examination and, for the most part, address legal and regulatory requirements of the BSA/AML compliance program.  The “Scoping and Planning” and the “BSA/AML Risk Assessment” sections help the examiner develop an appropriate examination plan based on the risk profile of the bank.  There may be instances where a topic is covered in both the core and expanded sections (e.g., funds transfers and foreign correspondent banking).  In such instances, the core overview and examination procedures address the BSA requirements while the expanded overview and examination procedures address the AML risks of the specific activity.

At a minimum, examiners should use the following examination procedures included within the “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program” section of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile:

    • Scoping and Planning (refer to page 11)
    • BSA/AML Risk Assessment (refer to page 18)
    • BSA/AML Compliance Program (refer to page 28)
    • Developing Conclusions and Finalizing the Examination (refer to page 40)”

It is these last four bulleted sections that form the basis for all exams of banks’ BSA programs. And it is these four bulleted sections that were updated on April 15, 2020. A side-by-side comparison of the 2014 BSA Exam Manual (partial) table of contents and the April 2020 updates (complete) shows clearly what the regulators have focused on:

The regulatory agencies didn’t touch the 2014 Manual’s Introduction section. What they focused on are the sections on the four “pillars” of a BSA/AML compliance program. Where the 2014 Manual goes through each of the four pillars in a total of five pages, and then includes examination procedures for the overall compliance program at the end, the new 2020 update takes a different approach: it breaks out each of the four pillars, and has objectives and examination procedures for each. It is a more detailed and comprehensive approach.

So the 2014 Introduction section remains in place. That section uses three different adjectives in describing bank’s programs:

  • Page 1: “An effective BSA/AML compliance program requires sound risk management …”
  • Page 2: “… ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile”
  • Page 6: “The federal banking agencies work to ensure that the organizations they supervise understand the importance of having an effective BSA/AML compliance program in place.”
  • Page 7: “Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system.  A sound BSA/AML compliance program is critical in deterring and preventing [money laundering, terrorist financing, and other illicit financial transactions] at, or through, banks and other financial institutions.”

In the four “pillar” sections that were updated in 2020, the words “effective” or “effectiveness” appear four times in forty-three pages. Those words appeared seventeen times in the old 2014 version.

Let’s go through those sections, with a focus on the differences in the use of the words “effective” and “adequate”.

Scoping & Planning

The 2014 “Scoping and Planning” section begins on page 11 with “The BSA/AML examination is intended to assess the effectiveness of the bank’s BSA/AML compliance program and the bank’s compliance with the regulatory requirements pertaining to the BSA, including a review of risk management practices.”

The 2020 “Scoping and Planning” section begins on page 1 with: “Examiners assess whether the bank has developed and implemented adequate processes to identify, measure, monitor, and control those risks and comply with BSA regulatory requirements.”

So the regulators have shifted from effective to adequate.

The 2014 “Scoping and Planning” section then continues with a reference to risk assessment. At page 11: “risk assessment has been given its own section to emphasize its importance in the examination process and in the bank’s design of effective risk-based controls.”

The 2020 update provides, on page 4: “The BSA/AML Risk Assessment section provides information and procedures for examiners in determining whether the bank has developed a risk assessment process that adequately identifies the ML/TF and other illicit financial activity risks within its banking operations.”

So the regulators will determine whether the risk assessment adequately identifies risks: not whether it effectively identifies risks.

The 2014 edition does use the term “adequate in a few places. At page 12 is a reference to the Examination Plan: “At a minimum, examiners should conduct the examination procedures included in the following sections of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile.” And in a mixed message, under the heading “Transaction Testing” is: “Examiners perform transaction testing to evaluate the adequacy of the bank’s compliance with regulatory requirements, determine the effectiveness of its policies, procedures, and processes, and evaluate suspicious activity monitoring systems.”

There’s no mixed message in the 2020 update, though. Under the heading “Risk-Focused Testing” on page 6 is: “Examiners perform testing to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.” And at page 8 is the new objective for risk-focused BSA/AML supervision examination procedures: “Determine the examination activities necessary to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.”

So again, it’s fair to say (write) that the regulators have shifted from effective/effectiveness to adequate/adequacy.

Page 34 of the 2014 Manual sets out the objectives of the exam procedures: “Assess the adequacy of the bank’s BSA/AML compliance program. Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.”

Page 18 of the 2020 update sets out the objective when assessing the BSA/AML compliance program: “Assess whether the bank has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.” And at page 20: the objective of “assessing the BSA/AML compliance program examination procedures” is to “[d]etermine whether the bank has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.”

Internal Controls

There are some interesting differences in the main section on the system of internal controls – one of the four pillars of a BSA/AML compliance program.[4]

The 2014 Manual sets out the objectives for the overall BSA/AML compliance program: “Assess the adequacy of the bank’s BSA/AML compliance program.  Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.” (page 28). The 2014 Manual then goes through each of the four pillars, and does so in five pages, then includes examination procedures for the overall compliance program. The 2020 update takes a different approach: it breaks out each of the four pillars, and has objectives and examination procedures for each.

The 2020 update doesn’t use the terms effective or adequate in the Internal Controls section. Rather, it refers to “ongoing” compliance (“[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains a system of internal controls to assure ongoing compliance with BSA regulatory requirements.”).

Independent Testing

As to independent testing, the 2020 update includes an Objective: “Assess the adequacy of the bank’s independent testing program” (page 24). The objective of the exam procedures is to “[d]etermine whether the bank has designed, implemented, and maintains an adequate BSA/AML independent testing program for compliance with BSA regulatory requirements”. There isn’t similar language or detail in the 2014 Manual.

BSA Compliance Officer

The changes to the BSA Compliance Officer pillar are extensive. The 2020 update includes an objective: to “[c]onfirm that the bank’s board of directors has designated a qualified individual or individuals (BSA compliance officer) responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements. Assess whether the BSA compliance officer has the appropriate authority, independence, access to resources, and competence to effectively execute all duties.” (page 29). In this section is the following: ” The board of directors is responsible for ensuring that the BSA compliance officer has appropriate authority, independence, and access to resources to administer an adequate BSA/AML compliance program based on the bank’s ML/TF and other illicit financial activity risk profile.”

The objective of the exam procedures for this pillar is to “[c]onfirm that the bank’s board of directors has designated a qualified individual or individuals (BSA compliance officer) responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements.  Determine whether the BSA compliance officer has the appropriate authority, independence, access to resources, and competence to effectively execute all duties”.

The 2014 Manual provides that “[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.” (page 29). And at page 32: “[t]he board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.”

To summarize: the 2014 Manual provided that the board is responsible for ensuring the BSA Compliance Officer has sufficient authority and resources to administer an effective program. The 2020 updates provide that the board is now responsible for ensuring the BSA Compliance Officer has appropriate authority and resources to administer an adequate program. What has not changed, though, with the 2020 update is this: “the board of directors is ultimately responsible for the bank’s BSA/AML compliance.”

Training

The standards for BSA/AML training seem to have dropped, also. The 2014 Manual provided that “[t]he training program should reinforce the importance that the board and senior management place on the bank’s compliance with the BSA and ensure that all employees understand their role in maintaining an effective BSA/AML compliance program.” (page 33).

The 2020 update provides: “The training program may be used to reinforce the importance that the board of directors and senior management place on the bank’s compliance with the BSA and that all employees understand their role in maintaining an adequate BSA/AML compliance program.” (page 32).

Conclusion

The Wolfsberg Group’s December 2019 Statement on Effectiveness ended with this:

The Group believes that jurisdictions should adopt the FATF’s focus on effective outcomes and therefore, that an FI’s AML/CTF programme should have three key elements: (1) Comply with AML/CTF laws and regulations; (2) Provide highly useful information to relevant government agencies in defined priority areas; and (3) Establish a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity

The Group believes that supervisors and/or relevant government agencies should assess the effectiveness of an FI’s AML/CTF programme based on the above criteria, recognising that no two FIs are the same and each FI’s risk mitigation strategy must be tailored to meet its risk appetite.

Starting in 2005 with the first FFIEC BSA/AML Examination Manual, and continuing to the last full publication in 2014, the purpose of a BSA/AML regulatory exam was to determine whether banks had an effective BSA/AML compliance program, and the directors of those banks, who were ultimately responsible for their bank’s BSA/AML compliance, were to ensure the BSA Compliance Officer had sufficient authority and resources to administer an effective program. The 2020 update appears to have lowered those bars: going forward, the purpose of a BSA/AML regulatory exam is to determine whether banks have an adequate BSA/AML compliance program, and the directors of those banks, who remain ultimately responsible for their bank’s BSA/AML compliance, are now to ensure the BSA Compliance Officer has appropriate authority and resources to administer an adequate program.

It will be interesting to see what, if any, differences this new adequate standard will bring as regulatory examiners across America will be walking into banks and credit unions and announcing, “hello, we’re here to determine whether you have an adequate program.” That is a very different greeting, and a very different exam, and possibly a very different result, than if that examiner walked in and announced, “hello, we’re here to determine whether you have an effective BSA/AML compliance program.”

Post Script

In an article I wrote in August 2019 titled  “Lessons Learned as a BSA Officer – 1998 to 2018” one of the nine lessons was that words and punctuation matter. I wrote that one should use adjectives and adverbs sparingly, if at all:

Most modifiers are unnecessary. Whether necessary or not, as a risk professional you should be aware of both your use of adjectives and adverbs, and when reading others’ use of adjectives and adverbs. When confronted with any modifier, ask yourself (i) why is that modifier being used? (ii) is it being used correctly? (iii) does it change the meaning of the sentence in a way that is unintended? (iv) is it being used consistently with other modifiers? And (v) could it limit or prevent us in the future?

In this case the state and federal banking agencies changed the adjective “effective” to “adequate” to describe the quality of the BSA/AML program they will expect to see and will examine to. I hope that this was unintended, or else five to ten years from now, after a long-held standard of effectiveness is replaced by one of mere adequacy, we could be limited in our ability to fight financial crime.

Endnotes

[1] https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-55.html

[2] https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Effectiveness%201%20pager%20Wolfsberg%20Group%202019%20FINAL_Publication.pdf

[3] https://www.merriam-webster.com/

[4] The 2014 FFIEC Exam Manual “was a collaborative effort of the federal and state banking agencies” and FinCEN (2014 Manual, page 1). The Interagency Statement accompanying the 2020 update provided “The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee (Agencies) revised the sections in close collaboration with Treasury’s Financial Crimes Enforcement Network.” And FinCEN hasn’t (yet) issued a press release or otherwise publicly acknowledged the 2020 updates. Regardless, the agencies’ Title 12 BSA/AML compliance program includes four pillars, and FinCEN’s Title 31 BSA/AML compliance program includes five pillars.