On December 14, 2021 FinCEN published a Request For Information (RFI) soliciting comments on ways to modernize the risk-based AML/CFT regulations and guidance. As of February 11, 2022, fifty-five comments had been posted. Below is the letter I submitted on February 11, 2022.
Re: Request for Information (RF) on ways to modernize risk-based AML/CFT regulations and guidance, Docket Number FINCEN-2021-0008 – Comments of James Richards, Principal and Founder of RegTech Consulting LLC.
Dear Acting Director Das:
I appreciate the opportunity to comment on the request for information on ways to modernize the risk-based AML/CFT regulations and guidance.
Your outreach is encouraging. The current regime is now fifty years old. The formal program requirement is more than thirty-five years old. Much has been added to the regime, but its foundation has not materially changed. The Anti-Money Laundering Act of 2020 (“AMLA2020”) and one of the titles of that Act, the Corporate Transparency Act, have been touted as ushering in the biggest changes to American efforts to fight crime and corruption since the USA PATRIOT Act of 2001. That may be. As a whole, the AMLA2020 will ultimately have the effect of shifting the US AML/CFT regime from a domestic-focused, regulator-versus-regulated, compliance inputs-based regime, to an international, collaborative public/private sector, threat-focused, outputs-driven regime.
But that shift must include a second look at the existing regime. Thus your request made to all stakeholders to provide FinCEN with ideas on how to modernize the regime is so important.
I consider myself to be one of those stakeholders. I am the principal and founder of RegTech Consulting LLC, a private consulting firm focused on providing strategic advice on all aspects of financial crimes risk management to AML software providers, financial technology start-ups, cannabis-related businesses, mid-size banks, and money services businesses. I am also a Senior Advisor to Verafin Inc., the leading provider of fraud detection and BSA/AML collaboration software for financial institutions in North America, and serve on the board of advisors for two providers of financial crimes compliance technologies and services. From 2005 through April 2018 I served as the BSA Officer and Director of Global Financial Crimes Risk Management for Wells Fargo & Co. As BSA officer, I was responsible for governance, training, and program oversight for BSA, anti-money laundering (AML), and sanctions for Wells Fargo’s global operations. As Director of Global Financial Crimes Risk Management, I was responsible for BSA, AML, counter-terrorist financing (CTF), external fraud and internal fraud and misconduct investigations, the identity theft prevention program, global sanctions, financial crimes analytics, and high-risk customer due diligence. Prior to my role with Wells Fargo, I was the AML operations executive at Bank of America where I was responsible for the operational aspects of Bank of America’s global AML and CTF monitoring, surveillance, investigations, and related SAR reporting. I represented Bank of America and Wells Fargo as a three-term member of the BSA Advisory Group (BSAAG). I was also a founding board member of ACAMS and the AFCFS. Prior to my 20-year career in banking, I was a prosecutor in Massachusetts, a barrister in Ontario, Canada, and a Special Constable with the Royal Canadian Mounted Police. I am the author of “Transnational Criminal Organizations, Cybercrime, and Money Laundering” (CRC Press 1998). I earned a Bachelor of Commerce (BComm.) degree and Juris Doctorate (JD) from the University of British Columbia.
It is with this three-decade background fighting financial crimes in both the private and public sectors, and a strong desire to see the U.S. AML/CFT regime become truly effective, that I am offering suggestions and, where appropriate, providing answers to some of the questions that FinCEN has posed.
General Comments – Six Things To Fix
Before diving into some of the particular questions, and in many respects to respond to many of those suggestions, I offer six suggested changes to certain aspects of the regime that, in my opinion, would have the greatest impacts.
These suggestions are not new. I have made many of them for years, some as far back as May 2004 when I testified before the House Financial Services Committee. Others were made more recently: I published an article on October 28, 2019 titled “The Current BSA/AML Regime is a Classic Fixer-Upper … and Here’s Seven Things to Fix”.[1] Six of those seven things form the basis for these comments[2], so I will repeat them here.
- Transaction Monitoring Systems
Apparently, current customer- and account-based transaction monitoring systems are highly inefficient, because we are being told that for every 100 alerts they produce, five or fewer actually end up being reported to the government in a Suspicious Activity Report. This is known in the industry as the “false positive rate”: if only 5 of 100 alerts that are produced end up being reported in a SAR, there is a false positive rate of 95%. The transaction monitoring software is often blamed (although bad data and fear of regulatory sanctions are the more likely culprits), and machine learning and artificial intelligence are often touted (by providers of machine learning and artificial intelligence) as the solutions.
But in all the talk about high false positive rates, one question is neither asked nor answered:
If a 95% false positive rate is bad … what is a good false positive rate?
Answering this question could be the most impactful thing that FinCEN could do to reform the current regime.
But before FinCEN can or should answer this question, it needs to address the question itself: exactly what rate are we talking about? If it the rate of SARs filed to alerts generated (which it is), then this is the wrong rate to measure.
We have to stop tuning our transaction monitoring systems against SARs filed with law enforcement and start tuning them against SARs found useful by law enforcement.
I’ve written about this on many occasions and have offered up something called the “TSV” SAR – a SAR that law enforcement indicates has Tactical or Strategic Value. MY most recent article, published October 1, 2020 titled “FinCEN Files – Reforming AML Regimes Through TSV SARs (Tactical or Strategic Value Suspicious Activity Reports)”[3]
In addition, when answering the question of what a good false positive rate is, FinCEN should not assume that high false positives rates are caused by outdated technology. FinCEN must also consider that high false positive rates may be caused by other factors, including (i) missing, incomplete, or bad data; (ii) by regulatory expectations – real or imagined – that financial institutions can’t afford the audit, regulatory, legal, and reputational costs of failing to identify (alert on) something unusual or anomalous that could eventually be found to have been suspicious; and (iii) even by analyst or investigator bias that because so many previous alerts were “negative”, the next will be, also.
In addition, it may be that transaction monitoring itself is the culprit (and not bad data, outmoded technology, unreasonable regulatory expectations, or investigator bias). My experience (and I’ve filed or led teams that have filed over 3 million SARs) is that customer- and account-based transaction monitoring is not nearly as effective as relationship-based interaction surveillance. Let’s parse out what I mean by relationship-based interaction surveillance:
Customer versus relationship – focusing on a single customer is less efficient than looking at the entire relationship that customer is or could be part of. Bank’s marketing departments think in terms of households as the key relationship: credit department’s think in terms of parent and subsidiary entities and guarantors as the needed relationship in determining credit worthiness. Financial crimes departments need to also think in the same terms. It is simply more encompassing and more efficient.
Transaction versus interaction – customers may interact with a bank many times, through a phone call, an online session, a balance inquiry, or a mobile look-up, before they will perform an actual transaction or movement of value. Ignoring those interactions, and only focusing on transactions, doesn’t provide the full picture of that customer’s relationship with the bank.
Monitoring versus surveillance – monitoring is not contextual: it is simply looking at specific transaction types, in certain amounts or ranges, performed by certain customers or customer classes. Surveillance, on the other hand, is contextual: it looks at the context of certain activity compared against all activity of that customer over time, and/or of certain activity of that customer compared to other customers within its class (Whatever that class may be).
So the public sector needs to encourage the private sector to shift from a customer-based transaction monitoring regime to a relationship-based interaction surveillance regime.
- Information Sharing
Crime and criminal organizations don’t operate in a single financial institution or even in a single jurisdiction. Yet our BSA/AML regime still encourages single entity SAR filers and doesn’t promote cross-jurisdictional information sharing. The tools are available to better share information across a financial institution, and between financial institutions. Laws, regulations, and regulatory guidance all need to change to specifically and easily allow a single financial institution operating in multiple jurisdictions to (safely) share more information with itself, to allow multiple institutions in a single and multiple jurisdictions to (safely) share more information between them, and to allow those institutions to jointly investigate and report together. Greater encouragement and use of Section 314(b) associations and joint SAR filings are critical.[4]
- Classical Music, or Jazz?
Auditors, regulators, and even a lot of FinTech companies, would prefer that AML continue to be like classical music, where every note (risk assessments and policies) is carefully written, the music is perfectly orchestrated (transaction monitoring models are static and documented), and the resulting music (SAR filings) sounds the same time and time again regardless of who plays it. This allows the auditors and regulators to have perfectly-written test scripts to audit and examine the programs, and allows the FinTech companies to produce a “solution” to a defined problem. This approach may work for fraud, where an objective event (a theft or compromise) produces a defined result (a monetary loss). But from a financial institution’s perspective, AML is neither an objective event nor a defined result, but is a subjective feeling that it is more likely than not that something anomalous or different has occurred and needs to be reported. So AML is less like classical music and more like jazz: defining, designing, tuning, and running effective anti-money laundering interaction monitoring and customer surveillance systems is like writing jazz music … the composer/arranger (FinTech) provides the artist (analyst) a foundation to freely improvise (investigate) within established and consistent frameworks, and no two investigations are ever the same, and similar facts can be interpreted a different way by different people … and a SAR may or may not be filed. AML drives auditors and examiners mad, and vexes all but a few FinTechs. But it’s a better way to think about AML, and to audit and examine AML programs. FinCEN should encourage this approach. Caution, though, this is not a “risk-focused” approach that the federal regulators currently use.[5] It is more than that: it is an acknowledgment that not every like institution should have a program like its peer. More flexibility is warranted.
- Before Creating New Tools, Use the Ones We Have
The federal government has lots of AML tools in its arsenal: it simply needs to use them in more courageous and imaginative ways. Tools such as section 311 Special Measures and 314 Information Sharing are grossly under-utilized. Information sharing is discussed above: section 311 Special Measures are reserved for the most egregious bad actors in the system, and are rarely invoked. But the reality is that financial institutions will kick out a customer or not (knowingly) provide services to entire classes of customers or in certain jurisdictions for fear of not being able to economically manage the perceived risk/reward equation of that customer or class of customer or jurisdiction. But that customer or class or jurisdiction simply goes to another financial institution in the regulated sector, or to an institution in an un- or under-regulated sector (the notion of “de-risking” which is accurate from that particular institution’s perspective but is really “re-risking” from a systemic perspective). The entire financial system would be better off if, instead of re-risking a suspected bad customer or class of customer or jurisdiction, financial institutions were not encouraged to exit at all, but encouraged to keep that customer or class, and monitor for and report any suspicious activity. Then, if the government determined that the customer or class of customers was too systemically risky to be banked at all, it could use section 311 to effectively blacklist that customer or class of customers. Imposing “special measures” shouldn’t be a responsibility of private sector financial institutions guessing at whether a customer or class of customers is a bad actor: it is and should be the responsibility of the federal government using the tool it currently has available to it: Section 311.
- Reform the Currency Transaction Report
The reporting of large cash transactions was the first AML tool the US government came up with (in 1970 as part of the Currency & Foreign Transactions Reporting Act). Those reports, called Currency Transaction Reports, or CTRs, started out in 1974[6] as single cash transactions on behalf of an accountholder, for more than $10,000. They have since morphed to one or more cash transactions aggregating to more than $10,000 in a 24-hour period, by or on behalf of one or more beneficiaries. There will be more than 18 million CTRs filed this year, and apparently law enforcement finds them an effective tool. But there is nothing more inefficient: simply put, CTRs are now the biggest resource drain in BSA/AML. Because of regulatory drift, CTRs are de facto SAR-lites … we need to get back to basic CTRs and redeploy the resources used to wrestle with the ever-expanding aggregation and “by or on behalf of” requirements, and deploy them against potential suspicious activity.
The CTR threshold should either remain at $10,000 or reduced to $5,000. Talk about indexing it to inflation is misguided, naïve, and contrary to the purposes of the BSA.
And forget about increasing the threshold amount from the current “more than $10,000” standard. We’ve all read the arguments that “$10,000 in 1970 is like $65,000 in today’s dollars” to support the idea of increasing the CTR threshold. Those espousing this nonsense are ill-informed, misguided, and naïve, at best. When the CTR threshold was set in 1972 (yes, 1972: the 1970 statute did not set a threshold), there were no ATMs, no mobile banking, no automated check clearing, no ACH, etc. Cash transactions were common.
Another way to look at it is to ask a question:
Would it be reasonable to require a report of cash transactions that are 100 times the average cash transaction?
The average cash transaction in the United States today is roughly $22, according to multiple reports from the Federal Reserve. The median cash transactions is about $5, and 95% of cash transactions are $50 or less.
The CTR threshold of $10,000 is almost 500 times the average cash transaction!
No one should argue that having a requirement to report a transaction or transactions that are 200 times the amount of 95% of all cash transactions, or 500 times the average transaction, or 2,000 times the median transaction, is unreasonable.
Another consideration touches on the purpose of the CTR, and of the BSA. And that is to prevent and detect and prosecute criminal activity. So look at the CTR reporting threshold through the lens of criminal activity, not inflation. For example, with $10,000 in cash you can pay for 10 assault rifles, traffic 4 human beings, or buy enough fentanyl to kill everyone in Richmond, Virginia.
And it isn’t the threshold amount that causes inefficiencies: a $20,000 threshold will be just as inefficient (albeit, fewer CTRs will meet that threshold). What is inefficient are the requirements to (i) aggregate multiple transactions totaling more than $10,000 in a 24-hour period, (ii) to identify and aggregate transactions “by or on behalf of” multiple parties and accountholders, and (iii) exempt, on a bank-by-bank basis, certain entities that can be exempted (but rarely are) from the CTR filing regime. If anything, we could save and redploy resources if the CTR threshold was the same as the SAR threshold – $5,000 – and we used the CTR to report single transactions. Aggregation and structuring should be left to reporting suspicious activity.
- The Clash of the Titles
The BSA regime is influenced by many titles of the US Code. The protect-the-financial-system (filing great SARs) requirements of Title 31 (Money & Finance … the BSA) are trumped by the safety and soundness (program hygiene) requirements of Title 12 (Banks & Banking), and financial institutions act defensively because of the punitive measures in Title 18 (Crimes & Criminal Procedure) and Title 50 (War … OFAC’s statutes and regulations). There is a need to harmonize the Four Titles – or at least Titles 12 and 31 – and how financial institutions are examined against them. BSA/AML people are judged on whether they avoid bad TARP results (Tested, Audited, Regulated, and Prosecuted) rather than on whether they provide actionable, timely intelligence to law enforcement. Today, most BSA Officers live in fear of not being able to balance all their commitments under the four titles: the great Hugh MacLeod was probably thinking of BSA Officers when he wrote: “I do the work for free. I get paid to be afraid …”
General Observations on the Scope of the RFI
FinCEN appears to have interpreted section 6216 of the AML Act, which calls for a review of “the regulations implementing the Bank Secrecy Act and guidance related to that Act”, to just FinCEN’s own title 31 regulations.
FinCEN is limiting the review to FinCEN’s regulations and FinCEN guidance. Section 6216 doesn’t appear to be so limiting. Subsection (a) requires “the Secretary, in consultation with the Federal functional regulators, the Financial Institutions Examination Council, the Attorney General, Federal law enforcement agencies, the Director of National Intelligence, the Secretary of Homeland Security, and the Commissioner of Internal Revenue” to “undertake a formal review of the regulations implementing the Bank Secrecy Act and guidance related to that Act”. Subsection (b) seeks public comment, solicited by the Treasury Secretary, as part of the review required under subsection (a) (this RFI appears to be that solicitation). Subsection (c) then requires that “not later than 1 year after the date of enactment of this Act, the Secretary, in consultation with the Financial Institutions Examination Council, the functional regulators, the Attorney General, Federal law enforcement agencies, the Director of National Intelligence, the Secretary of Homeland Security, and the Commissioner of Internal Revenue, shall submit to Congress a report that contains all findings and determinations made in carrying out the review required under subsection (a), including administrative or legislative recommendations.”
So Treasury is required to do a “formal review of the regulations implementing the Bank Secrecy Act and guidance related to that Act”. Section 6003(1) defines “Bank Secrecy Act” as “(A) section 21 of the Federal Deposit Insurance Act (12 U.S.C. 1829b); (B) chapter 2 of title I of Public Law 91–508 (12 U.S.C. 1951 et seq.); and (C) subchapter II of chapter 53 of title 31, United States Code.” So with this, it is clear that FinCEN’s review should include the laws and regulations of both Title 12 and Title 31, not just Title 31.
Leaving aside the fact that FinCEN is missing yet another Congressional deadline, this review will be fatally flawed if it does not include the federal banking regulations and guidance. A fundamental problem with the US AML regime is the delegation of examination and supervision authority from FinCEN to the federal functional regulators. This delegation has created a conflict between the functional regulators with their focus on safety and soundness – the inputs of private sector BSA programs – and law enforcement and national security agencies with their focus on the outcomes of those programs, with the result that there has been a failure to address the desired outcomes of the BSA/AML regime – reducing the harms of financial crimes. It is only if and when this delegation authority is changed so that if the delegation continues, the Title 12 banking regulations and guidance are consistent with the Title 31 AML regulations. Only then will we see progress in addressing the desired outcomes.
Answers to the twenty-Six Questions
The purposes of the BSA are to generally protect the financial system of the United States from criminal abuse and safeguard the national security of the United States. This is accomplished, in part, by requiring private sector financial institutions to: file certain highly useful reports and maintain certain highly useful records, prevent the laundering of money and the financing of terrorism through the establishment of reasonably designed risk-based programs to combat money laundering and the financing of terrorism, and to facilitate the tracking of money that has been sourced through criminal activity or is intended to promote criminal or terrorist activity (see 31 USC section 5311).
Currently, a regulated financial institution can be subject to a public enforcement action where it has failed to implement a reasonably designed, effective BSA/AML program, and/or where it has failed to implement any of the four required pillars of a BSA/AML program. And in both cases, there need not be a finding that the institution failed to detect and report suspicious activity.
There are two risks that a regulated financial institution is required to manage in its BSA/AML compliance program: the regulatory risk of failing to implement and maintain a reasonably designed, risk-based program; and the risk of money laundering, terrorist financing, or other financial crimes. These BSA/AML risks are different from sanctions, or OFAC risk. Unlike BSA/AML laws and regulations that describe and prescribe a BSA/AML program, there is no specific legal or regulatory requirement that financial institutions have an OFAC/sanctions program. Rather, an institution can only be held accountable when there are customers and/or transactions that violate any of the sanctions laws and regulations, and then the sufficiency or lack of a recommended (not required) OFAC/sanctions program is then used to mitigate or aggravate any penalties.
A similar approach should be taken with BSA/AML: a financial institution cannot be subject to a public sanction without a finding that money laundering, terrorist financing, or other financial crimes occurred through customer activity at the institution, and the failure to monitor for, detect, and report that activity caused that activity to occur. For example, a financial institution is required to conduct a risk assessment, then design, implement, and maintain onboarding and ongoing due diligence systems based on that assessment that are intended to identify and report suspicious activity. Even without a risk assessment or any reasonable controls, if there is not any suspicious activity – indeed, there is no money laundering, terrorist financing, or other financial crimes having occurred through the institution – hasn’t the institution operated a risk-based program? If there is no illicit activity in the absence of any controls, then there is no need for any controls.
Question 2. Do AML program requirements for financial institutions sufficiently address the threats, vulnerabilities, and risks faced by the U.S. financial system? If not, what changes do you recommend to ensure that AML program requirements adequately and effectively safeguard U.S. national security?
JRR Comment – I have answered these two questions above. The AML program requirements – risk assessments, policies and procedures, model validation of monitoring systems, etc. – do not directly address the threats, vulnerabilities, and risks faced by the US financial system. What they do, though, is focus financial institutions on the inputs into their program and the direct outputs (CTRs filed, SARs filed) from their program, all at the expense of being able to focus on what is important to law enforcement and the national security community: providing timely, actionable intelligence that leads to positive outcomes. This regulatory focus on inputs and outputs rather than on outcomes is a foundational weakness of the current regime.
Question 3. Are there BSA reporting or recordkeeping requirements that you believe do Forms not provide information that is highly useful in countering financial crimes? If so, what reports or records, and why? Conversely, are there reports or records not currently required that would be highly useful? If so, what reports and records, and why?
JRR Comment – the simple answer is “we don’t know”. There is a dearth of feedback on the use and utility of BSA reports. In fact, there is nothing being reported on CTRs, Forms 8300, CMIRs. And we don’t know which SARs provide tactical or strategic value to law enforcement, or if they do, why they do. FinCEN: you must provide better feedback, and you must encourage law enforcement to provide better feedback. The AML industry is the only industry I’m aware of where the producers of a product (in this case, financial institutions producing SARs) obtain zero feedback on the consumers of the product (law enforcement agencies consuming SARs). General Motors or Tesla or Ford simply do not care how many vehicles they produce, they care about how many vehicles they sell, and who is buying them, and why they’re buying them, and whether they’re adding value to the consumers. The same applies to private sector producers of SARs: who cares if a bank files 20,000 SARs? The critical questions are how many of those SARs are being used by law enforcement? Why is law enforcement using them? What is good about them? What is bad about them? Currently, none of those questions can be answered.
Question 21. Do any BSA regulations or guidance fail to conform with U.S. commitments to meet international standards, or do not fully implement international standards, including the FATF Recommendations? If so, which regulations or guidance, and why?
Question 22. Which deficiencies identified in the FATF’s 2016 U.S. Mutual Evaluation Report and addressed in the third Follow-Up Report most significantly prevent the United States from fully implementing an effective and risk-based approach? What changes to regulations or guidance would you recommend to address the deficiencies identified?
JRR Comment – There are no BSA regulations that bring the US into conformity with FATF recommendations relating to gatekeepers: lawyers, accountants, company formation agents. For fifteen years and two mutual evaluations the US has been found to be non-compliant with the FATF recommendations relating to Designated Non-Financial Businesses and Persons (DNFBPs). This isn’t a surprise, but the American Bar Association has effectively lobbied Congress and every Administration to keep the United States non-compliant.
Conclusion
As I noted at the outset, your outreach and intent are encouraging. Many AML/CFT subject matter enthusiasts wail that the current regime is broken. I disagree: it isn’t broken, and it may be performing brilliantly if one considers the general deterrent effect of programs, recordkeeping, and reporting on kleptocrats, criminals, and money launderers. The regime’s foundations are old, and may not be suited to address current risks or anticipate future risks. And the regime certainly isn’t as efficient as it could be, although many of those same subject matter enthusiasts that screech that the regime is broken don’t appreciate that much of what is called “AML compliance” is simply sound business practices that would be done absent an AML program requirement (gosh, don’t banks want to know their customers so they can sell them more and better products and services, or more effectively lend them money?).
There are many things that could be improved, enhanced, tweaked, added, or removed from the current BSA/AML regime. But I’ll end where I started, with six suggestions FinCEN could consider to dramatically reform the current AML regime:
- Shift from customer-centric transaction monitoring systems to relationship-based interaction surveillance systems
- Encourage cross-institutional and cross-jurisdictional information sharing
- Encourage the private sector to be more creative and innovative in its approach to AML – AML is like jazz music, not classical music
- Address de-risking through aggressive use of Section 311 Special Measures
- Simplify the CTR regime. Please. And forget about increasing the $10,000 threshold – in fact, reduce it to $5,000
- Harmonize the requirements of the four main US Code titles that impact the AML regime: titles 12, 18, 31, and 50
Endnotes
[1] The Current BSA/AML Regime is a Classic Fixer-Upper … and Here’s Seven Things to Fix – RegTech Consulting, LLC
[2] The seventh suggestion – creating a central, national registry of beneficial ownership information – has been addressed through the Corporate Transparency Act.
[3] FinCEN Files – Reforming AML Regimes Through TSV SARs (Tactical or Strategic Value Suspicious Activity Reports) – RegTech Consulting, LLC
[4] The recent pilot program for US financial institutions to share SAR-related information with their overseas branches and affiliates is a good first step.
[5] That is not a typo: federal regulators examine financial institutions’ risk-based programs using a risk-focused approach.
[6] The law was passed in 1970. The regulation was promulgated in 1972. But due to court challenges, the first CTRs were not filed until 1974.