FinCEN’s Proposed AML Program Effectiveness Rule – Comments of RegTech Consulting LLC

The following comments to FinCEN’s Advance Notice of Proposed Rule Making (ANPRM) on AML Program Effectiveness were submitted by Jim Richards, founder and principal of RegTech Consulting LLC. The ANPRM was published in the Federal Register on September 17, 2020. It gave the public 60 days to submit comments. These comments were submitted on November 7, 2020.

Background on Jim Richards

Jim Richards is the principal and founder of RegTech Consulting LLC, a private consulting firm focused on providing strategic advice on all aspects of financial crimes risk management to AML software providers, financial technology start-ups, cannabis-related businesses, mid-size banks, and money services businesses. Mr. Richards is also a Senior Advisor to Verafin Inc., the leading provider of fraud detection and BSA/AML collaboration software for financial institutions in North America.

From 2005 through April 2018 Mr. Richards served as the BSA Officer and Director of Global Financial Crimes Risk Management for Wells Fargo & Co. As BSA officer, he was responsible for governance, training, and program oversight for BSA, anti-money laundering (AML), and sanctions for Wells Fargo’s global operations. As Director of Global Financial Crimes Risk Management, he was responsible for BSA, AML, counter-terrorist financing (CTF), external fraud, internal fraud and misconduct, the identity theft prevention program, global sanctions, financial crimes analytics, and high-risk customer due diligence.

Prior to his role with Wells Fargo, Mr. Richards was the AML operations executive at Bank of America. There, he was responsible for the operational aspects of Bank of America’s global AML and CTF monitoring, surveillance, investigations, and related SAR reporting. Mr. Richards represented Bank of America and Wells Fargo as a three-term member of the BSA Advisory Group (BSAAG). Mr. Richards was also a founding board member of ACAMS.

Prior to his 20-year career in banking, Mr. Richards was a prosecutor in Massachusetts, a barrister in Ontario, Canada, and a Special Constable with the Royal Canadian Mounted Police. He is the author of “Transnational Criminal Organizations, Cybercrime, and Money Laundering” (CRC Press 1998). Mr. Richards has a Bachelor of Commerce (BComm.) degree and Juris Doctorate (JD) from the University of British Columbia.

Introduction to the ANPRM

On September 17, 2020, the Financial Crimes Enforcement Network (FinCEN) published an Advance notice of proposed rulemaking (ANPRM) in the Federal Register (85 FR 58023, Docket Number 2020-20527), seeking “public comment on potential regulatory amendments to establish that all covered financial institutions subject to an anti-money laundering program requirement must maintain an ‘effective and reasonably designed’ anti-money laundering program [that] assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN consistent with the proposed amendments; provides for compliance with Bank Secrecy Act requirements; and provides for the reporting of information with a high degree of usefulness to government authorities.”

The BSAAG and AML Effectiveness Working Group Recommendations

The ANPRM noted that the BSAAG created an Anti-Money-Laundering Effectiveness Working Group (AMLE WG) in June 2019 to develop recommendations for strengthening the national AML regime by increasing its effectiveness and efficiency. Apparently the AMLE WG worked to “identify regulatory initiatives that would allow financial institutions to reallocate resources to better focus on national AML priorities set by government authorities, increase information sharing and public-private partnerships, and leverage new technologies and risk-management techniques – and thus increase the efficiency and effectiveness of the nation’s AML regime” and came up with five broad categories of recommendations. These were endorsed by the BSAAG plenary in October 2019 and evaluated by FinCEN, resulting in the September 16, 2020 ANPRM.

I commend FinCEN Director Blanco and his staff, the BSAAG members, and the members of the AML Working Group for their thoughtfulness, hard work, and courage in making these recommendations and publishing the ANPRM.

With the ANPRM, FinCEN is seeking public comments on whether an effective and reasonably designed AML program should have three components:

  1. It assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN consistent with the proposed amendments;
  2. It provides for compliance with Bank Secrecy Act requirements; and
  3. It provides for the reporting of information with a high degree of usefulness to government authorities.

As the ANPRM noted, the intent of the regulatory amendments under consideration is “to modernize the regulatory regime to address the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of anti-money laundering programs.”

The notice has three substantive sections. Section II sets the stage, with a historical look at the BSA/AML laws and regulations, from the first Currency and Foreign Transactions Reporting Act of 1970 through the 2016 changes to the customer due diligence and beneficial ownership regulations. It then goes through the recent efforts of the BSA Advisory Group’s Effectiveness Working Group to modernize the AML regime, which culminated in five recommendations: developing and focusing on AML priorities, reallocating compliance resources, monitoring and reporting changes, enhancing information sharing, and advancing regulatory innovation. Those five recommendations were then taken up by FinCEN and incorporated into its proposed regulatory changes. Section III sets out those proposed changes, framed as the elements of an effective and reasonably designed AML program. The third substantive section, section IV, sets out the issues for comment: eleven questions to be answered.

A Startling Admission: There is no Regulatory Requirement for Financial Institutions to Have an Effective and Reasonably Designed AML Program

Perhaps the single most interesting part of the notice is in section III, where FinCEN writes “after consulting with the staffs of various supervisory agencies, and having considered the BSAAG recommendations and other BSA modernization efforts” FinCEN “is publishing this ANPRM seeking comment on whether it is appropriate to clearly define a requirement for an ‘effective and reasonably designed’ AML program in BSA regulations.” This last statement – whether it is appropriate to clearly define a requirement for an “effective and reasonably designed” AML program in BSA regulations – is, in fact, a startling admission. For years financial institutions have been fined billions of dollars, even charged criminally, for violating BSA regulations by failing to maintain and implement an AML program, and yet those regulations (apparently) do not clearly set out what is required for an effective and reasonably designed AML program.

The Crux of the ANPRM – Refocusing on the Singular Purpose of the BSA/AML Regime

Currently, the federal banking agencies (the Federal Reserve, FDIC, NCUA, and OCC) that supervise and examine approximately 10,000 banks and credit unions for AML program requirements, only look at whether the financial institution “has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.”[1] Those agencies’ field examiners are not instructed to determine whether the institution is providing timely, effective information to government authorities.

It can be fairly argued that parts of the first two components of FinCEN’s proposed requirement for an effective and reasonably designed AML program are already in place and being considered by the regulatory agencies: whether the institution’s program assesses and manages financial crimes risk as informed by its risk assessment and whether it provides for compliance with BSA requirements. It can equally be argued – indeed, it is irrefutable – that the regulatory agencies are not currently considering whether the institution’s program provides for the reporting of information with a high degree of usefulness to government authorities.

This third regulatory focus – whether the program actually provides for the reporting of information with a high degree of usefulness to government authorities – would be new. But this is not a new concept: indeed, the very purpose of the very first BSA/AML law, the Currency and Foreign Transactions Reporting Act of 1970, was to require financial institutions to keep records and file reports that “have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings”. This singular purpose, which I refer to as providing timely, effective information to government authorities, remains today: 31 USC section 5311 sets out the declaration of purpose:

It is the purpose of this subchapter (except section 5315) to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.

Over the years, notably with statutory and regulatory changes in 1986 and 1992 (discussed below), the singular purpose of the BSA/AML regime of providing timely, effective information to government authorities has been overshadowed by, and then lost to, the programmatic compliance-focused regulatory requirements. This proposed change – of adding back the original purpose of the BSA – would bring the focus back, in part, to the very purpose of the BSA/AML regime: to provide timely, actionable information to government authorities.

FinCEN’s Request for Comments and Answers to Eleven Questions

In addition to seeking general comments concerning the potential rulemaking to incorporate a requirement for an “effective and reasonably designed” AML program into AML program regulations and to provide clarity on its application, FinCEN requested comments on eleven questions. I have set out those questions and provided comments (answers) where needed. Following those questions and comments/answers, I have provided a brief conclusion.

Question 1

Does this ANPRM make clear the concept that FinCEN is considering for an “effective and reasonably designed” AML program through regulatory amendments to the AML program rules? If not, how should the concept be modified to provide greater clarity?

The stated purpose of the ANPRM is clear, but operational clarity for financial institutions will only come if it is clear that the regulatory agencies examine to the regulations, and not to the regulatory expectations set out in the FFIEC BSA/AML Examination Manual (the Manual). FinCEN writes that it is “publishing this ANPRM seeking comment on whether it is appropriate to clearly define a requirement for an ‘effective and reasonably designed’ AML program in BSA regulations.” Later, FinCEN clarifies that it is considering regulatory amendments that would explicitly define an “effective and reasonably designed” AML program as one that has three elements:

  • Identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity — including terrorist financing, money laundering, and other related financial crimes — consistent with both the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities;
  • Assures and monitors compliance with the recordkeeping and reporting requirements of the BSA; and
  • Provides information with a high degree of usefulness to government authorities consistent with both the institution’s risk assessment and the risks communicated by relevant government authorities as national AML

The NPRM should make it clear that only the second element currently exists in both Titles 12 and 31 and their respective regulations, and that the first and third elements are new. For example, the purpose of 12 CFR § 21.21 “Procedures for monitoring Bank Secrecy Act (BSA) compliance” is described in 21.21(a):

“This subpart is issued to assure that all national banks and savings associations establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of subchapter II of chapter 53 of title 31, United States Code, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR Chapter X.”

And subsection 21.21(c) provides, in part, that the bank “shall develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance” with subchapter II of chapter 53. So although the foundational purpose of the BSA regime is to have private sector financial institutions keep records and provide reports that have a “high degree of usefulness” to government authorities, there is nothing in the regulation(s) that speaks to that purpose. Rather, the purpose is to “assure and monitor compliance” with 31 CFR chapter X. What is the purpose of that regulation; or what does that regulation require?

The regulation, 31 CFR chapter X, provides the “how” to the “what” set out in the legislation, subchapter II of chapter 53 of title 31. Section 5311 is the declaration of purpose: “It is the purpose of this subchapter (except section 5315) to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”

The program requirements are set out in section 5318(a) and (h):

5318. Compliance, exemptions, and summons authority

(a) General power of Secretary. – The Secretary of the Treasury may (except under section 5315 of this title and regulations prescribed under section 5315)

(2) require a class of domestic financial institutions or nonfinancial trades or businesses to maintain appropriate procedures to ensure compliance with this subchapter and regulations prescribed under this subchapter or to guard against money laundering;

*****

(h) Anti-money laundering programs.

(1) In general. – In order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs, including, at a minimum

(A) the development of internal policies, procedures, and controls;

(B) the designation of a compliance officer;

(C) an ongoing employee training program; and

(D) an independent audit function to test programs.

(2) Regulations – The Secretary of the Treasury, after consultation with the appropriate Federal functional regulator (as defined in section 509 of the Gramm-Leach-Bliley Act), may prescribe minimum standards for programs established under paragraph (1) …

So the law provides what Congress intended when it comes to the Bank Secrecy Act: the overall purpose is to require certain reports or records where they have a high degree of usefulness to government authorities, and that purpose is met, in part, by requiring financial institutions to maintain appropriate procedures and establish AML programs to guard against money laundering. The law also provides that minimum standards for these programs are to be prescribed by the Secretary of the Treasury through regulations.

Those regulations are set out at 31 CFR chapter X. Chapter X includes general provisions required of all financial institutions (in section 1010) and then specific provisions for the eleven categories of financial institutions subject to the regulations (in sections 1020-1030) such as banks (1020), casinos (1021), MSBs (1022), etc. None of those sections includes a “purpose” statement, and none of them compel financial institutions to provide reports that have a high degree of usefulness to government authorities. None of them include the phrase “high degree of usefulness”.

Perhaps most important, though, none of the five full editions of the FFIEC BSA/AML Exam Manual, nor the 2016 and 2020 partial amendments, compel examiners to examine financial institutions on whether they provide reports that have a high degree of usefulness to government authorities or even include the phrase “high degree of usefulness”. Put another way, when conducting BSA examinations, neither FinCEN nor any of the financial regulatory agencies consider whether the institution is complying with the very purpose of the BSA.

To put this in perspective, the purpose of the Community Reinvestment Act (CRA) is to encourage financial institutions to help meet the credit needs of the communities in which they do business, including low- and moderate-income (LMI) neighborhoods. When conducting examinations of financial institutions’ CRA compliance, regulators will, in fact, look to whether those institutions are meeting the credit needs of the communities in which they do business, including low- and moderate-income (LMI) neighborhoods. Not so with the BSA: the purpose of the BSA is to require financial institutions to submit certain reports and keep certain records where they have a high degree of usefulness to government authorities, yet those institutions are not examined on whether the reports they submit or the records they keep have a high degree of usefulness to government authorities.

Question 2

Are this ANPRM’s three proposed core elements and objectives of an “effective and reasonably designed” AML program appropriate? Should FinCEN make any changes to the three proposed elements of an “effective and reasonably designed” AML program in a future notice of proposed rulemaking?

As described above, FinCEN is considering regulatory amendments that would define an “effective and reasonably designed” program as one that:

  • Identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity, including terrorist financing, money laundering, and other related financial crimes, consistent with both the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities;
  • Assures and monitors compliance with the recordkeeping and reporting requirements of the BSA; and
  • Provides information with a high degree of usefulness to government authorities consistent with both the institution’s risk assessment and the risks communicated by relevant government authorities as national AML

The order of the three elements is important, as it suggests a priority. I suggest a reordering, or re-prioritization of the elements. I would begin with the very purpose of the BSA, which is for financial institutions to keep records, and submit reports, that provide a high degree of usefulness to law enforcement.

Also, only two of the three components have a “consistent with” provision. All three components should be risk-based. Also, the two components’ “consistent with” provisions are slightly different. The “identifies, assesses, and reasonably mitigates the risks” component is to be consistent with an institution’s risk profile, while the “provides information” component is to be consistent with an institution’s risk assessment. A risk profile is based, in large part, on the assessment of the risks: both (all three) components should be the same, and the consistency should be against the institution’s risk profile rather than its risk assessment. The result would be this:

An “effective and reasonably designed” program is one that:

  • Provides information with a high degree of usefulness to government authorities;
  • Identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity, including terrorist financing, money laundering, and other related financial crimes; and
  • Assures and monitors compliance with the recordkeeping and reporting requirements of the BSA

consistent with both the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities.

As I wrote above, over the years, notably with statutory and regulatory changes in 1986 and 1992, the singular purpose of the BSA/AML regime of providing timely, effective information to government authorities, has been overshadowed by, and then lost to, the programmatic compliance-focused regulatory requirements. Those changes are worth describing.

The first change came about from the Money Laundering Control Act of 1986 (MLCA), PL 99–570, 100 Stat. 3207 (Oct. 27, 1986), which was enacted to essentially solve two problems: customers of banks were avoiding the recordkeeping and reporting requirements by “structuring” their transactions, and financial institutions were ignoring their responsibilities to keep those records and file reports. The MLCA made structuring and money laundering crimes, and it required the federal regulatory agencies (1) to issue regulations for covered financial institutions to “establish and maintain procedures reasonably designed to assure and monitor the compliance” of such institutions with the reporting and some recordkeeping requirements of the BSA; and (2) to issue enforcement actions when those institutions fail to do so.

In its ANPRM, FinCEN writes that the MLCA “amended the BSA, underscoring the importance of reporting information with a high degree of usefulness to government authorities.” In fact, it did not. There is no mention of the importance of reporting information with a high degree of usefulness in the MLCA. And the effect of the new “procedures” regulations – and examination of and enforcement of those new regulations – was to begin the shift away from focusing on providing useful information to meeting regulatory, procedural regulations. The MLCA gave birth to two new industries: the professional money launderer, and the professional AML compliance officer.

The second change came about with the Annunzio-Wylie Anti-Money Laundering Act of 1992 (Annunzio-Wylie), Title XV of PL 102–550, 106 Stat. 3672 (Oct. 28, 1992). Annunzio-Wylie gave the industry the “four pillar program” requirements we are so familiar with today by authorizing Treasury to issue regulations requiring all financial institutions to maintain “minimum standards” of an AML program. The minimum standards, for both FinCEN and the banking agencies, require financial institutions to establish and maintain procedures “reasonably designed” to assure and monitor compliance with the requirements of the BSA and include (1) a system of internal controls, (2) a BSA compliance officer, (3) independent testing, and (4) training. Like the MLCA, Annunzio-Wylie did not include references to providing information with a high degree of usefulness to law enforcement.

Title III of the Patriot Act (the International Counter Money Laundering and Anti-Terrorist Financing Act, part of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, PL 107-56, 115 Stat. 272 (Oct. 26, 2001)) did remind the industry of the importance of providing information with a high degree of usefulness to government agencies. Since 1970, the purpose of the BSA (set out in 31 USC s. 5311) had been to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings. With the horrific events of 9/11, that purpose was expanded: to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.

But that expanded purpose did not make it into the regulations – either the banking agencies’ regulations in Title 12 or FinCEN’s regulations in Title 31. And notwithstanding that expanded purpose, the Patriot Act added more program requirements, notably the customer identification program (CIP) requirements. Regulations followed roughly two years after the Patriot Act was signed into law; and in April 2005 the first of five FFIEC BSA/AML Examination Manuals was published. You will not find any instructions to regulatory agencies’ examiners in any of the Manuals that tell them to evaluate whether the financial institution is providing information with a high degree of usefulness to law enforcement. In fact, the phrase “high degree of usefulness” does not appear in the Manual, other than in Appendix D, which is a list of the twenty-six types of financial institutions that are covered by the BSA and a twenty-seventh type that could be covered: “Any other business designated by the Secretary whose cash transactions have a high degree of usefulness in criminal, tax, or regulatory matters.” The irony, of course, is that if this other business is required to have a BSA program, and to keep records and provide reports on its cash transactions because they would have a high degree of usefulness in criminal, tax, or regulatory matters, it would not be examined on whether it did, in fact, provide reports of information with a high degree of usefulness. (And note to FinCEN: 31 USC 5312(a)(2)(Z) needs to be amended to add “, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”)

Question 3

Are the changes to the AML regulations under consideration in this ANPRM an appropriate mechanism to achieve the objective of increasing the effectiveness of AML programs? If not, what different or additional mechanisms should FinCEN consider?

These proposed changes are an appropriate mechanism, primarily because they would shift the non-binding regulatory expectations from guidance documents and the BSA/AML Examination Manual, which do not have the force of law, to regulations, which do have the force of law and are enforceable. But more can and should be done.

Question 4

Should regulatory amendments to incorporate the requirement for an “effective and reasonably designed” AML program be proposed for all financial institutions currently subject to AML program rules? Are there any industry-specific issues that FinCEN should consider in a future notice of proposed rulemaking to further define an “effective and reasonably designed” AML program?

FinCEN notes that, as regulations for different segments of the financial industry have been promulgated at different times in the past, such AML program regulations have evolved and, consequently, contain provisions that differ among the various industries subject to AML program requirements. For example, the AML program requirement for money services businesses (31 CFR 1022.210(a)) already contains an effectiveness component.[2] FinCEN invites comments from all covered industries subject to AML program regulations as to how a requirement for an “effective and reasonably designed” AML program would impact their industry. Furthermore, FinCEN invites comment as to whether any industry-specific modifications would be appropriate to consider in future rulemaking.

Question 5

Would it be appropriate to impose an explicit requirement for a risk-assessment process that identifies, assesses, and reasonably mitigates risks in order to achieve an “effective and reasonably designed” AML program? If not, why? Are there other alternatives that FinCEN should consider? Are there factors unique to how certain institutions or industries develop and apply a risk assessment that FinCEN should consider? Should there be carve-outs or waivers to this requirement, and if so, what factors should FinCEN evaluate to determine the application thereof?

Yes, it would be appropriate to impose a regulatory requirement that an effective and reasonably designed AML program is risk-based, and a formal risk assessment process determines the risks (and corresponding controls and whether those controls are addressing and mitigating those risks).

As the regulatory agencies noted in their September 11, 2018 Interagency Statement Clarifying the Role of Supervisory Guidance, “[u]nlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance. Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate practices for a given subject area.”[3]

As set out above, 31 CFR Part X includes specific requirements for eleven classes of financial institutions. As summarized in the table below, six of the eleven classes already have requirements for risk-based AML programs, while all eleven have either explicit and risk-based Customer Identification Program (CIP) requirements or embed risk-based customer identification requirements in the internal control pillar of the AML program requirement.

A reasonably simple solution is to adopt and, where necessary, adapt the current risk-based program requirements to those financial institution types that currently do not have them.

Question 6

Should FinCEN issue Strategic AML Priorities, and should it do so every two years or at a different interval? Is an explicit requirement that risk assessments consider the Strategic AML Priorities appropriate? If not, why? Are there alternatives that FinCEN should consider?

The only reason a risk assessment would consider strategic AML priorities is for the institution to then adapt its program and underlying controls to those priorities. Programmatic and control changes can take years to design, test, implement, and perfect. Requiring programs and controls to adapt to bi-annual changes to FinCEN’s strategic AML priorities will never allow an institution to actually implement a program. Any “strategic” priorities have to be priorities over a five year or longer time period; otherwise they are tactical.

And what are these national or strategic priorities? The most recent were set out in Treasury’s 2020 National Strategy for Combating Terrorist and Other Illicit Financing (February 6, 2020). That national strategy described ten vulnerabilities: lack of beneficial ownership requirements at the time of company formation, lack of BSA regulations impacting real estate professionals and key gatekeepers such as attorneys and accountants, correspondent banking, cash, complicit professionals, compliance weaknesses at regulated financial institutions, digital assets, MSBs, securities broker/dealers, and casinos. The national strategy listed three key priorities: (1) increase transparency and close legal framework gaps for beneficial ownership, real estate, and digital assets; (2) continue to improve the efficiency and effectiveness of the regulatory framework; and (3) enhance the current AML/CFT operational framework.

Question 7

Aside from policies and procedures related to the risk-assessment process, what additional changes to AML program policies, procedures, or processes would financial institutions need to implement if FinCEN implemented regulatory changes to incorporate the requirement for an “effective and reasonably designed” AML program, as described in this ANPRM? Overall, how long of a period should FinCEN provide for implementing such changes?

Any regulatory change requires a financial institution to assess the change, determine the policy, systems/technology, and personnel changes that would need to be made, and determine the costs of and time needed to implement those changes across all of the businesses, delivery channels, and customer groups of the institution. For the very small percentage of financial institutions that have international operations, the non-US jurisdictional regulatory impacts must also be determined, and any changes made.

As FinCEN did with the beneficial ownership rule, I would provide a two-year implementation period.

Question 8

As financial institutions vary widely in business models and risk profiles, even within the same category of financial institution, should FinCEN consider any regulatory changes to appropriately reflect such differences in risk profile? For example, should regulatory amendments to incorporate the requirement for an “effective and reasonably designed” AML program be proposed for all financial institutions within each industry type, or should this requirement differ based on the size or operational complexity of these financial institutions, or some other factors? Should smaller, less complex financial institutions, or institutions that already maintain effective BSA compliance programs with risk assessments that sufficiently manage and mitigate the risks identified as Strategic AML Priorities, have the ability to “opt in” to making changes to AML programs as described in this ANPRM?

No comments.

Question 9

Are there ways to articulate objective criteria and/or a rubric for examination of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?

In the narrative to this question, FinCEN wrote:

“FinCEN appreciates that, in order for the regulatory proposals as described in this ANPRM to achieve the objective of increased effectiveness of the overall U.S. AML regime, the supervisory process must support and reinforce this objective. Indeed, FinCEN has consulted with the staffs of various Federal supervisory agencies in developing this ANPRM, and FinCEN requests comments on how the supervisory regime could best support the objectives as identified in this ANPRM.”

So we know that FinCEN has consulted with the staffs of various Federal supervisory agencies, but we don’t know the nature of, or results from, those consultations. This question can only be answered by those supervisory agencies: are they going to support and reinforce the objective of increased effectiveness of the overall US AML regime, or keep the status quo?

Question 10

Are there ways to articulate objective criteria and/or a rubric for independent testing of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?

I would defer to auditors on how they can set out objective criteria or a statement of purpose (rubric) on how they would independently test a more formalized, regulatory-driven risk assessment process.

Question 11

A core objective of the incorporation of a requirement for an “effective and reasonably designed” AML program would be to provide financial institutions with greater flexibility to reallocate resources towards Strategic AML Priorities, as appropriate. FinCEN seeks comment on whether such regulatory changes would increase or decrease the regulatory burden on financial institutions. How can FinCEN, through future rulemaking or any other mechanisms, best ensure a clear and shared understanding in the financial industry that AML resources should not merely be reduced as a result of such regulatory amendments, but rather should, as appropriate, be reallocated to higher priority areas?

I first became a BSA Officer at a large bank in the late 1990s, and continued as a BSA Officer until April 2018 at successively large financial institutions. The regulatory burden increased with each year, with each legislative change (there have been only two substantive regulatory changes in the last twenty years – in 2001 and 2004), each regulatory change, with every change in regulatory expectation and guidance (e.g., the five full editions of the BSA Exam Manuals from 2005 through 2014, and the partial changes to the Exam Manual in 2016 and 2020), and with heightened expectations from the increasing number and severity of regulatory sanctions and enforcement actions. The regulatory burden has never decreased. In fact, the single biggest risk a BSA Officer must manage today is regulator risk – managing the management of risk management so as not to incur MRAs, MRIAs, non-public Part 30 orders, or public enforcement actions.

The BSAAG AML Working Group’s first recommendation addresses this issue of how to ensure that resources are effectively allocated. The title of that first recommendation was “Developing and Focusing on AML Priorities”, and the Working Group “recommended that stakeholders refocus the national AML regime to place greater emphasis on providing information with a high degree of usefulness to government authorities based on national AML priorities, in order to promote effective outputs over auditable processes and to ensure clearer standards for measuring effectiveness in evaluating AML programs.”

But there is one critical aspect of this that does not appear to have been assessed, let alone resolved: in order for regulated financial institutions to be examined on how well they are providing information with a high degree of usefulness to government authorities, those government authorities will need to provide feedback on what information does, in fact, have a high degree of usefulness. Currently, there is no systemic way for law enforcement to provide feedback to institutions on whether a particular SAR or CTR (the two primary BSA reports), or any SAR or CTR, or any type of typology of SAR or CTR, provides information with a high degree of usefulness, and what type of use – tactical or strategic – that information has.

I have offered solutions on how law enforcement can (and should) provide feedback, principally through what I have described as “Tactical or Strategic Value” Suspicious Activity Reports, or TSV SARs. See https://regtechconsulting.net/uncategorized/fincen-files-reforming-aml-regimes-through-tsv-sars-tactical-or-strategic-value-suspicious-activity-reports/

The Working Group’s second recommendation dealt with BSA compliance resource reallocation, and recommended reducing or eliminating activities that are not required by law or regulation, make limited contributions to meeting risk-management objectives, and supply less useful information to government authorities. The Working Group concluded that resources freed from these activities could be reallocated to address areas of risk and national AML priorities. The Working Group specifically suggested that the application of existing model-risk-management guidance to AML systems be revised.

Revising existing model-risk-management guidance to AML systems assumes there is existing model-risk-management guidance to AML systems. But there isn’t any such guidance. The model risk management guidance – from 2000 and revised in 2011 – was never intended to be applied against AML systems. None of the five editions of the FFIEC Exam Manual, the four after the original 2000 guidance and the one following the 2011 revision of the guidance, make any reference to the model risk management guidance. If AML systems are to be subject to strict model governance, then that governance must be set out in binding regulation subject to public review and comment. And AML systems should not be subject to the same strict model governance requirements as Value-At-Risk models, liquidity models, or even consumer lending models. Nothing has more adversely impacted the ability of large financial institutions to fight financial crime, human trafficking, kleptocracy, nuclear proliferation, etc., than the strict, pedantic, dogmatic application of model risk governance.

Conclusion

I commend FinCEN and the members of the BSA Advisory Group – particularly those members that served on the AML Working Group – for the hard work, collaboration, and courage it took to make and accept the recommendations and publish the Advance Notice of Proposed Rule Making.

Everyone in the public- and private-sector AML/CFT communities wants to (in the words of the AML Working Group) “identify regulatory initiatives that would allow financial institutions to reallocate resources to better focus on national AML priorities set by government authorities, increase information sharing and public-private partnerships, and leverage new technologies and risk-management techniques – and thus increase the efficiency and effectiveness of the nation’s AML regime.” As the BSA Exam Manual instructs us (at page 7):

“The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial transactions. Money laundering and terrorist financing are financial crimes with potentially devastating social and financial effects. From the profits of the narcotics trafficker to the assets looted from government coffers by dishonest foreign officials, criminal proceeds have the power to corrupt and ultimately destabilize communities or entire economies. Terrorist networks are able to facilitate their activities if they have financial means and access to the financial system. In both money laundering and terrorist financing, criminals can exploit loopholes and other weaknesses in the legitimate financial system to launder criminal proceeds, finance terrorism, or conduct other illegal activities, and, ultimately, hide the actual purpose of their activity.”

The Exam Manual then continues with this:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.”

This is where I differ, and where I have directed most of my comments. Although a sound BSA/AML compliance program is important in deterring and preventing financial crime at or through banks and other financial institutions, the primary function of a program is providing timely, actionable information to law enforcement. I suggest the following:

“Banking organizations must provide government authorities with timely and effective reports of information that have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism, and in order to be able to do so must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. Providing timely, effective information that has a high degree of usefulness to government authorities is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.”

It is this shift from an inputs- or process-centric regime to an outputs- or results-centric regime that is reflected in the third leg (which I would make the first leg) of FinCEN’s proposed “effective and reasonably designed” AML program requirements.

Requiring financial institutions to provide timely, effective information that has a high degree of usefulness to government authorities is the singular purpose of the BSA.[4] If financial institutions are to be examined for their compliance with the BSA, and held accountable for failing to comply with the BSA, they must be examined on whether they are, in fact, providing timely, effective information that has a high degree of usefulness to government authorities. Today, they are not. Hopefully, in the near future, through the rule-making process that FinCEN has initiated, they will be. The result will be a more efficient and effective US AML regime that is better able to protect and defend individuals, communities, institutions, the financial system, and our homeland.

Thank you for the opportunity to comment.

Jim Richards

November 7, 2020

Endnotes

[1] April 15, 2020 revision to the FFIEC BSA/AML Examination Manual, page 18. This is a change from the 2014 Manual, which instructed examiners to “determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.” Whether the standard is “adequate” or “effective”, examiners are not asked to determine whether the institution is providing timely, effective information to government authorities.

[2] Specifically, it provides that each money services business, as defined by §1010.100(ff), shall develop, implement, and maintain an effective anti-money laundering program. An effective anti-money laundering program is one that is reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities.

[3] On November 5, 2020 those same agencies published a Notice of Proposed Rule Making (85 FR 70512) seeking to codify the September 11, 2018 Interagency Statement.

[4] In fact, the proposed AML Act of 2020, an amendment to the proposed National Defense Authorization Act of Fiscal Year 2021, would amend 31 USC s. 5311 to add four “purposes” to the BSA in addition to the current purpose of providing information that is highly useful to government agencies. The first of the four new purposes would be “to prevent the laundering of money and financing of terrorism through the establishment by financial institutions of reasonably designed risk-based programs.” The AML Act (section 5101) would also amend 31 USC s. 5318(h), the AML program requirement, to reflect these changes in purpose.

Biden or Trump? Possible Impacts of a New Administration on Financial Crimes Compliance

And does FinCEN have a 95 percent “false positive rate” it needs to address?

The U.S. election is Tuesday, November 3rd. We’ll know soon thereafter whether the country will have a new Democratic Joe Biden administration or whether the current administration under Republican Donald Trump will continue for a second term. And we’ll also know whether the Senate stays with a Republican majority or flips and goes Democratic (control of the House of Representatives will likely remain with the Democrats).

Financial crimes professionals are asking about what a change in administration could mean for them. Let’s look at recent trends in four different aspects of financial crimes compliance: (i) the number of Suspicious Activity Reports (SARs) filed, (ii) the number and types of federal criminal cases, (iii) the number of Deferred Prosecution Agreements (DPAs) entered into by corporations, and (iv) referrals to FinCEN made by federal agencies for substantial potential BSA violations.

We will look at the period 2011 through 2019. The recent FinCEN Files investigation and articles from Buzzfeed News and the International Consortium of Investigative Journalists (ICIJ) used leaked SARs that had been filed from 2011 through 2017 (actually, there were also about 10 SARs a year from each of 2008, 2009, and 2010, but journalists haven’t focused on those, likely because they don’t reveal enough salacious information to fit their narrative). And 2019 is the last full year (federal government fiscal year running through September 30) that has available data. Also, this nine-year period includes the last four years of the Democratic Obama administration and the first two full years of the Republican Trump administration. So we can compare the two to see if there are any differences or trends.

Caveat/Disclaimer – the Trump administration took power on January 21, 2017, almost four months into the 2017 fiscal year. In fairness to that administration, I have only used fiscal years 2018 and 2019 as being “Trump” years, and have described these years as the first two full years of this administration.

I. SAR Filing Trends Compared to Federal Criminal Cases

The image below is complicated and contains a lot of data and information. First, the main table with the grey, blue, and green column headings: the blue headings show the total number of Suspicious Activity Reports (SARs) filed each year from 2011 through 2019. The red arrows in the cells indicate that the number in that cell (year) is higher than the number in the prior year. As can be seen, the number of SARs filed goes up every year.

The total number of SARs filed is compared to the number of FinCEN Files SARs. As explained in the ** note below the chart, Buzzfeed News has a chart that allows you to estimate the number of SARs it had by year. I include this to show that the FinCEN Files SARs are a very small proportion of the total SARs filed: that alone should convince a reader that the FinCEN Files SARs are not representative of all SARs filed.

The green columns show data from the Office of the United States Attorney’s Annual Statistical Reports. The first green-header column shows the total number of criminal cases filed in all Federal District Courts. As can be seen by the arrows, the total number of criminal cases dropped every year 2012 through 2017, then rose significantly in 2018 and again in 2019. As indicated, 2014 through 2017 are the last four years of the Obama administration: 2018 and 2019 are the first two full fiscal years of the Trump administration.

The next six columns break out the criminal cases by the DOJ program categories. I selected the four largest (by total number of cases) categories – immigration, violent crime, drugs, and white collar crime – as well as Money Laundering (being of obvious interest to financial crimes compliance professionals) and then all others.

Immigration Cases – these cases make up about 40 percent of all federal criminal cases. Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, immigration cases are up about 37 percent under Trump. And where these cases trended down every year under the Democratic administration, they are up both years under the Republican administration.

Violent Crime Cases – these cases make up about 22 percent of all federal criminal cases. Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, violent crime cases are up about 31 percent under Trump.

Observation: Over 60 percent of federal criminal cases are immigration or violent crime cases. It is unlikely that BSA reports would play a major part in the identification, investigation, or prosecution of these types of cases, which appear to be a focus of the Trump administration.

Drug Cases – these cases make up about 21 percent of all federal criminal cases. Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, drug cases are up about 13 percent under Trump.

White Collar Cases – these cases make up about 9 percent of all federal criminal cases. Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, white collar cases are down about 10 percent under Trump. However, the trends are more complicated than the averages: white collar cases dropped every year for the last four years of the Obama administration, from a high of 6,300 in 2013 down to 4,379 in 2017. The numbers are only slightly higher under the Trump administration at ~4,600 each year.

Money Laundering Cases – there is no real trend in these cases other than very few are brought. I have included this category of cases to illustrate the difference between suspicious activity, which is what financial institutions are required to report to the federal government, and the crime of money laundering. For every 10,000 SARs and 100,000 BSA reports, the federal government brings 1 money laundering case.

Over 30 percent of federal criminal cases involve drug crimes, white collar crimes, or money laundering. It is likely that BSA reports play a major part in the identification, investigation, or prosecution of these types of cases. 

So to summarize:

II. SAR Filing Trends Compared to Deferred Prosecution Agreements (DPAs)

If you were able to figure out the previous graphic, this next one should be a breeze. The website Corporate Prosecution Registry is maintained by a group at the University of Virginia. The website provides the following description:

The Corporate Prosecution Registry is a joint project of the Legal Data Lab at the University of Virginia School of Law and Duke University School of Law. The goal of this Corporate Prosecution Registry is to provide comprehensive and up-to-date information on federal organizational prosecutions in the United States, so that we can better understand how corporate prosecutions are brought and resolved. We include detailed information about every federal organizational prosecution since 2001, as well as deferred and non-prosecution agreements with organizations since 1990.

We aim to provide accurate, timely, and accessible information for policymakers, researchers and litigators alike. All of the information contained on this website is publicly available, and was gathered from federal docket sheets, press releases, prosecutor’s offices, as well as from FOIA requests.

The Registry was created by Professor Brandon Garrett (bgarrett@law.duke.edu) and Jon Ashley (jonashley@law.virginia.edu). We welcome any questions or feedback about the contents or features of this website. Please tell us if you notice any errors or can add information about a case, or if you have information about a case that is missing from the Registry.

We want to encourage the broadest possible use of this data for research and educational purposes. We believe all of the primary documents collected here are works of the United States government and are therefore free of all copyright protection, per Section 105 of the U.S. Copyright Act. To promote access and reuse of the database, which may be subject to limited copyright protection or other legal protections, we have licensed the data for free public use under the Creative Commons Attribution-NonCommercial 4.0 International License. Please attribute the database as indicated above. For permission to make commercial uses not covered by the license or a relevant legal provision (such as fair use), please contact us.

Please cite to this resource collection as “Brandon L. Garrett and Jon Ashley, Corporate Prosecution Registry, Duke University and University of Virginia School of Law”, at http://lib.law.virginia.edu/Garrett/corporate-prosecution-registry/index.html

With that introduction, I pulled the data for Deferred Prosecution Agreements (DPAs), Non-Prosecution Agreements (NPAs) and guilty pleas, by year, and then took three sub-sets of that data: (i) DPAs, NPAs, and Pleas relating to six types of offenses (as categorized by the folks at UVA and Duke) that involve financial crimes-related matters (BSA, Money Laundering, Bribery, Foreign Corrupt Practices Act, four types of Frauds, and Kickbacks); (ii) DPAs, NPAs, and guilty pleas of any type by financial institutions; and (iii) DPAs, NPAs, and guilty pleas by financial institutions for BSA or Money Laundering. And as I did with federal criminal cases, I included total SARs filed and FinCEN Files SARs as a comparison.

There are some interesting trends. First, 2015 is an anomaly: it included 73 fraud cases prosecuted against Swiss banks under a program that DOJ ran relating to undisclosed accounts and assets held by U.S. taxpayers. 


Total DPAs, NPAs, Pleas – the total number of DPAs, NPAs, and guilty pleas has been steadily dropping from 2011 through 2019, but the drop is more pronounced under the Trump administration, where they’re down by about two-thirds compared to the last four years of the Obama administration.

DPAs, NPAs, Pleas for Financial Crimes – Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, these are down by over 42 percent.

Observation: Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, total DPAs, NPAs, and guilty pleas, and financial crimes-related DPAs, NPAs, and guilty pleas, against corporations are down by about half.

DPAs, NPAs, and Pleas against Financial Institutions – although the number of financial institutions entering into DPAs, NPAs, and guilty pleas isn’t high – other than the spike from the Swiss bank cases in 2015 it has not exceeded twelve in any year – the percentage of these resolutions involving financial institutions has gone up under the Trump administration (11 percent of all DPAs, NPAs, and pleas) compared to three of the last four years of the Obama administration (7 percent, excluding the anomalous 2015 year). 

DPAs, NPAs, and Pleas Entered into by Financial Institutions for BSA and Money Laundering – As seen above, these are rare. In the last nine years (with the exception of the anomalous 2015 year) there have never been more than two of these cases brought against financial institutions. There are 30,000+ financial institutions in the United States: the chances of being prosecuted for BSA or money laundering violations are exceedingly small.

To summarize:

III. Referrals from Regulatory Agencies to FinCEN

In August 2019 the Government Accountability Office, or GAO, issued a report titled “BSA: Agencies and Financial Institutions Share Information but Metrics and Feedback not Regularly Provided”. It is available at https://www.gao.gov/assets/710/701086.pdf.

Among other things, the GAO looked at FinCEN’s enforcement action authority, and how it obtained information needed to issue enforcement actions. On pages 29 and 30 they described these referral sources as follows:

“FinCEN enforcement actions can be based on sources that include referrals from examining authorities, information from financial institutions, interviews, and leads from law enforcement. Other sources for FinCEN enforcement actions can include FinCEN’s own targeted BSA/AML examinations for high-risk areas and other areas that FinCEN identifies through referrals within FinCEN or through its proactive investigations. Supervisory agencies, including the federal banking regulators, SEC, CFTC, and their respective SROs are to promptly notify FinCEN of any significant potential BSA violations. A significant violation, as established in a memorandum of understanding with each supervisory agency, generally includes systemic BSA/AML compliance program deficiencies or reporting or recordkeeping violation(s); a financial institution’s failure to respond to supervisory warnings concerning such BSA deficiencies or violations; a financial institution’s willful or reckless disregard of BSA requirements; or a violation that creates a substantial risk of money laundering or the financing of terrorism in the institution. IRS also makes referrals to FinCEN for violations it identifies in its BSA examinations, such as willful violations of AML program requirements and recordkeeping and reporting regulations and structuring. Additionally, financial institutions can self-report violations, DOJ or other law enforcement agencies may provide leads, and FinCEN personnel can refer potential violations to FinCEN’s Enforcement Division to be investigated.”

From January 2015 through September 2018, six regulatory agencies (Federal Reserve, OCC, FDIC, CFTC, SEC, NCUA) and the IRS referred 419 significant potential BSA violations to FinCEN. According to the GAO, it took FinCEN between 5 months and 3 years to close a referral case. Below is table 3 from the GAO report summarizing those referrals:

In that same period (2015-2018), FinCEN issued 26 enforcement actions (one in 2019, two in 2020). Here’s what that looks like:

The first trend we can see from this data is that the number of FinCEN enforcement actions dropped every year from a high of twelve in 2015 to a low of one in 2019. Through October 30 there have been two FinCEN enforcement actions issued in 2020, and both have been against individuals: Michael LaFontaine, former chief risk officer of US Bank, and Larry Dean Harmon, who operated an unlicensed money service business (a crypto exchange and mixer).

This data also reveals something that is not about a trend or a comparison between political administrations, but is about the outcomes from the agency referrals. Given the 5-month to three-year lag in closing cases, we can assume (generously) that a referral made in 2015 wouldn’t be closed (and an enforcement action either doesn’t result or does result from the closed case) until at least 2016. So most of the 135 referrals from 2015 would be part of the 76 or even 180 closed cases in 2016 and 2017. But it would be fair to assume that the 419 referrals from 2015 through 2018 were resolved between 2016 and 2020. With that assumption,

96 percent or more of regulatory agencies’ referrals of significant potential BSA violations do not result in a FinCEN enforcement action: that is a 96 percent “false positive” rate!

I write “96 percent or more” because agency referrals, as explained by the GAO, are only one source of potential FinCEN enforcement actions: financial institutions can self-report issues, the DOJ can make referrals, and FinCEN, of course, has the ability to source its own cases. So 96 percent is conservative: it is likely closer to 98 percent.

Everyone in the industry, and everyone commenting on the industry, bemoans the terrible false positive rate of traditional transaction monitoring systems. Experts and enthusiasts alike write and talk about the 95 percent false positive rate – where only 5 of 100 alerts that are generated end up being reported in a Suspicious Activity Report, or SAR. Leaving aside the sloppiness of the description – alerts are not reported in SARs, suspicious activity is reported in SARs – and the axiomatic and anecdotal nature of the complaints, it is fair to say that traditional transaction monitoring systems are neither effective nor efficient, and a 95 percent false positive rate, on average, may not be too far off reality. It is, at least, a useful talking point and an anchoring number we can use as we strive to lower that rate to something better. I have written about this at length. See, for example, https://regtechconsulting.net/uncategorized/the-current-bsa-aml-regime-is-a-classic-fixer-upper-and-heres-seven-things-to-fix/

But it is certainly interesting, even if only for conversational purposes, if FinCEN itself also suffers from a 95 percent false positive rate when it comes to converting agency referrals of “significant potential BSA violations” to its version of a SAR, an enforcement action.

Conclusion

When we wake up on November 4th (although it could take longer, and technically some states are not required to certify their votes until early December) we will either have a new Democratic administration under former Vice-President Joe Biden, or the current Republican administration under President Donald Trump will remain for another four years. Looking at trends in criminal cases against both individuals and corporations (with the latter represented by Deferred and Non-Prosecution Agreements), and trends in enforcement actions brought by FinCEN, we can expect real differences between a Biden administration – more financial crimes-related cases and enforcement actions – and a Trump administration – fewer. Regardless of the incoming administration, though, we should probably take a closer look at the referrals being made by the regulatory agencies to FinCEN, and how FinCEN is managing them (five months to three years to make a decision on a referral) and closing them: 95 percent “false positives” is inefficient and ineffective in the public sector as well as the private sector.

Don’t Blame FinCEN – Congress Has Left it Underfunded for Years

In the last five years, FinCEN’s workload has gone up three times as much as its budget: if we care about preventing terrorist financing, human trafficking, and public corruption, Congress must fund our nation’s financial intelligence unit.

FinCEN is a bureau in the U.S. Department of the Treasury. The Director of FinCEN reports to the Under Secretary for Terrorism and Financial Intelligence (TFI). In carrying out its mission, FinCEN has numerous statutory areas of responsibility:

  1. Developing and issuing regulations under the Bank Secrecy Act (BSA);
  2. Enforcing compliance with the BSA in partnership with law enforcement and other regulatory partners;
  3. Serving as the U.S. Financial Intelligence Unit (FIU) and maintaining a network of information sharing with FIUs in 164 partner countries;
  4. Receiving millions of new financial reports each year;
  5. Securing and maintaining a database of over 300 million reports;
  6. Analyzing and disseminating financial intelligence to federal, state, and local law enforcement, federal and state regulators, foreign FIUs, and industry; and
  7. Bringing together the disparate interests of law enforcement, FIUs, regulatory partners, and industry.

What is FinCEN’s mission? According to its most recent Congressional budget justification and annual performance plan and report (Fiscal Year 2021) submitted earlier this year (see https://home.treasury.gov/system/files/266/12.-FinCEN-FY-2021-CJ.pdf), FinCEN’s mission statement is “to safeguard the financial system from illicit use, combat money laundering, and promote national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence.”

FinCEN has a daunting and important mission – to safeguard the financial system – and Congress has placed upon FinCEN many critical responsibilities in safeguarding the financial system, everything from developing and enforcing the regulations for tens of thousands of private sector entities, receiving millions of reports (actually, more than 20 million) intended to provide a high degree of usefulness to government authorities, safeguarding those reports, and analyzing those reports and getting information back to over 6,700 federal, state, local, and tribal law enforcement agencies (according to an FBI/DOJ notice published in the Federal Register on June 30, 2020).

With this daunting mission, and millions of reports to collect and analyze, tens of thousands of private sector entities to regulate, and thousands of law enforcement agencies to support, FinCEN must be a massive agency with an impressive budget.

Let’s take a look.

The first thing that should jump out at you, and will be a surprise to most people, is how small FinCEN is: less than 300 people and a budget that is eclipsed by many global banks’ financial crimes risk management departments. That aside, and clipped directly from the FY2021 budget request, this table shows FinCEN’s resource levels – people and budget – for six fiscal years and its requested resource levels for 2021. (FinCEN’s fiscal year – the federal government’s fiscal year – runs from October 1 to September 30). This table also shows FinCEN’s “workload output/activity”, or at least three measurable parts of its overall workload: (1) the total number of BSA reports filed each fiscal year, (2) the total number of Suspicious Activity Reports (SARs) each year (a subset of the total number of BSA reports), and (3) the number of people (generally law enforcement) who use, or access, FinCEN’s BSA database. What is not measured and shown here is the other work or output or activities FinCEN is responsible for (developing and enforcing BSA regulations and analyzing BSA reports and getting information back to law enforcement, for example).

A quick glance at this table suggests that the workload is going up: SARs have gone from just over 2 million in FY2015 to an estimated 3 million in FY2021; the total number of BSA reports continues to go up; and the number of BSA users has gone from 10,166 in FY2015 to an estimated 13,589 in FY2021.

Have FinCEN’s resources kept pace with its workload?

This is an important question. The recent “FinCEN Files” release by Buzzfeed News and the International Consortium of Investigative Journalists (ICIJ) has cast a very negative spotlight on some large global banks as being the reason for, or the facilitators of, financial crime and corruption. Those stories have resulted in calls to reform what the media and others are calling a broken, ineffective, and inefficient regime. Although the journalists haven’t focused on FinCEN, it too has been receiving some unwarranted attention. Questions are being asked: banks and other financial institutions are reporting all this suspicious activity, so what is FinCEN doing about it?

FinCEN’s resources are not keeping pace with its workload.

I reformatted FinCEN’s budget numbers in order to better compare the annual resource numbers with the workload numbers. Given the FinCEN Files focus on Suspicious Activity Reports (SARs), I’ve highlighted those:

What appears obvious from this is that the number of SARs has gone up about three times as fast as FinCEN’s resources: SARs are up almost 35% in five years, but FinCEN’s staffing has gone up just 9% and its overall budget has gone up just 12.5%. FinCEN’s resources aren’t keeping pace with its workload.

FinCEN has received more than 2 million SARs in each of the last six years … or has it?

This is not a criticism of FinCEN. But when I saw those numbers in the budget request, I paused. FinCEN has a “SAR Stats” feature that allows the public to access FinCEN’s data on the number of SARs filed, by what type of filers, when, for what kind of suspicious activity, etc. It’s a great resource, and I use it a lot, and didn’t recall seeing more than 2 million SARs as far back as 2015. So I went back into the SAR Stats page …

… and I exported the total number of SARs filed, by month, for the entire period of available data – January 2014 through August 2020. Here’s what FinCEN provided (reformatted):

These are the actual numbers exported from the FinCEN website (with the exception of September 2020, which isn’t yet available: I estimated the number of SARs filed for that one month). At first glance one can see that not all six fiscal years had more than 2 million filed SARs. So I put the two sets of data – the 2021 budget submission and the FinCEN SAR Stats – together for easier comparison:

I can’t explain the differences – there is likely a reason why the two sets of SAR data are different. But both show an increase in the number of SARs filed over the last five fiscal years that is triple the increase in FinCEN’s resources that are available to manage those SARs, analyze them, and disseminate actionable intelligence back to more than 6,000 law enforcement agencies in order to protect our financial system.

Congress must support the fight against financial crime

If Congress is serious about fighting financial crime and protecting our financial system, it must provide FinCEN with the appropriate resources. So far it has failed to do so.

FinCEN Files – Reforming AML Regimes Through TSV SARs (Tactical or Strategic Value Suspicious Activity Reports)

The Public/Private AML Industry is Fifty Years Old and is Long Overdue for a Makeover: Let’s Start with Better Public Sector Feedback

What we know as the Bank Secrecy Act (BSA) has been around since October 26, 1970. The original purpose was to require financial institutions to keep records and file reports that had “a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings”. Other than adding another purpose after the terrorist attacks of 9/11 (reports to support “the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism”), that original purpose hasn’t changed. Fifty years ago a few thousand reports were submitted to law enforcement: this year more than 20 million BSA reports are produced by the private sector and submitted to the Treasury Department’s financial intelligence unit, or FIU – the Financial Crimes Enforcement Network (FinCEN).

To repeat, the purpose of these BSA reports, indeed of the entire anti-money laundering (AML) and counter-terrorist financing (CFT) regime, is to provide “a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”[1]

The production of these reports doesn’t come cheaply. It costs the private sector billions of dollars every year to develop and maintain programs that are ultimately intended to produce and keep these records and to produce and file these reports. And for years the private sector has complained that law enforcement isn’t using the reports effectively and isn’t providing feedback to the private sector as to which reports are useful.

The FinCEN Files – a series of salacious stories based on the illegal disclosure of over 2,100 Suspicious Activity Reports (SARs) filed by dozens of banks – painted some large, global banks as being the reason for, or the facilitators of, financial crime and corruption. Those stories have resulted in calls to reform – once and for all – what the media and others are calling a broken, ineffective, and inefficient regime. But none of those calls for reform offer any solutions.

Five recent US government publications provide a more measured – and legal – view into the U.S. anti-money laundering regime and the use, usefulness, and costs of producing those SARs, and other Bank Secrecy Act (BSA) reports filed by tens of thousands of financial institutions. And one of those reports, a September 22, 2020 report on the use and usefulness of BSA reports published by the U.S. Government Accountability Office (GAO), suggests what needs to be done to streamline and improve the AML regime: we need to “systematically collect information on outcomes from the use of BSA reports”.

In other words, there are plenty of inputs into the system – private sector reports of suspicious activity – but we know very little about the outputs from or results of those inputs – what is law enforcement doing with those reports? Which ones are providing actual leads, or tactical information? Which ones are providing trending and analytical value, or strategic information? What agencies are using the reports? All these questions remain unanswered. And although the GAO suggests what needs to be done, it doesn’t suggest how that can be done. I do.

The most effective way to systematically collect information so that the private sector producers of BSA reports (financial institutions) can provide reports with a “high degree of usefulness to government authorities” (the very purpose of the BSA), is to require that the public sector consumers of BSA reports (law enforcement) provide feedback to the private sector. And the mechanism for that feedback is the Tactical or Strategic Value Suspicious Activity Report, or TSV SAR.

This article tracks a September 22, 2020 GAO Report on the use and usefulness of BSA reports, and brings in excerpts from other federal government publications where appropriate. This article focuses on three issues described in the GAO report: law enforcement’s use of BSA reports, and whether they find them useful; the BSA/AML compliance cost burden; and regulators’ supervision and examination of BSA compliance programs. The fourth issue – the SAR and CTR thresholds – is included in the compliance cost section.

Finally, and as described above, I offer a solution to how the public sector can provide more effective feedback to the private sector so the private sector can more effectively and efficiently meet its obligations to provide timely, actionable intelligence to government authorities – the TSV SAR. This is not the only solution; indeed, we need more public/private sector partnerships, we need to move to cross-institutional and cross-jurisdictional collaborative investigations, we need more effective information sharing, and we need more efficient and effective monitoring/surveillance, alerting, investigations, and reporting. But the key to any reform is public sector feedback: I’m offering the TSV SAR as the vehicle for that feedback.  

Five U.S. Government Publications

FinCEN’s Suspicious Activity Report (SAR) Cost & Burden Estimate

On May 26, 2020, FinCEN published a notice in the Federal Register titled “Proposed Updated Burden Estimate for Reporting Suspicious Transactions Using FinCEN Report 111 – Suspicious Activity Report”. This is a notice required under the Paperwork Reduction Act, or PRA: agencies are required to periodically assess and estimate the burdens and costs of their regulatory regimes.

This was the first such notice where: (1) FinCEN has been able to analyze the SAR Database to quantitatively assess the numbers, characteristics, and types of SARs, by institution type, by type of work required to be done, and by what types of involved positions; and (2) perhaps just as important, FinCEN has shown a willingness to provide this information and to seek feedback from the private sector on other available information that could be incorporated into future analyses. FinCEN must be commended for both.

In prior PRA notices, FinCEN has simply estimated that the SAR filing process takes a total of two hours for each and every SAR filed. With this notice, FinCEN identified and attempted to capture burden and cost estimates for five categories of SARs, two types of filing (batch and discrete), three of the six stages in the SAR filing process, and the four types of positions involved in the process.

Five categories of SARs: (1) depository institutions’ (banks and credit unions) original SARs with standard content; (2) depository institutions’ original SARs with extended content; (3) non-depository institutions’ original SARs with standard content; (4) non-depository institutions’ original SARs with extended content; and (5) all filers’ continuing activity SARs. The standard and extended content analysis looked at combinations of (1) the number of named suspects; (2) the number of suspicious activities’ categories marked on the SAR form; (3) the length and make-up of the narrative; and (4) whether there was an attachment.

Six stages in the SAR filing process: (1) maintaining a monitoring system; (2) reviewing alerts; (3) transforming alerts into cases; (4) case review; (5) documentation of the SAR/no SAR determination; and (6) the SAR filing process. The current two-hour per SAR PRA estimate only considered the 6th stage: this notice added the 4th and 5th stage, and FinCEN acknowledged that it needs further data, and comments from the private sector, in order to include the 1st, 2nd, and 3rd stages.

Four types of people: (1) general supervision (oversight); (2) direct supervision; (3) clerical (SAR investigation); and (4) clerical (filing).

With this notice, FinCEN is changing its PRA burden estimate of 120 minutes per SAR to an estimate ranging from 25 minutes to 315 minutes per SAR for the last 3 of the 6 stages in the SAR filing process, and is inviting comments on these new estimates and on how to include and estimate the first 3 of the 6 stages.[2]

US Attorney’s Annual Statistical Report, Fiscal Year 2019

The DOJ statistical reports are available going back to fiscal year 1955 (the federal government’s fiscal year ends on September 30th). They are available at https://www.justice.gov/usao/resources/annual-statistical-reports. These reports provide an incredible amount of information on federal criminal cases by US Attorney’s office, by major type of criminal offence, by number of cases filed and completed, how they are completed (guilty, not guilty, dismissed, other), whether dispositioned in district court or by magistrate, length of case, etc.

US Sentencing Commission’s Statistical Information Packets, Fiscal Year 2019

Since at least 1996 the US Sentencing Commission has published summaries of federal criminal cases by district court, by types of crimes, by guilty pleas versus trial, sentence type and term, whether above or below the guidelines and why, etc. The fiscal year 2019 reports are available at https://www.ussc.gov/research/data-reports/geography/2019-federal-sentencing-statistics. The Sentencing Commission data generally aligns with the US Attorney’s data, although there are some differences that I cannot explain (nor have I made formal inquiries). For example, the US Attorneys’ data shows a total of 73,934 defendants pled or were found guilty, while the USSC data shows 76,538 defendants were sentenced. The programs (US Attorneys’ data) and types of crimes (USSC) generally aligned, although there were differences there, also. For example, the US Attorney’s data showed  221 defendants pled or were found guilty under the program heading “money laundering”, while the USSC data shows 1,177 defendants were sentenced for money laundering.

I have included a summary of the Department of Justice’s US Attorneys’ Annual Statistical Report for Fiscal Year 2019. Where the GAO report includes information on how law enforcement uses BSA reports, and whether those reports are useful, it doesn’t indicate how many cases, and what kinds of cases, federal law enforcement agencies bring. Neither the US Sentencing Commission’s Statistical Information Packets nor the US Attorney’s Annual Statistical Report link BSA reports to criminal cases: that remains the undiscovered Holy Grail. Regardless, the US Attorneys’ information is enlightening and, in many respects, concerning.

FinCEN’s Advance Notice of Proposed Rule-Making on BSA/AML Program Effectiveness

On September 16, 2020 FinCEN published a notice seeking public comment for potential regulatory amendments to require all covered financial institutions to maintain an “effective and reasonably designed” AML program that (1) assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN consistent with the proposed amendments; (2) provides for compliance with Bank Secrecy Act requirements; and (3) provides for the reporting of information with a high degree of usefulness to government authorities. The intent of the proposed changes is to “modernize the regulatory regime to address the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of anti-money laundering programs.”

Currently, financial institutions must have programs that assess and manage financial crimes risk and meet the requirements of the BSA laws and regulations. The critical change is the addition of a third program requirement: providing reports that have a high degree of usefulness to government authorities. This is critical: the very purpose of the BSA laws and regulations (set out in the first AML statute in 1970 and codified at 31 USC s. 5311) is “to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.” Currently there is no express requirement that financial institutions’ BSA programs address the very purpose of the BSA.

But as explained in the conclusions and recommendations, there currently is no way to determine what “useful” means, how it would be measured, and which records or reports are, in fact, useful, and for what purposes.

The GAO Report on Use & Usefulness of BSA Reports

On September 22, 2020, the United States Government Accountability Office (GAO) issued a report that addressed these very concerns about the use made of, and usefulness of, BSA reports, and the costs to produce those reports and maintain the required programs. Titled “Anti-Money Laundering: Opportunities Exist to Increase Law Enforcement Use of Bank Secrecy Act Reports, and Banks’ Costs to Comply with the Act Varied”, the Report was addressed to Representative Blaine Luetkemeyer (R. MO 3rd), the Ranking Member of the Subcommittee on Consumer Protection and Financial Institutions, Committee on Financial Services, House of Representatives. The report, GAO-20-574, is available at https://www.gao.gov/assets/710/709547.pdf.

The Report is lengthy – 214 pages – and covers four main topics or issues and poses two questions relating to FinCEN’s role in BSA/AML supervision and examination:

  1. Law enforcement’s use of Bank Secrecy Act (BSA) reports – pages 14 to 36 with details and supporting information in Appendix II
  2. A survey of eleven representative banks’ and credit unions’ direct costs of running a BSA/AML compliance program – pages 36 to 60 with details and supporting information in Appendix III
  3. A discussion of regulators’ supervision and examination of BSA/AML compliance programs – pages 60 to 65
  4. A discussion of proposed changes to reporting thresholds, sharing of information, and using innovative technologies – pages 65 to 75
  5. A discussion whether FinCEN should adopt the SEC practice of issuing “No Action Letters” (Appx V)
  6. A discussion of whether FinCEN should conduct BSA/AML examinations (Appx VI)

The GAO did its work from September 2018 through September 2020, using information and data from 2015 – 2018. It surveyed six federal law enforcement agencies, eleven banks and credit unions, and six trade associations. The Report is data-intensive: it includes 123 Tables and 16 Figures. Like all GAO reports, it is well written, uses plain language, fairly represents the issues, and, where appropriate, makes recommendations.

Issue 1 – Law Enforcement Use of BSA Reports

The Law Enforcement Agencies

The GAO surveyed six federal law enforcement agencies that were the main users of FinCEN’s BSA database in 2018. I noted that the US Postal Inspection Service was not included.

The table below shows the relative sizes of the agencies, which drive the sample sizes required for statistical integrity. The GAO sent surveys out to select positions within the agencies to get a representative sample. As can be seen, the overall response rate was 57.2%: note the IRS-CI response rate of 75.5%. The IRS-CI also stood out throughout the Report as having higher than average usage rates of all BSA reports.

Figure 3, below, summarizes the percentages of law enforcement personnel from the six agencies that used BSA reports to start or assist on new investigations, conduct or assist with ongoing criminal investigations, to analyze patterns, trends, and issues associated with criminal activity, and to work on criminal prosecutions. Almost three-quarters of respondents use BSA reports to conduct or assist with ongoing investigations. Notably, only 41% of the respondents indicated that they used BSA reports for analyzing trends or patterns. And as can be seen in Figure 3, the IRS-CI is a prodigious consumer of BSA reports.

Use and Usefulness of BSA Reports

Some of the more interesting findings in the Report are in the details of how frequently law enforcement used the five main BSA reports in their work, and whether they found those reports useful.

The table below is a summary of twelve different tables from Appendix II of the Report. The table provides a high-level snapshot on the use and usefulness of the main types of BSA reports. The color-coding is intended to highlight some of the clear trends:

  • Across the six agencies, SARs and CTRs were the most commonly used reports, but still were only used “almost always” or “frequently” about half the time. But when used, SARs and CTRs were found to be very useful or somewhat useful the majority of the time.
  • The Form 8300 usage and usefulness data suggests that there is an opportunity for improving the overall utilization of these reports. Forms 8300 are prepared and submitted by non-financial businesses when they receive cash greater than $10,000. For example, a car dealer receiving $12,000 in cash must submit a Form 8300.

Law Enforcement Use of BSA Reports By Type of Potential Crime

Figure 6 summarized the results of questions posed to law enforcement on whether they used BSA reports for ten criminal activities.[3]  I found the 27% positive response rate for human trafficking indicated a potential for better public/private sector outreach.[4]

Human Trafficking and BSA Reports

I’ll pause to include some detail on the findings relating to human trafficking, one of the worst crimes impacting the most vulnerable parts of global society.[5] The Report notes that “human trafficking and human smuggling were added to the SAR form as separate suspicious activity categories in 2018. Before that time, personnel working in these areas did not have a systematic mechanism to identify potentially relevant reports when starting investigations or analyzing criminal activities.” And, in a footnote (footnote 60, page 25): “In a 2014 advisory, FinCEN encouraged banks to use common terms to report on human smuggling and human trafficking activities in the written portion of the SAR. According to law enforcement agency staff we spoke with, agencies perform key word searches of SARs to identify reports on a specific topic or activity, but officials with two of the six law enforcement agencies we spoke with noted that the effectiveness of this approach can be limited because financial institutions may use different terms on the form to describe similar activities.”

At page 7 of the Report the GAO notes that “[a]ccording to Treasury’s 2018 National Money Laundering Risk Assessment, the crimes that generate the bulk of illicit proceeds in the United States are fraud, drug trafficking, human smuggling, human trafficking, organized crime, and corruption.” Given that, and the revision of the SAR form in 2018 to add a specific category for human trafficking, one would expect a lot of human trafficking SARs to have been filed in 2019 and 2020. But that is not the case: in the first 8 months of 2020 FinCEN’s SAR Statistics data (https://www.fincen.gov/reports/sar-stats) shows only 1,822 SARs with the category “human trafficking” (out of 1,574,353 total SARs filed). This is down from 2019 filings: for the same eight-month period in 2019, there were 2,478 SARs flagging human trafficking as the suspicious activity (out of 1,527,881 total SARs filed in that period).

Alternatives to BSA Reports?

This Report focused on law enforcement’s use of BSA reports, and whether those reports were useful. But the GAO correctly asked questions about whether there were alternatives to BSA reports that were more readily and easily available to law enforcement. At page 25 the GAO wrote: “we estimated that at least 74 percent of law enforcement personnel who used BSA reports in their work on investigation, analysis, or prosecutions from 2015 through 2018 reported either having no alternative source of information or having an alternative source that was less efficient. Those alternative sources include surveillance, warrants, and grand jury subpoenas. Figure 7, below, provides the details.

FinCEN’s Duties and Powers – to Maintain and Disseminate

This section (pages 27 to 35) of the Report addresses the foundational duties and powers of FinCEN, and doesn’t paint a very positive picture. In footnote 63 on page 27 the GAO writes: “Congress gave FinCEN responsibility for operating a government-wide data access service for SARs, CTRs, and other BSA reports. See 31 U.S.C. § 310(b)(2)(B). Treasury is further tasked with establishing and maintaining operating procedures that allow for the efficient retrieval of information from FinCEN’s BSA database, including by cataloguing the information in a manner that facilitates rapid retrieval by law enforcement personnel of meaningful data. See 31 U.S.C. § 310(c).”

The actual language of 31 U.S.C. § 310(b) is instructive. 31 U.S.C. § 310(b)(2) sets out the duties and powers of the Director of FinCEN as follows:

(A) Advise and make recommendations on matters relating to financial intelligence, financial criminal activities, and other financial activities to the Under Secretary of the Treasury for Enforcement.

(B) Maintain a government-wide data access service, with access, in accordance with applicable legal requirements, to the following: (i) Information collected by the Department of the Treasury, including report information filed under subchapter II of chapter 53 of this title (such as reports on cash transactions, foreign financial agency transactions and relationships, foreign currency transactions, exporting and importing monetary instruments, and suspicious activities) …

(C)  Analyze and disseminate the available data in accordance with applicable legal requirements and policies and guidelines established by the Secretary of the Treasury and the Under Secretary of the Treasury for Enforcement to– (i) identify possible criminal activity to appropriate Federal, State, local, and foreign law enforcement agencies; (ii) support ongoing criminal financial investigations and prosecutions and related proceedings, including civil and criminal tax and forfeiture proceedings … (v) determine emerging trends and methods in money laundering and other financial crimes; (vi) support the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism;  and (vii) support government initiatives against money laundering.

These three duties and powers can be summarized as (1) providing advice to the Under Secretary of the Treasury for Enforcement, (2) maintaining an accessible FinCEN BSA database, and (3) analyzing and disseminating financial crimes data to federal, state, local, and foreign law enforcement agencies. The GAO report concludes that FinCEN can improve in two of its three duties.

Law Enforcement Access to FinCEN’s BSA Database

The GAO found that 85% of federal agencies had direct access to the FinCEN BSA database, but only 54% of state agencies had direct access, and only 1% of local and county agencies had direct access (page 27).

In the section beginning on page 30 titled “FinCEN Lacks Written Policies and Procedures to Help Ensure That Agencies without Direct Access Use BSA Reports to the Greatest Extent Possible” were the following observations:

  • “Thirty-two state attorney general offices, including offices that prosecute criminal cases involving money laundering, such as organized crime, public corruption, and human trafficking, did not have direct access” to the FinCEN database.
  • “Twenty-one of the 50 largest local police departments, which investigate crimes that could involve money laundering, such as drug trafficking, financial crimes, cybercrimes, terrorism, and human trafficking, did not have direct access” to the FinCEN database.

The GAO noted (page 32) that FinCEN “scores” law enforcement agencies seeking direct access, and that it denied 40 of 103 applications from 2015 through 2018. In addition to gaining direct access to the BSA database, law enforcement agencies can request searches. But in 2018, only 4% to 8% of the roughly 15,000 state and local police departments requested searches. The GAO wrote “[a]ccording to FinCEN officials, they do not have policies and procedures to promote the use of BSA reports to law enforcement agencies without direct access.” But FinCEN disputed this finding in its response (see Appendix VII, page 194).

FinCEN Disseminating Information to Law Enforcement

As set out above, 31 USC section 310(b)(2)(B) – (E) set out the duties and powers of the Director of FinCEN. The GAO describes these at page 34 as requiring FinCEN to disseminate BSA reports to identify possible criminal activity to appropriate federal, state, tribal, and local law enforcement agencies.

In other words, in addition to opening up its BSA database, FinCEN has a duty to “analyze and disseminate the available data” to federal, state, and local law enforcement agencies. The GAO found (at page 34) that “FinCEN’s written policies and procedures do not specifically address how to achieve that outcome.”

It appears that FinCEN could do more to proactively reach out to law enforcement. This is another area of opportunity for FinCEN. As the country’s financial intelligence unit, or FIU, it has the duty and responsibility to provide actionable intelligence to law enforcement – to disseminate information to law enforcement. It is, and should be, more than a financial information depository organization.

Issue 2 – The BSA/AML Compliance Cost Burden

The GAO included a representative sample of four credit unions and seven banks.[6] The key attributes of the eleven surveyed financial institutions are in Appendix III. I summarized multiple tables containing the details of the eleven institutions into one table:

Some observations on US banks and credit unions are warranted in order to put these eleven institutions in some sort of context. I will use data from roughly the time these institutions were selected.

  • There are 4 banks with assets of $1 trillion or more. These four banks have a total of $7.2 trillion in assets. The other 5,367 banks have combined assets of $11 trillion.
  • The next 40 largest banks have assets between $50 billion and $500 billion. The two “Very Large Banks” in this report are on the small end of that range.
  • There are 188 banks with assets between $5 billion and $50 billion. The “Large Bank” in this report is at the small end of that range.
  • The majority of US banks – 2,847 or 53% – have assets less than $250 million. The two “Small Community Banks” in this report are in the middle of this range.
  • Of the ~5,200 credit unions, only 7 of them have assets of more than $10 billion, and the largest, Navy Federal Credit Union, is less than $100 billion in assets.

I found it curious, and could not find an explanation, that the “Large Credit Unions” were both smaller than $200 million in assets: there are more than 300 credit unions that have more than $1 billion in assets. It would have been instructive to have one of these larger credit unions and even one of the seven of the largest credit unions.

Also, the GAO was careful not to select a bank or credit union that was under spending duress from a recent enforcement action (“we used information from the federal banking agencies to confirm that the banks we selected were not subject to BSA/AML-related formal enforcement actions in recent years”). Also notable, the GAO “did not assess the quality of banks’ BSA/AML programs.” (footnote 88, page 36).

The GAO considered the overall direct costs of running a BSA/AML program, as well as breaking out those costs into five main components of a BSA/AML program: customer due diligence, reporting, the four pillars, software and consultants, and a catch-all “other” made up of monetary instrument reporting, funds transfer recordkeeping, information sharing, and special measures.

Estimated Total Direct Costs for BSA/AML Compliance Programs

Figure 8 summarizes the estimated direct costs for each of the eleven banks. “Direct” costs were defined as labor, software, and third-party costs, and did not include indirect costs such as office space or depreciation on computer systems. The GAO noted that the estimate for Very Large Bank B, based on interviews, surveys, and reviewing budget documents, of $15 million was comparable to the actual budget of the bank’s BSA/AML Department of $13 million.

The GAO also included seven other recent (2016-2018) cost of compliance studies in Appendix IV of the Report. It noted that a 2018 Bank Policy Institute survey of fourteen large banks found that the median program cost for banks in the $50 billion to $200 billion range was $25 million, and the median program cost for the mega banks (those with assets over $500 billion) was $600 million.

I observed (and describe below) that the average cost per SAR of the largest bank in this survey (roughly $100), extrapolated out to the 150,000 SARs the four mega banks file (on average) would result in SAR filing costs alone of $150 million. This Report also suggests that SAR filing accounts for 25% of total program costs, meaning the four mega banks would have total program costs of $600 million. This aligns with the BPI survey.[7]

Estimated Direct Costs by BSA Program Component

Figure 10 on page 41 breaks out the relative costs for the five main program components. What is clear is that Customer Due Diligence (CDD) requirements and BSA reporting – primarily SAR reporting – make up the majority of the program costs.

All the credit unions and the two small community banks opened less than 1,000 new customer relationships in 2018. The smallest institutions had very manual CDD processes, thus relatively higher costs, and the larger institutions had more automated processes, thus relatively lower costs. The larger banks all had more automated processes: sheer volumes of new customers, and the complexities of those customers, contributed to the higher relative costs.

Cost of Customer Due Diligence

The analysis of the cost of customer due diligence began at page 42. The GAO noted “For the 11 banks in our review, estimated costs for complying with the customer due diligence requirements ranged from about 15 percent to about 59 percent of total direct BSA/AML costs. These requirements collectively were more costly than any other BSA/AML requirement (as a percentage of total costs) for five of the 11 banks, including the four largest.”

The per-account costs seemed low to me. Table 1 showed that the selected banks spent an estimated average of $15 per new account to comply with the customer due diligence requirements in 2018, and per-account costs ranged from $5 to $44. That table is summarized here.

As a general rule, legal entity customers take longer to onboard than natural persons. Small Credit Union B, which opened fewer than 200 accounts at a cost of $8 per account, opened only one account in 2018 for a legal entity. Its average cost per new account was $8. Very Large Bank A, on the other hand, opened over 36,000 legal entity accounts in 2018 at a total cost of ~$3.7 million or $103 per legal entity account. Using a fully-loaded cost of $75,000 and 1,720 effective hours in a year gives an hourly rate of $43.60. That would suggest that this Very Large Bank took about 2.5 hours to onboard a legal entity customer.

Implementation Costs of the Beneficial Ownership Requirement

Page 43 of the Report had an interesting sidebar. It provided:

The 11 banks we studied also incurred onetime implementation costs to comply with the new beneficial ownership requirement for legal entity customers, which has an applicability date of May 11, 2018, as part of the Financial Crimes Enforcement Network’s final rule on Customer Due Diligence Requirements for Financial Institutions.

Banks we reviewed incurred costs to research the new requirement, update policies and procedures, revise information collection systems, and train personnel. However, implementation costs varied. For example:

    • Small credit union B ($50 million or less in total assets), which opened only one legal entity account in 2018, spent under $100 to implement the new requirement, including to update policies and train personnel.
    • Very large bank A ($101 billion or more in total assets), which opened over 36,000 legal entity accounts in 2018, spent an estimated $3.7 million. Bank representatives told us that they assigned two senior compliance personnel to the implementation project over a 2-year period, updated hardware and software systems, and trained approximately 4,000 bank personnel on the new requirement.

Cost of Suspicious Activity Reports

The GAO looked at the costs of all BSA reports: SARs, CTRs, and others (CMIRs, FBARs, DOEPs). All of these reports together accounted for an average of 28% of the total cost of running a BSA/AML program, but the SAR-related costs accounted for 90% of the total reporting costs. They also noted that the bulk of the SAR costs – 83% – were incurred in monitoring for and investigating suspicious activity alerts. They described “investigating” as including the time banks spent initially reviewing an alert, escalating it to an investigation, and deciding whether to file a SAR, so it appears that the other 17% of the costs related to preparing and filing the actual SAR, as well as the long-term recordkeeping requirements.

Table 2 on page 47 of the Report provides the number of SARs, and average estimated cost per SAR filed, for the eleven financial institutions. I added a third column for the institution’s SAR filing frequency compared to its peer institutions.

I have two observations from Table 2. Observation A relates to Large Community Bank A, which filed only 9 SARs in 2018 (putting it in the bottom quarter in number of SARs filed within its peer group). The Report notes that this bank reported that it generated 7,000 Alerts that resulted in 60 Cases that generated 9 SARs. That is an Alert/SAR ratio of 0.13%, or a false positive rate of 99.87%.

The second observation (B) relates to Small Community Bank B, also in the bottom 25% in number of SARs filed in its peer group. That bank filed two SARs. It reported that both related to elder financial abuse and both took about 80 hours to investigate and report. $17,691 divided by 160 hours is $110.57 per hour, suggesting that more senior people were involved in the SAR investigation.

GAO’s Survey and FinCEN’s SAR Burden and Cost Estimate

The third observation requires me to pull in a SAR cost and burden estimate that was recently published by FinCEN. Recall that earlier this year (May 26, 2020) FinCEN published a request for comments on its estimates of the costs and burden of filing SARs. Whereas the GAO considered the total SAR process – monitoring, the initial review of alerts, escalating alerts to a “case” (to an investigation), conducting the investigation, making the SAR/No SAR decision, preparing and filing the actual SAR, and the long-term recordkeeping requirements – FinCEN’s analysis only considered the process from the “case” forward: conducting the investigation, making the SAR/No SAR decision, preparing and filing the actual SAR, and the long-term recordkeeping requirements. FinCEN concluded that “simple” SARs (about 83% of all SARs) took between 45 and 75 minutes each; “complex” SARs (about 2% of all SARs) took between 205 and 315 minutes; and “Continuing activity” SARs (about 15% of all SARs) took between 25 and 45 minutes.[8]

So I compared FinCEN’s estimates with what the GAO found. The results are interesting.

First, I used a fully-loaded cost of $75,000 per full time equivalent (FTE) and 1,720 effective hours in a year to get an hourly rate of $43.60. For mathematical simplicity, I reduced that to $40 per hour. Second, I took the average time for each of the three types of SARs that FinCEN identified:

  • Simple SARs: 83.3% of SARs taking 45 to 75 minutes each = 60 minutes, or 1.0 hour
  • Complex SARs: 1.6% of SARs taking 205 to 315 minutes each = 260 minutes or 4.33 hours
  • Repeat SARs: 15.1% of SARs taking 24 to 45 minutes each = 35 minutes or 0.58 hours

As can be seen, the GAO survey results were very different than the FinCEN estimates. The biggest reason is that the GAO results included the costs of generating alerts and dispositioning the alerts – either deciding to open a case and conduct an investigation, or closing the alert without doing an investigation. Recall my observation on Large Community Bank A, which had 7,000 alerts but only 60 cases and 9 SARs. The GAO survey included the cost of making a determination on the 6,940 alerts that did not result in a case investigation, and on the 51 investigations that did not result in a SAR. The FinCEN methodology only considered the costs of the case investigations and SARs. And Small Community Bank B, where FinCEN’s methodology was 45,000 percent less than the GAO survey, reflects the fact that each of those two SARs took that bank 80 hours (they were elder financial exploitation cases, which are always very time intensive).

This is not a criticism of FinCEN’s methodology, but a call for a more fulsome analysis of all the aspects of suspicious activity monitoring, alert generation, alert disposition, case management, investigations, SAR decisions, preparation, filing, recordkeeping, and responding to law enforcement requests for supporting documentation.

Proposed Changes to the SAR Threshold

Part IV of the Report, beginning on page 68, includes a section on whether to increase the SAR reporting threshold from $5,000 to $10,000. I’m including a summary of that section here, for continuity purposes.

The GAO noted that there have been Congressional efforts (bills) to increase the mandatory SAR filing threshold from $5,000 – first set in 1996 – to $10,000.[9] The result, according to an analysis by FinCEN, would be 21% fewer SARs filed by depository financial institutions (banks and credit unions).

How many SARs is 21%? Using FinCEN’s SAR Stats – https://www.fincen.gov/reports/sar-stats – for calendar year 2018 (which the GAO was using for its Report), based on the primary federal regulator, we find:

118,113 SARs filed by Credit Unions (NCUA regulated entities)

859,590 SARs filed by Banks (FDIC, FRB, OCC)

873,479 SARs filed by Money Services Businesses (IRS)

319,991 SARs filed by All Others (multiple regulators)

2,171,173 Total SARs filed in 2018

Law enforcement disagreed with increasing the mandatory SAR reporting threshold: “Officials from six federal law enforcement agencies expressed concerns that raising the SAR threshold, as with the CTR threshold, would reduce the amount of financial intelligence available to law enforcement agencies and harm their investigations … Officials said that the nature of the suspicious activity, such as human trafficking and terrorist financing, can be more relevant than the amount of money involved.” (page 68). I agree. And so do many banks: according to this Report, banks filed ~44,000 SARs reporting amounts less than $5,000, roughly 5% of all bank SARs filed in 2018.

In addition, law enforcement found SARs to provide a high degree of usefulness: at page 69 it is noted that 53% of the law enforcement agents used SARs frequently, and 50% found them to be very useful.[10]

There was also a discussion on streamlining SAR filings for structuring.[11] In footnote 137 on page 70, the GAO described structuring as follows:

According to FinCEN, structuring can take two basic forms. First, a customer might deposit currency on multiple days in amounts under $10,000 for the intended purpose of circumventing a bank’s obligation to report any cash deposit over $10,000 on a CTR. Although such deposits do not require aggregation for currency transaction reporting because they occur on different business days, they nonetheless meet the definition of structuring under the BSA, implementing regulations, and relevant case law. In another variation, a customer may engage in multiple transactions during 1 day or over a period of several days or more, in one or more branches of a bank, in a manner intended to circumvent either the currency transaction reporting requirement or some other BSA requirement, such as the recordkeeping requirements for funds transfers of $3,000 or more.

This description makes structuring seem like an easy thing to detect, alert on, investigate, and report. It isn’t, or, rather, the variations of structuring are not always easy to detect, alert on, properly and thoroughly investigate, and accurately report. There are often multiple parties, co-signers, non-accountholder depositors involved in multiple, related transactions; there can be multiple branches, ATM deposits, or cash vault deposits made in multiple (but somehow related) accounts. Very few structuring cases involve one customer with one account and one branch over a one- or two-day period. Banks and industry groups have suggested “auto-filing” “simple structuring” SARs or reducing or eliminating the narrative portion for structuring SARs. Law enforcement does not support either initiative.

Sharing SARs With Foreign Branches

There is a quirk in the regulations and regulatory guidance around the sharing of SARs, or information that would lead to the discovery of a SAR, with the foreign branches of a US financial institution. The discussion begins on page 71 of the Report. Notably, only 34 banks, out of the 5,250 banks in the US at the time of the Report, have one or more foreign branches (in 65 countries), so this issue is limited to only a few of the largest, most complex, international financial institutions. The issue is complex, but can be summarized as follows:

  • A US branch of a foreign bank may disclose a SAR to its head office outside the United States
  • A US bank may not disclose a SAR to its branch offices outside the United States

The GAO, FinCEN, and the private sector all agree that greater clarity and consistency are required, particularly given the international nature of many transactions, if not financial institution structures.

Cost of Currency Transaction Reports

At page 49 the GAO noted “banks generally must file a CTR when a customer conducts a transaction in currency of more than $10,000 in aggregate over 1 day.”

If only it were that simple. The 2014 edition of the FFIEC BSA/AML Examination Manual devotes a page to explaining the CTR requirement:

A bank must electronically file a Currency Transaction Report (CTR) for each transaction in currency (deposit, withdrawal, exchange, or other payment or transfer) of more than $10,000 by, through, or to the bank. Certain types of currency transactions need not be reported, such as those involving “exempt persons,” a group which can include retail or commercial customers meeting specific criteria for exemption …

Aggregation of Currency Transactions

Multiple currency transactions totaling more than $10,000 during any one business day are treated as a single transaction if the bank has knowledge that they are by or on behalf of the same person. Transactions throughout the bank should be aggregated when determining multiple transactions.

In cases where multiple businesses share a common owner, the presumption is that separately incorporated entities are independent persons. The currency transactions of separately incorporated businesses should not automatically be aggregated as being on behalf of any one person simply because those businesses are owned by the same person. Financial institutions should determine, based on information obtained in the ordinary course of business, whether multiple businesses that share a common owner are being operated independently depending on all the facts and circumstances.

However, if a financial institution determines that these businesses (or one or more of the businesses and the private accounts of the owner) are not operating separately or independently of one another or their common owner (e.g., the businesses are staffed by the same employees and are located at the same address, the bank accounts of one business are repeatedly used to pay the expenses of another business, or the business bank accounts are repeatedly used to pay the personal expenses of the owner) the financial institution may determine that aggregating the businesses’ transactions is appropriate because the transactions were made on behalf of a single person.

If a financial institution determines that the businesses are independent, then it should not aggregate the separate transactions of these businesses. Alternatively, once a financial institution determines that the businesses are not independent of each other or their common owner, then the transactions of these businesses should be aggregated going forward. (2014 Exam Manual, page 82, three footnotes omitted)

The paragraph that describes the complexities of CTRs is “multiple currency transactions totaling more than $10,000 during any one business day are treated as a single transaction if the bank has knowledge that they are by or on behalf of the same person. Transactions throughout the bank should be aggregated when determining multiple transactions.” This same paragraph is the source of the wide range in regulatory expectations across the industry, as some institutions do not have the systems or other capabilities (they lack knowledge) to aggregate across conductors, across accounts, across delivery channels. The Exam Manual instructs examiners to “determine whether the bank aggregates all or some currency transactions within the bank.” (page 87). But not all institutions can, nor do all examiners expect their institutions to, identify and aggregate all cash transactions conducted at bank branches, cash vaults (and those can be outsourced to other institutions), ATMs, and even mail-in services. As a result, determining who is conducting the cash transaction(s), on whose behalf the transaction(s) are being done, through which delivery channel(s), can be so daunting for smaller institutions that they don’t do it, and their regulators don’t expect them to do it.
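
The gap between per-account totals and the “by or on behalf of the same person” aggregation quoted above, as an added example (it is not code from the GAO Report, FinCEN, or the Exam Manual). The party identifiers, channel names, the related-business mapping, and every transaction are constructed, and only cash deposits are modeled.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# A CTR is required for currency transactions of MORE than $10,000 in one business day.
CTR_THRESHOLD = Decimal("10000")


@dataclass(frozen=True)
class CashDeposit:
    business_day: date
    account: str
    channel: str       # constructed labels: branch, atm, vault, mail
    conductor: str     # who physically made the deposit ("by")
    beneficiary: str   # whose funds they are ("on behalf of")
    amount: Decimal


def aggregate_by_account(deposits):
    """What a system sees when it can only total cash per account per day."""
    totals = defaultdict(Decimal)
    for d in deposits:
        totals[(d.business_day, d.account)] += d.amount
    return {k: v for k, v in totals.items() if v > CTR_THRESHOLD}


def aggregate_by_person(deposits, related_businesses):
    """Total cash per business day for every person it was deposited by or on behalf of.

    related_businesses maps an entity to a group id ONLY where the bank has
    determined the businesses are not operating independently; separately
    incorporated businesses are otherwise presumed independent.
    """
    totals = defaultdict(Decimal)
    channels = defaultdict(set)
    for d in deposits:
        # A set, so a self-conducted deposit is counted once, not twice.
        parties = {related_businesses.get(p, p) for p in (d.conductor, d.beneficiary)}
        for party in parties:
            key = (d.business_day, party)
            totals[key] += d.amount
            channels[key].add(d.channel)
    return {k: (v, sorted(channels[k])) for k, v in totals.items() if v > CTR_THRESHOLD}


D1, D2 = date(2018, 3, 5), date(2018, 3, 6)
A = Decimal

# Constructed sample data.
SAMPLE_DEPOSITS = [
    # One person, three accounts, three channels, one courier: $10,500 in a day.
    CashDeposit(D1, "ACC-1", "branch", "P-ALICE", "P-ALICE", A("4000")),
    CashDeposit(D1, "ACC-2", "atm", "P-ALICE", "P-ALICE", A("3500")),
    CashDeposit(D1, "ACC-3", "vault", "P-BOB", "P-ALICE", A("3000")),
    # Same person on the next business day: not aggregated for CTR purposes.
    CashDeposit(D2, "ACC-1", "branch", "P-ALICE", "P-ALICE", A("9000")),
    # Two businesses the bank has determined are NOT independent.
    CashDeposit(D1, "ACC-CAFE", "branch", "P-CAROL", "E-CAFE", A("6000")),
    CashDeposit(D1, "ACC-BAR", "branch", "P-CAROL", "E-BAR", A("5000")),
    # Two businesses with a common owner but presumed independent.
    CashDeposit(D1, "ACC-S1", "branch", "P-DAN", "E-SHOP1", A("6000")),
    CashDeposit(D1, "ACC-S2", "branch", "P-ERIN", "E-SHOP2", A("6000")),
    # Exactly $10,000 is not "more than $10,000".
    CashDeposit(D1, "ACC-4", "branch", "P-FRANK", "P-FRANK", A("10000")),
]
RELATED_BUSINESSES = {"E-CAFE": "GROUP-1", "E-BAR": "GROUP-1"}

if __name__ == "__main__":
    print("per-account CTR candidates:", aggregate_by_account(SAMPLE_DEPOSITS))
    for (day, party), (total, chans) in aggregate_by_person(
        SAMPLE_DEPOSITS, RELATED_BUSINESSES
    ).items():
        print(f"{day} {party}: ${total} via {', '.join(chans)}")
```

On this sample the per-account view reports nothing, while the person-level view reports three aggregates; the day-two deposit stays outside CTR aggregation and is a question for suspicious activity monitoring instead.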

I expect that the low time and cost estimates in this Report are a result, in part, of a lack of identification of all conductors, beneficiaries, and delivery channels. The GAO estimated that the costs to identify, research, complete, and file a CTR ranged from about $3 to about $12 (or about $7 on average) for the 11 banks.

Proposed Changes to the CTR Threshold

The Report considered the impact of increasing the CTR threshold (pages 65-67). Increasing the CTR threshold has been the most common, and in my opinion least understood, proposal to reduce banks’ BSA compliance burdens. Proponents of increasing the threshold commonly point out that the $10,000 threshold was set when the BSA was first enacted in 1970. As the GAO notes:

FinCEN’s analysis indicates that … increasing the CTR threshold from $10,000 to $20,000 would have resulted in banks filing around 65 percent fewer CTRs. Increasing the threshold to $30,000 would have resulted in banks filing around 81 percent fewer CTRs. Finally, increasing the threshold to $61,276 (original 1970 threshold adjusted for inflation) would have resulted in banks filing around 94 percent fewer CTRs.

As with the arguments for raising the SAR threshold to account for inflation, these arguments are misguided and ill-informed. First, the original 1970 threshold of $10,000 was for a single cash transaction: there was no aggregation. Second, that threshold was established before ATMs, before credit cards, before mobile or online or other electronic banking. I argue that single cash transactions of $5,000 are even rarer or more unusual today than cash transactions of $10,000 were twenty, thirty, or forty years ago. Multiple Federal Reserve studies show that the average cash transaction is less than $20, and the median cash transaction is $2 – $3. A more effective way to reduce overall compliance costs is to simplify the CTR reporting requirement to single cash transactions greater than $10,000 (allowing for fully automated reporting), leaving all other aggregated cash transactions and the “by or on behalf of” identification and analysis to the Suspicious Activity Report.

I agree with law enforcement’s opposition to raising the CTR threshold:

Officials from six federal law enforcement agencies told us that they generally oppose raising the CTR threshold, largely because it would reduce the amount of financial intelligence available to them for investigations, analysis, and prosecutions. For example, fewer CTRs could reduce opportunities for law enforcement to link financial transactions to criminal activity and identify subjects, coconspirators, and assets related to ongoing investigations. Officials also said that increasing the CTR threshold would make it easier for criminals to launder greater amounts of illicit proceeds. Further, officials told us the $10,000 threshold may continue to be warranted because, as customers have shifted to electronic payments, large cash transactions may especially signal potentially suspicious activity. Finally, some officials said that law enforcement has used lower-dollar CTRs to investigate terrorism, fraud, and money laundering. (pages 66-67)

The GAO noted that five of the six industry associations that they interviewed generally supported increasing the CTR reporting threshold to reduce costs. But what costs would be reduced? I used the GAO data on the number of CTRs filed and average estimated costs, then reduced the number of CTRs filed by 65% (FinCEN’s estimated reduction in CTRs by moving the threshold to $20,000).

The result is that increasing the CTR threshold from $10,000 to $20,000 would materially reduce the compliance costs for only the largest banks: even the “Large Bank” would see its total compliance costs go down by only $5,240. Given that 42% of law enforcement uses CTRs frequently, 39% of them find CTRs very useful, and some of the most egregious crimes – human trafficking and terrorist financing – involve very small dollar amounts, these cost savings are not worth the potential human costs. I recommend that the $10,000 CTR threshold remain.

Cost of Managing Three (of Four (or Five?)) Pillars of a BSA/AML Program

There are four (or five) pillars to a BSA/AML program: a system of internal controls, a designated BSA compliance officer, independent testing (audit), and training.[12] The GAO considered the BSA compliance officer costs to be embedded in the other components of a program (CDD, reporting, training, etc.), so did not consider those costs separately. The GAO described internal controls as the policies, procedures, and processes banks use to manage risks and ensure compliance (pages 51-52). They considered the costs of updating policies, procedures, and processes and conducting a risk assessment, and concluded that the two very large banks spent $200,000 and $500,000, while the average of all the others was $1,800.

In multiple parts of the Report the GAO cautioned that their findings for these eleven banks cannot be generalized to other banks (see, for example, page 40). After seeing the results for the costs attributed to the system of internal controls, I agree. It is inconceivable to me that any financial institution in the United States, no matter how small, can spend $220 in personnel time to develop, maintain, update, and implement BSA/AML policies, procedures, and processes AND conduct annual and ongoing risk assessments to ensure those controls are appropriately risk-based. $220 is between 1 and 5 hours of time, depending on the position. It is simply not possible to run an effective, or even adequate, program for a year by dedicating 1 to 5 hours. In fairness, the GAO did not consider the effectiveness of any of the banks and credit unions it surveyed.

One thing did emerge from the data that may be worth commenting on. The two large credit unions indicated they spent $183 and $297 on their system of internal controls. Their two bank peers – the two large community banks – indicated they spend $3,232 and $4,379, or roughly fifteen times what the two credit unions spent. The GAO may consider an audit of the relative supervisory programs of the NCUA and FDIC.[13]

Cost of AML Software

I combined Tables 2 and 6 with Figure 14 to show the number of SARs filed, the average estimated cost per SAR filed (employee time), and the dedicated BSA/AML software costs (which are in addition to the estimated cost per SAR filed). The GAO noted that 10 of the 11 banks that used specialized software used it to assist with customer due diligence requirements, such as verifying customers’ identities and assigning risk profiles to their accounts. Eight of the 10 banks used surveillance monitoring software to identify suspicious activity. What this chart suggests is that transaction monitoring and customer surveillance monitoring and alerting systems, and case management systems to manage the investigative processes, are the most costly.

In an interesting section on pages 59-60 dealing with whether banks passed on their BSA/AML costs to their customers (they generally did not), the GAO noted that “at least six of the banks said they did not offer accounts to money services businesses because of the potentially greater and more costly due diligence, monitoring, and reporting involved.”

Issue 3 – Supervision/Examination of BSA Compliance Program

The GAO chose to use this statement as their sidebar/headline introducing this section of the Report on page 60: “Federal Banking Agencies Are Required to Conduct BSA Compliance Examinations and Cited Nearly a Quarter of Banks Under Their Supervision for BSA Violations”. That is an accurate, but deceptive statement. Two pages later, in another sidebar, the GAO wrote: “FinCEN Data Show Nearly a Quarter of the Examined Banks Had BSA Violations, but Many Violations Were Technical.” And then two pages later, in the last paragraph of this section on page 64, the GAO wrote that “the Federal Reserve, FDIC, and OCC issued 123 BSA-related formal enforcement actions in fiscal years 2015–2018 – representing less than 1 percent of the total BSA examinations that they conducted during the same period.”

This is unfortunate, as the message from the headline – a quarter of all banks are violating the BSA – is different from the reality – although a quarter of banks have technical violations of the BSA, less than 1 percent have substantive violations requiring formal enforcement actions.

Figure 15 (page 63) of the Report sets out the percentage of federal banking agency exams with BSA violations, by type of violation. As can be seen in the chart below, the most common type of violation was CTR (8.0%) then SAR (7.3%). Notably, an overall program violation was cited in only 1.4% of the exams, and those program violations resulted in public enforcement actions in less than 1 percent of the exams. This is clear evidence that the vast majority of banks and credit unions are taking their BSA/AML responsibilities seriously, and doing a good job.

US Attorneys’ Annual Statistical Report for Fiscal Year 2019

This statistical report is not part of the GAO Report. The DOJ statistical reports are available going back to fiscal year 1955 (the federal government’s fiscal year ends on September 30th). They are available at https://www.justice.gov/usao/resources/annual-statistical-reports.

The reports provide an incredible amount of information on federal criminal cases by US Attorney’s office, by major type of criminal offence, by number of cases filed and completed, how they are completed (guilty, not guilty, dismissed, other), whether dispositioned in district court or by magistrate, length of case, etc.

Why is this important? The GAO report tells us that in 2018 banks and credit unions filed about 1 million SARs and 14 million CTRs. The GAO report also tells us that six major federal law enforcement agencies – DEA, FBI, HSI, IRS-CI, USAOs, and USSS – have almost 29,000 investigators, 8,000 analysts, and 5,300 prosecutors. That 53 percent of them used SARs frequently, and 50 percent found them very useful. That 59 percent of them used BSA reports to start or assist new investigations and 72 percent used them to conduct or assist in ongoing investigations. That 41 percent of them used BSA reports to analyze trends or patterns, and 44 percent used them to work on criminal prosecutions. That 74 percent of them used BSA reports in potential drug trafficking prosecutions, and 27 percent used them in potential human trafficking prosecutions. But the GAO Report doesn’t tell us how many criminal prosecutions there were. The US Attorneys’ Statistical Report tells us.

Each of the program categories has a number of crimes. The table below summarizes a four-page table from the US Attorneys’ Statistical Report. It shows that in fiscal year 2019 (October 1, 2018 through September 30, 2019), there were a total of 69,412 cases filed in Federal District Court naming 87,266 defendants. 63,012 cases involving 79,310 defendants were terminated: 73,934 defendants, or 93.2% pled or were found guilty (0.3% were found not guilty).

I chose to differentiate the Immigration and Violent Crime program categories from all other federal criminal program categories. I made the assumption that BSA reports were not likely to have been utilized in immigration or violent crime cases. This leaves 22,848 federal criminal cases that were brought in fiscal year 2019 in which law enforcement likely used, or could have used, BSA reports.

Recall Figure 6 on page 4 of this document, which summarized ten tables of data (Tables 0-89) from pages 149-156 of the GAO Report, where the GAO asked law enforcement for which potential criminal activities they used BSA reports. Figure 6 showed that 74% of law enforcement agents indicated they used BSA reports for potential drug trafficking. Here, we can see that 13,631 “drug dealing” cases were filed in FY2019.

Looking at the data, and the issues, at their most basic level, we have 20 million BSA reports and something less than 25,000 federal criminal cases where those reports could have been useful. Even assuming that 100% of the 25,000 federal criminal cases used BSA reports (and law enforcement indicated that only half of them used SARs and CTRs frequently and found them very useful), we don’t know which reports were used for what purposes in what types of cases.

As the GAO noted on page 35 of their Report: “systematically collecting information on outcomes from use of BSA reports is essential to understanding the value of the program and a critical step toward streamlining and improving the program for the future.”

The “White Collar Crimes” category of crimes is interesting, as it closely reflects many of the categories set out in the Suspicious Activity Report form itself.

Conclusions and Recommendations

The first conclusion is that about half of federal law enforcement agents frequently use SARs and CTRs, and find them very useful. This means that half don’t use them, or if they do, don’t find them very useful. So there is room for improvement. And this overall, or average, usage/usefulness isn’t reflected in all criminal investigations: BSA reports are used in about one of every four human smuggling and human trafficking investigations. I recommend that FinCEN mount a concerted effort to target those agencies that are not using SARs and CTRs frequently, as well as work with those agencies focused on human smuggling and human trafficking investigations.

The second conclusion tracks the GAO recommendation: FinCEN needs to do more to give state and local/county law enforcement agencies access to the FinCEN BSA database and do what they can to ensure those agencies are using the BSA reports. According to the GAO, only 54% of state agencies and 1% of local and county agencies have direct access to the FinCEN BSA database.

The third conclusion is that FinCEN does not have the resources to analyze and disseminate information, intelligence, and BSA reports out to state and local law enforcement agencies. The GAO found that about 1% of 15,000 state and local law enforcement agencies had direct access to the BSA database, but as I wrote on page 6, FinCEN is to monitor and disseminate: 31 U.S.C. § 310(b)(2)(C) provides that the FinCEN Director is empowered to “analyze and disseminate the available data in accordance with applicable legal requirements and policies and guidelines established by the Secretary of the Treasury and the Under Secretary of the Treasury for Enforcement to– (i) identify possible criminal activity to appropriate Federal, State, local, and foreign law enforcement agencies …”. Congress needs to fund FinCEN appropriately so it can really be a true financial intelligence unit (rather than a financial information depository organization) by analyzing and disseminating more actionable intelligence to all law enforcement agencies.

It is difficult to draw any conclusions on the second issue, the cost of BSA compliance. Indeed, the GAO warns us against drawing any conclusions: they indicated on a number of occasions that the information they obtained from the eleven banks in their sample “cannot be generalized to other banks”. That appears to be a fair warning. Any conclusions for the overall BSA/AML/CFT regime should only be drawn if and when the GAO conducts similar audits of the un- or under-represented parts of the private sector participants. I suggest two audits: one of the four mega banks, which account for about half of all SARs and CTRs filed by all 10,000+ banks and credit unions (collectively, “depository institutions” in FinCEN’s reporting methodology); and Money Services Businesses, or MSBs, which file almost as many SARs as depository institutions (and the MSB industry is as dominated by two large institutions, Western Union and MoneyGram, as depository institutions are dominated by the big four).

One conclusion, and recommendation I will make, though, relates to the differences between the cost estimates that the GAO found from its limited survey of eleven banks and credit unions, and FinCEN’s May 26, 2020 estimates of the burden and costs of part of the SAR process. From these differences it is easy to conclude, and recommend, that any future estimate of the SAR burden and cost that FinCEN publishes must include the entire SAR process: from suspicious activity monitoring, to alert generation, to alert disposition, case management, investigations, SAR decisions, preparation, filing, recordkeeping, responding to law enforcement requests for supporting documentation, and the internal testing and auditing, and external examinations of, that process.

As to the third issue, the supervision and examination of BSA compliance, I recommend that the BSAAG provide guidance to the private sector and regulatory agencies on how to better position the private sector’s overall compliance with BSA/AML laws, regulations, and regulatory guidance. This is particularly important with so much media, political, and social pressure on parts of the industry as a result of the FinCEN Files. As the GAO report found, less than 1% of BSA examinations result in enforcement actions, which means more than 99% of BSA examinations conclude that the financial institution is generally meeting its regulatory obligations. That story is not being told well.

We also need to put to rest the inane and ill-informed notions of raising the mandatory CTR and SAR filing thresholds. According to the GAO report – which we apparently should not rely on – CTRs don’t cost very much, so any percentage savings wouldn’t be enough to offset the loss of intelligence to law enforcement. And the amount being reported doesn’t create complexity and cost: it is the aggregation of multiple transactions across multiple delivery channels and the “by and on behalf of” requirements. The better solution is to keep the threshold at more than $10,000, make it a single transaction reporting the accountholder … and everything else (aggregation, conductors, different channels, etc.) moves to a determination of whether the activity was suspicious. And raising the mandatory SAR threshold from $5,000 to $10,000 won’t address the fundamental problem: we don’t know which SARs law enforcement finds useful.

Tactical or Strategic Value (TSV) SARs

The GAO described what needs to be done to reform the AML regime at page 35 of their Report:

Systematically collecting information on outcomes from the use of BSA reports is essential to understanding the value of the program and a critical step toward streamlining and improving the program for the future.

So that is what needs to be done. But how can we systematically collect information on outcomes from the use of BSA reports?  And if the purpose of the BSA/AML regime is to produce reports that have a high degree of usefulness to government agencies, how do we identify and measure what is useful?

I’ll begin to answer those questions by posing another question: should private sector SARs that cost billions of dollars to produce be “free” to public sector law enforcement agencies? Put another way, should the public sector law enforcement agency consumers of SARs need to provide something in return to the private sector producers of SARs?

I say they should. And here’s what I propose: that in return for the privilege of accessing and using private sector SARs, law enforcement should have to pay for that privilege. Not with money, but with effort. The public sector consumers of SARs should be required to notify the private sector producers which of those SARs provide tactical or strategic value.

A 2018 Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). The MBCA survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Anecdotally, the four U.S. mega banks indicate that law enforcement shows interest (through requests for supporting documentation or grand jury subpoenas) in six percent to eight percent of the SARs they file.

I argue that the Alert/SAR and even Case/SAR ratios are all of interest, but tracking any of the inputs or process steps to SARs filed is like a car manufacturer tracking how many cars it builds, but not how many cars it sells, or how well those cars perform, how long they last, and how popular they are. The better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

Also, there is much being written about how machine learning and artificial intelligence will transform anti-money laundering programs. Indeed, ML and AI proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate. The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government. But the fundamental problem that every one of those ML/AI systems has is that they are using the wrong data to train their algorithms and “teach” their machines: they are looking at the SARs that are filed, not the SARs that have tactical or strategic value to law enforcement.

Tactical or Strategic Value Suspicious Activity Reports – TSV SARs

The best measure of an effective and efficient financial crimes program is how well it is providing timely, effective intelligence to law enforcement. And the best measure of that is whether the SARs that are being filed are providing tactical or strategic value to law enforcement. How do you determine whether a SAR provides value to law enforcement? One way would be to ask law enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure law enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, law enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.

A TSV SAR is one that has either tactical value – it was used in a particular case – or strategic value – it contributed to understanding a typology or trend. And some SARs can have both tactical and strategic value. That value is determined by law enforcement indicating, within seven years of the filing of the SAR (more on that later), that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value.  That law enforcement response or feedback is provided to FinCEN through the same BSA Database interfaces that exist today – obviously, some coding and training will need to be done (for how FinCEN does it, see below). If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within seven years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement. And when FinCEN shares that information across the industry, others could also reduce their false positive rates.

FinCEN’s TSV SAR Feedback Loop

FinCEN is working to provide more feedback to the private sector producers of BSA reports. As FinCEN Director Ken Blanco recently stated:

“Earlier this year, FinCEN began the BSA Value Project, a study and analysis of the value of the BSA information we receive. We are working to provide comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information in order to make it more effective and its collection more efficient. We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm — that is clear. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis.”[14]

FinCEN receives every SAR. Indeed, FinCEN receives a number of different BSA-related reports: SARs, CTRs, CMIRs, and Form 8300s. It’s a daunting amount of information. As FinCEN Director Ken Blanco noted in the same speech:

“FinCEN’s BSA database includes nearly 300 million records — 55,000 new documents are added each day. The reporting contributes critical information that is routinely analyzed, resulting in the identification of suspected criminal and terrorist activity and the initiation of investigations.

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, and local agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data taking place each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, which bring together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed.

“Each day, law enforcement, FinCEN, regulators, and others are querying this data: 7.4 million queries per year on average. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that protect our nation from harm, help deter crime, and save lives.”

This doesn’t tell us how many of those 55,000 daily reports are SARs, but we do know that in 2018 there were 2,171,173 SARs filed, or about 8,700 every (business) day. And it appears that FinCEN knows which law enforcement agencies access which SARs, and when. And we now know that there are “18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities” every year. But which filings?

The law enforcement agencies know which SARs provide tactical or strategic value, or both. So if law enforcement finds value in a SAR, it should acknowledge that, and provide that information back to FinCEN. FinCEN, in turn, could provide an annual report to every financial institution that filed, say, more than 250 SARs a year (that’s one every business day, and is more than three times the number filed by the average bank or credit union). That report would be a simple relational database indicating which SARs had either or both tactical or strategic value. SAR filers would then be able to use that information to actually train or tune their monitoring and surveillance systems, and even eliminate those alerting systems that weren’t providing any value to law enforcement.

Why give law enforcement seven years to respond? Criminal cases take years to develop. And sometimes a case may not even be opened for years, and a SAR filing may trigger an investigation. And sometimes a case is developed and the law enforcement agency searches the SAR database and finds SARs that were filed five, six, seven or more years earlier. Between record retention rules and practical value, seven years seems reasonable.

Law enforcement agencies have tremendous responsibilities and obligations, and their resources and budgets are stretched to the breaking point. Adding another obligation – to provide feedback to the banks, credit unions, and other private sector institutions that provide them with reports of suspicious activity – may not be feasible. But the upside of that feedback – that law enforcement may get fewer, but better, reports, and the private sector institutions can focus more on human trafficking, human smuggling, and terrorist financing and less on identifying and reporting activity that isn’t of interest to law enforcement – may far exceed the downside.

Final Word

As I wrote in the introduction, the Tactical or Strategic Value (TSV) SAR is not the only solution; indeed, we need more public/private sector partnerships, we need to move to cross-institutional and cross-jurisdictional collaborative investigations, we need more effective information sharing, and we need more efficient and effective monitoring/surveillance, alerting, investigations, and reporting. But the key to any reform is public sector feedback: I’m offering the TSV SAR as the vehicle for that feedback. I’m open to any better solutions, but perhaps we can start with the TSV SAR.

For more on alert-to-SAR rates, the TSV feedback loop, machine learning and artificial intelligence, see other articles I’ve written:

The TSV SAR Feedback Loop – June 4 2019     

AML and Machine Learning – December 14 2018

Rules Based Monitoring – December 20 2018             

FinCEN FY2020 Report – June 4 2019

FinCEN BSA Value Project – August 19 2019   

BSA Regime – A Classic Fixer-Upper – October 29 2019

Jim Richards Walnut Creek, CA September 26, 2020

[1] 31 U.S. Code § 5311, declaration of purpose. From 1970 to 2001, the purpose of the records and reports was to provide a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings. The USA PATRIOT Act amended section 5311 by adding “or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism”.

[2] For a full analysis of FinCEN’s cost and burden estimate, see https://regtechconsulting.net/aml-regulations-and-enforcement-actions/fincens-estimate-of-the-costs-and-burden-of-filing-sars-is-evolving-but-needs-private-sector-input/

[3] Compare this information with the US Attorney’s Statistical Report, in the Appendix.

[4] In footnote 59 on page 25 the GAO set out its definition of human trafficking used for the survey: “we defined … human trafficking to include the movement of nonconsenting persons, often across borders, potentially through force, fraud, or coercion.”

[5] Human trafficking is a heinous, inexcusable crime. Those of us working in the private financial sector, and in the industries that support the private financial sector, are relatively privileged and safe compared to the victims, and families of victims, of human trafficking. We can do much more than we are to combat and eliminate human trafficking.

[6] There are approximately 5,200 credit unions and 5,100 banks in the United States. Eighteen months ago (March 2019) there were 5,500 credit unions and 5,400 banks.

[7] This might be the only alignment I could find between the GAO survey results and the private sector studies in Appendix IV. For example, a LexisNexis “True Cost of AML Compliance Study” from 2019 that included results from 117 US firms found that firms less than $10 billion in assets (9 of the 11 firms in the GAO study) averaged $1.5 million in AML compliance costs, and firms of more than $10 billion in assets averaged $14.3 million in AML compliance costs. In the next section – the cost of customer due diligence – the GAO found that the average bank spent an estimated average of $15 per new account: the LexisNexis study found that all banks (small and large) took between 3 and 10 hours to onboard natural persons, and between 6 and 25 hours to onboard legal entities. There is a disconnect.

[8] I wrote a lengthy article on June 2, 2020 about this FinCEN publication: https://regtechconsulting.net/aml-regulations-and-enforcement-actions/fincens-estimate-of-the-costs-and-burden-of-filing-sars-is-evolving-but-needs-private-sector-input/

[9] The GAO noted that $5,000 in 1996, indexed for inflation, would be $8,037 as of December 2018. How or why inflation has anything to do with criminal behavior, particularly with greater electronification of financial transactions, is a mystery to me. Harshly, I believe that those that argue for indexing BSA filing thresholds to inflation are either lazy or misguided.

[10] See the table on page 4, infra, for a summary of the use and usefulness of SARs and CTRs.

[11] The report noted that just less than one-third of the 860,000 bank SARs reported structuring.

[12] In 2016 FinCEN added a fifth pillar to its Title 31 BSA/AML program requirements by essentially carving out the customer due diligence obligations embedded in the “system of internal controls” pillar, adding beneficial ownership requirements, and creating a fifth pillar. The Title 12 regulatory agencies did not follow suit.

[13] Adding to this concern, at page 64 the GAO refers to FinCEN information that between 2015 and 2018 the three banking agencies (FRB, FDIC, and OCC) issued 123 BSA enforcement actions, and the NCUA did not issue any. With more than 5,000 credit unions being examined over four years, it’s inconceivable that none had any systemic, programmatic issues.

[14] November 15, 2019, prepared remarks for the Chainalysis Blockchain Symposium, available at https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-chainalysis-blockchain-symposium

Enforcing AML Laws: Significant Potential for Money Laundering? Or Potential for Significant Money Laundering?

On August 13 the federal banking agencies issued a joint statement on updates to their guidance on enforcing BSA/AML requirements. See https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf. There is some new language that may be relevant for most financial institutions.

The FDIC and OCC press releases provided that the joint statement is:

… updating their existing enforcement guidance to enhance transparency regarding how they evaluate enforcement actions that are required by statute when financial institutions fail to meet Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. The statement clarifies that isolated or technical violations or deficiencies are generally not considered the kinds of problems that would result in an enforcement action. The statement also addresses how the agencies evaluate violations of individual components (known as pillars) of the BSA/AML compliance program. It also describes how the agencies incorporate the customer due diligence regulations and recordkeeping requirements issued by the U.S. Department of the Treasury as part of the internal controls pillar of the financial institution’s BSA/AML compliance program. The statement, issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency, updates and supersedes the Interagency Statement on Enforcement of BSA/AML Requirements issued on July 19, 2007, to promote a consistent approach to the application of Section 8(s) of the Federal Deposit Insurance Act and Section 206(q) of the Federal Credit Union Act. The Financial Crimes Enforcement Network simultaneously issued a “Statement on Enforcement of the Bank Secrecy Act” that sets forth its approach to enforcement in circumstances of non-compliance with the BSA.

In fact, FinCEN didn’t issue its statement until August 18th. The FinCEN press release provides:

As the primary regulator and administrator of the Bank Secrecy Act (BSA), the Financial Crimes Enforcement Network (FinCEN) today issued a statement that sets forth its approach to enforcing the rules and regulations within the BSA. Through this statement, FinCEN aims to provide clarity and transparency to its approach when contemplating compliance or enforcement actions against covered financial institutions that violate the BSA.  Today’s statement outlines the administrative actions available to FinCEN, and provides an overview of the information FinCEN analyzes in order to determine the appropriate outcome to violations of the BSA.  FinCEN also encourages financial institutions to voluntarily and promptly report violations, and to candidly and completely cooperate with any investigation. “FinCEN is committed to being transparent about its approach to BSA enforcement.  It is not a ‘gotcha’ game,” said FinCEN Director Kenneth A. Blanco.  “The information required by the BSA saves lives, and protects our communities and people from harm.  It is a national security issue.” The statement describes FinCEN’s enforcement authorities, dispositions, and the factors it evaluates in determining the appropriate response and enforcement of BSA violations.

FinCEN’s statement is very different than the prudential regulators’ statement. FinCEN sets out the six possible actions it can take – from no action, to a civil money penalty, to referring a matter for criminal prosecution – and the ten factors it will take into consideration when assessing possible violations. The key factors are:

  1. Nature and seriousness of the violations;
  2. Pervasiveness of wrongdoing within an entity, including management’s complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations;
  3. History of similar violations, or misconduct in general, including prior criminal, civil, and regulatory enforcement actions;
  4. Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures;
  5. Timely and voluntary disclosure of the violations to FinCEN;
  6. Quality and extent of cooperation with FinCEN and other relevant agencies, including as to potential wrongdoing by its directors, officers, employees, agents, and counterparties.

Number 6 is important: FinCEN expects that institutions’ cooperation includes identifying potential individual wrongdoers. This is consistent with federal criminal prosecution. The Department of Justice Manual includes a lengthy section on the criminal prosecution of companies, which provides that (i) prosecutors should first consider the criminal liability of those involved in or responsible for the criminal activity of the company; and (ii) a company cannot get “cooperation credit” without providing to the DOJ the names and particulars of all those employees (or directors) involved in or responsible for the conduct in question. So here, FinCEN is letting financial institutions know that for those institutions to get cooperation credit they need to provide the names and particulars of the people involved in the regulatory violations.

But back to the prudential regulators’ updated and clarified guidance.

First, the prudential regulators did not include anything about the liability of directors, officers, or employees in their joint statement. They could have, as the statutory provision the agencies rely on – section 8(s) of the FDI Act, codified at 12 USC s. 1818(s) – allows for cease and desist orders, and civil money penalties, against institutions and against institution-affiliated parties.

Second, although the interagency statement indicated that it “updates and supersedes the Interagency Statement on Enforcement of BSA/AML Requirements issued on July 19, 2007”, it did not indicate that the 2007 statement has been part of the FFIEC BSA/AML Exam Manual since 2007. It is the current Appendix R in the 2014 edition of the Exam Manual.

Since the agencies indicated that the August 2020 statement updates and supersedes the 2007 statement, which is set out in Appendix R, I compared the August 2020 joint statement with Appendix R to see what differences there were (it’s pretty common for the agencies to publish a new statement or rule that is purported to simply update or clarify an existing statement or rule, when in fact there are substantive changes). There were many small changes in wording, and the 2020 joint statement incorporates the new customer due diligence and beneficial ownership rules that were issued in May 2016. The 2020 joint statement included two new examples of when a mandatory cease and desist order would issue: both of those are particularly relevant to financial institutions.

The first addition relates to rapid foreign expansion. The second addition relates to a failure to resolve issues relating to customer risk rating. What is important is that these are additions to the existing language, which means they are key or at least current concerns of the regulators.

Rapid Foreign Expansion

“An institution would also be subject to a cease and desist order if the institution fails to implement a BSA/AML compliance program that adequately covers the required program components or pillars. For example, an institution rapidly expands its business relationships through its foreign affiliates and businesses:

  • without identifying its money laundering and other illicit financial transaction risks;
  • without an appropriate system of internal controls to verify customers’ identities, conduct customer due diligence, or monitor for suspicious activity related to its products and services;
  • without providing sufficient authority, resources, or staffing to its designated BSA officer to properly oversee its BSA/AML compliance program;
  • with deficiencies in independent testing that caused it to fail to identify problems; and
  • with inadequate training exemplified by relevant personnel not understanding their BSA/AML responsibilities.”

Although these bullets are framed as failures (in the negative), they can be turned around and framed positively to provide a roadmap or checklist for an institution’s foreign expansion plans:

“For BANK NAME to continue to expand its business relationships through its foreign affiliates and businesses, it must implement a BSA/AML compliance program that adequately covers the required program components or pillars, including:

  • identifying its money laundering and other illicit financial transaction risks;
  • implementing an appropriate system of internal controls to verify customers’ identities, conduct customer due diligence, and monitor for suspicious activity related to the products and services;
  • providing sufficient authority, resources, and staffing to its designated BSA officer to properly oversee BANK NAME’s in-country and in-region BSA/AML compliance programs;
  • independent testing; and
  • adequate training exemplified by relevant personnel understanding their BSA/AML responsibilities.”

Failure to Resolve Issues Relating to Customer Risk Profiles

The joint statement provides:

“An Agency will ordinarily not issue a cease and desist order under sections 8(s) or 206(q) for failure to correct a BSA/AML compliance program problem unless the problems subsequently found by the Agency are substantially the same as those previously reported to the institution. For example, during a previous examination, an institution’s system of internal controls was considered inadequate as a result of substantive deficiencies related to customer due diligence and suspicious activity monitoring processes. Specifically, the institution had not developed customer risk profiles to identify, monitor, and report suspicious activities related to the institution’s higher-risk businesses lines. These substantive deficiencies were identified in the previous report of examination as a problem requiring board attention and management’s correction. The subsequent report of examination determined that management had not addressed the previously reported problem with the institution’s BSA/AML compliance program. Customer risk profiles remained undeveloped to identify, monitor, and report suspicious activity related to the institution’s higher-risk business lines. As a result, the institution would be subject to a cease and desist order for failure to correct a previously reported problem with its BSA/AML compliance program.”

This is important language for any financial institution: a financial institution’s end-to-end high risk customer management program must address the importance of having “customer risk profiles to identify, monitor, and report suspicious activities related to the institution’s higher-risk businesses lines”.

Other Changes

There was some curious language, or changes in language, in the section on when a mandatory C&D will issue. Note that this August 2020 Joint Statement was signed by the top lawyers at each of the regulatory agencies: lawyers choose their words very carefully, and any changes in wording are deliberate and thought out.

A mandatory cease and desist order will be issued in three situations: (1) where the institution fails to have a written program that adequately covers the pillars; (2) where the institution fails to implement that program; or (3) where there are defects in one or more pillars of the program and those deficiencies are coupled with other aggravating factors (both the 2020 joint statement and the 2014 Appendix R have four aggravating factors). The first aggravating factor was about suspicious activity creating a potential for money laundering or terrorist financing:

2014 Appendix R – “highly suspicious activity creating a significant potential for unreported money laundering or terrorist financing …”.

2020 Joint Statement – “highly suspicious activity creating a potential for significant money laundering, terrorist financing, or other illicit financial transactions …”.

Two points.

First, the modifier “highly” suggests that the regulators aren’t concerned about run-of-the-mill cases and SARs (or failure to open cases or file SARs) on low-end, low-dollar activity.

Second is the shift in what I’ll call the “likelihood and severity” of the activity. The old standard was a low likelihood but high severity: “a potential for significant money laundering”, while the new standard is a high likelihood but low severity: “significant potential for unreported money laundering”. It is unlikely that this difference in language will create a different regulatory experience and outcome, either for any one institution or all institutions, but it is interesting nonetheless, and seems to support the agencies’ statement “that isolated or technical violations or deficiencies are generally not considered the kinds of problems that would result in an enforcement action.”

Summary & Conclusion

No substantive or immediate changes are needed to most institutions’ programs. All institutions must remain vigilant around foreign expansion, and ensure AML/CFT controls “keep pace” with any foreign expansion. “Expansion” includes new products and services in existing jurisdictions, not just expansion into new jurisdictions. Also, don’t forget that in order to get cooperation credit from FinCEN or the Department of Justice, an institution will need to provide authorities with the names and particulars of all persons involved in or responsible for the impugned conduct. And that includes MLROs and BSA Officers.

A GAO Report on GTOs Reveals the Underlying Flaws In the Entire American BSA/AML Regime

The General Accountability Office, or GAO, issued a Report on August 14, 2020 titled “FinCEN Should Enhance Procedures for Implementing and Evaluating Geographic Targeting Orders”.[1] The Geographic Targeting Orders, or GTOs, subject to this report are a series of nine GTOs issued since 2016 targeting all-cash (or non-financed) purchases of residential real estate in certain areas of the country over a certain amount.

Most people will read this report for what it is – a full-fledged year-long, not-very-positive audit of FinCEN’s management of the real estate Geographic Targeting Order program. But the GTO program, and FinCEN’s management of it (which, by the way, I don’t think FinCEN got enough credit from the GAO for taking the initiative in the first place), are lesser issues than a single observation the GAO reported more than half way through (on page 22) the Report:

“Officials from five federal law enforcement agencies told us that their agencies do not systematically track the specific types of BSA reports used in investigations …”.

The GAO didn’t indicate which five federal law enforcement agencies these were, but the agencies interviewed for the Report were the DEA, FBI, ICE-HSI, IRS-CI, the DOJ’s Criminal Division, the US Attorneys Offices for the Southern District of New York and Southern District of Florida, FinCEN, and two task forces (OCDETF and El Dorado). So it’s likely that at least four of the five agencies that do not systematically track which Bank Secrecy Act or BSA reports are used in investigations are the “big four” of AML/CFT: the FBI, DEA, Homeland Security, and IRS.

Why is this important?

The entire purpose of the BSA regime is for the private sector to provide timely, actionable intelligence to law enforcement in order to protect the financial system, and society at large, from underlying criminal and terrorist activity. In the “Background” section of the Report, on page 5, the GAO explained the purpose behind the BSA:

“The BSA authorizes the Secretary of the Treasury to issue regulations requiring financial institutions to keep records and file reports the Secretary determines ‘have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.’ The Secretary also is authorized to impose AML program requirements on certain financial institutions. The authority of the Secretary to administer the BSA has been delegated to the Director of FinCEN.” [citations omitted][2]

Approximately 20 million BSA reports are filed by tens of thousands of private sector financial institutions every year: the most common are Currency Transaction Reports or CTRs (roughly 16 million) and Suspicious Activity Reports, or SARs (roughly 2.7 million). Those institutions are spending billions of dollars in running BSA programs intended to allow them to prepare and file those 20 million reports, and they face regulatory and even criminal sanctions for failing to maintain an adequate program or failing to detect and report suspicious activity or large currency transactions. And yet the primary users of those reports, the federal law enforcement agencies, “do not systematically track the specific types of BSA reports used in investigations …”.

It is time that the public sector consumers of BSA reports – primarily law enforcement agencies – provide feedback to the private sector producers of BSA reports – tens of thousands of financial institutions – on exactly which reports “have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism”. It’s not enough for the private sector to know anecdotally that the reports it is filing are generally useful to law enforcement. In this age of machine learning and artificial intelligence, financial institutions are using these tools to teach and train their monitoring, surveillance, and alerting systems that churn through millions or billions of customer, account, and transaction data, in an effort to be more effective and efficient. And all of those machine learning and artificial intelligence efforts are for naught if the private sector doesn’t have the training data needed to identify those reports that are providing tactical and/or strategic value. Training a surveillance and alerting system against the SARs that are filed is a fool’s errand if you don’t know whether that SAR has ever been looked at by law enforcement, whether it was useful, whether it provided tactical or strategic value.

Lack of Law Enforcement Feedback Is One of the Two Main Flaws in the US BSA/AML Regime: the Other is the Lack of Corporate Transparency

The United States does not have an effective beneficial ownership regime. Even the Treasury Secretary calls this a “glaring hole in our system”, and I have written about this on a number of occasions. See, for example, https://regtechconsulting.net/beneficial-ownership-customer-due-diligence/lack-of-beneficial-ownership-information-a-glaring-hole-in-our-system-says-treasury-secretary/. And this GAO Report includes a section on the lack of a true beneficial ownership regime (notwithstanding FinCEN’s 2016 rule on customer due diligence and beneficial ownership), and how a FATF-compliant beneficial ownership regime would enhance the US AML/CFT regime and be complementary to the real estate GTO.

The other flaw, as described in this article, is lack of law enforcement feedback. I have been writing about this flaw in our system for years. See my article from November 2019 https://regtechconsulting.net/fintech-financial-crimes-and-risk-management/like-sam-loves-free-fried-chicken-law-enforcement-loves-free-suspicious-activity-reports-but-what-if-law-enforcement-had-to-earn-the-right-to-use-the-private-sector/ and my article from July 2020 https://regtechconsulting.net/aml-regulations-and-enforcement-actions/anti-money-laundering-act-of-2020-pay-to-play-arrives-and-perhaps-we-have-an-answer-to-the-whereabouts-of-section-314d/. Both of these articles reference other articles I’ve written on this subject. The July 2020 article offers some solutions.

This is not a criticism of law enforcement or the intelligence community. They simply haven’t had the means to provide feedback to the private sector. Bills, or provisions in bills, currently before Congress aim to address this issue and provide the means for the public sector to begin the process of providing feedback to the private sector. If the purpose of the multi-billion dollar anti-money laundering regime is to compel the private sector to provide law enforcement and the intelligence agencies with timely, actionable reports of cross-border flows of cash, foreign bank accounts, suspicious activity, possible terrorist financing activity, and large cash transactions, then it is incumbent on law enforcement and the intelligence agencies to provide feedback on which of those reports have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism. Without that feedback, both the private and public sector, and society at large, will fail in their collective efforts to keep our financial system safe and secure. And for law enforcement and the intelligence community to get the means to provide that feedback, it is incumbent on Congress to act and pass the necessary legislation.

We all know what needs to be done to make the BSA/AML regime more effective and more efficient. Now Congress must act.

[1] See GAO-20-546 available at https://www.gao.gov/assets/710/708115.pdf

[2] The language “high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism” is pulled directly from the purpose statement of the main “BSA” statute, 31 USC section 5311.

What Does It Take to Run a BSA Program? Not Much, According to the FDIC

Unfortunately, the FDIC’s estimate of the time and effort it takes to run a BSA/AML compliance program is … laughable.

Let’s start with some background information.

FDIC-Supervised Banks

There are about 5,200 FDIC-insured banks in the United States. And the FDIC is the primary regulator for about 3,340 of these banks – those that are “state-chartered”.

The FDIC has placed those banks into three buckets, based on their size (as measured by total assets of the bank. Note that loans are always the biggest category of asset that banks have on their books, and the asset “loans” is generally offset by the liability of “deposits” … balance sheets of most banks aren’t that complicated).

  • Small Institutions – are those with assets of less than $500 million. About 75% of state-chartered and FDIC-supervised banks, or 2,523 banks, are in this category. FDIC data suggests that the average bank in this category has 40 to 50 employees.
  • Medium Institutions – are those with assets between $500 million and $10 billion. About 23% of state-chartered and FDIC-supervised banks, or 774 banks, are in this category. FDIC data suggests that the average bank in this category has about 270 employees.
  • Large Institutions – are those with assets of more than $10 billion. Only about 2% of state-chartered and FDIC-supervised banks, or 47 banks, are in this category. FDIC data suggests that the average bank in this category has about 2,500 employees.

One other benchmark. A full-time employee, or FTE, has about 250 work days in a year (52 weeks, 5 days a week, less 10 statutory or legal holidays). Let’s also assume they take four weeks vacation – so we’re at about 230 days. At 8 hours a day, that’s 1,840 hours. To keep the math simple, let’s use 1,800 hours as the benchmark for how many hours any one employee, or FTE, has available in a year.

Bank Secrecy Act (BSA) Program Requirements

All financial institutions in the United States – banks, credit unions, broker dealers, insurance companies, check cashers, and more – are required to have written BSA compliance programs. The requirements around these programs are so onerous that the regulatory agencies have published a manual that gives their examiners a roadmap on how to examine or supervise those institutions to ensure they do, in fact, have adequate programs. That manual, the FFIEC BSA/AML Examination Manual, is now over 420 pages long.

What are the program requirements? As the FDIC notes, the banks it supervises must “establish and maintain procedures designed to monitor and ensure their compliance with the requirements of the Bank Secrecy Act and the implementing regulations promulgated by the Department of Treasury at 31 CFR Chapter X. Respondents must also provide training for appropriate personnel.” The Manual gives some more detail. Banks must do a risk assessment to understand their customer, product and service, and geographical risks. That risk assessment must be updated as the bank’s profile changes over time. Banks must also have a Customer Identification Program, or CIP. Banks must have a written, board-approved program that includes, at a minimum, certain “pillars” – preventive and detective controls, a BSA compliance officer, independent testing or auditing of the program, and training. And those preventive and detective controls include the ability to monitor for, and alert on, unusual activity, and to investigate and report suspicious activity.

How Much Time Does it Take to Build and Maintain a BSA Compliance Program?

Let’s use a “Medium” institution as a benchmark. Those are the 774 FDIC-supervised institutions that have about 270 employees, on average. We’ll also assume that they have a full-time BSA Officer with a staff of four people. Those five people are responsible for writing policies and procedures and distributing those down to the business and operations people; for establishing customer onboarding requirements; for setting up and maintaining the transaction monitoring systems; for generating and dispositioning any alerts from those systems; for investigating and reporting possible suspicious activity; for designing and conducting training for the other 265 employees; for managing the audits and FDIC examinations of the program; and for doing the required reporting to senior management and the board.

Those five people can’t do everything themselves. They depend on front-line staff to onboard customers and handle the documentation of transactions. They depend on the audit group for the independent testing. The in-house law department is likely involved and providing legal and compliance-related advice. So let’s assume that there may be 20 or 30 other people that spend 20% of their time managing one or more aspects of the BSA/AML compliance program. That’s another 5 FTE. So we’re up to 10 FTE.

10 FTE is 18,400 hours of time. And let’s not forget training. Assume that everyone goes through 1 hour of training a year. Now we’re up to 18,670 hours of time. It’s probably safe to build in a 5% +/- cushion, in case these estimates are off a little bit. And it makes the math easier. It’s fair to say that …

A medium-size bank will spend 20,000 hours a year running its BSA/AML compliance program

What about small and large banks? If we simply extrapolate the 20,000 hours for the average medium-sized bank out to the average small and large bank, we’d get the following estimates:

Small Bank – 3,700 hours or 2 FTE to run a BSA/AML compliance program

Medium Bank – 20,000 hours or 10 FTE to run a BSA/AML compliance program

Large Bank – 185,000 hours or 100 FTE to run a BSA/AML compliance program

What does the FDIC have to say about that?

According to the FDIC, a bank will spend between 35 and 450 hours a year running its BSA/AML compliance program!

What?

On June 2, 2020, the FDIC published a request for comment in the Federal Register – https://www.govinfo.gov/content/pkg/FR-2020-06-02/pdf/2020-11855.pdf. The FDIC, as part of its obligations under the Paperwork Reduction Act of 1995 (PRA), invited the general public and other Federal agencies to comment on the renewal of the then-existing burden on FDIC-supervised banks to “establish and maintain procedures designed to monitor and ensure their compliance with the requirements of the Bank Secrecy Act and the implementing regulations promulgated by the Department of Treasury at 31 CFR Chapter X” and to “provide training for appropriate personnel.”

At that time, here’s what the FDIC estimated were the burdens for its supervised banks:

As can be seen here, the FDIC estimated that the burden on 75% of its supervised banks – the smallest banks – was 35 hours a year. That’s one person spending less than one week a year to run a BSA/AML compliance program – all the policies, procedures, customer onboarding, monitoring, investigating, reporting, auditing, and examining. And for the largest banks, where, if you believe my estimate that it takes the equivalent of about 185,000 people-hours to run a BSA/AML compliance program, the FDIC estimates that it takes about 0.2% of that time to actually run the program.

There’s a disconnect.

But, as the FDIC points out in its most recent Federal Register notice, which will be formally published tomorrow (August 7, 2020) but is available today (August 6th), it didn’t receive any comments from the private or public sector about its estimates of the burden of running a BSA/AML compliance program! See https://s3.amazonaws.com/public-inspection.federalregister.gov/2020-17330.pdf

But there is still an opportunity to comment. The FDIC is giving us another 30 days to submit comments. I encourage people to do so.

Anti-Money Laundering Act of 2020 – “Pay to Play” Arrives and Perhaps We Have An Answer to the Whereabouts of Section 314(d)

The Senate Banking Committee’s top Republican (Senator Crapo from Idaho) and top Democrat (Senator Brown from Ohio) have joined forces to draft the Anti-Money Laundering Act of 2020 as an amendment to the National Defense Authorization Act. It takes some of what the House passed in HR2513, the Corporate Transparency Act, and replicates most of what the Senate has been horse-trading on with the ILLICIT CASH Act (S2563), and adds a few other provisions: 214 pages of provisions.

If enacted, it would be the biggest revision to the U.S. AML/CFT regime since the USA PATRIOT Act of 2001. The main legislation for the AML/CFT regime is found in Title 31 of the US Code. 31 USC 5311 (the purpose of the BSA) and 5318 (the program and reporting requirements) will materially change, four new sections (5333-5336) will be added, two new BSAAG subcommittees will be created, and of course a FinCEN database of beneficial ownership information will be created to house some legal entity beneficial ownership information (more on that in another article).

Anti-Money Laundering Act of 2020

The proposed AML Act of 2020 would be tacked on to the back end – Division E – of the 2021 Defense Appropriations bill. So the titles for the Act begin at title 51 – actually the Roman numeral LI. There are five titles:

  • Title LI – Strengthening Treasury Financial Intelligence, Anti-Money Laundering [AML], and Countering the Financing of Terrorism [CFT] Programs
  • Title LII – Modernizing the AML and CFT Systems
  • Title LIII – Improving AML and CFT Communication, Oversight, and Processes
  • Title LIV – Establishing Beneficial Ownership Reporting Requirements
  • Title LV – Miscellaneous

Section 5201 – Annual Reporting Requirements

This article focuses solely on section 5201 of Title LII. Why? It includes my long-sought-after SAR feedback from law enforcement, while at the same time resurrecting the long-forgotten section 314(d) of the USA PATRIOT Act.

In a nutshell, section 5201 is a “pay to play” requirement imposed on law enforcement and the intelligence community. It requires the Attorney General, on behalf of federal and state prosecutors and law enforcement agencies, to deliver an annual report and, once every five years, a broader long-term trending report, to the Secretary of the Treasury, setting out statistics, metrics, and other information on the use of BSA reports. The annual report must include:

  1. The frequency with which the BSA reports contain actionable information that leads to, among other things, actions by law enforcement agencies such as grand jury subpoenas, and actions by intelligence, national security, and homeland security agencies;
  2. Calculations on the time between the BSA reporting and the use of the data by law enforcement or intelligence agencies;
  3. An analysis of the transactions associated with the BSA reports, including whether the accounts were held by legal entities or persons, and any trends or patterns in cross-border activity;
  4. The number of legal entities and persons identified by the BSA reports;
  5. The extent to which arrests, indictments, convictions, etc., were related to the reports; and
  6. Data on state and federal investigations that resulted from the reports.

The five-year report would focus on longer-term trends, patterns and threats: retrospective trends and emerging patterns and threats.

And what would the Secretary of the Treasury do with these reports? That is covered by subsection (d) of section 5201, which provides that the Secretary shall use these reports

  1. To help assess the usefulness of BSA reports;
  2. “to enhance feedback and communications with financial institutions and other entities subject to the requirements under the BSA, including by providing more detail in the reports published and distributed under section 314(d) of the USA PATRIOT Act (31 USC s. 5311 note);
  3. to assist FinCEN in considering revisions to the reporting requirements promulgated under section 314(d) of the USA PATRIOT Act (31 USC s. 5311 note).

The result? This July 2020 proposed AML legislation would require the public sector consumers of BSA reports to provide feedback to the private sector producers of those reports – essentially a “pay to play” requirement – and that feedback would be through the almost 20-year-old provision of the USA PATRIOT Act, section 314(d).

I’ve written about both of these things.

On July 30, 2019 I published an article titled “SAR Feedback? What Ever Happened to Section 314(d)?” See https://regtechconsulting.net/aml-regulations-and-enforcement-actions/sar-feedback-what-ever-happened-to-section-314d/. I wrote:

Wouldn’t it be great if Treasury published a report, perhaps semi-annually, that contained a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports (SARs) and investigations conducted by federal, state, and local law enforcement agencies (to the extent appropriate) and distributed that report to financial institutions that filed those SARs?

To get Treasury to do that, though, would probably require Congress to pass a law compelling it to do so.

Hold it. Congress did pass that law.  Almost 18 years ago. And, by all accounts, it’s still on the books. What happened to those semi-annual reports? When did they begin? If they began, when did they end?

Section 314(d) – Its Origins

What became 314(d) was introduced in the House version of what became the USA PATRIOT Act. The House version, the Financial Anti-Terrorism Act, was introduced on October 3, 2001. It was marked up by the House Financial Services Committee on October 11. The Senate version, originally titled the Uniting and Strengthening America Act, or USA Act, was introduced on October 4th and had sections 314(a) (public to private sector information sharing), 314(b) (cooperation among financial institutions, or private-to-private sector information sharing), and 314(c) (“rule of construction”). There was no 314(d) in that early version.

On October 17th, HR 3004, the Financial Anti-Terrorism Act, was passed by the House 412-1. Title II was “public-private cooperation”. Section 203 was:

“Reports to the Financial Services Industry on Suspicious Financial Activities – at least once each calendar quarter, the Secretary shall (1) publish a report containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate; and (2) distribute such report to financial institutions as defined in section 5312 of title 31, US code.”

The Senate and House versions were reconciled, and on October 23rd the House Congressional Record shows a consideration of what was then the USA PATRIOT Act. That version of the bill then included what had been section 203 and was now 314(d). It was the same, except instead of a quarterly report it was a semi-annual report (“at least once each calendar quarter” was changed to “at least semiannually”).

SAR Activity Review – Was That The Answer to 314(d)?

The ABA has written, and at least one former FinCEN employee has stated, that the “SAR Activity Review – Trends, Tips, and Issues” was the response to 314(d). The SAR Activity Reviews were excellent resources. They contained sections on SAR statistics, national trends and analysis, law enforcement cases, tips on SAR form preparation and filing, issues and guidance, and an industry forum. The first SAR Activity Review noted that it was published under the auspices of the BSAAG, was to be published semi-annually in October and April, and was “the product of a continuing collaboration among the nation’s financial institutions, federal law enforcement, and regulatory agencies to provide meaningful information about the preparation, use, and utility of SARs.” Although that certainly sounds like it is responsive to section 314(d), there is no reference to 314(d).

And the first SAR Activity Review was published more than a year before 314(d) was passed. Even the first SAR Activity Review published after the enactment of the USA PATRIOT Act and section 314(d) – the 4th issue published on July 31, 2002 – didn’t make any reference to 314(d). Beginning with the 6th issue of the SAR Activity Review, published in October 2003, the authors broke out the statistics from the “Trends, Tips & Issues” document and published a separate, and more detailed, “SAR Activity Review – By The Numbers”. The last SAR Activity Review (the 23rd) and the last “By The Numbers” (the 18th) were published on April 30, 2013. None of those forty-one publications referenced 314(d). After the SAR Activity Reviews stopped, FinCEN continued to publish “SAR Statistics”, and did so three times from June 2014 through March 2017.  For the last few years, FinCEN has maintained SAR Stats on its website – https://www.fincen.gov/reports/sar-stats  – that is updated on a monthly basis. Those statistics are useful, but cannot be thought of as “containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate”, quoting the 314(d) language.

Does Anyone Know What Happened to 314(d)?

I don’t have the answer to that question. Perhaps 314(d) is seen as satisfied by the accumulation of advisories, guidance, bulletins, etc., published by FinCEN and other Treasury bureaus and agencies and departments from time to time. Perhaps there is a Treasury Memorandum out there that I’m not aware of that provides a simple explanation. Perhaps not: most BSA/AML experts I speak with are not even aware of 314(d), and if the SAR Activity Review did satisfy the spirit and intent of 314(d), the last one was published more than six years ago. But everyone in the private sector BSA/AML risk management space has been clamoring for more feedback from law enforcement and FinCEN on the effectiveness and usefulness of their SAR filings. Perhaps a renewed (or any) focus on 314(d) is the answer.  The revival of 314(d) could give FinCEN the mandate they’ve been looking for to provide more valuable information to the private sector producers of Suspicious Activity Reports. We would all benefit.

Public Sector is Going to Have to Pay in Order to Play With the Private Sector’s BSA Reports

On November 21, 2019 I wrote an article titled “Like Sam Loves Free Fried Chicken, Law Enforcement Loves ‘Free’ Suspicious Activity Reports … But What If Law Enforcement Had to Earn the Right to Use the Private Sector’s ‘Free’ SARs?” See https://regtechconsulting.net/fintech-financial-crimes-and-risk-management/like-sam-loves-free-fried-chicken-law-enforcement-loves-free-suspicious-activity-reports-but-what-if-law-enforcement-had-to-earn-the-right-to-use-the-private-sector/. That article provided:

Eleven-year-old Sam Caruana of Buffalo, New York waited outside a Chick-fil-A restaurant in the freezing cold in order to be one of the 100 people given free fried chicken for one year (actually, one chicken sandwich a week for fifty-two weeks). In a video that went viral (Sam Caruana YouTube – Free Chicken), young Sam explained that he simply loved fried chicken, and he’d stand in the cold for free fried chicken.

Just as Sam loves free fried chicken, law enforcement loves free Suspicious Activity Reports, or SARs. In the United States, over 30,000 private sector financial institutions – from banks to credit unions, to money transmitters and check cashers, to casinos and insurance companies, to broker dealers and investment advisers – file more than 2,000,000 SARs every year. And it costs those financial institutions billions of dollars to have the programs, policies, procedures, processes, technology, and people to onboard and risk-rate customers, to monitor for and identify unusual activity, to investigate that unusual activity to determine if it is suspicious, and, if it is, to file a SAR with the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. From there, hundreds of law enforcement agencies across the country, at every level of government, can access those SARs and use them in possible tax, criminal, or other investigations or proceedings. To law enforcement, those SARs are, essentially, free. And like Sam loves free fried chicken, law enforcement loves free SARs. Who wouldn’t?

But should those private sector SARs, that cost billions of dollars to produce, be “free” to public sector law enforcement agencies? Put another way, should the public sector law enforcement agency consumers of SARs need to provide something in return to the private sector producers of SARs?

I say they should. And here’s what I propose: that in return for the privilege of accessing and using private sector SARs, law enforcement shouldn’t have to pay for that privilege with money, but with effort. The public sector consumers of SARs should let the private sector producers know which of those SARs provide tactical or strategic value.

A recent Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had: 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). Note that the survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Some of the mega banks indicate that law enforcement shows interest in (through requests for supporting documentation or grand jury subpoenas) 6% – 8% of SARs.

I argue that the Alert/SAR and even Case/SAR ratios are all of interest, but tracking to SARs filed is a little bit like a car manufacturer tracking how many cars it builds but not how many cars it sells, or how well those cars perform, how long they last, and how popular they are. And just like the automobile industry measuring how many cars are purchased, the better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

Also, there is much being written about how machine learning and artificial intelligence will transform anti-money laundering programs. Indeed, ML and AI proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate. The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government. But the fundamental problem that every one of those ML/AI systems has is that they are using the wrong data to train their algorithms and “teach” their machines: they are looking at the SARs that are filed, not the SARs that have tactical or strategic value to law enforcement.

Tactical or Strategic Value Suspicious Activity Reports – TSV SARs

The best measure of an effective and efficient financial crimes program is how well it is providing timely, effective intelligence to law enforcement. And the best measure of that is whether the SARs that are being filed are providing tactical or strategic value to law enforcement. How do you determine whether a SAR provides value to law enforcement? One way would be to ask law enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure law enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, law enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.

A TSV SAR is one that has either tactical value – it was used in a particular case – or strategic value – it contributed to understanding a typology or trend. And some SARs can have both tactical and strategic value. That value is determined by law enforcement indicating, within seven years of the filing of the SAR (more on that later), that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value.  That law enforcement response or feedback is provided to FinCEN through the same BSA Database interfaces that exist today – obviously, some coding and training will need to be done (for how FinCEN does it, see below). If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within seven years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement. And when FinCEN shares that information across the industry, others could also reduce their false positive rates.

FinCEN’s TSV SAR Feedback Loop

FinCEN is working to provide more feedback to the private sector producers of BSA reports. As FinCEN Director Ken Blanco recently stated:[1]

“Earlier this year, FinCEN began the BSA Value Project, a study and analysis of the value of the BSA information we receive. We are working to provide comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information in order to make it more effective and its collection more efficient. We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm — that is clear. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis.”

FinCEN receives every SAR. Indeed, FinCEN receives a number of different BSA-related reports: SARs, CTRs, CMIRs, and Form 8300s. It’s a daunting amount of information. As FinCEN Director Ken Blanco noted in the same speech:

“FinCEN’s BSA database includes nearly 300 million records — 55,000 new documents are added each day. The reporting contributes critical information that is routinely analyzed, resulting in the identification of suspected criminal and terrorist activity and the initiation of investigations.

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, and local agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data taking place each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, which bring together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed.

Each day, law enforcement, FinCEN, regulators, and others are querying this data:  7.4 million queries per year on average. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that protect our nation from harm, help deter crime, and save lives.”

This doesn’t tell us how many of those 55,000 daily reports are SARs, but we do know that in 2018 there were 2,171,173 SARs filed, or about 8,700 every (business) day. And it appears that FinCEN knows which law enforcement agencies access which SARs, and when. And we now know that there are “18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities” every year. But which filings?

The law enforcement agencies know which SARs provide tactical or strategic value, or both. So if law enforcement finds value in a SAR, it should acknowledge that, and provide that information back to FinCEN. FinCEN, in turn, could provide an annual report to every financial institution that filed, say, more than 250 SARs a year (that’s one every business day, and is more than three times the number filed by the average bank or credit union). That report would be a simple relational database indicating which SARs had either or both tactical or strategic value. SAR filers would then be able to use that information to actually train or tune their monitoring and surveillance systems, and even eliminate those alerting systems that weren’t providing any value to law enforcement.

Why give law enforcement seven years to respond? Criminal cases take years to develop. And sometimes a case may not even be opened for years, and a SAR filing may trigger an investigation. And sometimes a case is developed and the law enforcement agency searches the SAR database and finds SARs that were filed five, six, seven or more years earlier. Between record retention rules and practical value, seven years seems reasonable.

Law enforcement agencies have tremendous responsibilities and obligations, and their resources and budgets are stretched to the breaking point. Adding another obligation – to provide feedback to the banks, credit unions, and other private sector institutions that provide them with reports of suspicious activity – may not be feasible. But the upside of that feedback – that law enforcement may get fewer, but better, reports, and the private sector institutions can focus more on human trafficking, human smuggling, and terrorist financing and less on identifying and reporting activity that isn’t of interest to law enforcement – may far exceed the downside.

Free Suspicious Activity Reports are great. But like Sam being prepared to stand in the freezing cold for his fried chicken, perhaps law enforcement is prepared to let us know whether the reports we’re filing have value.

Conclusion

As of this writing – July 3, 2020 – it remains to be seen whether the Anti-Money Laundering Act of 2020 will become law, or what parts of the Act will become law. But section 5201, which requires the public sector consumers of the BSA reports produced by the private sector to provide feedback to the private sector on the usefulness of those reports, is a critically important, long-awaited development in the US AML/CFT regime.

For more on alert-to-SAR rates, the TSV feedback loop, machine learning and artificial intelligence, see other articles I’ve written:

The TSV SAR Feedback Loop – June 4 2019

AML and Machine Learning – December 14 2018

Rules Based Monitoring – December 20 2018

FinCEN FY2020 Report – June 4 2019

FinCEN BSA Value Project – August 19 2019

BSA Regime – A Classic Fixer-Upper – October 29 2019

[1] November 15, 2019, prepared remarks for the Chainalysis Blockchain Symposium, available at https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-chainalysis-blockchain-symposium

AML360 Podcast – Jim Richards with Stephen Platt

On June 12, 2020 I enjoyed an hour with AML360 talk show host Stephen Platt. For an hour – live! – we talked about a broad range of issues facing the financial crimes community today:

  • The scourge of misaligned incentives, where regulators are looking at how banks run their programs, and not on how well those banks are getting timely, actionable intelligence to law enforcement. I argued that the Exam Manual needs to be changed from “a sound BSA/AML compliance program is critical in deterring and preventing money laundering and terrorist financing” (page 7, 2014 edition) to “providing actionable, timely intelligence to law enforcement is critical in deterring and preventing money laundering and terrorist financing, and a sound BSA/AML compliance program provides the foundation for being able to do so.”
  • Artificial intelligence and machine learning are critical tools, but we need to be wary of the results when those tools are used on SARs filed with law enforcement, rather than SARs used by law enforcement. I used the analogy of a car manufacturer: it’s not relevant how many cars it builds, what is relevant is how many cars are bought, and the quality of those cars. Same for SARs: it’s not relevant how many SARs a bank files, what is relevant is how many SARs are used by law enforcement, and the effectiveness of those SARs.
  • False positives, and whether high false positive rates are caused, in large part, by banks’ fear of regulatory sanctions for missing a possible actionable alert rather than by poor technology.
  • The importance of clean, consistent data. I argued that AML is 80% customer due diligence and 50% clean data (paraphrasing Yogi Berra), and that most legacy, large financial institutions still struggle to have and maintain an Enterprise Customer Risk Rating.
  • Whether and why financial institutions are falling further behind criminals and criminal organizations. They are, in large part because financial institutions need to be mindful of running their programs, testing their systems, model validation, audit requirements, regulatory exams, etc., while criminals and criminal organizations don’t need to deal with any of those things.
  • The impacts of COVID-19 on financial institutions’ fraud and AML programs. I argued that we’re able to adapt our systems to detect and prevent fraud, which is an objective event lending itself well to systemic monitoring and surveillance, but it’s too early to tell whether our AML systems will be as effective. For AML, both the numerator (alerts) and denominator (the volumes, velocities, and types of transactions) are changing so quickly, our AML models may not be as effective as they were.
  • Transaction Monitoring – I made the statement that account-based, traditional transaction monitoring is not only dead, it’s never worked effectively. Instead, relationship-based interaction surveillance is what is required.
  • The value of Deferred Prosecution Agreements, or DPAs.
  • The importance of understanding internal bad actors’ roles in identifying and reporting fraud and money laundering.

The podcast is available at https://podcasts.apple.com/us/podcast/aml-talk-show-brought-to-you-by-kyc360-com-hosts-martin/id1484784236?i=1000477739453

FinCEN’s Estimate of the Costs and Burden of Filing SARs Is Evolving, But Needs Private Sector Input

For years, FinCEN has used a one-size-fits-all-SARs method of determining the costs and burden of filing Suspicious Activity Reports (SARs): a flat two hours, or 120 minutes. With a new-found ability to slice-and-dice its SAR data, FinCEN has now determined that the back half of the SAR filing process takes between 45 and 315 minutes, depending on the type of SAR. And it’s looking for feedback from the private sector on how to enhance this estimate.

Posted June 2, 2020

On May 26, 2020, FinCEN published a notice in the Federal Register titled “Proposed Updated Burden Estimate for Reporting Suspicious Transactions Using FinCEN Report 111 – Suspicious Activity Report”. This is a notice required under the Paperwork Reduction Act, or PRA: agencies are required to periodically assess and estimate the burdens and costs of their regulatory regimes.

This is a ground-breaking notice, for it is the first such notice where: (1) FinCEN has been able to analyze the SAR Database to quantitatively assess the numbers, characteristics, and types of SARs, by institution type, by type of work required to be done, and by what types of involved positions; and (2) perhaps just as important, FinCEN has shown a willingness to provide this information and to seek feedback from the private sector on other available information that could be incorporated into future analyses. FinCEN must be commended for both.

In prior PRA notices, FinCEN has simply estimated that the SAR filing process takes a total of two hours for each and every SAR filed. With this notice, FinCEN identified, and attempted to capture burden and cost estimates for, five categories of SARs, two types of filing (batch and discrete), the six stages in the SAR filing process, and the four types of positions involved in the process.

Five categories of SARs: (1) depository institutions’ (banks and credit unions) original SARs with standard content; (2) depository institutions’ original SARs with extended content; (3) non-depository institutions’ original SARs with standard content; (4) non-depository institutions’ original SARs with extended content; and (5) all filers’ continuing activity SARs. The standard and extended content analysis looked at combinations of (1) the number of named suspects; (2) the number of suspicious activities’ categories marked on the SAR form; (3) the length and make-up of the narrative; and (4) whether there was an attachment.

Six stages in the SAR filing process: (1) maintaining a monitoring system; (2) reviewing alerts; (3) transforming alerts into cases; (4) case review; (5) documentation of the SAR/no SAR determination; and (6) the SAR filing process. The current two-hour per SAR PRA estimate only considered the 6th stage: this notice added the 4th and 5th stage, and FinCEN acknowledged that it needs further data, and comments from the private sector, in order to include the 1st, 2nd, and 3rd stages.

Four types of people: (1) general supervision (oversight); (2) direct supervision; (3) clerical (SAR investigation); and (4) clerical (filing).

With this notice, FinCEN is changing its PRA burden estimate of 120 minutes per SAR to an estimate ranging from 25 minutes to 315 minutes per SAR for the last 3 of the 6 stages in the SAR filing process, and is inviting comments on these new estimates and on how to include and estimate the first 3 of the 6 stages.

Comments from the public are due by July 27, 2020.

Below is my analysis and commentary on the FinCEN notice. The text of the Notice is in regular font: my analysis and comments are in red italics.

Renewal Without Change of the Bank Secrecy Act Reports by Financial Institutions of Suspicious Transactions

https://www.govinfo.gov/content/pkg/FR-2020-05-26/pdf/2020-11247.pdf

Agency Information Collection Activities; Proposed Renewal; Comment Request;

AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION: Notice and request for comments.

SUMMARY: As part of its continuing effort to reduce paperwork and respondent burden, FinCEN invites comments on the proposed renewal, without change, of currently approved information collections relating to reports of suspicious transactions. Under the Bank Secrecy Act regulations, financial institutions are required to report suspicious transactions using FinCEN Report 111 (the suspicious activity report, or SAR). Although no changes are proposed to the information collections themselves, this request for comments covers a proposed updated burden estimate for the information collections.

This request for comments is made pursuant to the Paperwork Reduction Act of 1995.

DATES: Written comments are welcome, and must be received on or before [INSERT DATE 60 DAYS AFTER THE DATE OF PUBLICATION OF THIS DOCUMENT IN THE FEDERAL REGISTER.]

JRR Comment: Very simply, FinCEN is proposing updates to the way it estimates the burden – both time and cost – for preparing and filing Suspicious Activity Reports, and is seeking comments on these proposed updates. FinCEN’s newfound ability to analyze the data it has seems to have allowed it to shift from a two-hours-for-all-SARs approach to a much more nuanced, data-driven approach.

ADDRESSES: Comments may be submitted by any of the following methods:

  • Federal E-rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Refer to Docket Number FINCEN-2020-0004 and the specific Office of Management and Budget (OMB) control numbers 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, 1506-0061, and 1506-0065.
  • Mail: Policy Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-2020-0004 and OMB control numbers 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, 1506-0061, and 1506-0065.

Please submit comments by one method only. Comments will also be incorporated into FinCEN’s review of existing regulations, as provided by Treasury’s 2011 Plan for Retrospective Analysis of Existing Rules. All comments submitted in response to this notice will become a matter of public record. Therefore, you should submit only information that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section at 1-800-767-2825 or electronically at frc@fincen.gov.

SUPPLEMENTARY INFORMATION:

I. Statutory and Regulatory Provisions

The legislative framework generally referred to as the Bank Secrecy Act (BSA) consists of the Currency and Financial Transactions Reporting Act of 1970, as amended by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) (Public Law 107– 56) and other legislation. The BSA is codified at 12 U.S.C. 1829b, 12 U.S.C. 1951–1959, 31 U.S.C. 5311–5314 and 5316–5332, and notes thereto, with implementing regulations at 31 CFR Chapter X.

The BSA authorizes the Secretary of the Treasury, inter alia, to require financial institutions to keep records and file reports that are determined to have a high degree of usefulness in criminal, tax, and regulatory matters, or in the conduct of intelligence or counter-intelligence activities, to protect against international terrorism, and to implement counter-money laundering programs and compliance procedures.[1] Regulations implementing Title II of the BSA appear at 31 CFR Chapter X. The authority of the Secretary to administer the BSA has been delegated to the Director of FinCEN.[2] Under 31 U.S.C. 5318(g), the Secretary of the Treasury is authorized to require financial institutions to report any suspicious transaction relevant to a possible violation of law or regulation. Regulations implementing 31 U.S.C. 5318(g) are found at 31 CFR 1020.320, 1021.320, 1022.320, 1023.320, 1024.320, 1025.320, 1026.320, 1029.320, and 1030.320. The information collected under these requirements are made available to appropriate agencies and organizations as disclosed in FinCEN’s Privacy Act System of Records Notice relating to BSA Reports.[3]

II. Paperwork Reduction Act (PRA)[4]

Title: Reports by Financial Institutions of Suspicious Transactions (31 CFR 1020.320, 1021.320, 1022.320, 1023.320, 1024.320, 1025.320, 1026.320, and 1029.320). OMB Control Numbers: 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, 1506-0061, and 1506-0065.[5]

Report Number: FinCEN Report 111 – Suspicious Activity Report (SAR).

Abstract: FinCEN is issuing this notice to renew the OMB control numbers for the SAR regulations and the SAR report.

Type of Review: Renewal without change of currently approved information collections.

Affected Public: Businesses or other for-profit institutions, and non-profit institutions.

SAR Regulations

Estimated Burden: An administrative burden of one hour is assigned to each of the SAR regulation OMB control numbers in order to maintain the requirements in force.[6]

JRR Comment: One hour is the current “administrative burden” of preparing and filing a SAR.

The reporting and recordkeeping burden is reflected in FinCEN Report 111 – SAR, under OMB control number 1506-0065. The rationale for assigning one burden hour to each of the SAR regulation OMB control numbers is that the annual burden hours would be double counted if FinCEN estimated burden in the industry SAR regulation OMB control numbers and in the FinCEN Report 111 – SAR OMB control number.

FinCEN Report 111 – SAR

Type of Review:

  • Propose for review and comment a re-calculation of the portion of the PRA burden that has been subject to notice and comment in the past (the “traditional annual PRA burden”).
  • Propose for review and comment a method to estimate the portion of the PRA burden that FinCEN previously had not included (the “supplemental annual PRA burden”).

JRR Comment: FinCEN is acknowledging that its current burden estimate (i) needs to be re-calculated, and (ii) needs to be augmented.  And it now has the means to do so through its BSA Value Project.

Frequency: As required.

Estimated Number of Respondents: 12,148 financial institutions.[7]

JRR Comment: The estimated number of respondents – 12,148 financial institutions – and the accompanying footnote is the first interesting nugget of information. The footnote includes the phrase “not all financial institutions identify suspicious activity that would warrant a SAR filing”. This is a benign phrase, hidden in a footnote, that could be the headline of a GAO report: arguably, every regulated financial institution, no matter how small, should identify and report at least one suspicious transaction in any given year. See my comments below Table 1.

Estimated Reporting and Recordkeeping Burden:

In this notice, FinCEN introduces two substantial modifications to the scope and the methodology we previously used to estimate the annual PRA burden associated with the SAR. First, with respect to the scope of the estimate, FinCEN’s traditional annual PRA burden estimate associated with the SAR included only the filer’s annual operational burden and cost associated with (a) producing and filing the report, and (b) storing a copy of the filed report. Starting with this notice, FinCEN intends to add a supplemental annual PRA burden estimate that reflects the annual costs involved in (a) determining whether alerts that were elevated for further review merit filing a SAR, and (b) documenting the decision not to file a SAR when a case does not merit it.[8]

JRR Comment: This is where FinCEN explains what it is proposing to do. FinCEN recognizes that there is a complex process to monitor for and alert on unusual activity, to determine whether to investigate that activity, to investigate that activity and, if it is suspicious, to prepare and file a SAR or, if it is not suspicious, to document why it is not suspicious. Later, FinCEN describes these as the six stages in the SAR filing process. In Footnote 8, though, FinCEN acknowledges that it “lacks the granular data to estimate the costs of certain steps in that process”. In fact, it lacks the data to include the burdens for steps 1-3, which arguably may be the most burdensome from both time and cost perspectives.

Second, with respect to the methodology underlying the PRA burden and cost estimates, rather than continuing to allocate a single PRA burden and cost to the completion, submission, and storage of any type of SAR, FinCEN proposes to estimate the individual PRA burden and cost of different categories of SARs, grouped by the SARs’ estimated degree of complexity. Because there is no direct way to measure the complexity and related effort and cost of producing each SAR, FinCEN uses key features of SARs filed in 2019 to categorize them based on similar combinations of those key features, under the assumption that such combinations of key features reflect similar levels of effort and cost necessary to produce the SARs.

JRR Comment: This is where FinCEN is acknowledging that not all SARs are the same. Later, FinCEN identifies five types of SARs for its burden estimates, differentiated by (i) whether they are original SARs or “continuing activity” SARs; (ii) whether filed by banks and credit unions (collectively, “depository institutions” or “DIs”) or all other types of filers (“Non-DIs”); (iii) whether they are “standard” complexity or “extended” complexity; and (iv) whether they were batch-filed or filed as a discrete, stand-alone SAR.

Part 1 below sets out the breakdown of the SARs filed during 2019 according to the key features that are used to group SARs into categories subject to similar PRA burden and cost. Part 1 also contains the analysis of how some combinations of key features worked or failed to work as proxies for a SAR’s complexity and, therefore, burden and cost.

Part 2 uses the results of the analysis in Part 1 to estimate the individual and total annual PRA burden and cost of each category of SARs. The methodology described in Part 2 covers both the traditional and the supplemental annual PRA burden estimate.

Part 1. Breakdown of the 2019 SAR Filings

In 2019, 12,148 financial institutions (the “filing population”) submitted 2,751,694 SARs (the 2019 SAR submissions).[9] The distribution of the 2019 SAR submissions, by type of filing (original or continuing),[10] type of financial institution,[11] number of reports per filer per year, and method of filing (batch or discrete),[12] is presented in Table 1 below:

Table 1 shows that banks submitted slightly over half of the total number of SARs filed in 2019. Money services businesses (MSBs) and credit unions contributed 32.9% and 7.3% of the total, respectively. Approximately 85% of the filings from all financial institutions consisted of original reports. In addition, approximately 85% of the reports were batch filed.

JRR Comment: The most interesting aspect of Table 1 is not what is included in the Table – which is the number of financial institutions, by type, that filed SARs in 2019, but what is not included in the Table – the total number of financial institutions, by type.

  • Banks – FDIC data shows that there were 5,186 banks at the end of 2019. So 95% of banks filed at least one SAR in 2019, which means that 5% or 250 banks didn’t file a single SAR in 2019.
  • Credit Unions – NCUA data shows that there were 5,236 credit unions at the end of 2019. Using this data, 62% of credit unions filed at least one SAR in 2019, which means that 38% or 2,001 credit unions didn’t file a single SAR in 2019. 
  • Securities/Futures – In this “catch all” category, FinCEN’s May 11, 2016 Final Rule for CDD/Beneficial Ownership provided that there were 16,404 entities in this class. SEC data suggests ~3,800 registered entities. At best, 15% of the regulated financial institutions in the Securities/Futures class are filing SARs.
  • Money Services Businesses (MSBs) – There are 22,736 MSBs registered with FinCEN. So less than 10% of registered MSBs filed at least one SAR in 2019.

To determine the concentration of 2019 SAR submissions among the filing population, FinCEN grouped filers in tranches according to the number of SARs filed during the year. Table 2 sets out the number of reports per tranche,[13] and Table 3 sets out (i) each tranche as a percentage of the total filer population, and (ii) each tranche’s reports as a percentage of the 2019 SAR submissions.[14]

JRR Comment: It is useful to group filers according to the number of SARs filed. But what would be more useful is to group them by size of institution. The problem, though, is determining what “size” is across diverse institution types. Total deposits might be the best proxy for banks and credit unions (better than total assets, which can be located outside the United States and aren’t tied to transactions as much as deposits are), but that measure doesn’t work for MSBs or Casinos.

However, 95% of SARs are filed by Depository Institutions (62%) and MSBs (33%). I would propose that Depository Institutions be grouped by tranches of Total Deposits, and MSBs be grouped by number of domestic agent locations.

Ten filers (six banks and four MSBs) made up the first tranche (00_LARGEST FILERS). As set out in Table 3, these ten filers accounted for nearly half of the 2019 SAR submissions. Slightly less than 2% of the filing population (Tranches 00 to 03) submitted 81% of all the reports. Additionally, out of the filing population, 81% contributed slightly less than 4% of the filings, while 56% submitted fewer than 10 reports per year.

JRR Comment: These two tables are critical. First, though, is some much-needed context for banks and credit unions. Of the 5,236 credit unions, only 10 have assets greater than $10 billion, and the largest is $90 billion. 90% of credit unions have less than $565 million in assets. Of the 5,186 banks, 143 have assets of more than $10 billion, 32 are larger than $90 billion, and the 4 largest are all over $1.5 trillion in assets. But most banks, like credit unions, are very small: 75% of banks have less than $565 million in assets.

Looking at 50 or fewer SARs filed per year – or less than one per week – shows that 80% of banks and 81% of credit unions that filed SARs in 2019 filed fewer than 1 per week on average. And almost 60% of each filed fewer than 10 in the entire year. The 10 largest filers – 6 banks and 4 MSBs – filed more than 700 per week on average. The top 2% of banks and credit unions filed more than 80% of the SARs.

Question – is it time for a bifurcated regulatory approach, similar to the CCAR/DFAST approach taken for capital and liquidity purposes?

JRR Comment: The main flaw in the approach of grouping institutions by the number of SARs filed is that you could have a $100 million asset (deposits) institution, or a 10-agent MSB appropriately filing 50 SARs a year, and a $100 billion asset institution or a 100-agent MSB inappropriately filing 50 SARs a year, yet they are included in the same tranche.

Unlike currency transaction reports, for example, which are more easily categorized because they are filed based on objective criteria (i.e., transaction type and threshold), each SAR may require a widely disparate level of effort depending largely on the amount of research and subjective analysis required to determine: (a) whether to file a report; (b) how to attribute the suspicious behavior to money laundering, financing of terrorism, or fraud typologies; (c) who the main persons involved in the activity are; and (d) how to explain in concise terms the rationale that led the filer to decide to file a SAR.

As FinCEN has no direct way to gauge the amount of work involved in the production of each SAR, FinCEN broke down the 2019 SAR submissions by additional key features, so that, individually or in combination, these additional key features could serve as a proxy to group SARs with similar levels of estimated complexity, and therefore, with similar estimated PRA burden. The additional key features in the SARs that FinCEN has concentrated its analysis on are: (a) the number of persons identified as subjects; (b) the number of distinct suspicious activities selected;[15] (c) the length of the narrative section; and (d) whether or not the report contains an attachment.[16]

JRR Comment: One can debate whether these are the best proxies for complexity, but this is a tremendous first step in determining relative complexity and estimated PRA burden.

  • Number of Subjects/Suspects – this is a good proxy. As a general rule, the more suspects, the more complex the underlying activity.
  • Number of distinct suspicious activities selected – Footnote 15 indicates that the SAR has 18 categories of suspicious activities. I’m not sure where that number comes from. There are 11 categories of suspicious activity, each with 1 or more sub-types of activity (a total of 79 sub-types plus “other” for each category). There are also 10 instrument types and 21 product types. I recommend that FinCEN use some AI/Machine Learning techniques to analyze the combinations of suspicious activity types, instruments, and products. FinCEN attempted this in its “tractable segmentation” approach, below.
  • Length of narrative – FinCEN recognizes some of the shortcomings of this attribute, and adjusts for it, but this is a good first step.
  • Attachment – FinCEN recognizes the shortcomings, adjusts for it … and it is a good first step.

I didn’t see anything about the amount being reported (with more reported activity indicating more complexity), or the period of time between the first reported activity and the last reported activity (the greater the period of activity indicating more complexity), or the period of time between the first reported activity and the date of the SAR (which could indicate a lookback or review).

Once FinCEN identifies the combination of key features that are common to the largest number of reports submitted by a given type of filer (the “standard content” for that type of filer), FinCEN may take such combination as a proxy for the content and estimated complexity of a “standard” SAR for that filer type. Reports submitted by filers of the same type that contain different features (more subjects, more suspicious activities, a longer narrative) may represent SARs with “extended content” that are more complex, and therefore carry a larger PRA burden and cost for that filer type. Based on the data available, FinCEN is considering only two levels of SAR complexity.

Table 4A shows a breakdown of the 2019 SAR submissions by type of financial institution and narrative length. Table 4B shows the percentage of reports with and without attachments, by type of financial institution, and narrative length.

Table 5 breaks down the 2019 SAR submissions by type of financial institution and number of suspicious activities identified in each report.[17]

JRR Comment: The differences in the number of selected suspicious activities can be caused by differences in style, practices, or training from one institution to another. For example, one filer may consider a check fraud involving an elderly customer to be one category (check fraud), another two categories (check fraud, Elder Financial Exploitation), another six categories (check fraud, identity theft, providing questionable or false documentation, Elder Financial Exploitation, forgeries, identity theft).

I would combine the “tranche and type” data from Tables 2 and 3 with the number of suspicious activity categories from Table 5: the data may show that the fewer SARs an institution files, the fewer suspicious activity categories there are.

Approximately 44% of the SARs submitted by all filers have narratives not exceeding 2,000 characters (half a page), and another 39% have narratives above half a page but not exceeding one page. Most SARs (60%) identify up to two suspicious activities, while another 38% list between three and five.

FinCEN analyzed key features of the 2019 SAR submissions described in Tables 1 through 5 to generate a tractable segmentation of the SAR universe into different levels of burden. FinCEN based this segmentation on the following observations:

  • FinCEN was not able to limit the criteria for selecting categories of SAR burden to the type of financial institution or the tranche of a filer alone because of large variations in the combination of features within each type of financial institution or tranche. It was possible, however, to arrive at a small number of complexity categories by combining key features that highlight significant differences between depository institution filers (banks and credit unions), MSBs, and other types of financial institution filers (non-depository institutions).
  • Based on the analyzed complexity features as well as FinCEN’s extensive use of SARs in its work, in general and on average,[18] the content of SARs shows the following general features:
  1. There appears to be a positive correlation between the number and complexity of a financial institution’s main business lines, and the value registered by some of the key features selected: the higher the number and complexity of the filer’s business lines, the higher the number of suspicious transactions identified and the longer the narrative.
  2. In general, non-depository institutions with a single primary business line (i.e., loan and finance companies or casinos) file reports that (a) list up to two suspicious transactions involving one subject and a single transaction or a small number of transactions over a short period of time, and (b) use relatively short narratives of up to half a page to explain the basis for their suspicion.
  3. Some SARs filed by non-depository institutions have features indicating complexity, particularly longer narratives, despite the SARs not being complex. A sample of the SARs filed by two of the largest non-depository institutions showed that in 94% of the SARs with longer narratives, the increased length was due to listing transactions the filer appeared to have tracked automatically. Six percent of those SARs appeared to have required greater analytical effort. To estimate the number of SARs with extended content filed by non-depository institutions in 2019, FinCEN therefore applied the six percent threshold to the total number of SARs with narratives over one page filed by non-depository institutions.
  4. Nearly three quarters of original SARs filed by depository institutions report only up to two subjects involved in up to five suspicious activities, described in a narrative that does not exceed one page, and on their face do not appear complex.

JRR Comment: This is one of the most important statements in this Notice. Essentially, FinCEN is saying that ¾ of the 2.7 million SARs filed are not complex. Can these SARs be filed without human intervention with little, if any, material loss in utility or value to law enforcement?

Many SARs filed by depository institutions, however, have features indicating complexity. This may reflect any combination of the factors laid out in the tables above – number of subjects per SAR, number of suspicious transactions listed per SAR, length of the narrative, and presence of an attachment. However, some SARs that appear complex based on these features often are not in reality. Depository institutions, which in general tend to offer many business lines mostly to established customers, sometimes include in SARs a comparison of other information they maintain. This can increase the apparent complexity of SARs analyzed against the complexity factors FinCEN identified without necessarily being indicative of a SAR requiring extensive research. FinCEN controlled for this by removing from the complex category SARs that had a high ratio of digits to non-digit text in the SAR narrative, because a high ratio of digits often indicates the algorithmic inclusion of transaction data in the SAR narrative.

JRR Comment: This was a great catch by FinCEN. And below might have been a miss by FinCEN. Whether “continuing activity” SARs require “substantially less effort”, or any less effort than original SARs, is worth exploring.

  • For all financial institutions, FinCEN estimates that the review of cases documenting the need to file continuing SARs, and the filing of the continuing SARs themselves, will require substantially less effort than the review of cases leading to the filing of original SARs, and the actual filing of such original SARs.
  • Lastly, FinCEN assumes that financial institutions that batch file SARs have a degree of automation they can employ to the partial filling of the report. Batch filers will also store electronic files that may contain several reports per file. Based on these assumptions, FinCEN allocates a lower PRA burden per report to these filers. This burden consists of the actual time of submission per report (which may be close to instantaneous), and the administrative and supervisory tasks involved in this stage.

As noted, reflecting the observations above, FinCEN identified five categories of SARs to generate a tractable segmentation of complexity for analyzing estimated PRA burden: (a) continuing SARs; (b) original SARs with standard content filed by non-depository institutions; (c) original SARs with extended content filed by non-depository institutions; (d) original SARs with standard content filed by depository institutions; and (e) original SARs with extended content filed by depository institutions.

JRR Comment: This is the first of three steps FinCEN takes in estimating the SAR burden – identifying the five categories of SARs. The second and third steps follow: identifying the six stages in the SAR filing process, and the four types of people involved in that process, respectively.

Part 2. PRA Burden and Cost Estimates

Based on industry input, including input obtained over the past year in a project assessing how to improve the effectiveness of BSA data and measure its value for each stakeholder group, FinCEN understands that the SAR filing process comes at the end of a larger process that varies in complexity depending on the type and size of the financial institution:[19]

JRR Comment: On the following page is FinCEN’s six-stage SAR production process. This is a good first step, but I disagree with the approach that, for purposes of the PRA burden and cost estimates, the SAR process is distinct from the overall BSA/AML program process (and burden and cost). The singular purpose of the BSA/AML program regime is to provide timely, actionable intelligence to law enforcement and the intelligence community by way of BSA reports and recordkeeping – primarily SARs and CTRs. Therefore, integral to the SAR production process are the program requirements of risk assessment, CIP/CDD, training, independent testing, examination management, etc. These costs will be included in future notices.

Stage 1 – Maintaining a Monitoring System: Commensurate with the size of the filer and the complexity of its operations, each filer will run, update, and upgrade a monitoring system that reflects its assessment of risk. This monitoring system will vary in complexity from a manual review process to a fully automated one.[20]

JRR Comment: The use of the singular “monitoring system” minimizes the complexity of even the smallest institution’s program to have employees escalate unusual activity (referrals), to have manual or automated monitoring systems identify unusual activity (alerts), and the regulatory and operational requirements to run, update, and upgrade those systems. Larger, more complex institutions will run dozens of monitoring and surveillance systems.

Stage 2 – Reviewing Alerts: When the monitoring system issues an alert, the filer will have to determine whether the alert reveals a true potential risk event, or is a false positive.

JRR Comment: As FinCEN explains below, it is not including this stage in its burden and cost estimate “due to the lack of the necessary granular information”. Transaction monitoring and customer surveillance systems, and the alerts that are generated, are a major part of the burden and cost of AML programs. The issue of high false positive rates – anecdotally 95 percent or more of alerts are so-called “false positives” – is often-discussed, always-lamented, and remains an intractable problem. See: https://regtechconsulting.net/uncategorized/rules-based-monitoring-alert-to-sar-ratios-and-false-positive-rates-are-we-having-the-right-conversations/. Also see: https://regtechconsulting.net/uncategorized/flipping-the-three-aml-ratios-with-machine-learning-and-artificial-intelligence-why-bartenders-and-aml-analysts-will-survive-the-ai-apocalypse/

Stage 3 – Transforming Alerts into Cases: If, based on the filer’s analysis, the alert points to a true potential risk event, the filer will gather additional information to present the case to the reviewing level that will eventually decide whether the event merits the filing of a SAR.

JRR Comment: FinCEN has done a good job recognizing that many institutions have an alert review or alert triage process to determine if an alert should “go to case” or not. But like stages 1 and 2, this third stage is not included in the burden and cost analysis at this time.

Stage 4 – Case Review: The appropriate level will review the case to determine whether or not the event constitutes a suspicious activity that must be reported.

Stage 5 – Documentation of Determination: This notice takes into account that filers document decisions they make as part of Stage 4 that lead them to conclude that an event does not warrant the filing of a SAR.

Stage 6 – SAR Filing Process: If an event warrants the filing of a SAR, the filer will follow its SAR filing process, including: (a) selecting supporting documentation; (b) completing the report, including drafting the narrative; (c) filing the report through batch or discrete filing; and (d) storing the filed report and supporting documentation in physical or electronic form.

Each stage requires the filer’s use of human and technological resources, which combination will vary according to the sophistication of the filer. Previously, FinCEN limited its annual SAR PRA burden estimate to Stage 6 mentioned above, the SAR filing process (the “traditional annual PRA burden”). In this notice, FinCEN expands its PRA burden estimate to include Stages 4 and 5 listed above (the “supplemental annual PRA burden”).

JRR Comment: Stages 4 and 5 are the “supplemental annual PRA burden” that FinCEN is adding. Until now, FinCEN only included Stage 6 in its PRA estimate. Now FinCEN is considering Stages 4, 5, and 6.

FinCEN is not addressing the burden associated with Stages 1 to 3 above due to the lack of the necessary granular information. Notably, FinCEN would need information regarding: (i) the levels of burden and cost attributed to differing monitoring systems; (ii) varying levels of complexity in determining whether alerts represent true alerts; and (iii) the amount of research involved in assembling cases to determine whether true alerts warrant the filing of a SAR. Furthermore, FinCEN would need additional information to identify the proportion of these costs that are strictly connected to the filing of a SAR relative to the same costs associated with a filer’s other regulatory or business requirements. FinCEN intends to address the information required for the estimate of the burden and cost of Stages 1 to 3 in a future notice. FinCEN acknowledges that each stage of the SAR production contributes to the next (including those stages of the process not included in this notice). FinCEN assesses, however, that the information provided by this notice, though not a complete estimate of the SAR PRA burden, improves the estimate and creates a foundation for a future estimate of the costs of all six stages.

JRR Comment: It is incumbent on the industry to provide FinCEN with data and information on Stages 1, 2, and 3 of the process, as well as on the other aspects of a program that are not reflected in these six stages: the program requirements of risk assessment, CIP/CDD, training, independent testing, examination management, etc., that are integral to, and part of, the SAR production and filing process.

FinCEN recognizes that SAR cases that are more complex may take a longer time to review at multiple stages, such as the case investigation point in Stage 4 and the SAR filing point in Stage 6. However, for ease of presentation, FinCEN calculated the extra burden of handling complex cases in our burden estimate for Stage 6, and attributed a burden that represents our estimate of the standard administrative work connected to continuing and original SARs to Stages 4 and 5. Therefore, the total estimate proposed in this notice will be the aggregate of the following estimates of the PRA burden related to:

  • Evaluating cases for potential SAR filing (Stage 4). This will be part of the supplemental annual PRA burden calculation.
  • Recordkeeping of cases not converted into SARs (Stage 5). This will be part of the supplemental annual PRA burden calculation.
  • The SAR filing process (Stage 6). This will be part of the traditional annual PRA burden calculation and will include the PRA burden associated with the filing of (i) continuing SARs, (ii) original SARs filed by non-depository financial institutions, and (iii) original SARs filed by depository financial institutions.

JRR Comment: Up to this point, FinCEN has introduced the first two of the three components of its PRA burden and cost estimate: the five categories of SARs, and the six stages of the SAR filing process. Now FinCEN turns to the third component: the people involved in the process. FinCEN has identified four.

FinCEN identified four staff positions and corresponding roles involved in the SAR process in order to estimate the hourly costs associated with the burden hour estimates calculated in this part. Those are: (i) general supervision (providing process oversight); (ii) direct supervision (reviewing operational-level work and cross-checking all or a sample of the filings against their supporting documentation); (iii) clerical work (engaging in case evaluation to support the determination of whether a SAR must be filed); and (iv) clerical work (engaging in producing, filing, and storing SARs and supporting documentation).

JRR Comment: This is where the private sector should provide detailed comments. It has not been my experience that fraud investigators and AML analysts are performing “clerical work”, classified by the Bureau of Labor Statistics as “Financial Clerks” with a mean (average) hourly wage of $20.40. Based on that same data, the mean annual wage is $43,500, with a broad range across the US of $25,980 to $60,600. The same job code for the financial services NAICS (522000) shows an annual mean salary of $44,500 and a 90th percentile salary of $62,330 (10% of the people in that category make more than $62,330). Data from the private sector will (I believe) show that the annual average salary for financial crimes investigators and analysts will be more than $62,330.  

FinCEN calculated the fully loaded hourly wage for each of these four roles by taking the median wage as estimated by the U.S. Bureau of Labor Statistics (BLS), and computing an additional benefits cost as follows:[21]

JRR Comment: Financial institutions must provide comments (supported by data and information) to FinCEN on these four roles and the range and median salaries for those roles. For example, the BLS data shows that the average salary for the Compliance Officer position is $66,236 with a broad range of $39,790 to $111,640. Data should show that most compliance officers earn in excess of $100,000. And differentiating between Depository Institutions, Securities/Futures, and Non-DIs will be critical.

FinCEN estimates that, in general and on average, each role would spend different amounts of time on each stage of the process covered by this notice, as described in the specific estimates below.

1. Estimate of the burden and cost of evaluating cases for potential SAR filing

To estimate the PRA burden involved in evaluating each case generated by one or more alerts, FinCEN starts with the number of cases that, after review, resulted in the filing of 2,751,694 SARs in 2019. As set out in Table 1 above, of that total number of filings, 2,335,559 reports were original SARs, and 416,135 were continuing SARs.

JRR Comment: This may not be an accurate assumption. Again, the private sector needs to provide comments (supported by data) on the burdens and costs of filing continuing activity SARs. 

In the case of continuing SARs, FinCEN assumes that the filer will be monitoring the specific transactions of the previously identified subject, and filing a continuing SAR every ninety days (if the subject did not discontinue the activity), and noting the cumulative monetary amount involved in the suspicious activity. FinCEN therefore assesses that the number of continuing suspicious activity cases will equal the number of continuing SARs.

In the case of original SARs, however, a filer may need to review a large number of cases to determine which cases justify the filing of a report. A paper issued by the Bank Policy Institute in 2018 (the “BPI Paper”)[22] contains the estimates of 13 large, midsize, and small banks (with assets under management of more than $500 billion, between $200 and $500 billion, and between $50 and $200 billion, respectively) about their average conversion rate[23] of cases to SARs. The BPI Paper states that, on average, banks filed SARs on 42% of alerts turned into cases (i.e., alerts that are not considered false positives).[24] In the absence of similar data for other types of financial institutions, FinCEN adopts the bank average conversion rate from cases to SARs set out in the BPI Paper (42%) to approximate the number of cases that could have generated the number of original SARs filed in 2019. If 42% of cases result in the filing of a SAR, the total filing population would have had to review approximately 5,560,854 cases[25] to report the 2,335,559 original SARs submitted in 2019.[26]

JRR Comment: FinCEN got the case-to-SAR conversion rate of 42 percent from the BPI paper. FinCEN refers to pages 5-7 of the BPI paper. Notably, the BPI survey respondents were 19 banks that all had assets of $50 billion or more: there are only 43 such banks. These 19 banks were grouped into small ($50 – $200 billion, at which time there were 33 such banks in total), midsize ($200 – $500 billion in assets, at which time there were 6 such banks in total), and large (greater than $500 billion, at which time there were 4 such banks). Thirteen (13) of the 19 banks provided data on Alert-to-Case-to-SAR numbers:

  • Large Banks – generated 2.8 million alerts of which 20% (560,000) became cases, of which 42% (235,200) became SARs;
  • Midsize banks – generated 117,000 alerts of which 9.5% (11,115) became cases, of which 54% (6,002) became SARs;
  • Small banks – generated 107,000 alerts of which 8% (8,560) became cases, of which 53% (4,537) became SARs.

Combined, the three tranches of banks generated 3,024,000 alerts which resulted in 579,675 cases, which eventually became 245,739 SARs. This overall Case-to-SAR conversion rate was 42%.

FinCEN estimates that the average burden involved in considering whether a case merits filing an original SAR, for all types of financial institutions and for any type of suspicious transactions, would be 20 minutes per case. FinCEN estimates that the average burden involved in reviewing cases involving continuing SARs will be much lower, at 3 minutes per case.

JRR Comment: These two assumptions – 20 minutes to determine whether a case merits filing an original SAR, and 3 minutes to determine whether continuing activity merits filing a continuing activity SAR – should be tested by financial institutions’ comments to FinCEN. These are important assumptions which may not prove true. 

FinCEN assumes that the review of cases will involve the participation of three of the roles described above, as follows:[27]

Table 7

JRR Comment: Once a case is opened, the common practice is to assign it to a fraud investigator or AML analyst to determine whether the overall activity of the customer meets the definition of “suspicious activity”. If it does, the analyst will then prepare a SAR: if the analyst determines that a SAR is not warranted, they will document their decisioning and close the case. Depending on the type of case, there may be procedures for reviewing those decisions.

Financial institutions should review their data and provide comments to FinCEN: the data will likely show that 80%-90% of the total time spent determining whether a SAR is merited is on case review, 10%-20% on direct supervision, and 0%-10% on indirect supervision.

Footnote 27 below is confusing to me: in my experience, fraud investigators and AML analysts – those people that are working cases, determining whether a SAR should be filed, and preparing and filing the SAR – are not maintaining agendas, documenting minutes of meetings, or assembling files for review by SAR committees.

The total annual PRA burden of this stage involving cases related to both continuing and original SARs would be 1,874,424 hours, at a total cost of $91,846,776, as described in Tables 8A and 8B below.

Tables 8A, 8B

2. Estimate of the burden and cost of documenting cases not converted into SARs

With 2,335,559 cases resulting in SAR filings and an estimated conversion rate of 42%, out of the estimated 5,560,854 cases, 3,225,295 would be cases involving a decision not to file. FinCEN estimates that the average burden hours of documenting the rationale as to why a case does not merit filing a SAR, for all types of financial institutions and in the context of any type of suspicious transactions, would be 25 minutes per report.

JRR Comment: FinCEN is estimating that it takes 20 minutes to determine whether a SAR is merited, and an extra 5 minutes to document the reasons for not filing a SAR if a SAR is not merited. Financial institutions should provide comments, supported by data and information, on these estimates.   

FinCEN assumes that documenting the rationale for not filing a SAR and the storage of the case documents will involve the participation of three of the roles described above, as follows:

Table 9

JRR Comment: In Table 7, FinCEN is estimating that the work done to determine whether a SAR is merited, and a SAR results, involves 10% indirect supervision, 60% indirect supervision, and 30% clerical work. In Table 9, FinCEN is estimating that the work done to determine whether a SAR is merited, and a SAR does not result, involves 1% indirect supervision, 19% indirect supervision, and 80% clerical work. However, with the exception of documenting no-SAR decisions, this is the same work performed by the same fraud investigators or AML analysts, supervised by the same direct supervisors. The ratios of work should be the same, or roughly the same, for both processes.    

The total annual PRA burden of this stage would be 1,343,872 hours, at a total cost of $38,972,288, as described in Table 10 below:

Table 10

3. Estimate of the burden of the SAR filing process

JRR Comment: To this point, FinCEN has laid out the five categories of SARs, the six stages of the SAR filing process, and the four types of positions involved in that process. FinCEN has also described the updated or new burden and cost estimate of evaluating cases for potential SAR filing and, for those cases that result in a “no-SAR” decision, the burden and cost of documenting that decision. In this section, FinCEN turns to the burden and cost estimate of the process of preparing and filing a SAR once the decision has been made that the case merits a SAR.

But first FinCEN describes its current estimate, made ten years ago before mandatory electronic filing, before attachments were allowed, and based on the old SAR forms. That estimate, or estimates, are crude and simple: two hours for the 99% and more of SARs filed by single financial institutions, and 2.5 hours for the rare (less than 1% of the SARs) filings made jointly by two or more financial institutions.

FinCEN’s prior estimate of the traditional average burden hours associated with the SAR filing process[28] was based on a 2010 assessment of the manual effort involved in the drafting, writing, filing, and storing of a paper-based SAR with a standard narrative of 4,000 characters (i.e., one page), and the storing or segregation of paper-based supporting documentation. Since 2011, financial institutions have been able to (a) file SARs electronically either in batch or discrete format, and (b) include with their SARs an attachment containing tabular data such as transaction data providing additional suspicious activity information not suitable for inclusion in the narrative. This attachment must be an MS Excel-compatible comma separated value (CSV) file with a maximum size of 1 megabyte. These new features contribute to a substantial decrease in the hourly burden of the mechanical aspects of the filing and storage of SARs and supporting documentation.

As set out in the estimates above, the review of approximately 5,560,854 cases would result in the closing out of 3,225,295 cases, and the filing of 2,335,559 original and 416,135 continuing SARs. In the previous part, FinCEN identified a tractable segmentation of SAR complexity: (a) continuing SARs; (b) original SARs with standard content filed by non-depository institutions; (c) original SARs with extended content filed by non-depository institutions; (d) original SARs with standard content filed by depository institutions; and (e) original SARs with extended content filed by depository institutions. In all cases, the estimate represents the administrative burden involved in producing and reviewing a SAR, overseeing the process of filing a SAR, and the actual filing of a SAR, and not just the mechanical process of generating, submitting, and storing the SAR (which might be very small for fully-automated filers using the batch filing method).

FinCEN assumes that the SAR filing process involves the following four roles described in Table 6, in varying proportions depending on whether the burden accounts for the reporting or the recordkeeping stage of the process:

JRR Comment: Tables 11A, 11B, and 12 set out FinCEN’s estimates for the percentage of time and resulting cost that it takes, by role, for drafting, writing, and submitting “Standard Content” SARs (Table 11A); for drafting, writing, and submitting “Extended Content” or complex SARs (Table 11B); and for the recordkeeping required for both (Table 12). Where there were stark differences in the SAR/No SAR determinations, FinCEN estimates that there are only subtle differences in the ratio of time/cost for standard or simple SARs and extended or complex SARs. Financial institutions should assess their data and information and provide comments to FinCEN: my experience is that complex investigations are often handled by more experienced investigators/analysts, and not necessarily more supervision.

3.1. Continuing SARs

In the case of a suspicious transaction that continues over time, filers must submit continuing SARs every ninety days. Financial institutions filed 416,135 continuing SARs as part of the 2019 SAR submissions. FinCEN estimates that, on average, the burden involved in filing a continuing SAR will be relatively low, and will be substantially the same among all types of financial institutions. The estimated hourly burden and its cost for continuing SARs are as follows:

JRR Comment: FinCEN phrases these as “estimates”, but they appear to be assumptions unsupported by data rather than estimates based on data. Financial institutions should provide comments to FinCEN on the burden and costs of continuing activity SARs compared to original SARs.  

3.2. Original SARs filed by non-depository institutions

Based on the application of the percentage described in Part 1 to SARs with narratives over one page filed by non-depository institutions, FinCEN identified 988,377 reports with standard content and 6,897 with extended content.

Original SARs filed by non-depository institutions (standard content)

For the purpose of calculating the burden of original SARs with standard content filed by non-depository institutions, FinCEN estimates that the average burden involved in the filing of original SARs will be higher than that of continuing SARs. Specifically, FinCEN uses an estimate of 40 minutes per batch-filed report and 60 minutes per discrete-filed report for drafting, writing, and submitting the SARs, and 5 minutes per batch-filed report and 15 minutes per discrete-filed report for storing filed reports and supporting documentation.

JRR Comment: FinCEN has developed a much more nuanced and granular estimate of the burden and cost of filing SARs. The old methodology was a single 120 minutes (2 hours) per SAR. With this new approach, there is a low estimate of 25 minutes for batch-filed, standard content continuing SARs, all the way to 315 minutes (more than 5 hours) for discrete-filed, extended content original SARs.  All of the combinations are set out in the following sections: Depository Institution versus Non-Depository Institution; standard content versus extended content; batch-filing versus discrete-filing; and drafting, writing, and submitting SARs versus recordkeeping for SARs.

The estimated hourly burden and its cost for this subset of SARs are therefore as follows:

Original SARs filed by non-depository institutions (extended content)

For the purpose of calculating the burden of original SARs with extended content filed by non-depository institutions, FinCEN estimates that the average burden will be several times higher than that of standard content SARs, and the related cost will include a larger proportion of the levels of the organization with higher fully-loaded hourly wages (those representing indirect and direct supervision). The estimated hourly burden and its cost for this subset of SARs are therefore as follows:

3.3. Original SARs filed by depository institutions

Based on the segmentation described in Part 1 of depository institution SARs into standard content and extended content, FinCEN identified 1,313,774 reports with standard content, and 26,513 that included extended content.

The estimate of the reporting and recordkeeping burden of these two SAR subsets is as follows, using the per-SAR burden estimates included in the tables:

JRR Comment: This is another significant estimate. Of the 1,340,287 original SARs filed by banks and credit unions (roughly half of all SARs filed), only 26,513 had “extended content”, which is FinCEN’s proxy for complex or, perhaps, significant SARs.

Less than 2% of the original depository institution SARs had extended content or were otherwise complex or significant SARs. The 2018 Bank Policy Institute survey of 19 large banks found that less than 4% of those SARs garnered law enforcement interest.   

Estimated Reporting and Recordkeeping Burden:

The estimated reporting and recordkeeping burden by type of process and report is as follows:

JRR Comment: At the end of this document I have included a chart that visualizes the different estimated time burdens for the twelve (12) combinations of SAR filings: Original versus Continuing Activity; DI versus Non-DI; standard content versus extended content; and batch- versus discrete-filing.

Estimated Total Annual Reporting and Recordkeeping Burden:

The total estimated reporting and recordkeeping burden and cost per type of process and type of report are as follows. As detailed in Table 22 below, the total estimated recordkeeping and reporting annual PRA burden for the case review and SAR filing process of the seven OMB control numbers covered by this notice is 5,462,026 hours, for a total cost of $206,422,989.

JRR Comment: FinCEN estimates that the total cost of the SAR filing process (or at least the last three of the six stages of the SAR filing process) is $206,422,989. The Bank Policy Institute survey of 19 large banks found that 14 of those banks (that responded to the survey questions on costs) reported that they spent, on aggregate, $2,400,000,000 on AML and CFT (Countering the Financing of Terrorism) compliance. FinCEN’s estimates for 12,148 SAR filers have captured less than 10% of what 14 large banks have reported in a private survey. There is some work to be done to reconcile these numbers. FinCEN acknowledges that there is work still to be done, and I acknowledge and applaud the work that FinCEN has done to date.

The distribution of the total estimated annual PRA burden and cost, by type of financial institution and SAR (original or continuing), and by SAR production process stage is as follows:[29]

FinCEN acknowledges that some of the partial estimates may over- or under-state the burden and cost of some of the stages of the SAR production process covered by this notice, due to generalization and lack of more detailed information. FinCEN wishes to emphasize that the total burden presented in Table 22 is spread across a number of different SAR reporting requirements involving different types of financial institutions. Indeed, in the case of depository institutions, both FinCEN and the Federal banking agencies have regulations requiring SAR reporting.[30] However, only one SAR form is filed in satisfaction of the rules of both FinCEN and the Federal banking agencies. FinCEN has historically never attempted to allocate the burden between agencies for SARs required by the rules of more than one agency. FinCEN intends to conduct more granular studies of the filing population in the near future, to arrive at more realistic estimates that take into consideration a more specific breakdown of the SAR production process, including estimating the burden to financial institutions of Stages 1 to 3, which may include the inter-agency burden allocation referred to above. The data obtained in these studies may result in a significant variation of the estimated total annual PRA burden.

An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the collection of information displays a valid OMB control number. Records required to be retained under the BSA must be retained for five years.

Part 3. Request for Comments

JRR Comment: This is the most important part of the notice. FinCEN has six specific requests for comments, and also invites general comments. Financial institutions must take this opportunity to provide FinCEN with actual data and information: anecdotes that “the SAR regime costs too much and doesn’t produce tangible, direct benefits to financial institutions” must be replaced with data-driven information. Only then can better collective, public/private sector decisions be made.

a. Specific Requests for Comments:

Comments submitted in response to this notice will be summarized and/or included in the request for OMB approval. All comments will become a matter of public record. Comments are invited on the calculation of the total PRA burden of filing the SAR, under the current regulatory requirements. Specifically, comments are invited on the following issues:

1. FinCEN has based the estimates contained in this notice on the actual SARs filed in 2019. We have restricted the analysis to features we could measure and statements we were able to support with data extracted from the 2019 filers and submissions, using limited external data for estimates of parameters such as labor costs and conversion rates for alerts into filed SARs. FinCEN is not able to factor in its estimate of the PRA burden the burden of portions of the process for which FinCEN lacks information in filed reports or reliable existing studies. All requests for comments ask the public to suggest other factors that may affect the burden and cost of SAR reporting. Suggested factors that FinCEN could quantify by analyzing the contents of the BSA database, or by referring to statistical information publicly available, and without conducting a formal survey of the reporting financial institutions would be especially appreciated.

JRR Comment: FinCEN is looking for data and information that comes from (i) the BSA Database (accessible on FinCEN’s website) and (ii) other publicly available, reliable sources. FinCEN does not seem interested in survey-based information, such as the BPI survey that FinCEN has, in fact, relied on for this notice.

2. FinCEN proposes to expand the annual PRA burden estimate to cover three stages of the SAR production process: (a) the review of cases based on monitoring alerts considered true positives; (b) the documentation of the decision not to turn a case into a SAR; and (c) the SAR filing process. A sample conversion rate of cases that lead to SARs for depository institutions was used to calculate how many total cases at all financial institutions would have to be evaluated to produce the total number of original SARs filed in 2019. FinCEN invites comments on the characterization of these three stages, the general case conversion rate utilized, and the existence of other generally available research documents that may show different case conversion rates for different financial institution types.

JRR Comment: This is the critical issue. FinCEN is inviting financial institutions (and their trade associations and other interested parties) to provide comments, supported by data, on the first three stages of the SAR process that are not currently included in the PRA burden and cost estimate. Those three stages are: (1) maintaining a monitoring system; (2) reviewing alerts; and (3) transforming alerts into cases.

3. FinCEN estimates that, in general, the cost of labor involved in the three stages of the SAR production process covered by this notice will depend on the level of involvement in each stage of at least four different types of labor within the organization (general supervision, direct supervision, clerical work for evaluation, and clerical work for recordkeeping). Is this a reasonable identification of the roles involved in the SAR process? Has FinCEN calculated labor costs reasonably? Within the calculations of PRA burden, has FinCEN reasonably estimated the involvement of the different kinds of labor identified?

JRR Comment: FinCEN is also seeking comments on the four types of people, or positions, in the SAR filing process, their costs (salaries and benefits), and the relative time each spends on the five types of SARs across the six stages of the SAR filing process. The data in the Bureau of Labor Statistics materials cited by FinCEN should be analyzed and compared against what FinCEN has used. See my comments above: hourly rates of $15 to $60 per hour for all participants in the SAR process appear to be materially low.

4. FinCEN arrived at estimates for (i) the hour burden of the review of all cases based on true positive alerts, and (ii) the decision not to file SARs based on the proportion of the cases that were not converted into original SARs. In general and on average, are these estimates reasonable?

JRR Comment: As indicated, this is really two issues that FinCEN is seeking comments on. One could argue that any estimate made in good faith is, in general and on average, reasonable. But I believe FinCEN is looking for something to support a higher standard than generally, on average, reasonable. It is incumbent on financial institutions to provide FinCEN with data and information to support a higher standard.

5. FinCEN segmented the universe of SAR filings into several different categories for purposes of estimating SAR complexity: (a) continuing SARs; (b) original SARs with standard content filed by non-depository institutions; (c) original SARs with extended content filed by non-depository institutions; (d) original SARs with standard content filed by depository institutions; and (e) original SARs with extended content filed by depository institutions. For each of these categories, FinCEN adjusted the estimated SAR filing burden depending on the filing method (batch or discrete). Is this segmentation reasonable? Are there other categories of SARs which FinCEN could quantify by analyzing the contents of the BSA database and without conducting a formal survey of the reporting financial institutions?

JRR Comment: Money Services Businesses (MSBs) were bucketed into the “non-depository institution” category along with the securities/futures industries’ institutions, casinos, card clubs, housing agencies, insurance companies, loan companies, and the “undetermined”. Given that 33% of all SARs were filed by MSBs, it may be better to have three categories: Depository Institutions, MSBs, and Other Non-Depository Institutions.

6. Are the other assumptions FinCEN made to calculate the burden associated with filing the different categories of SARs reasonable, such as the number of minutes required for each category of report?

b. General Request for Comments:

Comments submitted in response to this notice will be summarized and/or included in the request for OMB approval. All comments will become a matter of public record. Comments are invited on: (1) whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (2) the accuracy of the agency’s estimate of the burden of the collection of information; (3) ways to enhance the quality, utility, and clarity of the information to be collected; (4) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology; and (5) estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

Summary of the total time to prepare, file, and record a SAR: FinCEN PRA burden and cost estimate

Endnotes

[1] Section 358 of the USA PATRIOT Act added language expanding the scope of the BSA to intelligence or counter-intelligence activities to protect against international terrorism.

[2] Treasury Order 180-01 (re-affirmed January 14, 2020).

[3] FinCEN’s System of Records Notice for the BSA Reports System was most recently published at 79 FR 20969 (April 14, 2014).

[4] Public Law 104-13, 44 U.S.C. 3506(c)(2)(A).

[5] The SAR regulatory reporting requirements are currently covered under the following OMB control numbers: 1506-0001 (31 CFR 1020.320 – Reports by banks of suspicious transactions); 1506-0006 (31 CFR 1021.320 – Reports by casinos of suspicious transactions); 1506-0015 (31 CFR 1022.320 – Reports by money services businesses of suspicious transactions); 1506-0019 (31 CFR 1023.320 – Reports by brokers or dealers in securities of suspicious transactions, 31 CFR 1024.320 – Reports by mutual funds of suspicious transactions, and 31 CFR 1026.320 – Reports by futures commission merchants and introducing brokers in commodities of suspicious transactions); 1506-0029 (31 CFR 1025.320 – Reports by insurance companies of suspicious transactions); and 1506-0061 (31 CFR 1029.320 – Reports by loan or finance companies of suspicious transactions). The PRA does not apply to reports by one government entity to another government entity. For that reason, there is no OMB control number associated with 31 CFR 1030.320 – Reports of suspicious transactions by housing government sponsored enterprises. OMB control number 1506-0065 applies to FinCEN Report 111 – SAR.

[6] One hour of burden is estimated under each of the following OMB control numbers: 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, and 1506-0061.

[7] See Table 1 below for a breakdown of the types of financial institutions that filed SARs in 2019. Note that all banks, casinos and card clubs, money services businesses, brokers or dealers in securities, mutual funds, providers of covered insurance products, futures commission merchants and introducing brokers in commodities, loan or finance companies, and housing government sponsored enterprises are required to comply with the SAR regulatory requirements; however, not all financial institutions identify suspicious activity that would warrant a SAR filing. See 31 CFR 1020.320 (banks), 31 CFR 1021.320 (casinos and card clubs), 31 CFR 1022.320 (money services businesses), 31 CFR 1023.320 (brokers or dealers in securities), 31 CFR 1024.320 (mutual funds), 31 CFR 1025.320 (insurance companies), 31 CFR 1026.320 (futures commission merchants and introducing brokers in commodities), 31 CFR 1029.320 (loan or finance companies), and 31 CFR 1030.320 (housing government sponsored enterprises).

[8] Despite the expanded scope, FinCEN has not presented in this notice an estimate of the entire burden that is associated with SAR filings because, as described further in Part 2, FinCEN lacks the granular data to estimate the costs of certain steps in that process.

[9] Numbers are based on actual 2019 filings as reported to the BSA E-Filing System, as of 12/31/2019. Assumptions and estimates are also based on actual 2019 SAR filings.

[10] An original (or initial) report is the first SAR filed on suspicious activity no later than 30 days after the date of initial detection by the filer. (See e.g., 31 CFR 1020.320(a)(3)). A continuing SAR must be filed on suspicious activity that continues after an initial SAR is filed. Continuing reports must be filed on successive 90-day review periods until the suspicious activity ceases, but may be filed more frequently if circumstances warrant. For more information on continuing reports, see page 142 of the FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Requirements – XML Schema 2.0. https://bsaefiling.fincen.treas.gov/docs/XMLUserGuide_FinCENSAR.pdf

[11] In Table 1, the category “Securities/Futures” includes brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. The category “Undetermined” includes filers with missing, incomplete, or contradictory information about the type of financial institution to which they belong.

[12] In batch filing, a filer submits a single electronic file containing several reports. In discrete filing, the filer fills in an electronic report individually, using a data entry screen that FinCEN provides. While exceptions apply, batch filing is generally used by large-volume filers that have automated the filing process, while discrete filing is generally employed by filers that submit fewer reports per year and rely more on manual data entry methods.

[13] The category “Other” in Table 2 includes securities and futures, housing government sponsored enterprises, providers of covered insurance products, and filers for which the type of financial institution was still being determined at the moment of publication of this notice, as defined above. We adopt the same criteria for the rest of the tables contained in the notice, such as in Tables 4A, 4B, and 5 below.

[14] The percentage of filers contained in each tranche, and the percentage of reports submitted by those filers, are contained in the fields “pct_filers” and “pct_forms”, respectively. The cumulative percentage of filers contained in all tranches up to and including the current one, and the cumulative percentage of reports submitted by such filers, are shown in the fields “cumm_pct_filers” and “cumm_pct_forms”, respectively.

[15] FinCEN Report 111 – SAR contains checkboxes that allow filers to identify a variety of suspicious activities, such as structuring, terrorist financing, fraud, money laundering, and a cyber-event. FinCEN Report 111 – SAR has 18 categories of suspicious activities.

[16] Some filers attach a supplemental file to the report that in general contains a list of individual transactions that raised the alert about a potential suspicious transaction. The length of the narrative is sometimes impacted by whether the filer submits an attachment to the report listing these transactions, or uses the narrative section of the report to include such a list.

[17] The number of suspicious activities identified in each report represents the number of check boxes selected by the filer.

[18] By “in general,” FinCEN is speaking without regard to outliers (e.g., reports exhibiting features that are uncommonly higher or lower than those of the population at large), or that apply to a very narrow type of filer or type of transaction. By “on average,” FinCEN means the mean of the distribution of each subset of the population (although FinCEN uses median labor cost data to calculate weighted hourly worker compensation allocated to each PRA burden hour in Table 6 below).

[19] FinCEN acknowledges that the description of the SAR production process in this notice seems to imply that the process is always linear, with each stage following the previous one. While this situation may reflect a large proportion of the cases reviewed and SARs filed, certain situations will require the filer to return to an earlier stage (such as requiring additional information from the case managers, or drafting several versions of a narrative). The breakdown of the SAR production process in a discrete number of linear stages is intended as a conceptual framework to guide FinCEN’s estimates of the different levels of PRA burden. Such framework does not involve or imply any modification to, or new interpretation of the actual rule text of BSA regulations. The details provided in each stage of the framework serve only as a list of the features FinCEN did or did not consider when estimating the PRA burden of such stage. While FinCEN believes the tasks described in the framework represent the work generally required to produce a SAR, there is no obligation for a financial institution to adopt either formally or informally a process such as the one presented by the framework.

[20] FinCEN recognizes that filers may use the monitoring system to comply with additional BSA and non-BSA regulatory requirements, as well as for other business purposes such as protecting against reputational risks of money laundering and fraud against the filer or the filer’s customers.

[21] See U.S. Bureau of Labor Statistics, Occupational Employment Statistics-National, May 2019, available at https://www.bls.gov/oes/tables.htm . The most recent data from the BLS corresponds to May 2019. For the benefits component of total compensation, see U.S. Bureau of Labor Statistics, Employer’s Cost per Employee Compensation as of December 2019, available at https://www.bls.gov/news.release/ecec.nr0.htm . The ratio between benefits and wages for financial activities, credit intermediation and related activities is $15.80 (hourly benefits)/$31.45 (hourly wages) = 0.502. The benefit factor is 1 plus the benefit/wages ratio, or 1.502. Multiplying each hourly wage by the benefit factor produces the fully-loaded hourly wage per position.

[22] ‘Getting to Effectiveness – Report on U.S. Financial Institution Resources Devoted to BSA/AML and Sanctions Compliance’, Bank Policy Institute, October 29, 2018, available at https://bpi.com/wp-content/uploads/2018/10/BPI-AML-Sanctions-Study-vF.pdf . See pages 5-7.

[23] The average conversion rate represents the percentage of the total number of cases that, after receiving further review and consideration, warranted the filing of a SAR.

[24] Ibid. The BPI Paper identifies several provisos regarding the correlation among the different metrics (such as the number of alerts related to AML issues only, while the number of SARs filed included both fraud and AML-related transactions). FinCEN considers that these qualifications do not affect the rationale of applying the bank conversion rate of cases into SARs to the full filer population.

[25] The number of original SARs submitted in 2019 (2,335,559) divided by the 42% conversion rate.

[26] FinCEN acknowledges that this estimate simplifies the conversion, stipulating that one case will generate or fail to generate one SAR, when in practice several cases may be reported in a single SAR. It is also possible, while not very probable, that a single case may require the filing of more than one simultaneous SAR.

[27] FinCEN’s assumption is that the clerical work involved in the case review stage would include general administrative and coordination responsibilities, such as the maintaining of agendas, documentation of minutes, assembly of files to be presented to the appropriate authority (for example, a filer’s SAR Committee), and the summarization of the reasons not to file.

[28] FinCEN’s estimate of the traditional average burden hours involved in the SAR filing process was 2 hours for SARs filed individually (60 minutes attributed to reporting, and 60 minutes attributed to recordkeeping), and 2.5 hours per SAR for joint filings (90 minutes attributed to reporting, and 60 minutes attributed to recordkeeping). Joint filings are a single SAR filed by two or more separate financial institutions. This type of filing constitutes less than 1% of total filings.

[29] FinCEN obtained the breakdown by applying the percentages of continuing and original SARs by type of financial institution listed in Table 1, to the burden and cost estimates contained in Tables 8A, 8B, 10, and 13 to 20. Financial institutions the type of which is “undetermined” are included in the “Other nondepository” category in Tables 23 and 24.

[30] See 12 CFR 208.62, 211.5(k), 211.24(f), and 225.4(f) (Federal Reserve Board); 12 CFR 353.3 (Federal Deposit Insurance Corporation); 12 CFR 748.1(c) (National Credit Union Administration); 12 CFR 21.11 and 12 CFR 163.180 (Office of the Comptroller of Currency); and 31 CFR Chapter X (FinCEN).