Loading…

Lack of Beneficial Ownership Information: a “Glaring Hole in our System” Says Treasury Secretary

On February 12, 2020, Treasury Secretary Mnuchin testified before the Senate Finance Committee on the President’s Fiscal Year 2021 budget. At the 75:22 mark of the hearing, Senator Mark Warner (D. VA) began a series of statements and questions about the lack of beneficial ownership information. Senator Warner observed that the just-submitted (February 6th) 2020 National Strategy for Combating Terrorist and Other Illicit Financing – National Strategy  – indicated that the number one vulnerability facing the U.S. efforts to combat terrorism, money laundering, and proliferation financing was the lack of beneficial ownership requirements at the time of company formation.

Senator Warren noted that “one of the key vulnerabilities identified in the report is the lack of a legally binding requirement to collect beneficial ownership at the time of company formation.” At the 76:50 mark, the Senator posed the following question:

Mr. Secretary, do you agree that one of our most urgent national security and regulatory problems is that the US Government still has no idea who really controls shell companies?

At the 77:25 mark Secretary Mnuchin replied:

“This is a glaring hole in our own system.”

What did the National Strategy have to say about lack of beneficial ownership information?

2020 National Strategy for Combating Terrorist and Other Illicit Financing – Key Vulnerability is Lack of Beneficial Ownership Information

The National Strategy listed 10 vulnerabilities. In the “Vulnerabilities Overview” section (page 12), the first of the “most significant vulnerabilities in the United States exploited by illicit actors” was “the lack of a requirement to collect beneficial ownership information at the time of company formation and after changes in ownership.” The Strategy goes on:

“Misuse of legal entities to hide a criminal beneficial owner or illegal source of funds continues to be a common, if not the dominant, feature of illicit finance schemes, especially those involving money laundering, predicate offences, tax evasion, and proliferation financing.

*****

More than two million corporations and limited liability companies (LLCs) are formed in the United States every year. Domestic shell companies continue to present criminals with the opportunity to conceal assets and activities through the establishment of a seemingly legitimate U.S. businesses. The administrative ease and low-cost of company formation in the United States provide important advantages and should be preserved for legitimate investors and businesses. However, the current lack of disclosure requirements gives both U.S. and foreign criminals a method of obfuscation that they can and have repeatedly used, here and abroad, to carry out financial crimes. There are numerous challenges for federal law enforcement when the true beneficiaries of illicit proceeds are concealed through shell or front companies. Money launderers and others involved in commercial activity intentionally conduct transactions through corporate structures in order to evade detection, and may layer such structures, much like Matryoshka dolls, across various secretive jurisdictions. In many instances, each time an investigator obtains ownership records for a domestic or foreign entity, the newly identified entity is yet another corporate entity, necessitating a repeat of the same process. While some federal law enforcement agencies may have the resources required to undertake complex (and costly) investigations, the same is often not true for state, local, and tribal law enforcement.

*****

To address a major aspect of this recognized vulnerability, FinCEN issued a Customer Due Diligence (CDD) Rule, which became fully enforceable for covered financial institutions on May 11, 2018. This rule requires, among other things, more than 23,000 covered financial institutions to identify and verify the identities of beneficial owners of legal entity customers at the time of account opening and defined points thereafter.

*****

While the CDD Rule addressed the gap of collecting beneficial ownership information at the time of account opening, there remains no categorical obligation at either the state or federal level that requires the disclosure of beneficial ownership information at the time of company formation. Treasury currently does not have the authority to require the disclosure of beneficial ownership information at the time of company formation without legislative action. The CDD
Rule is an important risk-mitigating measure for financial institutions and an equally important resource for law enforcement, but it is not a comprehensive solution to the problem and a crucial gap remains.

The United Sates is traditionally the global leader on AML/CFT. But the lack of a legally-binding requirement to collect beneficial ownership information at the time of company formation hinders the ability of all regulated sectors to mitigate risks and law enforcement’s ability to swiftly investigate those entities created to hide ownership. Crucially, this deficiency drives significant costs and delays for both the public and private sectors. The 2016 Financial Action Task Force (FATF) Mutual Evaluation Report (MER) underscored the seriousness of this deficiency. Indeed, this gap is one of the principal reasons for the United States’ failing grade regarding the efficacy of its mechanisms for beneficial ownership transparency.” (citations omitted)

Key Priorities of the US Government in Combating Terrorism, Money Laundering, and Proliferation Financing

After setting out the threats and vulnerabilities, the 2020 National Strategy turned to the US Government’s three key priorities in fighting terrorist and other illicit financial activity:

“To make this 21st century AML/CFT regime a practical reality, the U.S. government will continue to review and pursue the following key priorities: (1) modernize our legal framework to increase transparency and close regulatory gaps; (2) continue to improve the efficiency and effectiveness of our regulatory framework for financial institutions; and (3) enhance our current AML/CFT operational framework. This will include the supporting actions discussed below.” (page 39)

Priority 1: Increase Transparency and Close Legal Framework Gaps

This first priority has four supporting actions: (i) require collection of beneficial ownership information by the government at time of company formation and after ownership changes; (ii) minimize the risks of the laundering of illicit proceeds through real estate purchases; (iii) extend AML program obligations to certain financial institutions and intermediaries currently outside the scope of the BSA; and (iv) clarify or update our regulatory framework to expand coverage of digital assets.

Supporting Action: Require the Collection of Beneficial Ownership Information by the Government at Time of Company Formation and After Ownership Changes

Currently, there is no categorical obligation at the state or federal level that requires the disclosure of beneficial ownership information at the time of company formation. Also, Treasury does not have the authority to require the disclosure of beneficial ownership information at the time of company formation without legislative action. Having immediate access to accurate information about the natural person behind a company or legal entity is essential for law enforcement and other authorities to disrupt complex money laundering and proliferation financing networks. However, this must be balanced with individual privacy concerns and not be unduly burdensome for small businesses.

The Administration believes that congressional proposals to require the collection of beneficial ownership information of legal entities by FinCEN, including the Corporate Transparency Act represents important progress in strengthening national security, supporting law enforcement, and clarifying regulatory requirements. The Administration is working with Congress. The aim—pass beneficial ownership legislation in 2020. It is important that any law enacted should closely align the definition of “beneficial owner” to that in FinCEN’s CDD Rule, protect small businesses from unduly burdensome disclosure requirements, and provide for adequate access controls with respect to the information gathered under this bill’s new disclosure regime.

The ILLICIT CASH Act – A Solution to the Beneficial Ownership Vulnerability

The 2020 National Strategy refers to congressional proposals. One of those was mentioned by Senator Warren, who referred to the bipartisan support that exists in Congress for addressing this vulnerability through a Senate bill, the ILLICIT CASH Act, S.2563 before the Senate Banking Committee. Senator Warren noted that the ILLICIT CASH Act, or Improving Laundering Laws & Increasing Comprehensive Information Tracking of Criminal Activity in Shell Holdings Act (clearly one of the great “backronyms” of all time!) had the support of 4 Democrats and 4 Republicans. Title IV of that bill set out “Beneficial Ownership Disclosure Requirements”, and included provisions to establish beneficial ownership reporting requirements. Although there is bipartisan and Administration support for the bill, not everyone is as supportive: the American Bar Association, for one, opposes the bill.

The American Bar Association – Supportive of Reasonable Measures to Combat Money Laundering, But Not the ILLICIT CASH Act

The American Bar Association – ABA Position on Combating Financial Crime  – “supports reasonable and necessary domestic and international measures designed to combat money laundering and terrorist financing. However, the Association opposes legislation and regulations that would impose burdensome and intrusive gatekeeper requirements on small businesses or their attorneys or undermine the attorney-client privilege, the confidential attorney-client relationship, or the right to effective counsel.” With respect to the ILLICIT CASH Act, the ABA opposes key provisions, and expressed that opposition in a June 19, 2019 letter to the Chairman and Ranking Member of the Senate Banking Committee. ABA Letter Opposing the ILLICIT CASH Act. And on their webpage:

“The ILLICIT CASH Act would require anyone involved in a real estate purchase or sale to file a detailed report with the Treasury Department containing the name of the natural person purchasing the real estate, the amount and source of the funds received, the date and nature of the transaction, and other data. Because attorneys often represent clients in real estate transactions, the ILLICIT CASH Act would compel many attorneys to disclose confidential client information to the government, a result plainly inconsistent with state court ethics rules.”

Conclusion – Courage to Compromise Is Needed if We Are to Make Inroads in the Fight Against Terrorism, Money Laundering, and Proliferation Financing

The ABA’s concerns about burdensome and intrusive requirements and undermining the attorney-client privilege are understandable. The Treasury Department’s concerns about the vulnerabilities of, and need to amend, the broken beneficial ownership regime are understandable. Democrats and Republicans in the House and Senate, and Republicans in the White House, will need to come together to draft, pass, and enact laws to fix the broken beneficial ownership regime. All of these groups, and more, will need the courage to compromise if we are to fill the most glaring hole in our AML system.

The Roger Stone Case – Whether Outraged or Relieved, At Least Be Informed

“A good deal of hysteria, some of it reflexive, much of it recreational”

The media, social media, politicians, and pundits are reacting loudly and passionately about the President’s decision to weigh in on the sentencing of Roger Stone, the resignations of four Assistant United States Attorneys involved in the case, and the decision of the Department of Justice to submit a revised sentencing recommendation. And the hysteria should continue for the foreseeable future, with the sentencing of Mr. Stone now set for February 20th.

Whether you are outraged or relieved about what is happening in this case, your outrage or relief should at least be informed.

In an essay published on May 10, 2004 in the Wall Street Journal’s Opinion section titled “The Spirit of Liberty: Before Attacking the Patriot Act, Try Reading It”, then chief judge of the U. S. District Court, Southern District of New York Michael Mukasey reminded us that if we were to express opinions on something, those opinions should at least be informed. Judge Mukasey was writing about the USA PATRIOT Act, passed in October 2001 in the wake of the 9/11 terrorist attacks, a statute which had “become the focus of a good deal of hysteria, some of it reflexive, much of it recreational.” Judge Mukasey wrote that “[l]ike any other act of Congress, the Patriot Act should be scrutinized, criticized and, if necessary, amended. But in order to scrutinize and criticize it, it helps to read what is actually in it.”

The Roger Stone case isn’t an act of Congress, but the facts of the case – set out in the 288 documents on the docket – should be read and understood before one expresses an opinion. But 288 documents is a lot of reading. Three of those documents should, in my opinion, be enough to provide enough of a balanced background to allow someone to have and express an informed opinion: the Government’s original Sentencing Memorandum, Roger Stone’s Sentencing Memorandum, and the Government’s Revised Sentencing Memorandum.  These are all publicly available documents. I’ll summarize them here. But first, a stop to explain the Sentencing Guidelines that are used in all federal criminal cases and which have been the subject of much of the rational, irrational, reflexive, or recreational hysteria around the Roger Stone case.

Federal Sentencing Guidelines – a Primer

The following is an excerpt from my April 2019 article on the College Admissions Scandal – College Admissions Scandal – RegTech Consulting Article April 16, 2019.

The Federal Sentencing Guidelines are intended to provide “guideline ranges that specify an appropriate sentence for each class of convicted persons determined by coordinating the offense behavior categories with the offender characteristic categories.” US Sentencing Commission Link

So there are two things to be considered: the defendant’s own criminal histories, if any, and the “offense level” of their crime, adjusted for various aggravating factors, and adjusted down for “acceptance of responsibility”. This gives an offense level of between 1 and 43, organized into four “zones”. The defendant’s criminal history is then considered, resulting in being placed into one of six criminal history categories. The result is a Sentencing Table with the seriousness of the crime on the Y axis and the seriousness of the criminal on the X axis. The court refers to, and can depart from, the ranges set out in the Table. A (partial) sentencing table (showing only the first 30 of the 43 offence levels) is seen below.

United States v. Roger J. Stone, U.S. District Court, District of Columbia Case 19CR00018 – Sentencing Scheduled for February 20, 2020

Government’s Original Sentencing Memorandum – Seeking imprisonment consistent with Sentencing Guidelines of 87-108 months

The Government’s original Sentencing Memorandum went through the history of the case. In January 2019 a federal grand jury indicted Roger Stone on seven criminal counts: one count of obstruction of a Congressional investigation (relating to his sworn testimony before the House Intelligence Committee), five counts of making false statements to Congress (“in his testimony before the House Intelligence Committee, Stone told the Committee five categories of lies”), and one count of witness tampering. In November 2019, after a lengthy trial, a jury convicted Roger Stone of all seven counts. The Memorandum also included a number of issues relating to the pre-trial conduct of Mr. Stone, and the court’s response to that conduct. An episode relating to an image Mr. Stone posted to Instagram of the judge with cross-hairs next to her head was included in the Memorandum.

The Government asked that “a sentence consistent with the applicable advisory Guidelines would accurately reflect the seriousness of his crimes and promote respect for the law.” At page 16 of its Memorandum, the Government set out the Guidelines Range based on an offense level of 29 and a Criminal History category of I (no criminal record), resulting in a range of imprisonment of 87 months to 108 months. That offense level of 29 was determined as follows:

14 for the base offense(s) level

+8 for threatening a witness

+3 for interference with the administration of justice

+2 for an offense that was extensive in scope, planning, or preparation

+2 for obstruction of justice

Roger Stone’s Sentencing Memorandum – Seeking probation below the Sentencing Guidelines of 15-21 months

Roger Stone’s attorneys’ Memorandum included a number of character references (letters) and focused on his exemplary personal life, a life they pointed out was very different than his public persona. They laid out a position that the sentencing guidelines should be based only on the base offense level of 14, without any enhancements, leaving a guideline range of 15 to 21 months, and that the Court should go below that range and sentence the defendant to a period of probation. They concluded ” the Court should impose a non-Guidelines sentence of probation with any conditions that the Court deems reasonable under the
circumstances.”

Government’s Amended Sentencing Memorandum (February 11) – Seeking imprisonment “far less than” Sentencing Guidelines of 87-108 months, but leaving it up to the Judge to decide how much less than

After the four Assistant US Attorneys withdrew from the case, new counsel from the Department of Justice filed an amended Sentencing Memorandum, setting out the Government’s position that:

“The prior filing submitted by the United States on February 10, 2020 (Gov. Sent. Memo. ECF No. 279) does not accurately reflect the Department of Justice’s position on what would be a reasonable sentence in this matter. While it remains the position of the United States that a sentence of incarceration is warranted here, the government respectfully submits that the range of 87 to 108 months presented as the applicable advisory Guidelines range would not be appropriate or serve the interests of justice in this case.”

And the Government concluded:

“The defendant committed serious offenses and deserves a sentence of incarceration that is “sufficient, but not greater than necessary” to satisfy the factors set forth in Section 3553(a). Based on the facts known to the government, a sentence of between 87 to 108 months’ imprisonment, however, could be considered excessive and unwarranted under the circumstances. Ultimately, the government defers to the Court as to what specific sentence is appropriate under the facts and circumstances of this case.”

Conclusion

You’ve read, or will read, the three sentencing memoranda. You have or will have a rudimentary understanding of the Federal Sentencing Guidelines and how they were applied in this case. From there, you can join the debate and express a reasonably learned opinion, backed by some knowledge of the facts. It is my opinion that everyone has a right to their opinion and to express that opinion, but it is their duty to express that opinion only after informing themselves of the facts and, to paraphrase Judge Mukasey, without resorting to reflexive, recreational hysteria.

Chinese Money Brokers – The First US Case Involving An Identified Threat to the US Financial System?

February 6, 2020 – US Warns of Chinese Money Brokers Integrating Illicit Cash Proceeds through Trade Based Money Laundering, or TBML

On February 6, 2020, the Treasury Department released its 2020 National Strategy for Combating Terrorist and Other Illicit Financing. 2020 National Strategy. Among other threats to the US financial system were Chinese money laundering networks, or money brokers, described at pages 24 and 25 of the Strategy …

U.S. law enforcement has seen an increase in complex schemes to launder proceeds from the sale of illegal narcotics in the United States by facilitating the exchange of cash proceeds from Mexican drug trafficking organizations to Chinese citizens residing in the United States. These money laundering schemes, run by Professional Money Laundering Networks, or PMLNs, are designed to sidestep two separate obstacles: Drug Trafficking Organizations’ (DTOs’) inability to repatriate drug proceeds into the Mexican banking system due to dollar deposit restrictions imposed by Mexico in 2010 [of $4,000 a month per individual and $1,500 a month for U.S. currency exchanges by non-accountholders] and Chinese capital flight law restrictions on Chinese citizens located in the United States that prevent them from transferring the equivalent of US$50,000 held in Chinese bank accounts for use abroad. Chinese money laundering networks facilitate the transfer of cash between these two groups.

As described in the graphic from the Strategy [below], a variety of Chinese money brokers, processors and money couriers facilitate these PMLNs. Brokers in Mexico coordinate with DTOs in order for the DTOs to receive pesos in exchange for drug profits earned in the United States. The DTO instructs a courier in the United States to provide U.S. currency to the broker’s U.S. processor. The processor then launders the cash and identifies U.S.-based buyers. In exchange for U.S. currency, the buyer will transfer renminbi (RMB) through their Chinese bank account to a Chinese account controlled by the money broker. The broker then uses the RMB to buy commodities from a Chinese manufacturer for export to Mexico. Once the goods arrive in Mexico, the broker or the DTO completes the cycle by selling the goods locally for pesos.”

 

February 3, 2020 – Owners of Underground, International Financial Institutions Plead Guilty to Operating Unlicensed Money Transmitting Business

The First Chinese Money Broker Prosecution? On February 3, 2020 – three days before the 2020 National Strategy was released, the US Attorney for the Southern District of California issued a press release that announced that Bing Han and Lei Zhang pleaded guilty in federal court for operating unlicensed money transmitting businesses. The US Attorney noted that the guilty pleas “are believed to be the first in the United States for a developing form of unlawful underground financial institution that transfers money between the United States and China, thereby circumventing domestic and foreign laws regarding monetary transfers and reporting, including United States anti-money laundering scrutiny and Chinese capital flight controls.”

The press release described the scheme as admitted in the plea agreements (which are not available online) as follows:

“Han and Zhang would collect U.S. dollars (in cash) from various third-parties in the United States and deliver that cash to a customer, typically a gambler from China who could not readily access cash in the United States due to capital controls that limit the amount of Chinese yuan an individual can convert to foreign currency at $50,000 per year. Upon receipt of the U.S. dollars, the customer (i.e., the gambler) would transfer the equivalent value of yuan (using banking apps on their cell phones in the United States) from the customer’s Chinese bank account to a Chinese bank account designated by defendant Han or Zhang. For facilitating these transactions, Zhang and Han were paid a commission based on the monetary value illegally transferred … Han and Zhang further admitted that they were regularly introduced to customers by casino hosts, who sought to increase the gambling play of the casino’s customers. By connecting cash-starved gamblers in the United States with illicit money transmitting businesses, like those operated by Han and Zhang, the casinos increased the domestic cash play of their China-based customers. All a gambler needed was a mobile device that had remote access a China-based bank account. As a result, Han and Zhang managed to transmit and convert electronic funds in China into hard currency in the United States; all while circumventing the obstacles imposed both by China’s capital controls, and the anti-money laundering scrutiny imposed on all United States financial institutions. For their efforts, the casino hosts often received a cut of Han’s or Zhang’s commission.”

This sounds very similar to what was described in the 2020 National Strategy document. AML professionals should put a reminder in their calendars for the sentencing hearings of Han and Zhang in order to learn more about these “Chinese Money Broker” crimes that pose a threat to the US financial system.

US v. Bing Han, SD CA Case 20CR00369 is scheduled for sentencing on May 1, 2020.

US v. Lei Zhang, SD CA Case 20CR00370 is scheduled for sentencing on May 4, 2020.

OCC Comptroller Talks About AML “False Negatives” and Technology

Whether “False Negatives” or “False Positives”, the Answer May Not Lie Just in New or Improved Technologies, but in an Improved Mix of New Technologies and More Forgiving Regulatory Requirements


On January 24, 2020, Jo Ann Barefoot had Thomas Otting, Comptroller of the Currency, as her guest on her podcast. The link is available at Barefoot Otting Podcast. Among other things, the Comptroller talked about BSA/AML, or as he put it “AML/BSA”.

Approximately 12:00 minutes into the podcast, the Comptroller had this to say about BSA/AML:

“Are we doing it the most effective way? … what we’re doing, is it helping us catch the bad guys as they’re coming into the banking industry and taking advantage of it?”

In a discussion on technology trends, the Comptroller spoke about how banks are using new technologies to learn about their customers and for risk management. Beginning at the 20:45 mark, he stated:

“Today our AML/BSA relies upon a lot of systems to kick out a lot of data that often has an enormous amount of false negatives associated with it that requires a lot of resources to go through that false negative, and I think if we can get to the point where we have better fine-tuned data with artificial intelligence about tracking information is and the type of activities that are occurring, I think ultimately we’ll have better risk management practices within the institutions as well.”

Having been a guest on Jo Ann’s podcast myself (see Richards Podcast), I know how unforgiving the literal transcript of a podcast can be, so it is fair to write that the Comptroller’s point was that the current systems kick out a lot of false negatives that require a lot of manual investigations; and better data and artificial intelligence could reduce those false negatives, resulting in greater efficiencies and better risk management.

But it is curious that he refers to “false negatives” – which are transactions that do not alert but should have alerted – rather than “false positives” – which are transactions that did alert and, after being investigated, prove not to be suspicious and therefore falsely alerted.  The Comptroller has many issues to deal with, and it’s easy to confuse false negatives with false positives. In fairness, his ultimate point was well made: the current regulatory requirements and expectations around AML monitoring, alerting, investigations, and reporting have resulted in a regime that is not efficient (he didn’t addressed the effectiveness of the SAR regime).

At the 21:30 mark, Jo Ann Barefoot commented on the recent FinTech Hackathon she hosted that looked at using new technology to make suspicious activity  monitoring and reporting more efficient and effective, and stated that “we need to get rid of the false flags in the system” (I got the sense that she was uncomfortable with using the Comptroller’s phrase of “false negatives” – Jo Ann is well-versed in BSA and AML and familiar with the issue of high rates of false positives). Comptroller Otting replied:

“If you think just in the SARs space, that 7 percent of transactions kind of hit the tripwire, and then ultimately about 2 percent generally have SARs filed against them, that 5 percent is an enormous amount of resources that organizations are dedicating towards that compliance function that I’m convinced that with new technology we can improve that process.”

Again, podcast transcripts can be unforgiving, and I believe the point that the Comptroller was making was that a small percentage of transactions are alerted on by AML monitoring systems, and an even smaller percentage of those alerts are eventually reported in SARs. His percentages, and math, may not foot back to any verifiable data, but his point is sound: the current AML monitoring, alerting, investigations, and reporting system isn’t as efficient as it should be and could be (again, he didn’t address its effectiveness).

I don’t believe that the inefficiencies in the current AML system are wholly caused by outdated or poorly deployed technology. Rather, financial institutions are (rightfully) deathly afraid of a regulatory sanction for missing a potentially suspicious transaction, and will err on the side of alerting and filing on much more than is truly suspicious. For larger institutions, it will cost them a few million dollars more to run at a 95% false positive rate rather than an 85% rate, or 75% rate (I address the question of what is a good false positive rate in one of the articles, below), but those institutions know that by doing so, they avoid the hundreds of millions of dollars in potential fines for missing that one big case, or series of cases, that their regulator, with hindsight, determines should have been caught.

Running an AML monitoring and surveillance program that produces 95% false positives is not “helping us catch the bad guys that are taking advantage of the banking industry” as the Comptroller noted at the beginning of the podcast. Perhaps a renewed and coordinated, cooperative effort between technologists, bankers, BSA/AML professionals, law enforcement, and the Office of the Comptroller of the Currency can lead us to a monitoring/surveillance regime enhanced with more effective technologies and better feedback on what is providing tactical and strategic value to law enforcement … and, hopefully, tempered by a more forgiving regulatory approach.

Below are two articles I’ve written on monitoring, false positive rates, the use of artificial intelligence, among other things. Let’s work together to get to a more effective and efficient AML regime.

Rules-Based Monitoring, Alert to SAR Ratios, and False Positive Rates – Are We Having The Right Conversations?

This article was published on December 20, 2018. It is available at RegTech Article – Are We Having the Right Conversations?

There is a lot of conversation in the industry about the inefficiencies of “traditional” rules-based monitoring systems, Alert-to-SAR ratios, and the problem of high false positive rates. Let me add to that conversation by throwing out what could be some controversial observations and suggestions …

Current Rules-Based Transaction Monitoring Systems – are they really that inefficient?

For the last few years AML experts have been stating that rules-based or typology-driven transaction monitoring strategies that have been deployed for the last 20 years are not effective, with high false positive rates (95% false positives!) and enormous staffing costs to review and disposition all of the alerts.  Should these statements be challenged? Is it the fact the transaction monitoring strategies are rules-based or typology-driven that drives inefficiencies, or is it the fear of missing something driving the tuning of those strategies? Put another way, if we tuned those strategies so that they only produced SARs that law enforcement was interested in, we wouldn’t have high false positive rates and high staffing costs.  Graham Bailey, Global Head of Financial Crimes Analytics at Wells Fargo, believes it is a combination of basic rules-based strategies coupled with the fear of missing a case. He writes that some banks have created their staffing and cost problems by failing to tune their strategies, and by “throwing orders of magnitude higher resources at their alerting.”  He notes that this has a “double negative impact” because “you then have so many bad alerts in some banks that they then run into investigators’ ‘repetition bias’, where an investigator has had so many bad alerts that they assume the next one is already bad” and they don’t file a SAR. So not only are the SAR/alert rates so low, you run the risk of missing the good cases.

After 20+ years in the AML/CTF field – designing, building, running, tuning, and revising programs in multiple global banks – I am convinced that rules-based interaction monitoring and customer surveillance systems, running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts, can result in an effective, efficient, proactive program that both provides timely, actionable intelligence to law enforcement and meets and exceeds all regulatory obligations. Can cloud-based, cross-institutional, machine learning-based technologies assist in those efforts? Yes! If properly deployed and if running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts.

Alert to SAR Ratios – is that a ratio that we should be focused on?

A recent Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had: 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). Note that the survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Some of the mega banks indicate that law enforcement shows interest in (through requests for supporting documentation or grand jury subpoenas) 6% – 8% of SARs.

So I argue that the Alert/SAR and even Case/SAR (in the case of Wells, Package/Case and Package/SAR) ratios are all of interest, but tracking to SARs filed is a little bit like a car manufacturer tracking how many cars it builds but not how many cars it sells, or how well those cars perform, how well they last, and how popular they are.  The better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

How do you determine whether a SAR provides value to Law Enforcement? One way would be to ask Law Enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure Law Enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, Law Enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate (see my previous article for more detail on TSV SARs).  What is a “TSV SAR”? A SAR that has Tactical or Strategic Value to Law Enforcement, where the value is determined by Law Enforcement providing a response or feedback to the filing financial institution within five years of the filing of the SAR that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value. If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within five years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement, and when that information is shared across the industry, others could also reduce their false positive rates.

Which leads to …

False Positive Rates – if 95% is bad … what’s good?

There is a lot of lamenting, and a lot of axiomatic statements, about high false positive rates for AML alerts: 95% or even 98% false positive rates.  I’d make three points.

First, vendors selling their latest products, touting machine learning and artificial intelligence as the solution to high false positive rates, are doing what they should be doing: convincing consumers that their current product is out-dated and ill-equipped for its purpose by touting the next, new product. I argue that high false positive rates are not caused by the current rules-based technologies; rather, they’re caused by inexperienced AML enthusiasts or overwhelmed AML experts applying rules that are too simple against data that is mis-labeled, incomplete, or simply wrong, and erring on the side of over-alerting and over-filing for fear of regulatory criticism and sanctions.

If the regulatory problems with AML transaction monitoring were truly technology problems, then the technology providers would be sanctioned by the regulators and prosecutors.  But an AML technology provider has never been publicly sanctioned by regulators or prosecutors … for the simple reason that any issues with AML technology aren’t technology issues: they are operator issues.

Second, are these actually “false” alerts? Rather, they are alerts that, at the present time, based on the information currently available, do not rise to the level of either (i) requiring a complete investigation, or (ii) if completely investigated, do not meet the definition of “suspicious”. Regardless, they are now valuable data points that go back into your monitoring and case systems and are “hibernated” and possibly come back if that account or customer alerts at a later time, or there is another internally- or externally-generated reason to investigate that account or customer.

Third, if 95% or 98% false positive rates are bad … what is good? What should the target rate be? I’ll provide some guidance, taken from a Treasury Office of Inspector General (OIG) Report: OIG-17-055 issued September 18, 2017 titled “FinCEN’s information sharing programs are useful but need FinCEN’s attention.” The OIG looked at 314(a) statistics for three years (fiscal years 2010-2012) and found that there were 711 314(a) requests naming 8,500 subjects of interest sent out by FinCEN to 22,000 financial institutions. Those requests came from 43 Law Enforcement Agencies (LEAs), with 79% of them coming from just six LEAs (DEA, FBI, ICE, IRS-CI, USSS, and US Attorneys’ offices). Those 711 requests resulted in 50,000 “hits” against customer or transaction records by 2,400 financial institutions.

To analogize those 314(a) requests and responses to monitoring alerts, there were 2,400 “alerts” (financial institutions with positive matches) out of 22,000 “transactions” (total financial institutions receiving the 314(a) requests). That is an 11% hit rate or, arguably, a 89% false positive rate. And keep in mind that in order to be included in a 314(a) request, the Law Enforcement Agency must certify to FinCEN that the target “is engaged in, or is reasonably suspected based on credible evidence of engaging in, terrorist activity or money laundering.” So Law Enforcement considered that all 8,500 of the targets in the 711 requests were active terrorists or money launderers, and 11% of the financial institutions positively responded.

With that, one could argue that a “hit rate” of 10% to 15% could be optimal for any reasonably designed, reasonably effective AML monitoring application.

But a better target rate for machine-generated alerts is the rate generated by humans. Bank employees – whether bank tellers, relationship managers, or back-office personnel – all have the regulatory obligation of reporting unusual activity or transactions to the internal bank team that is responsible for managing the AML program and filing SARs. For the twenty plus years I was a BSA Officer or head of investigations at large multi-national US financial institutions, I found that those human-generated referrals resulted in a SAR roughly 40% to 50% of the time.

An alert to SAR ratio goal of machine-based alert generation systems should be to get to the 40% to 50% referral-to-SAR ratio of human-based referral generation programs.

Flipping the Three AML Ratios with Machine Learning and Artificial Intelligence (why Bartenders and AML Analysts will survive the AI Apocalypse)

This article was posted on December 14, 2018. It remains the most viewed article on my website. It is available at RegTech Article – Flipping the Ratios

Machine Learning and Artificial Intelligence proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate (more on false positives in another article!). The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government.

But is it that simple? Can the job of AML Analyst be eliminated or dramatically changed – in scope and number of positions – by machine learning and AI? Much has been and continues to be written about the impact of artificial intelligence on jobs.  Those writers have categorized jobs along two axes – a Repetitive-to-Creative axis, and an Asocial-to-Social axis – resulting in four “buckets” of jobs, with each bucket of jobs being more or less likely to be disrupted or even eliminated:

A good example is the “Social & Repetitive” job of Bartender: Bartenders spend much of their time doing very routine, repetitive tasks: after taking a drink order, they assemble the correct ingredients in the correct amounts, and put those ingredients in the correct glass, then present the drink to the customer. All of that could be more efficiently and effectively done with an AI-driven machine, with no spillage, no waste, and perfectly poured drinks. So why haven’t we replaced bartenders? Because a good bartender has empathy, compassion, and instinct, and with experience can make sound judgments on what to pour a little differently, when to cut-off a customer, when to take more time or less with a customer. A good bartender adds value that a machine simply can’t.

Another example could be the “Asocial & Creative” (or is it “Social & Repetitive”?) job of an AML Analyst: much of an AML Analyst’s time is spent doing very routine, repetitive tasks: reviewing the alert, assembling the data and information needed to determine whether the activity is suspicious, writing the narrative. So why haven’t we replaced AML Analysts? Because a good Analyst, like a good bartender, has empathy, compassion, and instinct, and with experience can make sound judgments on what to investigate a little differently, when to cut-off an investigation, when to take more time or less on an investigation. A good Analyst adds value that a machine simply can’t.

Where AI and Machine Learning, and Robot Process Automation, can really help is by flipping the three currently inefficient AML ratios:

  1. The False Positive Ratio– the currently accepted, but highly axiomatic and anecdotal, ratio is that 95% to 98% of alerts do not result in SARs, or are “false positives” … although no one has ever boldly stated what an effective or acceptable false positive rate is (even with ROC curves providing some empirical assistance), perhaps the ML/AI/RPA communities can flip this ratio so that 95% of alerts result in SARs. If they can do this, they can also convince the regulatory community that this new ratio meets regulatory expectations (because as I’ll explain in an upcoming article, the  false positive ratio problem may be more of a regulatory problem than a technology problem).
  2. The Forgotten SAR Ratio– like false positive rates, there are anecdotes and some evidence that very few SARs provide tactical or strategic value to law enforcement. Recent Congressional testimony suggests that ~20% of SARs provide TSV (tactical or strategic value) to law enforcement … perhaps the ML/AI/RPA communities can help to flip this ratio so that 80% of SARs are TSV SARs. This also will take some effort from the regulatory and law enforcement communities.
  3. The Analysts’ Time Ratio– 90% of an AML Analyst’s time can be spent simply assembling the data, information, and documents needed to investigate a case, and only 10% of their time thinking and using their empathy, compassion, instinct, judgment, and experience to make good decisions and file TSV SARs … perhaps the ML/AI/RPA communities can help to flip this ratio so that Analysts spend 10% of their time assembling and 90% of their time thinking.

We’ve seen great strides in the AML world in the last 5-10 years when it comes to applying machine learning and creative analytics to the problems of AML monitoring, alerting, triaging, packaging, investigations, and reporting. My good friend and former colleague Graham Bailey at Wells Fargo designed and deployed ML and AI systems for AML as far back as 2008-2009, and the folks at Verafin have deployed cloud-based machine learning tools and techniques to over 1,600 banks and credit unions.

I’ve outlined three rather audacious goals for the machine learning/artificial intelligence/robotic process automation communities:

  1. The False Positive Ratio – flip it from 95% false positives to 5% false positives
  2. The Forgotten SAR Ratio – flip it from 20% TSV SARs to 80% TSV SARs
  3. The Analysts’ Time Ratio – flip it from 90% gathering data to 10% gathering data

Although many new AML-related jobs are being added – data scientist, model validator, etc. – and many existing AML-related jobs are changing, I am convinced that the job of AML Analyst will always be required. Hopefully, it will shift over time from being predominantly that of a gatherer of information and more of a hunter of criminals and terrorists. But it will always exist. If not, I can always fall back on being a Bartender. Maybe …

Colorado’s Roadmap to Cannabis Banking – A Roadmap Without a Destination

Kudos to all of those involved in this effort in Colorado, but I’m not sure how this advances the effort to get more Colorado financial services providers to serve more cannabis related businesses. Most importantly, the “Wildly Important Goal” set out in the Roadmap – to increase the number of Colorado-chartered financial institutions serving cannabis related businesses by 20% – doesn’t actually address the underlying problem that the Roadmap otherwise tries to address. It’s not important how many financial institutions are providing financial services to cannabis related businesses: what is important is how many cannabis related businesses have access to financial services.

First, the Roadmap is limited to Colorado-chartered banks, trust companies, money transmitters, credit unions, and savings & loans. Federally-chartered financial institutions are not included: in fairness, Colorado has no jurisdiction over federally-chartered entities. Regardless, all of those Colorado entities have some sort of federal agency oversight (OCC, FRB, NCUA, IRS, etc.) and none of those federal agencies have been willing or able to provide any formal regulatory fixes. And it should be noted that none of those agencies have formally acknowledged the February 2014 FinCEN Guidance on providing financial services to marijuana-related businesses: they’ve had six years to do so, and haven’t. That should tell you something.

Second, if you read the seven goals and the “key strategies” accompanying each of the goals, there doesn’t appear to be much that is new or ground-breaking:

Goal 1 – Establish a working group – the Roadmap shows this goal as “complete and ongoing since January 2019”

Goal 2 – Increase transparency – “On track” with references to cannabis industry meetings in July 2019 and hemp industry meetings in September 2019

Goal 3 – Engage trade associations – “on track” and “complete”

Goal 4 – Encourage new and emerging technologies – The Division of Banking has issued its Interim Regulatory Guidance for Virtual Currencies and the
Colorado Money Transmitter Act, and (here’s something that isn’t new but almost complete) “obtaining legal guidance from the Attorney General regarding providing services under the Money Transmission Action and the Trust Companies Act to issue public guidance for consumers and the industry” is targeted for “spring 2020”

Goal 5 – Provide regulatory guidance – “Ongoing”

Goal 6 – Reduce barriers to entry (to new financial institutions) – “In progress” and “ongoing”

Goal 7 – Demonstrate support – “Ongoing”

So it looks like two of the seven goals are complete, four are on track/in progress,ongoing, and one goal is targeted for completion this spring. The seven goals are laudable, but not particularly bold or ambitious.

Third, although the Roadmap includes a “Wildly Important Goal” of implementing a plan to increase the number of (Colorado) financial service providers who serve CRBs by 20% by June 30 of this year, there is nothing about how many such financial service providers there are or how many of those are currently serving CRBs. According to the Colorado Division of Banking website, it regulates 799 Colorado-chartered commercial banks, trust companies, and money transmitters. According to the Colorado Division of Financial Services, it regulates 46 credit unions and savings & loans. So that’s 845 Colorado-chartered financial institutions: how many of those are currently knowingly providing financial services to Colorado CRBs? And what types of financial services are those financial institutions providing? Also, how many non-regulated businesses are providing financial services to CRBs and indirectly using Colorado-chartered financial institutions (in the same manner as Chime and Varo Money use The Bancorp Bank, or SoFi uses Cross River Bank)? We don’t know, because the Roadmap doesn’t provide any information.

Nor is there anything about how many CRBs there are in Colorado or how many currently have access to Colorado financial services providers. The Colorado Marijuana Enforcement Division website shows 2,707 licensed marijuana businesses – Colorado Marijuana Enforcement Division – and 1,712 licensed owners. How many of those businesses and owners don’t have any access to financial services? How many of them are currently obtaining services from Colorado-chartered financial institutions? The Roadmap is silent.

It’s tough to increase something by 20% if you don’t know what that something is.

Fourth, the wildly important goal of increasing the number of Colorado financial institutions serving cannabis related businesses doesn’t necessarily address the underlying problem to be solved, which is the lack of financial services available to cannabis related businesses. There are 845 Colorado-chartered financial institutions available to serve 2,707 Colorado cannabis related businesses. Assuming, for argument’s sake, that there are currently 100 financial institutions serving 500 cannabis related businesses in Colorado. Increasing the number of financial institutions by 20% to 120 doesn’t mean that the number of cannabis related businesses with access to financial services goes up at all, let alone by 20% to 600. Rather, the Wildly Important Goal should be to increase the number of Colorado cannabis related businesses with full and complete access to Colorado-chartered financial institution services by 20%.

Conclusion

Like the ABA’s response to Senator Crapo’s December 18, 2019 opposition to the SAFE Banking Act (see ABA Response), the Colorado Roadmap would have been more effective if it had provided data on the size and scope of the actual problem of the cannabis industry’s lack of access to financial services. The best the Roadmap does is: “Colorado state-chartered banks and credit unions have generally not provided services to the marijuana industry … as a result, there are a substantial number of cannabis and cannabis-related businesses that do not have access to banking services.” Given the public and private sector efforts in Colorado since full legalization in 2014, they authors and contributors to the Roadmap should have had the data to be able to write something like this (using numbers that may be wildly off): “only 20 of the 564 Colorado state-chartered banks, and 6 of the 41 credit unions are actively, knowingly provide full financial services to only 200 of the 2,707 licensed Colorado marijuana businesses. Our Wildly Important Goal is to increase the number of banks and credits unions serving those businesses by 20%, and to increase the number of Colorado marijuana businesses with access to those banks and credit unions by 50% …”.

That would be a goal worth shooting for, or in the case of this roadmap, driving towards.

The SAR Safe Harbor – Please, Supreme Court, no jiggery-pokery! Keep our Safe Harbor safe!

Updated February 14, 2020 – Anything but “absolute immunity” will cripple the U.S. Anti-Money Laundering regime

There is a petition currently before the US Supreme Court asking the Court to take up a case to decide whether the so-called “safe harbor” provision gives banks and bank employees absolute immunity from any liability when filing a Suspicious Activity Report, or SAR, or something less than absolute immunity.  The case is AER Advisors, Inc., Deutsche et al., Petitioners v. Fidelity Brokerage Services, LLC, petition for writ of certiorari, Docket 19-347 (US Supreme Court).[1] It was “distributed for conference” on January 22, 2020, and the conference – or meeting of the Justices – is scheduled for February 21, 2020: a week from the date of this updated article!

In this case, the Court of Appeals for the First Circuit held that Fidelity had absolute immunity in filing Suspicious Activity Reports, and dismissed the petitioners’ claims against Fidelity that it filed a SAR against the petitioners in bad faith. The petitioners sought review by way of a petition for writ of certiorari – basically, an appeal – to the US Supreme Court. Their petition, Fidelity’s Response, and the petitioners’ Reply are now before the Court for a decision whether the Court will take up the case.

The petitioners framed the main question as whether 31 USC section 5318(g), added by the Annunzio-Wylie Money Laundering Act of 1992, confers (a) absolute immunity for any disclosure; or (b) immunity only if the disclosure is an objectively possible criminal violation and/or is made in good faith and/or is not fraudulent.[2] The respondent Fidelity framed the main question differently: Is a financial institution immune from private suit under the Bank Secrecy Act when it files a Suspicious Activity Report as required by the Act?

The section in question is unequivocal:

31 USC s. 5318(g)(3) Liability for Disclosures

(A) In general. –Any financial institution that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this subsection or any other authority, and any director, officer, employee, or agent of such institution who makes, or requires another to make any such disclosure, shall not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any State or political subdivision of any State, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure to the person who is the subject of such disclosure or any other person identified in the disclosure.

Leaving aside all the legal arguments, Fidelity’s Opposition Brief includes an interesting description of the policy considerations favoring absolute immunity for financial institutions for filing Suspicious Activity Reports (beginning on page 18, the policy consideration began with “if financial institutions face liability for filing a report …”). As I began reading that section, I (as a former large bank BSA Officer responsible for the filing of well over one million SARs over the years) immediately thought of two things.

First, counsel was (rightly) focused on his client, the financial institution. But as I read the case, I was thinking “what about the BSA Officer who is the FIRST person the plaintiff’s lawyer is going to sue?!” And “who cares about the financial institution that makes a gazillion dollars a year … what about the poor BSA Officer?!”.

After recovering from that, I then thought that the obvious policy consideration favoring absolute immunity was the chilling effect that anything but absolute immunity would have on the way a BSA program is run. Without that absolute immunity, you would need to have multiple layers of review of every possible SAR, quality assurance reviews, testing requirements, auditing of those processes, etc. You would need to have multiple sign-offs on every SAR, then checking and testing of the policies and procedures and processes supporting those sign-offs. You would have checkers checking checkers checking checkers. And with large banks filing hundreds of SARs every business day, the process and personnel requirements to review every SAR for a “good faith” standard, could double the number of people needed to investigate, prepare, and file SARs. (my mind then drifted back to the personal liability of the BSA Officer overseeing such a program and of the supervisors and managers reviewing SARs).

In short, BSA Officers and AML investigations teams would be overwhelmed with oversight, to the point of paralysis. The effect of a limited or qualified immunity would be to have no immunity, and the BSA regime as we know it – monitoring for unusual activity, investigating that activity, and to the best of your ability and based on all the available facts, filing reports of suspicious activity – would end.

But none of that was on the mind of the lawyers. No, they weren’t worried about the potential impact on the suspicious activity reporting regime itself, or the BSA personnel in financial institutions facing personal ruin from plaintiffs/ law suits, they were worried about the burden on the financial institutions and on the institutions’ lawyers and the cost of those lawyers. At page 18 counsel for Fidelity wrote:

“… policy considerations favor absolute immunity. ‘Any qualification on immunity poses practical problems.’ Id. The most immediate problem is ‘a risk of second guessing.’ Id. If financial institutions face liability for filing a report, they may delay reporting or under report. Id. But even where a financial institution has a good-faith belief that a law has been violated, the institution may still think twice before reporting if Petitioners’ view of the law prevailed … In the face of potential litigation burdens of this magnitude, there is a substantial risk that financial institutions would be chilled in the filing of suspicious activity reports. Institutions will certainly think twice before reporting if expensive litigation is the cost of complying with the law. And because institutions file millions of these reports a year, if these reports were subject to litigation, financial institutions would be overwhelmed.”

Now, this is not to say that counsel is wrong. Indeed, he is right: institutions will certainly think twice before reporting suspicious activity if expensive litigation is the cost of doing so. But as a former BSA Officer, I would have felt better if one of the policy considerations favoring absolute immunity for filing Suspicious Activity Reports – even the primary policy consideration – was to protect the men and women on the front lines of financial institutions’ AML programs from second-guessing and personal liability for doing their jobs as best they can: for filing the Suspicious Activity Reports that give law enforcement and intelligence agencies the actionable, timely intelligence they need to protect the financial system from money laundering, terrorism, and other crimes. Not to protect the lawyers.

How Might the Supreme Court Rule?

There is plenty of case law on how courts interpret a statute, or a part of a statute. An example is a famous case* the US Supreme Court decided in 2015, King et al v Burwell et al, 576 US 988 (2015). This is the “ObamaCare” decision where the Supreme Court was considering the requirement in the law that people had to purchase insurance on an exchange established by their state, or, if there was no such state exchange, the federal exchange. In particular, the Court was considering whether a tax credit was available to individuals who purchased insurance on the federal exchange. The phrase in question was “an Exchange established by the State”, because tax credits were only available to those who purchased insurance on “an Exchange established by the State”. The decision of the majority of the Court was 21 pages long. At the end was the following:

Reliance on context and structure in statutory interpretation is a “subtle business, calling for great wariness lest what professes to be mere  rendering becomes creation and attempted interpretation of legislation becomes legislation itself.” Palmer v. Massachusetts, 308 U. S. 79, 83 (1939).
For the reasons we have given, however, such reliance is appropriate in this case, and leads us to conclude that Section 36B allows tax credits for insurance purchased on any Exchange created under the Act. Those credits are necessary for the Federal Exchanges to function like their State Exchange counterparts, and to avoid the type of calamitous result that Congress plainly meant to avoid.
* * *
In a democracy, the power to make the law rests with those chosen by the people. Our role is more confined—“to say what the law is.” Marbury v. Madison, 1 Cranch 137, 177 (1803). That is easier in some cases than in others. But in every case we must respect the role of the Legislature, and take care not to undo what it has done. A fair reading of legislation demands a fair understanding of the legislative plan. Congress passed the Affordable Care Act to improve health insurance markets, not to destroy them. If at all possible, we must interpret the Act in a way that is consistent with the former, and avoids the latter. Section 36B can fairly be read consistent with what we see as Congress’s plan, and that is the reading we adopt.

The judgment of the United States Court of Appeals for
the Fourth Circuit is Affirmed.

* The case is famous not only because it upheld a main provision of the Affordable Care Act, but also because of the blistering dissent of Justice Antonin Scalia, a dissent that included his famous phrase “interpretive jiggery-pokery”. Among other things, Justice Scalia wrote:

“The Court holds that when the Patient Protection and Affordable Care Act says “Exchange established by the State” it means “Exchange established by the State or the Federal Government.” That is of course quite absurd, and the Court’s 21 pages of explanation make it no less so.” (Dissent, page 1)

Then, after almost 8 pages of examples of the poor reasoning of the majority, Justice Scalia unloads his famous line:

“The Court’s next bit of interpretive jiggery-pokery involves other parts of the Act that purportedly presuppose the availability of tax credits on both federal and state Exchanges.”

Page 12 was, perhaps, an even better line: “For its next defense of the indefensible, the Court turns to the Affordable Care Act’s design and purposes.” And at page 17 is: “Perhaps sensing the dismal failure of its efforts to show that “established by the State” means “established by the State or the Federal Government,” the Court tries to palm off the pertinent statutory phrase as “inartful drafting.” Ante, at 14. This Court, however, has no free-floating power “to rescue Congress from its drafting errors.” Lamie v. United States Trustee, 540 U. S. 526, 542 (2004) (internal quotation marks omitted). Only when it is patently obvious to a reasonable reader that a drafting mistake has occurred may a court correct the mistake.”

And in closing on page 21: “The somersaults of statutory interpretation they have performed (“penalty” means tax, “further [Medicaid] payments to the State” means only incremental Medicaid payments to the State, “established by the State” means not established by the State) will be cited by litigants endlessly, to the confusion of honest jurisprudence. And the cases will publish forever the discouraging truth that the Supreme Court of the United States favors some laws over others, and is prepared to do whatever it takes
to uphold and assist its favorites.  I dissent.”

No jiggery-pokery, no defense of the indefensible, and no somersaults of statutory interpretation, but more important …

… is my message to the US Supreme Court to refuse to take this case up and send it back to the 1st Circuit with an affirmation of the Safe Harbor for banks, lawyers, and BSA Officers alike.

So to John Roberts and the Supremes, as you consider whether to take this case, please remember the words of Diana Ross and the Supremes:

Stop! In the name of love
Before you break my heart
Think it over
Think it over

[1] https://www.supremecourt.gov/search.aspx?filename=/docket/docketfiles/html/public/19-347.html

[2] An interesting quirk appeared in Annunzio-Wylie. Section 1517, titled “suspicious transactions and enforcement programs”, intended to add subsections (g) and (h) to section 5318 of title 31. As AML practitioners know, 5318(g) is the suspicious activity reporting requirement, and 5318(h) is the AML program requirement. However, section 1517 of Annunzio-Wylie had a typographical error, and instead of adding (g) and (h) to section 5318, it added them to section 5314, the section requiring records and reports on foreign financial agency transactions (the so-called “FBAR” section, or Foreign Bank Account Report section). This typo wasn’t corrected until two years later by section 330017(b) of the Violent Crime Control & Law Enforcement Act of 1994, PL 103-322, enacted on September 13, 1994. That section provided: “Amendment relating to Title 31, U.S.C.— (1) Effective as of the date of enactment of the Annunzio Wylie Anti-Money Laundering Act, section 1517(b) of that Act is amended by striking ‘‘5314’’ and inserting ‘‘5318’’.” In another oddity, one day after the Violent Crime Control Act was sent to the President to be signed, the Money Laundering Suppression Act (MLSA) was sent to the President. The MLSA also included a section to correct the 1992 typo; in fact, section 413(b)(1) of the MLSA was identical to section 330017(b) of the Violent Crime Control Act. Congress made doubly sure to fix the typo!

Proceeds of Crime and GDP – Are We Comparing Apples to Oranges?

The Estimate for US Money Laundering – $300 billion a year, or 2% of GDP

The 2015 National Money Laundering Risk Assessment – available at 2015 NMLRA – estimated that the total amount of criminal proceeds generated in the United States was approximately $300 billion, or 2% of gross domestic produce (GDP). The report provided:

“United Nations Office on Drugs and Crime (UNODC) estimated proceeds from all forms of financial crime in the United States, excluding tax evasion, was $300 billion in 2010, or about two percent of the U.S. economy. [Footnote: United Nations Office on Drugs and Crime, Estimating Illicit Financial Flows Resulting From Drug Trafficking and other Transnational Organized Crimes, October 2011.] This is comparable to U.S. estimates. UNODC estimates illicit drug sales were $64 billion, which the DEA believes is a reasonable current estimate, putting the proceeds for all other forms of financial crime in the United States at $236 billion, most of which is attributable to fraud.” (citations omitted)

The figures of $300 billion in 2010 and two percent of the US economy are the midpoints of estimates based on a 2004 report. The UNODC report provided:

“… the criminal income in 2010 (excluding tax evasion) may have amounted to some US$350 bn in the world’s largest national economy [the United States]. This would probably be the upper limit estimate. A lower limit estimate – assuming that the nominal increases found over the 1990-2000 period continued unchanged over the 2000-2010 period, would result in an estimate of around US$235 bn for the year 2010 or 1.6% of GDP. A mid-point estimate would show criminal income of some US$300 bn (rounded) or 2% of GDP for 2010. (UNODC Report, page 20).”

A critical review of the UNODC report, and the reports that it relies on, suggests that these estimates need to updated. For example, the amount of criminal proceeds from illegal drug sales dropped by almost 50% from 1990 to 2010 from $97 billion to $64 billion, but the amount of criminal proceeds from all other crimes (excluding tax evasion), more than doubled in that same period, from $112 billion to $236 billion. And excluding tax evasion is meaningful: the 1990 estimate of tax evasion was $236 billion – dwarfing both drugs and other criminal proceeds.

$300 Billion in Criminal Proceeds – How Much is Reported by Financial Institutions?

We don’t know. But what is interesting about the 2015 National Money Laundering Risk Assessment figure of $300 billion in estimated proceeds of criminal activity, is that it may be reasonably close to the total amount reported in Suspicious Activity Reports. Although FinCEN has not (yet) provided total amounts reported in Suspicious Activity Reports and Currency Transaction Reports, some anecdotal evidence (based on off-the-record discussions with people in the industry) suggests that the average depository institution (bank and credit union) SAR reports approximately $250,000 in suspicious activity, and the average money services business (MSB) SAR reports approximately $35,000 to $40,000. And I’ll guess that all other filers’ SARs average $50,000 each. Using 2018 SAR totals:

Depository Institutions                 975,000 SARs @ $245,000       ~$239 billion

Money Services Businesses          875,000 SARs @ $35,000         ~$   31 billion

“Other” and all other filers          275,000 @ $50,000                   ~$  14 billion

~$284 billion

And if we assume that some of the activity reported in Currency Transaction Reports (CTRs) is, in fact, the proceeds of criminal activity, we could arguably add another $36 billion (18 million CTRs @ $20,000 each with 10% “dirty money”). The total reported by financial institutions in the US is then roughly $320 billion. So US financial institutions may be doing a pretty good job at reporting suspicious activity!

Total Suspected Proceeds of Crime Reported in the US: ~$320 billion. Estimated proceeds of criminal activity in the US: ~$300 billion.

Proceeds of Crime and GDP – Are We Comparing Apples to Oranges?

There is another flaw in comparing the amount of criminal proceeds to global (or national) gross domestic product, or GDP. GDP is a measure of the total final value of everything produced. Its components include personal consumption expenditures, business investment, government spending, and exports less imports (and there is nominal GDP and real GDP, with the latter factoring in inflation). A better measure of the effectiveness of the financial system in identifying, interdicting, and reporting criminal proceeds would be to compare the total amount of criminal proceeds flowing through the financial system to the total amount of funds flowing through the financial system.

The US Financial System – Two Quintilian Dollars A Year

The 2015 National Money Laundering Risk Assessment (pages 35 and 36) estimates that the total amount of FedWire, CHIPS, ACH, debit card, and cash transactions moving through the US financial system in a year is approximately two Quintilian dollars:

“The global dominance of the U.S. dollar generates trillions of dollars of daily transaction volume through U.S. banks, creating significant exposure to potential money laundering activity. The Federal Reserve System’s real-time gross settlement system, Fedwire, which is used to clear and settle payments with immediate finality, processed an average of $3.5 trillion in daily funds transfers in 2014. The Clearing House Interbank Payment System (CHIPS) is the largest private-sector U.S.-dollar funds-transfer system in the world, clearing and settling an average of $1.5 trillion in cross-border and domestic payments daily. CHIPS estimates that it is responsible for processing more than 95 percent of U.S. dollar-denominated cross-border transactions, and nearly half of all domestic wire transactions. The average value of a transaction on Fedwire and CHIPS is in the millions of dollars. The automated clearinghouse network (ACH), through which U.S. banks transfer electronic payments that are not settled in real time, processes more than $10 trillion in transactions annually.”

Converting those daily amounts to annual amounts gives us a total of approximately two Quintilian dollars. Of that, $300 billion is criminal proceeds. Therefore, criminal proceeds make up approximately 0.00000007% of the total amount moving through the American financial system.

The US Government’s National Money Laundering Risk Assessment believes that for every one billion dollars of money flowing through the US financial system, seven dollars is criminal proceeds.

The private sector participants in the US financial system are subject to a regulatory regime that requires them to have complex systems, processes, and programs that collectively cost tens of billions of dollars, if not hundreds of billions of dollars, to develop, operate, and enhance. And the administrative and criminal penalties for failing to have reasonably effective AML programs can be severe. As the 2015 NMLRA concludes (on page 36):

“This exposure to a daily flow of trillions of dollars in transaction volume from large value to small value payment systems requires banks to maintain robust safeguards to minimize the potential for illicit activity. Like any other financial industry, deficient compliance practices and complicit insiders are vulnerabilities, but the stakes are higher for banks given the volume and value of transactions that U.S. banks engage in daily. Preserving the integrity of the U.S. financial system requires that banks effectively monitor and control the money laundering risks to which they are exposed. To this end, banks are required to establish a written AML program reasonably designed to prevent their financial institutions from being used to facilitate money laundering and the financing of terrorist activities. The introduction of illicit proceeds into the financial system is the first and critical step in the money laundering process and banks are most vulnerable to being used for this purpose by criminals. Once illicit proceeds are placed into the financial system, the continued use of banks to move those funds both domestically and internationally can further obscure their criminal origins and facilitate their integration into the system. Therefore, establishing and maintaining an effective customer identification program (CIP) is a key control.”

The American anti-money laundering regime – which is now in its fiftieth year – has been built to identify and report the seven dollars of criminal activity out of every one billion dollars of total activity that flows through that financial system. It is critical that the public and private sectors continue to work together to not only make this regime as effective and efficient as possible; but perhaps because of the daunting task that the private sector has been given – to detect and report the 0.00000007% of activity flowing through the system that is criminal proceeds – the regulatory agencies that examine them for compliance with the regime’s rules and regulations should focus less on how those institutions comply with the rules, and more on how well those institutions provide actionable, timely intelligence to law enforcement.

FinCEN’s BSA Value Project is A Year Old … How Is It Going?

In January 2019, FinCEN launched its “BSA Value Project” – an effort to “catalogue the value of BSA reporting across the entire value chain of its creation and use” and “result in a comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information to all types of consumers of that information” (quoting the prepared remarks of FinCEN Director Kenneth A. Blanco delivered at the 12th annual Law Vegas AML Conference for casinos and card clubs, August 13, 2019, available at Director Blanco Remarks 8-13-2019).

FinCEN is now one year into the BSA Value Project … how is that project going?

Again, quoting from Director Blanco’s remarks last August, “so far, the study has confirmed there are extensive and extremely varied uses of BSA information across all stakeholders (including by the private sector) consistent with their missions.”

It appears that there are, indeed, extensive uses of BSA information by the public sector, as Director Blanco has told us that almost one in four FBI and IRS-CI investigations use BSA data. Director Blanco made the following remarks (again, on August 13, 2019) on the usefulness of BSA data:

“All FBI subject names are run against the BSA database. More than 21 percent of FBI investigations use BSA data, and for some types of crime, like organized crime, nearly 60 percent of FBI investigations use BSA data. Roughly 20 percent of FBI international terrorism cases utilize BSA data. The Internal Revenue Service-Criminal Investigation section alone conducts more than 126,000 BSA database inquiries each year. And as much as 24 percent of its investigations involving criminal tax, money laundering, and other BSA violations are directly initiated by, or associated with, a BSA report.

In addition to providing controlled access to the data to law enforcement, FinCEN also proactively pushes certain information to them on critical topics. On a daily basis, FinCEN takes the suspicious activity reports and we run them through several categories of business rules or algorithms to identify reports that merit further review by our analysts. Our terrorist financing-related business rules alone generate over 1,000 matches each month for review and further dissemination to our law enforcement and regulatory partners in what we call a Flash report. These Flash reports enable the FBI, for example, to identify, track, and disrupt the activities of potential terrorist actors. It is incredibly valuable information.”

Four months later, in prepared remarks delivered at the American Bankers Association/American Bar Association Financial Crimes Conference (December 10, 2019, available at Director Blanco at ABA December 10 2019) Director Blanco provided another perspective on the public sector use of BSA data:

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, local, and tribal agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, bringing together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed. Each day, FinCEN, law enforcement, regulators, and others query this data—that equates to an average of 7.4 million queries per year. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that help protect our nation, deter crime, and save lives.”

But Which BSA Filings are Providing Real Value to Law Enforcement?

There is no doubt that the (roughly) 20 million BSA reports that are filed each year provide great value to law enforcement. But questions remain about the utility of those filings, and the costs of preparing them. Some of those questions include: (i) which of those reports provide value? (ii) what kind of value is being provided – tactical and/or strategic? (iii) can financial institutions eliminate the “no value” filings and deploy those resources to higher-value filings? (iv) can financial institutions automate the preparation and filing of the low value filings and deploy those resources to the highest-value filings?

FinCEN’s BSA Value Project, and its “Value Quantification Model”, May Answer Those Questions

In his December 2019 remarks, Director Blanco updated us on the BSA Value Project and revealed the “value quantification model” FinCEN is building:

FinCEN is using the BSA Value Project to improve how we communicate the value and use of BSA information, and to develop metrics to track and measure the value of its use on an ongoing basis. The project has involved the gathering and review of reams of data, statistics, case studies, and other information, as well as holding detailed interviews with a wide range of government and private-sector stakeholders, including many of the organizations in this room today. That information has informed us about how each stakeholder uses and gains value from BSA reporting and the value-add activities of other stakeholders. This “value chain” of BSA reporting is being developed for each type of stakeholder:  FinCEN, law enforcement, industry, regulators, and others.

We are validating these results with the agencies and firms that have contributed to their development, and soon we will be talking with some of you about the value chain that has been developed for financial institutions to ensure it captures every aspect properly.

As of today, the team has identified over 500 different metrics that are being incorporated into the valuation model. We expect the model to show us the relative value of specific forms and even key fields—what is seen as more valuable and what is seen as less valuable.

    • This value quantification model will help us assess how the regulatory and compliance changes we are considering making with our government partners will affect the value of BSA reporting—we want any changes to lead to more effective outcomes and increase the value of BSA reporting, not just provide greater industry efficiency.
    • It will help us provide you better and more targeted feedback on the information you report so you can identify whether it is the automated tools and databases or the more manual work of your internal financial intelligence units and investigators that is driving that value creation in specific instances.
    • The project also is showing us specific challenges that we need to address, particularly in the area of communication and the development of shared AML priorities on which we can focus our efforts.

I also want to make very clear that the value of BSA data is not just confined to FinCEN, law enforcement, or the government. Industry also benefits. Financial institutions and other reporting entities derive important value from their BSA compliance and reporting activities. Throughout the study, industry consistently has confirmed that their BSA obligations, while incurring costs, also help them:

    • Identify and exit bad actors to avoid reputational and financial risks;
    • Manage risks more effectively to permit greater responsible revenue generation;
    • Secure partnerships and investment opportunities domestically and internationally in a responsible, risk-sensitive manner, something particularly important for emerging entrants in the financial services arena; and, of course;
    • Avoid financial, operational, and reputational costs from non-compliance.

I want to stress that we intend to be as transparent and public facing as possible about the results from this project. FinCEN hopes to show the tremendous variety of uses we have for your reporting.”

Conclusion

Kudos to Director Blanco and his FinCEN team for their initiative and efforts around the BSA Value Project. The results of the Project, notably the BSA Value Quantification Model, could be a game-changer for the financial industry’s BSA/AML programs. The industry is being inundated with calls to apply machine learning and artificial intelligence to make their AML programs more effective and efficient. But if those institutions don’t know which of their filings provide value, and arguably only one in four is providing value, they cannot effectively use machine learning or AI.

The entire industry is looking forward to the results of FinCEN’s BSA Value Project!

For other articles on the need for better reporting on the utility of SAR filings, see:

BSA Value Project August 19 2019

SAR Feedback 314(d) – July 30 2019

BSA Reports and Federal Criminal Cases – June 5 2019

The TSV SAR Feedback Loop – June 4 2019

Like Sam Loves Free Fried Chicken, Law Enforcement Loves “Free” Suspicious Activity Reports … But What If Law Enforcement Had to Earn the Right to Use the Private Sector’s “Free” SARs?

“Well, I’m here in the freezing cold getting’ free chicken sandwiches. Because the food tastes great. I mean, it’s chicken. Fried chicken. I like fried chicken.”

Eleven year-old Sam Caruana of Buffalo, New York waited outside a Chick-fil-A restaurant in the freezing cold in order to be one of the 100 people given free fried chicken for one year (actually, one chicken sandwich a week for fifty-two weeks). In a video that went viral (Sam Caruana YouTube – Free Chicken), young Sam explained that he simply loved fried chicken, and he’d stand in the cold for free fried chicken.

Just as Sam loves free fried chicken, law enforcement loves free Suspicious Activity Reports, or SARs. In the United States, over 30,000 private sector financial institutions – from banks to credit unions, to money transmitters and check cashers, to casinos and insurance companies, to broker dealers and investment advisers – file more than 2,000,000 SARs every year. And it costs those financial institutions billions of dollars to have the programs, policies, procedures, processes, technology, and people to onboard and risk-rate customers, to monitor for and identify unusual activity, to investigate that unusual activity to determine if it is suspicious, and, if it is, to file a SAR with the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. From there, hundreds of law enforcement agencies across the country, at every level of government, can access those SARs and use them in their investigations into possible tax, criminal, or other investigations or proceedings. To law enforcement, those SARs are, essentially, free. And like Sam loves free fried chicken, law enforcement loves free SARs. Who wouldn’t?

But should those private sector SARs, that cost billions of dollars to produce, be “free” to public sector law enforcement agencies? Put another way, should the public sector law enforcement agency consumers of SARs need to provide something in return to the private sector producers of SARs?

I say they should. And here’s what I propose: that in return for the privilege of accessing and using private sector SARs, law enforcement shouldn’t have to pay for that privilege with money, but with effort. The public sector consumers of SARs should let the private sector producers know which of those SARs provide tactical or strategic value.

A recent Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had: 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). Note that the survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Some of the mega banks indicate that law enforcement shows interest in (through requests for supporting documentation or grand jury subpoenas) 6% – 8% of SARs.

I argue that the Alert/SAR and even Case/SAR ratios are all of interest, but tracking to SARs filed is a little bit like a car manufacturer tracking how many cars it builds but not how many cars it sells, or how well those cars perform, how long they last, and how popular they are. And just like the automobile industry measuring how many cars are purchased, the better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

Also, there is much being written about how machine learning and artificial intelligence will transform anti-money laundering programs. Indeed, ML and AI proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate. The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government. But the fundamental problem that every one of those ML/AI systems has is that they are using the wrong data to train their algorithms and “teach” their machines: they are looking at the SARs that are filed, not the SARs that have tactical or strategic value to law enforcement.

Tactical or Strategic Value Suspicious Activity Reports – TSV SARs

The best measure of an effective and efficient financial crimes program is how well it is providing timely, effective intelligence to law enforcement. And the best measure of that is whether the SARs that are being filed are providing tactical or strategic value to law enforcement. How do you determine whether a SAR provides value to law enforcement? One way would be to ask law enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure law enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, law enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.

A TSV SAR is one that has either tactical value – it was used in a particular case – or strategic value – it contributed to understanding a typology or trend. And some SARs can have both tactical and strategic value. That value is determined by law enforcement indicating, within seven years of the filing of the SAR (more on that later), that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value.  That law enforcement response or feedback is provided to FinCEN through the same BSA Database interfaces that exist today – obviously, some coding and training will need to be done (for how FinCEN does it, see below). If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within seven years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement. And when FinCEN shares that information across the industry, others could also reduce their false positive rates.

FinCEN’s TSV SAR Feedback Loop

FinCEN is working to provide more feedback to the private sector producers of BSA reports. As FinCEN Director Ken Blanco recently stated:[1]

“Earlier this year, FinCEN began the BSA Value Project, a study and analysis of the value of the BSA information we receive. We are working to provide comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information in order to make it more effective and its collection more efficient. We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm — that is clear. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis.”

FinCEN receives every SAR. Indeed, FinCEN receives a number of different BSA-related reporting: SARs, CTRs, CMIRs, and Form 8300s. It’s a daunting amount of information. As FinCEN Director Ken Blanco noted in the same speech:

FinCEN’s BSA database includes nearly 300 million records — 55,000 new documents are added each day. The reporting contributes critical information that is routinely analyzed, resulting in the identification of suspected criminal and terrorist activity and the initiation of investigations.

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, and local agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data taking place each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, which bring together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed.

Each day, law enforcement, FinCEN, regulators, and others are querying this data:  7.4 million queries per year on average. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that protect our nation from harm, help deter crime, and save lives.”

This doesn’t tell us how many of those 55,000 daily reports are SARs, but we do know that in 2018 there were 2,171,173 SARs filed, or about 8,700 every (business) day. And it appears that FinCEN knows which law enforcement agencies access which SARs, and when. And we now know that there are “18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities” every year. But which filings?

The law enforcement agencies know which SARs provide tactical or strategic value, or both. So if law enforcement finds value in a SAR, it should acknowledge that, and provide that information back to FinCEN. FinCEN, in turn, could provide an annual report to every financial institution that filed, say, more than 250 SARs a year (that’s one every business day, and is more than three times the number filed by the average bank or credit union). That report would be a simple relational database indicating which SARs had either or both tactical or strategic value. SAR filers would then be able to use that information to actually train or tune their monitoring and surveillance systems, and even eliminate those alerting systems that weren’t providing any value to law enforcement.

Why give law enforcement seven years to respond? Criminal cases take years to develop. And sometimes a case may not even be opened for years, and a SAR filing may trigger an investigation. And sometimes a case is developed and the law enforcement agency searches the SAR database and finds SARs that were filed five, six, seven or more years earlier. Between record retention rules and practical value, seven years seems reasonable.

Law enforcement agencies have tremendous responsibilities and obligations, and their resources and budgets are stretched to the breaking point. Adding another obligation – to provide feedback to the banks, credit unions, and other private sector institutions that provide them with reports of suspicious activity – may not be feasible. But the upside of that feedback – that law enforcement may get fewer, but better, reports, and the private sector institutions can focus more on human trafficking, human smuggling, and terrorist financing and less on identifying and reporting activity that isn’t of interest to law enforcement – may far exceed the downside.

Free Suspicious Activity Reports are great. But like Sam being prepared to stand in the freezing cold for his fried chicken, perhaps law enforcement is prepared to let us know whether the reports we’re filing have value.

For more on alert-to-SAR rates, the TSV feedback loop, machine learning and artificial intelligence, see other articles I’ve written:

The TSV SAR Feedback Loop – June 4 2019

AML and Machine Learning – December 14 2018

Rules Based Monitoring – December 20 2018

FinCEN FY2020 Report – June 4 2019

FinCEN BSA Value Project – August 19 2019

BSA Regime – A Classic Fixer-Upper – October 29 2019

[1] November 15, 2019, prepared remarks for the Chainalysis Blockchain Symposium, available at https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-chainalysis-blockchain-symposium

A Bank’s Bid for Innovative AML Solutions: Innovation Remains A Perilous Endeavor

One Bank Asked the OCC to Have an “Agile Approach to Supervisory Oversight”

On September 27, 2019 the OCC published an Interpretive Letter answering an unknown bank’s request to make some innovative changes to how it files cash structuring SARs. Tacked onto its three technical questions was a request by the bank to do this innovation along with the OCC itself through something the bank called an “agile approach to supervisory oversight.” After qualified “yes” answers to the three technical questions, the OCC’s Senior Deputy Comptroller and Chief Counsel indicated that the OCC was open to “an agile and transparent supervisory approach while the Bank is building this automated solution” but he didn’t actually write that the OCC would, in fact, adopt an agile approach. This decision provides some insight, and perhaps the first public test, of (i) the regulators’ December 2018 statement on using innovative efforts to fight money laundering, and (ii) the OCC’s April 2019 proposal around innovation pilot programs. Whether the OCC passed the test is open to discussion: what appears settled, though, is that AML innovation in the regulated financial sector remains a perilous endeavor.

Regulators’ December 2018 Joint Statement on Innovative AML Efforts

On December 3, 2018 the five main US Bank Secrecy Act (BSA) regulators issued a joint statement titled “Innovative Efforts to Combat Money Laundering and Terrorist Financing”.[1] The intent of the statement was to encourage banks to use modern-era technologies to bolster their BSA/AML compliance programs. The agencies asked banks “to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their Bank Secrecy Act/anti-money laundering (BSA/AML) compliance obligations, in order to further strengthen the financial system against illicit financial activity” and “[t]he Agencies recognize[d] that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks” to do so.

The statement was a very positive step to encourage private sector innovation in fighting financial crime by testing new ways of using existing tools as well as adopting new technologies.

But it wasn’t the “green light to innovate” that some people have said it is. There was some language in the statement that made it, at best, a cautionary yellow light. And the September 27th OCC letter seems to clarify that banks can innovate, but the usual regulatory oversight and potential sanctions still apply.

The Agencies’ December 2018 statement included five things that bear repeating:

  1. “The Agencies recognize that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks identify and report money laundering, terrorist financing, and other illicit financial activity by enhancing the effectiveness and efficiency of banks’ BSA/AML compliance programs. To assist banks in this effort, the Agencies are committed to continued engagement with the private sector and other interested parties.”
  2. “The Agencies will not penalize or criticize banks that maintain effective BSA/AML compliance programs commensurate with their risk profiles but choose not to pursue innovative approaches.”
  3. “While banks are expected to maintain effective BSA/AML compliance programs, the Agencies will not advocate a particular method or technology for banks to comply with BSA/AML requirements.”
  4. Where test or implemented “artificial intelligence-based transaction monitoring systems … identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program”
  5. “… the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

Note the strong, unqualified language: “the Agencies are committed to continued engagement”, “the Agencies will not penalize or criticize”, “the Agencies will not advocate …”, “the Agencies will assess”, and “the implementation of innovative approaches will not result in additional regulatory expectations”.

The qualified “assurances” come in the paragraph about pilot programs (with emphasis added):

“Pilot programs undertaken by banks, in conjunction with existing BSA/AML processes, are an important means of testing and validating the effectiveness of innovative approaches.  While the Agencies may provide feedback, pilot programs in and of themselves should not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not necessarily result in supervisory action with respect to that program.  For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not automatically assume that the banks’ existing processes are deficient.  In these instances, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program.  Further, the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

Here there are the qualified assurances (a qualified assurance is not an assurance, by the way): “should not” is different than “will not”; “will not necessarily” is very different than “will not”; and “not automatically assume” isn’t the same as “not assume”.  These are important distinctions. The agencies could have written something very different:

“… pilot programs in and of themselves will not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not result in supervisory action with respect to that program.  For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not assume that the banks’ existing processes are deficient …”

The OCC’s April 2019 Innovation Pilot Program

On April 30, 2019 the OCC sought public comment on its proposed Innovation Pilot Program, a voluntary program designed to provide fintech providers and financial institutions “with regulatory input early in the testing of innovative activities that could present significant opportunities or benefits to consumers, businesses, financial institutions, and communities.” See OCC Innovation Pilot Program. As the OCC has written, the Innovation Pilot Program clearly notes that the agency would not provide “statutory or regulatory waivers and does not absolve entities participating in the program from complying with applicable laws and regulations.”

Twenty comments were posted to the OCC’s website. A number of them included comments that innovators needed some formalized regulatory forbearance in order to be able encourage them to innovate. The Bank Policy Institute’s letter (BPI Comment), submitted by Greg Baer (a long-standing and articulate proponent of reasonable and responsible regulation), provided that:

“… the OCC should clarify publicly that a bank is not required to seek the review and approval of its examination team prior to developing or implementing a new product, process, or service; that unsuccessful pilots will not warrant an MRA or other sanction unless they constitute and unsafe and unsound practice or a violation of law; and that innovations undertaken without seeking prior OCC approval will not be subject to stricter scrutiny or a ‘strict liability’ regime. We also recommend that the OCC revisit and clarify all existing guidance on innovation to reduce the current uncertainty regarding the development of products, processes and services; outdated or unnecessary supervisory expectations should be rescinded.”

The American Bankers Association comment ABA Comment also asks for similar guidance:

“For institutions to participate confidently in a pilot, there must be internal agreement that OCC supervision and enforcement will not pursue punitive actions. In other words, the program should produce decisions that have the full support of the OCC and bind the agency to those conclusions going forward … One way for the OCC to accomplish this is to clarify that a participating bank will not be assigned Matters Requiring Attention (MRAs) if it acts in good faith as part of a Pilot Program. The nature of technological innovation means that banks must try new things, experiment, and sometimes make mistakes. The Pilot Program has been designed as a short-term limited-scale test to ensure that any mistakes made are unlikely to have an impact on the safety and soundness of an institution. Clarifying that MRAs will not be issued for mistakes made in good faith may help give banks the certainty they need to participate in a Pilot Program.”

And the Securities Industry and Financial Markets Association (SIFMA) comment letter SIFMA Comment Letter included the following:

“Relief from strict regulatory compliance is a vital prerequisite to draw firms into the test environment, precisely so that those areas of noncompliance may be identified and remediated and avoid harm to the consumers. Without offering this regulatory relief, the regulatory uncertainty associated with participating in the Pilot Program could, by itself, deter banks from participating. Similarly, the lack of meaningful regulatory relief could limit the opportunity the program provides for firms to experiment and innovate.”

So where did that leave banks that were thinking of innovative approaches to AML?  For those that choose not to pursue innovative pilot programs, it is clear that they will not be penalized or criticized, but for those that try innovative pilot programs that ultimately expose gaps in their BSA/AML compliance program, the agencies will not automatically assume that the banks’ existing processes are deficient. In response to this choice – do not innovate and not be penalized, or innovate and risk being penalized – many banks have chosen the former. As a result, advocates for those banks – the BPI and ABA, for example – have asked the OCC to clarify that it will not pursue punitive actions against banks that unsuccessfully innovate.

How has the OCC replied? It hasn’t yet finalized its Innovation Program, but it has responded to a bank’s request for guidance on some innovative approaches to monitoring for, alerting on, and filing suspicious activity reports on activity and customers that are structuring cash transactions.

A Bank’s Request to Have the OCC Help It Innovate

The OCC published an Interpretive Letter on September 27, 2019 that sheds some light on how it looks at its commitments under the December 2018 innovation statement.[2]  According to the Interpretive Letter, on February 22, 2019 an OCC-regulated bank submitted a request to streamline SARs for potential structuring activity (the Bank also sought the same or a similar ruling from FinCEN: as of this writing, FinCEN has not published a ruling). The bank asked three questions (and the OCC responded):

  1. Whether the Bank could file a structuring SAR based solely on an alert, without performing a manual investigation, and if so, under what circumstances (yes, but with some significant limitations);
  2. Whether the proposed automated generation of SAR narratives for structuring SARs was consistent with the OCC’s SAR regulations (yes, but with some significant limitations);
  3. Whether the proposed automation of SAR filings was consistent with the OCC’s BSA program regulations (yes, but with some significant limitations).

The most interesting request by the Bank, though, was its request that the OCC take an “agile approach to supervisory oversight” for the bank’s “regulatory sandbox” initiative. Pages 6 and 7 of the OCC letter provide the particulars of this request. There, the OCC writes:

“Your letter also requested regulatory relief to conduct this initiative within a “regulatory sandbox.” Your regulatory sandbox request states ‘This relief would be in the form of an agile approach to supervisory oversight, which would include the OCC’s full access, evaluation, and participation in the initiative development, but would not include regulatory outcomes such as matters requiring attention, violations of law or financial penalties. [The Bank] welcomes the OCC to consider ways to participate in reviewing the initiative outcomes outside of its standard examination processes to ensure effectiveness and provide feedback about the initiative development.’”

NOTE: I had to read the key sentence a few times to settle on its intent and meaning. That sentence is “This relief would be in the form of an agile approach to supervisory oversight, which would include the OCC’s full access, evaluation, and participation in the initiative development, but would not include regulatory outcomes such as matters requiring attention, violations of law or financial penalties.”

Was the bank saying the relief sought was an agile approach to supervisory oversight that included the OCC’s full participation in the process and no adverse regulatory outcomes? Or was the bank saying the relief sought was an agile approach to supervisory oversight that included the OCC’s full participation in the process, but did not include anything to do with adverse regulatory outcomes?

I settled on the latter meaning: that the bank was seeking the OCC’s full participation, but did not expect any regulatory forbearance.

The OCC first reiterated its position from the December 2018 joint statement by writing that it “supports responsible innovation in the national banking system that enhances the safety and soundness of the federal banking system, including responsibly implemented innovative approaches to meeting the compliance obligations under the Bank Secrecy Act.” It then wrote that it “is also open to an agile and transparent supervisory approach while the Bank is building this automated solution for filing Structuring SARs and conducting user acceptance testing.” This language is a bit different than what the OCC wrote at the top of page 2 of the letter: “the OCC is open to engaging in regular discussions between the Bank and appropriate OCC personnel, including providing proactive and
timely feedback relating to this automation proposal.”

Notably, the OCC wrote that it is “open to an agile and transparent supervisory approach”, and “open to engaging in regular discussions between the Bank and appropriate OCC personnel”, but being open to something doesn’t mean you approve of it or agree to it. In fact, the OCC didn’t appear to grant the bank’s request. In the penultimate sentence the OCC wrote: “The OCC will monitor any such changes through its ordinary supervisory processes.”

How About Forbearance to Innovate Without Fear of Regulatory Sanctions?

As set out above, in June 2019 the BPI and ABA (and eighteen others) commented on the OCC’s proposal for an innovation pilot program. The BPI commented that “the OCC should clarify publicly that … unsuccessful pilots will not warrant an MRA or other sanction unless they constitute and unsafe and unsound practice or a violation of law”, and the ABA commented that the OCC should “clarify that a participating bank will not be assigned Matters Requiring Attention (MRAs) if it acts in good faith as part of a Pilot Program”.

The OCC seems to have obliquely responded to both of those comments. In its September 2019 Interpretative Letter, the OCC took the time to write that it “will not approve a regulatory sandbox that includes forbearance on regulatory issues for the Bank’s initiative for the automation of Structuring SAR filings.” Note that the OCC made this statement even though the bank appears to have specifically indicated that the requested relief did not include forbearance from “regulatory outcomes such as matters requiring attention, violations of law or financial penalties”. And the OCC letter includes a reference to both the Interagency statement on responsible innovation and the OCC’s April 2019 Innovation Pilot Program (see footnote 25 on page 7): “banks must continue to meet their BSA/AML compliance obligations, as well as ensure the ongoing safety and soundness of the bank, when developing pilot programs and other innovative approaches.”

So although the OCC hasn’t formally responded to the comments to its June 2019 innovation program to allow banks to innovate without fear of regulatory sanction if that innovation doesn’t go well, it has made it clearer that a bank still has the choice to not innovate and not be penalized, or to innovate and risk being penalized.

(In fairness, in its Spring 2019 Semiannual Risk Perspective Report, the OCC noted that a bank’s inability to innovate is “a source of significant strategic risk.” See OCC Semiannual Risk Perspective, 2019-49 (May 20, 2019)).

Timely Feedback – Is Seven Months Timely?

As set out above, the OCC wrote that it “is open to engaging in regular discussions between the Bank and appropriate OCC personnel, including providing proactive and timely feedback …”.  The bank’s request was submitted on February 22, 2019. The OCC’s feedback was sent on September 27, 2019. So it took the OCC seven months to respond to the bank’s request for an interpretive letter. In this age of high-speed fintech disruption, seven months should not be considered “timely.” What would be timely? I would aim for 90 days.

Conclusion

This unnamed OCC-regulated bank appears to have a flashing green or cautionary yellow light from the OCC to deploy some technology and process enhancements to streamline a small percentage if its SAR monitoring, alerting, and filing.  The OCC will remain vigilant, however, warning the bank that it “must ensure that it has developed and deployed appropriate risk governance to enable the bank to identify, measure, monitor, and control for the risks associated with the automated process. The bank also has a continuing obligation to employ appropriate oversight of the automated process.”

So the message to the 1,700 or so OCC banks appears to be this: there’s no peril in not innovating, but if you decide to innovate, do so at your peril.

[1] The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the Financial Crimes Enforcement Network (FinCEN), the National Credit Union Administration, and the Office of the Comptroller of the Currency. The statement is available at https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-130a.pdf

[2] https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2019/int1166.pdf