Loading…

OCC Comptroller Talks About AML “False Negatives” and Technology

Whether “False Negatives” or “False Positives”, the Answer May Not Lie Just in New or Improved Technologies, but in an Improved Mix of New Technologies and More Forgiving Regulatory Requirements


On January 24, 2020, Jo Ann Barefoot had Thomas Otting, Comptroller of the Currency, as her guest on her podcast. The link is available at Barefoot Otting Podcast. Among other things, the Comptroller talked about BSA/AML, or as he put it “AML/BSA”.

Approximately 12:00 minutes into the podcast, the Comptroller had this to say about BSA/AML:

“Are we doing it the most effective way? … what we’re doing, is it helping us catch the bad guys as they’re coming into the banking industry and taking advantage of it?”

In a discussion on technology trends, the Comptroller spoke about how banks are using new technologies to learn about their customers and for risk management. Beginning at the 20:45 mark, he stated:

“Today our AML/BSA relies upon a lot of systems to kick out a lot of data that often has an enormous amount of false negatives associated with it that requires a lot of resources to go through that false negative, and I think if we can get to the point where we have better fine-tuned data with artificial intelligence about tracking information is and the type of activities that are occurring, I think ultimately we’ll have better risk management practices within the institutions as well.”

Having been a guest on Jo Ann’s podcast myself (see Richards Podcast), I know how unforgiving the literal transcript of a podcast can be, so it is fair to write that the Comptroller’s point was that the current systems kick out a lot of false negatives that require a lot of manual investigations; and better data and artificial intelligence could reduce those false negatives, resulting in greater efficiencies and better risk management.

But it is curious that he refers to “false negatives” – which are transactions that do not alert but should have alerted – rather than “false positives” – which are transactions that did alert and, after being investigated, prove not to be suspicious and therefore falsely alerted.  The Comptroller has many issues to deal with, and it’s easy to confuse false negatives with false positives. In fairness, his ultimate point was well made: the current regulatory requirements and expectations around AML monitoring, alerting, investigations, and reporting have resulted in a regime that is not efficient (he didn’t addressed the effectiveness of the SAR regime).

At the 21:30 mark, Jo Ann Barefoot commented on the recent FinTech Hackathon she hosted that looked at using new technology to make suspicious activity  monitoring and reporting more efficient and effective, and stated that “we need to get rid of the false flags in the system” (I got the sense that she was uncomfortable with using the Comptroller’s phrase of “false negatives” – Jo Ann is well-versed in BSA and AML and familiar with the issue of high rates of false positives). Comptroller Otting replied:

“If you think just in the SARs space, that 7 percent of transactions kind of hit the tripwire, and then ultimately about 2 percent generally have SARs filed against them, that 5 percent is an enormous amount of resources that organizations are dedicating towards that compliance function that I’m convinced that with new technology we can improve that process.”

Again, podcast transcripts can be unforgiving, and I believe the point that the Comptroller was making was that a small percentage of transactions are alerted on by AML monitoring systems, and an even smaller percentage of those alerts are eventually reported in SARs. His percentages, and math, may not foot back to any verifiable data, but his point is sound: the current AML monitoring, alerting, investigations, and reporting system isn’t as efficient as it should be and could be (again, he didn’t address its effectiveness).

I don’t believe that the inefficiencies in the current AML system are wholly caused by outdated or poorly deployed technology. Rather, financial institutions are (rightfully) deathly afraid of a regulatory sanction for missing a potentially suspicious transaction, and will err on the side of alerting and filing on much more than is truly suspicious. For larger institutions, it will cost them a few million dollars more to run at a 95% false positive rate rather than an 85% rate, or 75% rate (I address the question of what is a good false positive rate in one of the articles, below), but those institutions know that by doing so, they avoid the hundreds of millions of dollars in potential fines for missing that one big case, or series of cases, that their regulator, with hindsight, determines should have been caught.

Running an AML monitoring and surveillance program that produces 95% false positives is not “helping us catch the bad guys that are taking advantage of the banking industry” as the Comptroller noted at the beginning of the podcast. Perhaps a renewed and coordinated, cooperative effort between technologists, bankers, BSA/AML professionals, law enforcement, and the Office of the Comptroller of the Currency can lead us to a monitoring/surveillance regime enhanced with more effective technologies and better feedback on what is providing tactical and strategic value to law enforcement … and, hopefully, tempered by a more forgiving regulatory approach.

Below are two articles I’ve written on monitoring, false positive rates, the use of artificial intelligence, among other things. Let’s work together to get to a more effective and efficient AML regime.

Rules-Based Monitoring, Alert to SAR Ratios, and False Positive Rates – Are We Having The Right Conversations?

This article was published on December 20, 2018. It is available at RegTech Article – Are We Having the Right Conversations?

There is a lot of conversation in the industry about the inefficiencies of “traditional” rules-based monitoring systems, Alert-to-SAR ratios, and the problem of high false positive rates. Let me add to that conversation by throwing out what could be some controversial observations and suggestions …

Current Rules-Based Transaction Monitoring Systems – are they really that inefficient?

For the last few years AML experts have been stating that rules-based or typology-driven transaction monitoring strategies that have been deployed for the last 20 years are not effective, with high false positive rates (95% false positives!) and enormous staffing costs to review and disposition all of the alerts.  Should these statements be challenged? Is it the fact the transaction monitoring strategies are rules-based or typology-driven that drives inefficiencies, or is it the fear of missing something driving the tuning of those strategies? Put another way, if we tuned those strategies so that they only produced SARs that law enforcement was interested in, we wouldn’t have high false positive rates and high staffing costs.  Graham Bailey, Global Head of Financial Crimes Analytics at Wells Fargo, believes it is a combination of basic rules-based strategies coupled with the fear of missing a case. He writes that some banks have created their staffing and cost problems by failing to tune their strategies, and by “throwing orders of magnitude higher resources at their alerting.”  He notes that this has a “double negative impact” because “you then have so many bad alerts in some banks that they then run into investigators’ ‘repetition bias’, where an investigator has had so many bad alerts that they assume the next one is already bad” and they don’t file a SAR. So not only are the SAR/alert rates so low, you run the risk of missing the good cases.

After 20+ years in the AML/CTF field – designing, building, running, tuning, and revising programs in multiple global banks – I am convinced that rules-based interaction monitoring and customer surveillance systems, running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts, can result in an effective, efficient, proactive program that both provides timely, actionable intelligence to law enforcement and meets and exceeds all regulatory obligations. Can cloud-based, cross-institutional, machine learning-based technologies assist in those efforts? Yes! If properly deployed and if running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts.

Alert to SAR Ratios – is that a ratio that we should be focused on?

A recent Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had: 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). Note that the survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Some of the mega banks indicate that law enforcement shows interest in (through requests for supporting documentation or grand jury subpoenas) 6% – 8% of SARs.

So I argue that the Alert/SAR and even Case/SAR (in the case of Wells, Package/Case and Package/SAR) ratios are all of interest, but tracking to SARs filed is a little bit like a car manufacturer tracking how many cars it builds but not how many cars it sells, or how well those cars perform, how well they last, and how popular they are.  The better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

How do you determine whether a SAR provides value to Law Enforcement? One way would be to ask Law Enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure Law Enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, Law Enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate (see my previous article for more detail on TSV SARs).  What is a “TSV SAR”? A SAR that has Tactical or Strategic Value to Law Enforcement, where the value is determined by Law Enforcement providing a response or feedback to the filing financial institution within five years of the filing of the SAR that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value. If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within five years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement, and when that information is shared across the industry, others could also reduce their false positive rates.

Which leads to …

False Positive Rates – if 95% is bad … what’s good?

There is a lot of lamenting, and a lot of axiomatic statements, about high false positive rates for AML alerts: 95% or even 98% false positive rates.  I’d make three points.

First, vendors selling their latest products, touting machine learning and artificial intelligence as the solution to high false positive rates, are doing what they should be doing: convincing consumers that their current product is out-dated and ill-equipped for its purpose by touting the next, new product. I argue that high false positive rates are not caused by the current rules-based technologies; rather, they’re caused by inexperienced AML enthusiasts or overwhelmed AML experts applying rules that are too simple against data that is mis-labeled, incomplete, or simply wrong, and erring on the side of over-alerting and over-filing for fear of regulatory criticism and sanctions.

If the regulatory problems with AML transaction monitoring were truly technology problems, then the technology providers would be sanctioned by the regulators and prosecutors.  But an AML technology provider has never been publicly sanctioned by regulators or prosecutors … for the simple reason that any issues with AML technology aren’t technology issues: they are operator issues.

Second, are these actually “false” alerts? Rather, they are alerts that, at the present time, based on the information currently available, do not rise to the level of either (i) requiring a complete investigation, or (ii) if completely investigated, do not meet the definition of “suspicious”. Regardless, they are now valuable data points that go back into your monitoring and case systems and are “hibernated” and possibly come back if that account or customer alerts at a later time, or there is another internally- or externally-generated reason to investigate that account or customer.

Third, if 95% or 98% false positive rates are bad … what is good? What should the target rate be? I’ll provide some guidance, taken from a Treasury Office of Inspector General (OIG) Report: OIG-17-055 issued September 18, 2017 titled “FinCEN’s information sharing programs are useful but need FinCEN’s attention.” The OIG looked at 314(a) statistics for three years (fiscal years 2010-2012) and found that there were 711 314(a) requests naming 8,500 subjects of interest sent out by FinCEN to 22,000 financial institutions. Those requests came from 43 Law Enforcement Agencies (LEAs), with 79% of them coming from just six LEAs (DEA, FBI, ICE, IRS-CI, USSS, and US Attorneys’ offices). Those 711 requests resulted in 50,000 “hits” against customer or transaction records by 2,400 financial institutions.

To analogize those 314(a) requests and responses to monitoring alerts, there were 2,400 “alerts” (financial institutions with positive matches) out of 22,000 “transactions” (total financial institutions receiving the 314(a) requests). That is an 11% hit rate or, arguably, a 89% false positive rate. And keep in mind that in order to be included in a 314(a) request, the Law Enforcement Agency must certify to FinCEN that the target “is engaged in, or is reasonably suspected based on credible evidence of engaging in, terrorist activity or money laundering.” So Law Enforcement considered that all 8,500 of the targets in the 711 requests were active terrorists or money launderers, and 11% of the financial institutions positively responded.

With that, one could argue that a “hit rate” of 10% to 15% could be optimal for any reasonably designed, reasonably effective AML monitoring application.

But a better target rate for machine-generated alerts is the rate generated by humans. Bank employees – whether bank tellers, relationship managers, or back-office personnel – all have the regulatory obligation of reporting unusual activity or transactions to the internal bank team that is responsible for managing the AML program and filing SARs. For the twenty plus years I was a BSA Officer or head of investigations at large multi-national US financial institutions, I found that those human-generated referrals resulted in a SAR roughly 40% to 50% of the time.

An alert to SAR ratio goal of machine-based alert generation systems should be to get to the 40% to 50% referral-to-SAR ratio of human-based referral generation programs.

Flipping the Three AML Ratios with Machine Learning and Artificial Intelligence (why Bartenders and AML Analysts will survive the AI Apocalypse)

This article was posted on December 14, 2018. It remains the most viewed article on my website. It is available at RegTech Article – Flipping the Ratios

Machine Learning and Artificial Intelligence proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate (more on false positives in another article!). The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government.

But is it that simple? Can the job of AML Analyst be eliminated or dramatically changed – in scope and number of positions – by machine learning and AI? Much has been and continues to be written about the impact of artificial intelligence on jobs.  Those writers have categorized jobs along two axes – a Repetitive-to-Creative axis, and an Asocial-to-Social axis – resulting in four “buckets” of jobs, with each bucket of jobs being more or less likely to be disrupted or even eliminated:

A good example is the “Social & Repetitive” job of Bartender: Bartenders spend much of their time doing very routine, repetitive tasks: after taking a drink order, they assemble the correct ingredients in the correct amounts, and put those ingredients in the correct glass, then present the drink to the customer. All of that could be more efficiently and effectively done with an AI-driven machine, with no spillage, no waste, and perfectly poured drinks. So why haven’t we replaced bartenders? Because a good bartender has empathy, compassion, and instinct, and with experience can make sound judgments on what to pour a little differently, when to cut-off a customer, when to take more time or less with a customer. A good bartender adds value that a machine simply can’t.

Another example could be the “Asocial & Creative” (or is it “Social & Repetitive”?) job of an AML Analyst: much of an AML Analyst’s time is spent doing very routine, repetitive tasks: reviewing the alert, assembling the data and information needed to determine whether the activity is suspicious, writing the narrative. So why haven’t we replaced AML Analysts? Because a good Analyst, like a good bartender, has empathy, compassion, and instinct, and with experience can make sound judgments on what to investigate a little differently, when to cut-off an investigation, when to take more time or less on an investigation. A good Analyst adds value that a machine simply can’t.

Where AI and Machine Learning, and Robot Process Automation, can really help is by flipping the three currently inefficient AML ratios:

  1. The False Positive Ratio– the currently accepted, but highly axiomatic and anecdotal, ratio is that 95% to 98% of alerts do not result in SARs, or are “false positives” … although no one has ever boldly stated what an effective or acceptable false positive rate is (even with ROC curves providing some empirical assistance), perhaps the ML/AI/RPA communities can flip this ratio so that 95% of alerts result in SARs. If they can do this, they can also convince the regulatory community that this new ratio meets regulatory expectations (because as I’ll explain in an upcoming article, the  false positive ratio problem may be more of a regulatory problem than a technology problem).
  2. The Forgotten SAR Ratio– like false positive rates, there are anecdotes and some evidence that very few SARs provide tactical or strategic value to law enforcement. Recent Congressional testimony suggests that ~20% of SARs provide TSV (tactical or strategic value) to law enforcement … perhaps the ML/AI/RPA communities can help to flip this ratio so that 80% of SARs are TSV SARs. This also will take some effort from the regulatory and law enforcement communities.
  3. The Analysts’ Time Ratio– 90% of an AML Analyst’s time can be spent simply assembling the data, information, and documents needed to investigate a case, and only 10% of their time thinking and using their empathy, compassion, instinct, judgment, and experience to make good decisions and file TSV SARs … perhaps the ML/AI/RPA communities can help to flip this ratio so that Analysts spend 10% of their time assembling and 90% of their time thinking.

We’ve seen great strides in the AML world in the last 5-10 years when it comes to applying machine learning and creative analytics to the problems of AML monitoring, alerting, triaging, packaging, investigations, and reporting. My good friend and former colleague Graham Bailey at Wells Fargo designed and deployed ML and AI systems for AML as far back as 2008-2009, and the folks at Verafin have deployed cloud-based machine learning tools and techniques to over 1,600 banks and credit unions.

I’ve outlined three rather audacious goals for the machine learning/artificial intelligence/robotic process automation communities:

  1. The False Positive Ratio – flip it from 95% false positives to 5% false positives
  2. The Forgotten SAR Ratio – flip it from 20% TSV SARs to 80% TSV SARs
  3. The Analysts’ Time Ratio – flip it from 90% gathering data to 10% gathering data

Although many new AML-related jobs are being added – data scientist, model validator, etc. – and many existing AML-related jobs are changing, I am convinced that the job of AML Analyst will always be required. Hopefully, it will shift over time from being predominantly that of a gatherer of information and more of a hunter of criminals and terrorists. But it will always exist. If not, I can always fall back on being a Bartender. Maybe …

PETITION DENIED – The US Supreme Court Defends the SAR Safe Harbor!

Updated February 24, 2020 – The US Supreme Court denied a petition that challenged the SAR Safe Harbor

On September 13, 2020 a petition was filed with the US Supreme Court asking the Court to take up a case to decide whether the so-called “safe harbor” provision gives banks and bank employees absolute immunity from any liability when filing a Suspicious Activity Report, or SAR, or something less than absolute immunity.  The case is AER Advisors, Inc., Deutsche et al., Petitioners v. Fidelity Brokerage Services, LLC, petition for writ of certiorari, Docket 19-347 (US Supreme Court).[1] It was “distributed for conference” on January 22, 2020, and the conference – or meeting of the Justices – was scheduled for, and held on, February 21, 2020. On February 24th the Court published its decision: PETITION DENIED!

This was a critical case for the US anti-money laundering regime. In this case, the Court of Appeals for the First Circuit held that Fidelity had absolute immunity in filing Suspicious Activity Reports, and dismissed the petitioners’ claims against Fidelity that it filed a SAR against the petitioners in bad faith. The petitioners sought review by way of a petition for writ of certiorari – basically, an appeal – to the US Supreme Court.

The petitioners framed the main question as whether 31 USC section 5318(g), added by the Annunzio-Wylie Money Laundering Act of 1992, confers (a) absolute immunity for any disclosure; or (b) immunity only if the disclosure is an objectively possible criminal violation and/or is made in good faith and/or is not fraudulent.[2] The respondent Fidelity framed the main question differently: Is a financial institution immune from private suit under the Bank Secrecy Act when it files a Suspicious Activity Report as required by the Act?

The section in question is unequivocal:

31 USC s. 5318(g)(3) Liability for Disclosures

(A) In general. –Any financial institution that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this subsection or any other authority, and any director, officer, employee, or agent of such institution who makes, or requires another to make any such disclosure, shall not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any State or political subdivision of any State, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure to the person who is the subject of such disclosure or any other person identified in the disclosure.

Leaving aside all the legal arguments, Fidelity’s Opposition Brief includes an interesting description of the policy considerations favoring absolute immunity for financial institutions for filing Suspicious Activity Reports (beginning on page 18, the policy consideration began with “if financial institutions face liability for filing a report …”). As I began reading that section, I (as a former large bank BSA Officer responsible for the filing of well over one million SARs over the years) immediately thought of two things.

First, counsel was (rightly) focused on his client, the financial institution. But as I read the case, I was thinking “what about the BSA Officer who is the FIRST person the plaintiff’s lawyer is going to sue?!” And “who cares about the financial institution that makes a gazillion dollars a year … what about the poor BSA Officer?!”.

After recovering from that, I then thought that the obvious policy consideration favoring absolute immunity was the chilling effect that anything but absolute immunity would have on the way a BSA program is run. Without that absolute immunity, you would need to have multiple layers of review of every possible SAR, quality assurance reviews, testing requirements, auditing of those processes, etc. You would need to have multiple sign-offs on every SAR, then checking and testing of the policies and procedures and processes supporting those sign-offs. You would have checkers checking checkers checking checkers. And with large banks filing hundreds of SARs every business day, the process and personnel requirements to review every SAR for a “good faith” standard, could double the number of people needed to investigate, prepare, and file SARs. (my mind then drifted back to the personal liability of the BSA Officer overseeing such a program and of the supervisors and managers reviewing SARs).

In short, BSA Officers and AML investigations teams would be overwhelmed with oversight, to the point of paralysis. The effect of a limited or qualified immunity would be to have no immunity, and the BSA regime as we know it – monitoring for unusual activity, investigating that activity, and to the best of your ability and based on all the available facts, filing reports of suspicious activity – would end.

But none of that was on the mind of the lawyers. No, they weren’t worried about the potential impact on the suspicious activity reporting regime itself, or the BSA personnel in financial institutions facing personal ruin from plaintiffs/ law suits, they were worried about the burden on the financial institutions and on the institutions’ lawyers and the cost of those lawyers. At page 18 counsel for Fidelity wrote:

“… policy considerations favor absolute immunity. ‘Any qualification on immunity poses practical problems.’ Id. The most immediate problem is ‘a risk of second guessing.’ Id. If financial institutions face liability for filing a report, they may delay reporting or under report. Id. But even where a financial institution has a good-faith belief that a law has been violated, the institution may still think twice before reporting if Petitioners’ view of the law prevailed … In the face of potential litigation burdens of this magnitude, there is a substantial risk that financial institutions would be chilled in the filing of suspicious activity reports. Institutions will certainly think twice before reporting if expensive litigation is the cost of complying with the law. And because institutions file millions of these reports a year, if these reports were subject to litigation, financial institutions would be overwhelmed.”

Now, this is not to say that counsel is wrong. Indeed, he is right: institutions will certainly think twice before reporting suspicious activity if expensive litigation is the cost of doing so. But as a former BSA Officer, I would have felt better if one of the policy considerations favoring absolute immunity for filing Suspicious Activity Reports – even the primary policy consideration – was to protect the men and women on the front lines of financial institutions’ AML programs from second-guessing and personal liability for doing their jobs as best they can: for filing the Suspicious Activity Reports that give law enforcement and intelligence agencies the actionable, timely intelligence they need to protect the financial system from money laundering, terrorism, and other crimes. Not to protect the lawyers.

Interpreting statutes – what does the Supreme Court look at?

There is plenty of case law on how courts interpret a statute, or a part of a statute. An example is a famous case* the US Supreme Court decided in 2015, King et al v Burwell et al, 576 US 988 (2015). This is the “ObamaCare” decision where the Supreme Court was considering the requirement in the law that people had to purchase insurance on an exchange established by their state, or, if there was no such state exchange, the federal exchange. In particular, the Court was considering whether a tax credit was available to individuals who purchased insurance on the federal exchange. The phrase in question was “an Exchange established by the State”, because tax credits were only available to those who purchased insurance on “an Exchange established by the State”. The decision of the majority of the Court was 21 pages long. At the end was the following:

Reliance on context and structure in statutory interpretation is a “subtle business, calling for great wariness lest what professes to be mere  rendering becomes creation and attempted interpretation of legislation becomes legislation itself.” Palmer v. Massachusetts, 308 U. S. 79, 83 (1939).
For the reasons we have given, however, such reliance is appropriate in this case, and leads us to conclude that Section 36B allows tax credits for insurance purchased on any Exchange created under the Act. Those credits are necessary for the Federal Exchanges to function like their State Exchange counterparts, and to avoid the type of calamitous result that Congress plainly meant to avoid.
* * *
In a democracy, the power to make the law rests with those chosen by the people. Our role is more confined—“to say what the law is.” Marbury v. Madison, 1 Cranch 137, 177 (1803). That is easier in some cases than in others. But in every case we must respect the role of the Legislature, and take care not to undo what it has done. A fair reading of legislation demands a fair understanding of the legislative plan. Congress passed the Affordable Care Act to improve health insurance markets, not to destroy them. If at all possible, we must interpret the Act in a way that is consistent with the former, and avoids the latter. Section 36B can fairly be read consistent with what we see as Congress’s plan, and that is the reading we adopt.

The judgment of the United States Court of Appeals for
the Fourth Circuit is Affirmed.

* The case is famous not only because it upheld a main provision of the Affordable Care Act, but also because of the blistering dissent of Justice Antonin Scalia, a dissent that included his famous phrase “interpretive jiggery-pokery”. Among other things, Justice Scalia wrote:

“The Court holds that when the Patient Protection and Affordable Care Act says “Exchange established by the State” it means “Exchange established by the State or the Federal Government.” That is of course quite absurd, and the Court’s 21 pages of explanation make it no less so.” (Dissent, page 1)

Then, after almost 8 pages of examples of the poor reasoning of the majority, Justice Scalia unloads his famous line:

“The Court’s next bit of interpretive jiggery-pokery involves other parts of the Act that purportedly presuppose the availability of tax credits on both federal and state Exchanges.”

Page 12 was, perhaps, an even better line: “For its next defense of the indefensible, the Court turns to the Affordable Care Act’s design and purposes.” And at page 17 is: “Perhaps sensing the dismal failure of its efforts to show that “established by the State” means “established by the State or the Federal Government,” the Court tries to palm off the pertinent statutory phrase as “inartful drafting.” Ante, at 14. This Court, however, has no free-floating power “to rescue Congress from its drafting errors.” Lamie v. United States Trustee, 540 U. S. 526, 542 (2004) (internal quotation marks omitted). Only when it is patently obvious to a reasonable reader that a drafting mistake has occurred may a court correct the mistake.”

And in closing on page 21: “The somersaults of statutory interpretation they have performed (“penalty” means tax, “further [Medicaid] payments to the State” means only incremental Medicaid payments to the State, “established by the State” means not established by the State) will be cited by litigants endlessly, to the confusion of honest jurisprudence. And the cases will publish forever the discouraging truth that the Supreme Court of the United States favors some laws over others, and is prepared to do whatever it takes
to uphold and assist its favorites.  I dissent.”

How did the Supreme Court rule?

The Supreme Court simply denied the petition. But in the original article that appeared on this site, I asked that the US Supreme Court “refuse to take this case up and send it back to the 1st Circuit with an affirmation of the Safe Harbor for banks, lawyers, and BSA Officers alike” and:

To John Roberts and the Supremes, as you consider whether to take this case, please remember the words of Diana Ross and the Supremes:

Stop! In the name of love
Before you break my heart
Think it over
Think it over

[1] https://www.supremecourt.gov/search.aspx?filename=/docket/docketfiles/html/public/19-347.html

[2] An interesting quirk appeared in Annunzio-Wylie. Section 1517, titled “suspicious transactions and enforcement programs”, intended to add subsections (g) and (h) to section 5318 of title 31. As AML practitioners know, 5318(g) is the suspicious activity reporting requirement, and 5318(h) is the AML program requirement. However, section 1517 of Annunzio-Wylie had a typographical error, and instead of adding (g) and (h) to section 5318, it added them to section 5314, the section requiring records and reports on foreign financial agency transactions (the so-called “FBAR” section, or Foreign Bank Account Report section). This typo wasn’t corrected until two years later by section 330017(b) of the Violent Crime Control & Law Enforcement Act of 1994, PL 103-322, enacted on September 13, 1994. That section provided: “Amendment relating to Title 31, U.S.C.— (1) Effective as of the date of enactment of the Annunzio Wylie Anti-Money Laundering Act, section 1517(b) of that Act is amended by striking ‘‘5314’’ and inserting ‘‘5318’’.” In another oddity, one day after the Violent Crime Control Act was sent to the President to be signed, the Money Laundering Suppression Act (MLSA) was sent to the President. The MLSA also included a section to correct the 1992 typo; in fact, section 413(b)(1) of the MLSA was identical to section 330017(b) of the Violent Crime Control Act. Congress made doubly sure to fix the typo!

Proceeds of Crime and GDP – Are We Comparing Apples to Oranges?

The Estimate for US Money Laundering – $300 billion a year, or 2% of GDP

The 2015 National Money Laundering Risk Assessment – available at 2015 NMLRA – estimated that the total amount of criminal proceeds generated in the United States was approximately $300 billion, or 2% of gross domestic produce (GDP). The report provided:

“United Nations Office on Drugs and Crime (UNODC) estimated proceeds from all forms of financial crime in the United States, excluding tax evasion, was $300 billion in 2010, or about two percent of the U.S. economy. [Footnote: United Nations Office on Drugs and Crime, Estimating Illicit Financial Flows Resulting From Drug Trafficking and other Transnational Organized Crimes, October 2011.] This is comparable to U.S. estimates. UNODC estimates illicit drug sales were $64 billion, which the DEA believes is a reasonable current estimate, putting the proceeds for all other forms of financial crime in the United States at $236 billion, most of which is attributable to fraud.” (citations omitted)

The figures of $300 billion in 2010 and two percent of the US economy are the midpoints of estimates based on a 2004 report. The UNODC report provided:

“… the criminal income in 2010 (excluding tax evasion) may have amounted to some US$350 bn in the world’s largest national economy [the United States]. This would probably be the upper limit estimate. A lower limit estimate – assuming that the nominal increases found over the 1990-2000 period continued unchanged over the 2000-2010 period, would result in an estimate of around US$235 bn for the year 2010 or 1.6% of GDP. A mid-point estimate would show criminal income of some US$300 bn (rounded) or 2% of GDP for 2010. (UNODC Report, page 20).”

A critical review of the UNODC report, and the reports that it relies on, suggests that these estimates need to updated. For example, the amount of criminal proceeds from illegal drug sales dropped by almost 50% from 1990 to 2010 from $97 billion to $64 billion, but the amount of criminal proceeds from all other crimes (excluding tax evasion), more than doubled in that same period, from $112 billion to $236 billion. And excluding tax evasion is meaningful: the 1990 estimate of tax evasion was $236 billion – dwarfing both drugs and other criminal proceeds.

$300 Billion in Criminal Proceeds – How Much is Reported by Financial Institutions?

We don’t know. But what is interesting about the 2015 National Money Laundering Risk Assessment figure of $300 billion in estimated proceeds of criminal activity, is that it may be reasonably close to the total amount reported in Suspicious Activity Reports. Although FinCEN has not (yet) provided total amounts reported in Suspicious Activity Reports and Currency Transaction Reports, some anecdotal evidence (based on off-the-record discussions with people in the industry) suggests that the average depository institution (bank and credit union) SAR reports approximately $250,000 in suspicious activity, and the average money services business (MSB) SAR reports approximately $35,000 to $40,000. And I’ll guess that all other filers’ SARs average $50,000 each. Using 2018 SAR totals:

Depository Institutions                 975,000 SARs @ $245,000       ~$239 billion

Money Services Businesses          875,000 SARs @ $35,000         ~$   31 billion

“Other” and all other filers          275,000 @ $50,000                   ~$  14 billion

~$284 billion

And if we assume that some of the activity reported in Currency Transaction Reports (CTRs) is, in fact, the proceeds of criminal activity, we could arguably add another $36 billion (18 million CTRs @ $20,000 each with 10% “dirty money”). The total reported by financial institutions in the US is then roughly $320 billion. So US financial institutions may be doing a pretty good job at reporting suspicious activity!

Total Suspected Proceeds of Crime Reported in the US: ~$320 billion. Estimated proceeds of criminal activity in the US: ~$300 billion.

Proceeds of Crime and GDP – Are We Comparing Apples to Oranges?

There is another flaw in comparing the amount of criminal proceeds to global (or national) gross domestic product, or GDP. GDP is a measure of the total final value of everything produced. Its components include personal consumption expenditures, business investment, government spending, and exports less imports (and there is nominal GDP and real GDP, with the latter factoring in inflation). A better measure of the effectiveness of the financial system in identifying, interdicting, and reporting criminal proceeds would be to compare the total amount of criminal proceeds flowing through the financial system to the total amount of funds flowing through the financial system.

The US Financial System – Two Quintilian Dollars A Year

The 2015 National Money Laundering Risk Assessment (pages 35 and 36) estimates that the total amount of FedWire, CHIPS, ACH, debit card, and cash transactions moving through the US financial system in a year is approximately two Quintilian dollars:

“The global dominance of the U.S. dollar generates trillions of dollars of daily transaction volume through U.S. banks, creating significant exposure to potential money laundering activity. The Federal Reserve System’s real-time gross settlement system, Fedwire, which is used to clear and settle payments with immediate finality, processed an average of $3.5 trillion in daily funds transfers in 2014. The Clearing House Interbank Payment System (CHIPS) is the largest private-sector U.S.-dollar funds-transfer system in the world, clearing and settling an average of $1.5 trillion in cross-border and domestic payments daily. CHIPS estimates that it is responsible for processing more than 95 percent of U.S. dollar-denominated cross-border transactions, and nearly half of all domestic wire transactions. The average value of a transaction on Fedwire and CHIPS is in the millions of dollars. The automated clearinghouse network (ACH), through which U.S. banks transfer electronic payments that are not settled in real time, processes more than $10 trillion in transactions annually.”

Converting those daily amounts to annual amounts gives us a total of approximately two Quintilian dollars. Of that, $300 billion is criminal proceeds. Therefore, criminal proceeds make up approximately 0.00000007% of the total amount moving through the American financial system.

The US Government’s National Money Laundering Risk Assessment believes that for every one billion dollars of money flowing through the US financial system, seven dollars is criminal proceeds.

The private sector participants in the US financial system are subject to a regulatory regime that requires them to have complex systems, processes, and programs that collectively cost tens of billions of dollars, if not hundreds of billions of dollars, to develop, operate, and enhance. And the administrative and criminal penalties for failing to have reasonably effective AML programs can be severe. As the 2015 NMLRA concludes (on page 36):

“This exposure to a daily flow of trillions of dollars in transaction volume from large value to small value payment systems requires banks to maintain robust safeguards to minimize the potential for illicit activity. Like any other financial industry, deficient compliance practices and complicit insiders are vulnerabilities, but the stakes are higher for banks given the volume and value of transactions that U.S. banks engage in daily. Preserving the integrity of the U.S. financial system requires that banks effectively monitor and control the money laundering risks to which they are exposed. To this end, banks are required to establish a written AML program reasonably designed to prevent their financial institutions from being used to facilitate money laundering and the financing of terrorist activities. The introduction of illicit proceeds into the financial system is the first and critical step in the money laundering process and banks are most vulnerable to being used for this purpose by criminals. Once illicit proceeds are placed into the financial system, the continued use of banks to move those funds both domestically and internationally can further obscure their criminal origins and facilitate their integration into the system. Therefore, establishing and maintaining an effective customer identification program (CIP) is a key control.”

The American anti-money laundering regime – which is now in its fiftieth year – has been built to identify and report the seven dollars of criminal activity out of every one billion dollars of total activity that flows through that financial system. It is critical that the public and private sectors continue to work together to not only make this regime as effective and efficient as possible; but perhaps because of the daunting task that the private sector has been given – to detect and report the 0.00000007% of activity flowing through the system that is criminal proceeds – the regulatory agencies that examine them for compliance with the regime’s rules and regulations should focus less on how those institutions comply with the rules, and more on how well those institutions provide actionable, timely intelligence to law enforcement.

Like Sam Loves Free Fried Chicken, Law Enforcement Loves “Free” Suspicious Activity Reports … But What If Law Enforcement Had to Earn the Right to Use the Private Sector’s “Free” SARs?

“Well, I’m here in the freezing cold getting’ free chicken sandwiches. Because the food tastes great. I mean, it’s chicken. Fried chicken. I like fried chicken.”

Eleven year-old Sam Caruana of Buffalo, New York waited outside a Chick-fil-A restaurant in the freezing cold in order to be one of the 100 people given free fried chicken for one year (actually, one chicken sandwich a week for fifty-two weeks). In a video that went viral (Sam Caruana YouTube – Free Chicken), young Sam explained that he simply loved fried chicken, and he’d stand in the cold for free fried chicken.

Just as Sam loves free fried chicken, law enforcement loves free Suspicious Activity Reports, or SARs. In the United States, over 30,000 private sector financial institutions – from banks to credit unions, to money transmitters and check cashers, to casinos and insurance companies, to broker dealers and investment advisers – file more than 2,000,000 SARs every year. And it costs those financial institutions billions of dollars to have the programs, policies, procedures, processes, technology, and people to onboard and risk-rate customers, to monitor for and identify unusual activity, to investigate that unusual activity to determine if it is suspicious, and, if it is, to file a SAR with the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. From there, hundreds of law enforcement agencies across the country, at every level of government, can access those SARs and use them in their investigations into possible tax, criminal, or other investigations or proceedings. To law enforcement, those SARs are, essentially, free. And like Sam loves free fried chicken, law enforcement loves free SARs. Who wouldn’t?

But should those private sector SARs, that cost billions of dollars to produce, be “free” to public sector law enforcement agencies? Put another way, should the public sector law enforcement agency consumers of SARs need to provide something in return to the private sector producers of SARs?

I say they should. And here’s what I propose: that in return for the privilege of accessing and using private sector SARs, law enforcement shouldn’t have to pay for that privilege with money, but with effort. The public sector consumers of SARs should let the private sector producers know which of those SARs provide tactical or strategic value.

A recent Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had: 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). Note that the survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Some of the mega banks indicate that law enforcement shows interest in (through requests for supporting documentation or grand jury subpoenas) 6% – 8% of SARs.

I argue that the Alert/SAR and even Case/SAR ratios are all of interest, but tracking to SARs filed is a little bit like a car manufacturer tracking how many cars it builds but not how many cars it sells, or how well those cars perform, how long they last, and how popular they are. And just like the automobile industry measuring how many cars are purchased, the better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

Also, there is much being written about how machine learning and artificial intelligence will transform anti-money laundering programs. Indeed, ML and AI proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate. The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government. But the fundamental problem that every one of those ML/AI systems has is that they are using the wrong data to train their algorithms and “teach” their machines: they are looking at the SARs that are filed, not the SARs that have tactical or strategic value to law enforcement.

Tactical or Strategic Value Suspicious Activity Reports – TSV SARs

The best measure of an effective and efficient financial crimes program is how well it is providing timely, effective intelligence to law enforcement. And the best measure of that is whether the SARs that are being filed are providing tactical or strategic value to law enforcement. How do you determine whether a SAR provides value to law enforcement? One way would be to ask law enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure law enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, law enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.

A TSV SAR is one that has either tactical value – it was used in a particular case – or strategic value – it contributed to understanding a typology or trend. And some SARs can have both tactical and strategic value. That value is determined by law enforcement indicating, within seven years of the filing of the SAR (more on that later), that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value.  That law enforcement response or feedback is provided to FinCEN through the same BSA Database interfaces that exist today – obviously, some coding and training will need to be done (for how FinCEN does it, see below). If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within seven years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement. And when FinCEN shares that information across the industry, others could also reduce their false positive rates.

FinCEN’s TSV SAR Feedback Loop

FinCEN is working to provide more feedback to the private sector producers of BSA reports. As FinCEN Director Ken Blanco recently stated:[1]

“Earlier this year, FinCEN began the BSA Value Project, a study and analysis of the value of the BSA information we receive. We are working to provide comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information in order to make it more effective and its collection more efficient. We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm — that is clear. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis.”

FinCEN receives every SAR. Indeed, FinCEN receives a number of different BSA-related reporting: SARs, CTRs, CMIRs, and Form 8300s. It’s a daunting amount of information. As FinCEN Director Ken Blanco noted in the same speech:

FinCEN’s BSA database includes nearly 300 million records — 55,000 new documents are added each day. The reporting contributes critical information that is routinely analyzed, resulting in the identification of suspected criminal and terrorist activity and the initiation of investigations.

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, and local agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data taking place each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, which bring together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed.

Each day, law enforcement, FinCEN, regulators, and others are querying this data:  7.4 million queries per year on average. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that protect our nation from harm, help deter crime, and save lives.”

This doesn’t tell us how many of those 55,000 daily reports are SARs, but we do know that in 2018 there were 2,171,173 SARs filed, or about 8,700 every (business) day. And it appears that FinCEN knows which law enforcement agencies access which SARs, and when. And we now know that there are “18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities” every year. But which filings?

The law enforcement agencies know which SARs provide tactical or strategic value, or both. So if law enforcement finds value in a SAR, it should acknowledge that, and provide that information back to FinCEN. FinCEN, in turn, could provide an annual report to every financial institution that filed, say, more than 250 SARs a year (that’s one every business day, and is more than three times the number filed by the average bank or credit union). That report would be a simple relational database indicating which SARs had either or both tactical or strategic value. SAR filers would then be able to use that information to actually train or tune their monitoring and surveillance systems, and even eliminate those alerting systems that weren’t providing any value to law enforcement.

Why give law enforcement seven years to respond? Criminal cases take years to develop. And sometimes a case may not even be opened for years, and a SAR filing may trigger an investigation. And sometimes a case is developed and the law enforcement agency searches the SAR database and finds SARs that were filed five, six, seven or more years earlier. Between record retention rules and practical value, seven years seems reasonable.

Law enforcement agencies have tremendous responsibilities and obligations, and their resources and budgets are stretched to the breaking point. Adding another obligation – to provide feedback to the banks, credit unions, and other private sector institutions that provide them with reports of suspicious activity – may not be feasible. But the upside of that feedback – that law enforcement may get fewer, but better, reports, and the private sector institutions can focus more on human trafficking, human smuggling, and terrorist financing and less on identifying and reporting activity that isn’t of interest to law enforcement – may far exceed the downside.

Free Suspicious Activity Reports are great. But like Sam being prepared to stand in the freezing cold for his fried chicken, perhaps law enforcement is prepared to let us know whether the reports we’re filing have value.

For more on alert-to-SAR rates, the TSV feedback loop, machine learning and artificial intelligence, see other articles I’ve written:

The TSV SAR Feedback Loop – June 4 2019

AML and Machine Learning – December 14 2018

Rules Based Monitoring – December 20 2018

FinCEN FY2020 Report – June 4 2019

FinCEN BSA Value Project – August 19 2019

BSA Regime – A Classic Fixer-Upper – October 29 2019

[1] November 15, 2019, prepared remarks for the Chainalysis Blockchain Symposium, available at https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-chainalysis-blockchain-symposium

SAFE Banking Act of 2019 – Some Suggestions for the Senate

The SAFE Banking Act, HR 1595, was approved by the House on September 25, 2019. As written, it is a “bill to create protections for depository institutions that provide financial services to cannabis-related legitimate businesses and service providers for such businesses, and for other purposes.” There has been much written about the SAFE Banking Act, but as I went through it, I saw a number of things that need to be addressed.  So below are some general comments and observations – written in blue italics – and some suggestions for the Senate – written in red bold italics – as the Senate considers what, if any, changes to make to the House version, and whether to actually vote on their version of the SAFE Banking Act.

The link to the text is SAFE Banking Act – congress.gov

SAFE Banking Act, HR 1595 as approved by the House of Representatives, September 25, 2019

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; PURPOSE.

(a) SHORT TITLE.—This Act may be cited as the ‘‘Secure And Fair Enforcement Banking Act of 2019’’ or the ‘‘SAFE Banking Act of 2019’’.

(b) PURPOSE.—The purpose of this Act is to increase public safety by ensuring access to financial services to cannabis-related legitimate businesses and service providers and reducing the amount of cash at such businesses.

Comment – The purpose statement focuses on public safety and getting cash out of cannabis businesses. But there is very little else in the Act that specifically addresses public safety or cash. Note the modifier “legitimate” (see section 14 definition)

SEC. 2. SAFE HARBOR FOR DEPOSITORY INSTITUTIONS.

(a) IN GENERAL.—A Federal banking regulator may not—

(1) terminate or limit the deposit insurance or share insurance of a depository institution under the Federal Deposit Insurance Act (12 U.S.C. 1811 et seq.), the Federal Credit Union Act (12 U.S.C. 1751 et seq.), or take any other adverse action against a depository institution under section 8 of the Federal Deposit Insurance Act (12 U.S.C. 1818) solely because the depository institution provides or has provided financial services to a cannabis-related legitimate business or service provider;

(2) prohibit, penalize, or otherwise discourage a depository institution from providing financial services to a cannabis-related legitimate business or service provider or to a State, political subdivision of a State, or Indian Tribe that exercises jurisdiction over cannabis-related legitimate businesses;

Comment – Section 2 is clearly a safe harbor from actions taken by a federal banking regulator – not from the Department of Justice. Compare this to section 4’s broader protections. Note that 12 USC 1818 is the “cease and desist” section. The phrase “solely because” is significant: the intent and effect of this is that a federal banking regulator can bring an adverse action against a depository institution providing financial services to a cannabis-related legitimate business if that institution otherwise violates banking laws or regulations.

(3) recommend, incentivize, or encourage a depository institution not to offer financial services to an account holder, or to downgrade or cancel the financial services offered to an account holder solely because— (A) the account holder is a cannabis-related legitimate business or service provider, or is an employee, owner, or operator of a cannabis-related legitimate business or service provider; (B) the account holder later becomes an employee, owner, or operator of a cannabis-related legitimate business or service provider; or (C) the depository institution was not aware that the account holder is an employee, owner, or operator of a cannabis-related legitimate business or service provider;

Comment – Section 2(a)(3) introduces protections for account holders who are employees, owners, and operators. Also, note that (2) provides that regulators cannot discourage financial institutions from providing services, and (3) provides that regulators cannot encourage financial institutions not to provide services. What was the legislative intent?

(4) take any adverse or corrective supervisory action on a loan made to— (A) a cannabis-related legitimate business or service provider, solely because the business is a cannabis-related legitimate business or service provider; (B) an employee, owner, or operator of a cannabis-related legitimate business or service provider, solely because the employee, owner, or operator is employed by, owns, or operates a cannabis-related legitimate business or service provider, as applicable; or (C) an owner or operator of real estate or equipment that is leased to a cannabis-related legitimate business or service provider, solely because the owner or operator of the real estate or equipment leased the equipment or real estate to a cannabis-related legitimate business or service provider, as applicable; or

(5) prohibit or penalize a depository institution (or entity performing a financial service for or in association with a depository institution) for, or otherwise discourage a depository institution (or entity performing a financial service for or in association with a depository institution) from, engaging in a financial service for a cannabis-related legitimate business or service provider.

(b) SAFE HARBOR APPLICABLE TO DE NOVO INSTITUTIONS.—Subsection (a) shall apply to an institution applying for a depository institution charter to the same extent as such subsection applies to a depository institution.

Comment – Section 2(a)(5) is interesting with the addition of “(or entity performing a financial service for or in association with a depository institution) …”. Subsections 2(a)(2) and (5) could be combined without loss of meaning.

SEC. 3. PROTECTIONS FOR ANCILLARY BUSINESSES.

For the purposes of sections 1956 and 1957 of title 18, United States Code, and all other provisions of Federal law, the proceeds from a transaction involving activities of a cannabis-related legitimate business or service provider shall not be considered proceeds from an unlawful activity solely because—

(1) the transaction involves proceeds from a cannabis-related legitimate business or service provider; or

(2) the transaction involves proceeds from— (A) cannabis-related activities described in section 14(4)(B) conducted by a cannabis-related legitimate business; or (B) activities described in section 14(13)(A) conducted by a service provider.

Senate Suggestion 1 – The title of section 3 is the only reference to “ancillary businesses”. This is a left-over from the original SAFE Banking Act. This section should be changed to  “Protections from Federal Laws Relating to Specified Unlawful Activity”

SEC. 4. PROTECTIONS UNDER FEDERAL LAW.

(a) IN GENERAL.—With respect to providing a financial service to a cannabis-related legitimate business or service provider within a State, political subdivision of a State, or Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis pursuant to a law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country, as applicable, a depository institution, entity performing a financial service for or in association with a depository institution, or insurer that provides a financial service to a cannabis-related legitimate business or service provider, and the officers, directors, and employees of that depository institution, entity, or insurer may not be held liable pursuant to any Federal law or regulation— (1) solely for providing such a financial service; or (2) for further investing any income derived from such a financial service.

Comment – Section 4’s protections extend more broadly than the narrower section 2 safe harbor, notably because individuals are protected.

(b) PROTECTIONS FOR FEDERAL RESERVE BANKS AND FEDERAL HOME LOAN BANKS.—With respect to providing a service to a depository institution that provides a financial service to a cannabis-related legitimate business or service provider (where such financial service is provided within a State, political subdivision of a State, or Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis pursuant to a law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country, as applicable), a Federal reserve bank or Federal Home Loan Bank, and the officers, directors, and employees of the Federal reserve bank or Federal Home Loan Bank, may not be held liable pursuant to any Federal law or regulation— (1) solely for providing such a service; or (2) for further investing any income derived from such a service.

(c) PROTECTIONS FOR INSURERS.—With respect to engaging in the business of insurance within a State, political subdivision of a State, or Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis pursuant to a law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country, as applicable, an insurer that engages in the business of insurance with a cannabis-related legitimate business or service provider or who otherwise engages with a person in a transaction permissible under State law related to cannabis, and the officers, directors, and employees of that insurer may not be held liable pursuant to any Federal law or regulation— (1) solely for engaging in the business of insurance; or (2) for further investing any income derived from the business of insurance.

(d) FORFEITURE.— (1) DEPOSITORY INSTITUTIONS.—A depository institution that has a legal interest in the collateral for a loan or another financial service provided to an owner, employee, or operator of a cannabis-related legitimate business or service provider, or to an owner or operator of real estate or equipment that is leased or sold to a cannabis-related legitimate business or service provider, shall not be subject to criminal, civil, or administrative forfeiture of that legal interest pursuant to any Federal law for providing such loan or other financial service. (2) FEDERAL RESERVE BANKS AND FEDERAL HOME LOAN BANKS.—A Federal reserve bank or Federal Home Loan Bank that has a legal interest in the collateral for a loan or another financial service provided to a depository institution that provides a financial service to a cannabis-related legitimate business or service provider, or to an owner or operator of real estate or equipment that is leased or sold to a cannabis-related legitimate business or service provider, shall not be subject to criminal, civil, or administrative forfeiture of that legal interest pursuant to any Federal law for providing such loan or other financial service.

SEC. 5. RULES OF CONSTRUCTION.

(a) NO REQUIREMENT TO PROVIDE FINANCIAL SERVICES.—Nothing in this Act shall require a depository institution, entity performing a financial service for or in association with a depository institution, or insurer to provide financial services to a cannabis-related legitimate business, service provider, or any other business.

(b) GENERAL EXAMINATION, SUPERVISORY, AND ENFORCEMENT AUTHORITY.—Nothing in this Act may be construed in any way as limiting or otherwise restricting the general examination, supervisory, and enforcement authority of the Federal banking regulators, provided that the basis for any supervisory or enforcement action is not the provision of financial services to a cannabis-related legitimate business or service provider.

Comment – Section 5(a) allows financial service providers to decide not to engage with cannabis-related legitimate businesses or service providers. It does not extend that to the employees, officer, or operators of those businesses, though. Section 5(b) gives teeth to the section 2 safe harbor language (“solely because the depository institution provides or has provided financial services to a cannabis-related legitimate business or service provider”). However, section 5(b) could be better written by including the “solely” term.

SEC. 6. REQUIREMENTS FOR FILING SUSPICIOUS ACTIVITY REPORTS.

Section 5318(g) of title 31, United States Code, is amended by adding at the end the following:

‘‘(5) REQUIREMENTS FOR CANNABIS-RELATED LEGITIMATE BUSINESSES.—

‘‘(A) IN GENERAL.—With respect to a financial institution or any director, officer, employee, or agent of a financial institution that reports a suspicious transaction pursuant to this subsection, if the reason for the report relates to a cannabis-related legitimate business or service provider, the report shall comply with appropriate guidance issued by the Financial Crimes Enforcement Network. The Secretary shall ensure that the guidance is consistent with the purpose and intent of the SAFE Banking Act of 2019 and does not significantly inhibit the provision of financial services to a cannabis-related legitimate business or service provider in a State, political subdivision of a State, or Indian country that has allowed the cultivation, production, manufacture, transportation, display, dispensing, distribution, sale, or purchase of cannabis pursuant to law or regulation of such State, political subdivision, or Indian Tribe that has jurisdiction over the Indian country.

Senate Suggestion 2 – Section 6 adds a new subsection (5). Subsection (1) doesn’t change: it provides “The Secretary may require any financial institution, and any director, officer, employee, or agent of any financial institution, to report any suspicious transaction relevant to a possible violation of law or regulation.” This section calls for “guidance” from FinCEN, not a regulation or regulations. First, is this the existing (2014) FinCEN guidance, or does it contemplate new, yet to be issued, guidance? If the latter, there is no time frame for issuing such guidance. I would make this clear: FinCEN guidance to be issued within 180 days. Compare this to section 7. And see comments on section 10. Second, question whether that guidance would satisfy the Administrative Procedures Act. See the (excellent) testimony of Margaret (Meg) Tahyar: https://www.banking.senate.gov/imo/media/doc/Tahyar%20Testimony%204-30-19.pdf and the federal banking regulators Interagency Statement on Clarifying the Role of Supervisory Guidance, https://www.fdic.gov/news/news/press/2018/pr18059a.pdf

‘‘(B) DEFINITIONS.—For purposes of this paragraph: ‘‘(i) CANNABIS.—The term ‘cannabis’ has the meaning given the term ‘marihuana’ in section 102 of the Controlled Substances Act (21 U.S.C. 802). ‘‘(ii) CANNABIS-RELATED LEGITIMATE BUSINESS.—The term ‘cannabis-related legitimate business’ has the meaning given that term in section of the SAFE Banking Act of 2019. ‘‘(iii) INDIAN COUNTRY.—The term ‘Indian country’ has the meaning given that term in section 1151 of title 18. ‘‘(iv) INDIAN TRIBE.—The term ‘Indian Tribe’ has the meaning given that term in section 102 of the Federally Recognized Indian Tribe List Act of 1994 (25 7 U.S.C. 479a). ‘‘(v) FINANCIAL SERVICE.—The term ‘financial service’ has the meaning given that term in section 14 of the SAFE Banking Act of 2019. ‘‘(vi) SERVICE PROVIDER.—The term ‘service provider’ has the meaning given that term in section 14 of the SAFE Banking Act of 2019. ‘‘(vii) STATE.—The term ‘State’ means each of the several States, the District of Columbia, Puerto Rico, and any territory or possession of the United States.’’.

SEC. 7. GUIDANCE AND EXAMINATION PROCEDURES.

Not later than 180 days after the date of enactment of this Act, the Financial Institutions Examination Council shall develop uniform guidance and examination procedures for depository institutions that provide financial services to cannabis-related legitimate businesses and service providers.

Senate Suggestion 3 – See the comments for section 6. Between these two sections, CRLB/SP program requirements, including SAR reporting guidance, won’t be available to financial institutions for ~6 months after the enactment of the Act. That creates problems for the section 10 report. And why is this language – FFIEC guidance and exam procedures in 180 days – different than the similar hemp section 11(b) – federal banking regulators to publish best practices within 90 days?

SEC. 8. ANNUAL DIVERSITY AND INCLUSION REPORT.

The Federal banking regulators shall issue an annual report to Congress containing—

(1) information and data on the availability of access to financial services for minority-owned and women-owned cannabis-related legitimate businesses; and

(2) any regulatory or legislative recommendations for expanding access to financial services for  minority-owned and women-owned cannabis-related legitimate businesses.

SEC. 9. GAO STUDY ON DIVERSITY AND INCLUSION.

(a) STUDY.—The Comptroller General of the United States shall carry out a study on the barriers to market-place entry, including in the licensing process, and the access to financial services for potential and existing minority-owned and women-owned cannabis-related legitimate businesses.

(b) REPORT.—The Comptroller General shall issue a report to the Congress—(1) containing all findings and determinations made in carrying out the study required under subsection (a); and (2) containing any regulatory or legislative recommendations for removing barriers to marketplace entry, including in the licensing process, and expanding access to financial services for potential and existing minority-owned and women-owned cannabis-related legitimate businesses.

SEC. 10. GAO STUDY ON EFFECTIVENESS OF CERTAIN REPORTS ON FINDING CERTAIN PERSONS.

Not later than 2 years after the date of the enactment of this Act, the Comptroller General of the United States shall carry out a study on the effectiveness of reports on suspicious transactions filed pursuant to section 15 5318(g) of title 31, United States Code, at finding individuals or organizations suspected or known to be engaged with transnational criminal organizations and whether any such engagement exists in a State, political subdivision, or Indian Tribe that has jurisdiction over Indian country that allows the cultivation, production, manufacture, sale, transportation, display, dispensing, distribution, or purchase of cannabis. The study shall examine reports on suspicious transactions as follows: (1) During the period of 2014 until the date of the enactment of this Act, reports relating to marijuana-related businesses. (2) During the 1-year period after date of the enactment of this Act, reports relating to cannabis-related legitimate businesses.

Senate Suggestion 4 – Why is this study limited to looking at whether SARs are effective at identifying transnational criminal organization connections to CRLBs? The study should look at whatever patterns, trends, typologies can be identified from all 5318(g)(5) SARs (as well as CTRs), not just connections to TCOs. This is a lost opportunity.

Senate Suggestion 5 – Comparing the MRB SAR regime to the CRLB SAR regime is a sound idea, but the mechanics or timing are not right. CRLB SARs won’t immediately be filed by financial institutions: FinCEN must first either enact a regulation or issue guidance relating to CRLB SAR filings. The triggering event cannot be until/after the date of enactment of this Act, but until/after a regulation or guidance is published or written.

SEC. 11. BANKING SERVICES FOR HEMP BUSINESSES.

(a) FINDINGS.—The Congress finds that— (1) the Agriculture Improvement Act of 2018 (Public Law 115–334) legalized hemp by removing it from the definition of ‘‘marihuana’’ under the Controlled Substances Act; (2) despite the legalization of hemp, some hemp businesses (including producers, manufacturers, and retailers) continue to have difficulty gaining access to banking products and services; and (3) businesses involved in the sale of hemp-derived cannabidiol (‘‘CBD’’) products are particularly affected, due to confusion about their legal status.

(b) FEDERAL BANKING REGULATOR HEMP BANKING GUIDANCE.—Not later than the end of the 90-day period beginning on the date of enactment of this Act, the Federal banking regulators shall jointly issue guidance to financial institutions—(1) confirming the legality of hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products, and the legality of engaging in financial services with businesses selling hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products, after the enactment of the Agriculture Improvement Act of 2018; and (2) to provide recommended best practices for financial institutions to follow when providing financial services and merchant processing services to businesses involved in the sale of hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products.

Senate Suggestion 6 – See section 7, which calls for FFIEC guidance and exam procedures in 180 days. Why is this section calling for the federal banking regulators to publish best practices within 90 days? Also, if a financial institution knows that its customer is selling unapproved hemp-derived CBD products in violation of the FFD&C Act, is it protected by this section?

Senate Suggestion 7 – Why are merchant processing services called out in this section, and nowhere else? If merchant processing services are not “financial services”, then this is a huge gap in the Act, as (arguably) the most important financial service a CRLB can obtain is merchant services. See section 14(7).

(c) FINANCIAL INSTITUTION DEFINED.—In this section, the term ‘‘financial institution’’ means any person providing financial services.

Senate Suggestion 8 – What is the purpose of subsection (c)?

SEC. 12. APPLICATION OF SAFE HARBORS TO HEMP AND CBD PRODUCTS.

(a) IN GENERAL.—Except as provided under subsection (b), the provisions of this Act (other than sections 6 and 10) shall apply to hemp (including hemp-derived cannabidiol and other hemp-derived cannabinoid products) in the same manner as such provisions apply to cannabis.

Senate Suggestion 9 – The House version excludes hemp from Section 6, the SAR reporting section, and Section 10, the study of SARs to determine if there are any transnational criminal organizations connections to the cannabis industry. Is it the intent of Congress that hemp and hemp products are not covered by the SAR reporting obligations but are otherwise covered by FFIEC guidance and examination procedures?

(b) RULE OF APPLICATION.—In applying the provisions of this Act described under subsection (a) to hemp, the definition of ‘‘cannabis-related legitimate business’’ shall be treated as excluding any requirement to engage in activity pursuant to the law of a State or political subdivision thereof.

(c) HEMP DEFINED.—In this section, the term ‘‘hemp’’ has the meaning given that term under section 297A of the Agricultural Marketing Act of 1946 (7 U.S.C. 1639o).

SEC. 13. REQUIREMENTS FOR DEPOSIT ACCOUNT TERMINATION REQUESTS AND ORDERS.

(a) TERMINATION REQUESTS OR ORDERS MUST BE VALID.—

(1) IN GENERAL.—An appropriate Federal banking agency may not formally or informally request or order a depository institution to terminate a specific customer account or group of customer accounts or to otherwise restrict or discourage a depository institution from entering into or maintaining a banking relationship with a specific customer or group of customers unless— (A) the agency has a valid reason for such request or order; and (B) such reason is not based solely on reputation risk.

(2) TREATMENT OF NATIONAL SECURITY THREATS.—If an appropriate Federal banking agency believes a specific customer or group of customers is, or is acting as a conduit for, an entity which— (A) poses a threat to national security; (B) is involved in terrorist financing; (C) is an agency of the Government of Iran, North Korea, Syria, or any country listed from time to time on the State Sponsors of Terrorism list; (D) is located in, or is subject to the jurisdiction of, any country specified in subparagraph (C); or (E) does business with any entity described in subparagraph (C) or (D), unless the appropriate Federal banking agency determines that the customer or group of customers has used due diligence to avoid doing business with any entity described in subparagraph (C) or (D), such belief shall satisfy the requirement under paragraph (1).

(b) NOTICE REQUIREMENT.—

(1) IN GENERAL.—If an appropriate Federal banking agency formally or informally requests or orders a depository institution to terminate a specific customer account or a group of customer accounts, the agency shall— (A) provide such request or order to the institution in writing; and (B) accompany such request or order with a written justification for why such termination is needed, including any specific laws or regulations the agency believes are being violated by the customer or group of customers, if any.

(2) JUSTIFICATION REQUIREMENT.—A justification described under paragraph (1)(B) may not be based solely on the reputation risk to the depository institution.

(c) CUSTOMER NOTICE.—

(1) NOTICE REQUIRED.—Except as provided under paragraph (2) or as otherwise prohibited from being disclosed by law, if an appropriate Federal banking agency orders a depository institution to terminate a specific customer account or a group of customer accounts, the depository institution shall inform the specific customer or group of customers of the justification for the customer’s account termination described under subsection (b).

(2) NOTICE PROHIBITED.— (A) NOTICE PROHIBITED IN CASES OF NATIONAL SECURITY.—If an appropriate Federal banking agency requests or orders a depository institution to terminate a specific customer account or a group of customer accounts based on a belief that the customer or customers pose a threat to national security, or are otherwise described under subsection (a)(2), neither the depository institution nor the appropriate Federal banking agency may inform the customer or customers of the justification for the customer’s account termination. (B) NOTICE PROHIBITED IN OTHER CASES.—If an appropriate Federal banking agency determines that the notice required under paragraph (1) may interfere with an authorized criminal investigation, neither the depository institution nor the appropriate Federal banking agency may inform the specific customer or group of customers of the justification for the customer’s account termination.

(d) REPORTING REQUIREMENT.—Each appropriate Federal banking agency shall issue an annual report to the Congress stating— (1) the aggregate number of specific customer accounts that the agency requested or ordered a depository institution to terminate during the previous year; and (2) the legal authority on which the agency relied in making such requests and orders and the frequency on which the agency relied on each such authority.

(e) DEFINITIONS.—For purposes of this section: (1) APPROPRIATE FEDERAL BANKING AGENCY.—The term ‘‘appropriate Federal banking agency’’ means— (A) the appropriate Federal banking agency, as defined under section 3 of the Federal Deposit Insurance Act (12 U.S.C. 1813); and (B) the National Credit Union Administration, in the case of an insured credit union. (2) DEPOSITORY INSTITUTION.—The term ‘‘depository institution’’ means— (A) a depository institution, as defined under section 3 of the Federal Deposit Insurance Act (12 U.S.C. 1813); and (B) an insured credit union.

SEC. 14. DEFINITIONS.

In this Act:

(1) BUSINESS OF INSURANCE.—The term ‘‘business of insurance’’ has the meaning given such term in section 1002 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (12 U.S.C. 5481).

(2) CANNABIS.—The term ‘‘cannabis’’ has the meaning given the term ‘‘marihuana’’ in section 102 of the Controlled Substances Act (21 U.S.C. 802).

(3) CANNABIS PRODUCT.—The term ‘‘cannabis product’’ means any article which contains cannabis,  including an article which is a concentrate, an edible, a tincture, a cannabis-infused product, or a topical.

(4) CANNABIS-RELATED LEGITIMATE BUSINESS.—The term ‘‘cannabis-related legitimate business’’ means a manufacturer, producer, or any person or company that— (A) engages in any activity described in subparagraph (B) pursuant to a law established by a State or a political subdivision of a State, as determined by such State or political subdivision; and (B) participates in any business or organized activity that involves handling cannabis or cannabis products, including cultivating, producing, manufacturing, selling, transporting, displaying, dispensing, distributing, or purchasing cannabis or cannabis products.

Senate Suggestion 10 – This appears to be an unnecessarily complicated definition. It could be simplified to: “CRLB “means any person or legal entity that engages in or participates in any business or organized activity pursuant to a law established by a State or a political subdivision of a State, as determined by such State or political subdivision, that involves cultivating, producing, manufacturing, selling, transporting, displaying, dispensing, distributing, or purchasing cannabis or cannabis products.” Does the inclusion of the word “legitimate” mean that those cannabis-related businesses that are in violation of their state-licensing requirements are not covered by the SAFE Banking Act, and banks providing services to those non-legitimate cannabis-related businesses also not protected?

(5) DEPOSITORY INSTITUTION.—The term ‘‘depository institution’’ means— (A) a depository institution as defined in section 3(c) of the Federal Deposit Insurance Act (12 U.S.C. 1813(c)); (B) a Federal credit union as defined in section 101 of the Federal Credit Union Act (12 U.S.C. 1752); or (C) a State credit union as defined in section 101 of the Federal Credit Union Act (12 U.S.C. 1752).

(6) FEDERAL BANKING REGULATOR.—The term ‘‘Federal banking regulator’’ means each of the Board of Governors of the Federal Reserve System, the Bureau of Consumer Financial Protection, the Federal Deposit Insurance Corporation, the Federal Housing Finance Agency, the Financial Crimes Enforcement Network, the Office of Foreign Asset Control, the Office of the Comptroller of the Currency, the National Credit Union Administration, the Department of the Treasury, or any Federal agency or department that regulates banking or financial services, as determined by the Secretary of the Treasury.

(7) FINANCIAL SERVICE.—The term ‘‘financial service’’— (A) means a financial product or service, as defined in section 1002 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (12 U.S.C. 5481); (B) includes the business of insurance; (C) includes, whether performed directly or indirectly, the authorizing, processing, clearing, settling, billing, transferring for deposit, transmitting, delivering, instructing to be delivered, reconciling, collecting, or otherwise effectuating or facilitating of payments or funds, where such payments or funds are made or transferred by any means, including by the use of credit cards, debit cards, other payment cards, or other access devices, accounts, original or substitute checks, or electronic funds transfers; (D) includes acting as a money transmitting business which directly or indirectly makes use of a depository institution in connection with effectuating or facilitating a payment for a cannabis-related legitimate business or service provider in compliance with section 5330 of title 31, United States Code, and any applicable State law; and (E) includes acting as an armored car service for processing and depositing with a depository institution or a Federal reserve bank with respect to any monetary instruments (as defined under section 1956(c)(5) of title 18, United States Code.

Senate Suggestion 11 – See section 7, which provides, in part, “financial services and merchant processing services to businesses involved in the sale of hemp, hemp-derived CBD products, and other hemp-derived cannabinoid products.” This definition of “financial services” appears to include merchant services. Sections 7 and 14 need to be reconciled.

(8) INDIAN COUNTRY.—The term ‘‘Indian country’’ has the meaning given that term in section 1151 of title 18.

(9) INDIAN TRIBE.—The term ‘‘Indian Tribe’’ has the meaning given that term in section 102 of the Federally Recognized Indian Tribe List Act of 1994 (25 U.S.C. 479a).

(10) INSURER.—The term ‘‘insurer’’ has the meaning given that term under section 313(r) of title 31, United States Code.

(11) MANUFACTURER.—The term ‘‘manufacturer’’ means a person who manufactures, compounds, converts, processes, prepares, or packages cannabis or cannabis products.

(12) PRODUCER.—The term ‘‘producer’’ means a person who plants, cultivates, harvests, or in any way facilitates the natural growth of cannabis.

(13) SERVICE PROVIDER.—The term ‘‘service provider’’— (A) means a business, organization, or other person that— (i) sells goods or services to a cannabis-related legitimate business; or (ii) provides any business services, including the sale or lease of real or any other property, legal or other licensed services, or any other ancillary service, relating to cannabis; and (B) does not include a business, organization, or other person that participates in any business or organized activity that involves handling cannabis or cannabis products, including cultivating, producing, manufacturing, selling, transporting, displaying, dispensing, distributing, or purchasing cannabis or cannabis products.

Comment – This is an expansive definition as it includes those that sell a good or service to a CRLB that could have no connection to the actual cannabis business (e.g. is a Starbucks a “service provider” if it sells coffee to budtender?). Perhaps regulations or regulatory guidance will narrow this down.

(14) STATE.—The term ‘‘State’’ means each of the several States, the District of Columbia, Puerto Rico, and any territory or possession of the United States.

SEC. 15. DISCRETIONARY SURPLUS FUNDS.

Section 7(a)(3)(A) of the Federal Reserve Act (12 U.S.C. 289(a)(3)(A)) is amended by striking ‘‘$6,825,000,000’’ and inserting ‘‘$6,821,000,000’’.

SEC. 16. DETERMINATION OF BUDGETARY EFFECTS.

The budgetary effects of this Act, for the purpose of complying with the Statutory Pay-As-You-Go Act of 2010, shall be determined by reference to the latest statement titled ‘‘Budgetary Effects of PAYGO Legislation’’ for this Act, submitted for printing in the Congressional Record by the Chairman of the House Budget Committee, provided that such statement has been submitted prior to the vote on passage.

FinCEN’s BSA Value Project – An Effort to Provide Actionable Information for SAR Filers

Two Million SARs are Filed Every Year … But Which Ones Provide Tactical or Strategic Value to Law Enforcement?

Included in the Director’s remarks was some interesting information on an eight-month old “BSA Value Project” that may have been started because, as Director Blanco remarked, FinCEN has “heard during our discussions that there continues to be a desire for more feedback on what FinCEN is seeing in the BSA data in terms of trends [and] we need to do better SAR analysis for wider trends and typologies …”. Director Blanco noted that “We want to provide more feedback, and we will.”

There has not been much public mention of the BSA Value Project: a quick Google search shows that FinCEN’s Associate Director Andrea Sharrin introduced the BSA Value Project at a Florida International Bankers Association (FIBA) conference on March 12, 2019, and then Director Blanco described it in his August 13th remarks:

In January 2019, FinCEN began an ambitious project to catalogue the value of BSA reporting across the entire value chain of its creation and use. The project will result in a comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information to all types of consumers of that information.

We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis. The project has included hundreds of interviews with stakeholder groups, including casinos.

So far, the study has confirmed there are extensive and extremely varied uses of BSA information across all stakeholders (including by the private sector) consistent with their missions.

Almost One in Four FBI and IRS-CI Investigations Use BSA Data

Director Blanco made the following remarks on the usefulness of BSA data:

All FBI subject names are run against the BSA database. More than 21 percent of FBI investigations use BSA data, and for some types of crime, like organized crime, nearly 60 percent of FBI investigations use BSA data. Roughly 20 percent of FBI international terrorism cases utilize BSA data.

The Internal Revenue Service-Criminal Investigation section alone conducts more than 126,000 BSA database inquiries each year. And as much as 24 percent of its investigations involving criminal tax, money laundering, and other BSA violations are directly initiated by, or associated with, a BSA report.

In addition to providing controlled access to the data to law enforcement, FinCEN also proactively pushes certain information to them on critical topics. On a daily basis, FinCEN takes the suspicious activity reports and we run them through several categories of business rules or algorithms to identify reports that merit further review by our analysts.

Our terrorist financing-related business rules alone generate over 1,000 matches each month for review and further dissemination to our law enforcement and regulatory partners in what we call a Flash report. These Flash reports enable the FBI, for example, to identify, track, and disrupt the activities of potential terrorist actors. It is incredibly valuable information.

But Which BSA Filings are Providing Real Value to Law Enforcement?

There is no doubt that the (roughly) 20 million BSA reports that are filed each year provide great value to law enforcement. But questions remain about the utility of those filings, and the costs of preparing them. Some of those questions include: (i) which of those reports provide value? (ii) what kind of value is being provided – tactical and/or strategic? (iii) can financial institutions eliminate the “no value” filings and deploy those resources to higher-value filings? (iv) can financial institutions automate the preparation and filing of the low value filings and deploy those resources to the highest-value filings?

I have written a number of articles on the need for better reporting on the utility of SAR filings. Links to three of them are:

SAR Feedback 314(d) – July 30 2019

BSA Reports and Federal Criminal Cases – June 5 2019

The TSV SAR Feedback Loop – June 4 2019

Conclusion

Kudos to Director Blanco and his FinCEN team for their initiative and efforts around the BSA Value Project. The results of the Project could be a game-changer for the financial industry’s BSA/AML programs. The industry is being inundated with calls to apply machine learning and artificial intelligence to make their AML programs more effective and efficient. But if those institutions don’t know which of their filings provide value, and arguably only one in four is providing value, they cannot effectively use machine learning or AI.

The entire industry is looking forward to the results of FinCEN’s BSA Value Project!

A Better Way to Fight Money Laundering – American Banker quotes Jim Richards and Others

Jim Richards was quoted in an August 2019 American Banker article titled “Is There a Better Way to Fight Money Laundering?” by Victoria Finkel. AB Link

The article is well-researched, well-written, and accurately and fairly makes the point that there are better ways to fight money laundering, but there are impediments. Like all articles, though, the editors are required to edit, and quotes are often trimmed to fit the flow, cadence, and tone of the article.

Below are the two quotes that are in the article. I’ll add the context for each.

“Everybody in the regime wants to try to make it more efficient and effective, but everybody’s got a different definition of efficient and effective,” said Jim Richards, the former global head of financial crimes risk management for Wells Fargo and the founder of RegTech Consulting.

What was not included in the article was the next sentence, where I stated that:

“The prudential regulators are focused on safety and soundness, or how we do our jobs: conducting risk assessments, writing policies and procedures, risk rating and performing due diligence on our customers, documenting and validating the models developed for monitoring transactions, and documenting the reasons why we don’t file a suspicious activity report. Law enforcement, on the other hand, is focused on how well we do our jobs: providing timely, actionable intelligence to law enforcement in order to fight financial crime. And since it is the regulators, not law enforcement, that are examining us, our focus is rightly on compliance – how we do our jobs – and not on how well we provide intelligence to law enforcement.”

The article also quotes Greg Baer of the Bank Policy Institute, who has this take on the dilemma of being examined on how we do our jobs, not on how well we do our jobs:

“The examiners who determine compliance are not allowed to know, in all but rare cases, what becomes of the suspicious activity reports that are filed,” Baer of the Bank Policy Institute said. “So that compliance rating is driven far more by things like, are there written policies and procedures, has there been strict one hundred percent adherence to those policies and procedures, rather than the efficacy of the SARs that are filed. What that leads to is, AML is examined much the same way as any other function — through a check-box kind of approach,” Baer said. This in turns shifts the balance with regard to bank priorities, with compliance becoming the main focus. That includes an over reliance on defensive SARs and a fixation on minutiae, according to industry experts.”

John Byrne, a long-time industry expert, is also quoted:

“We have these laws for one reason and one reason alone — and that’s to get valuable data and information in the hands of law enforcement, so there can be a reaction,” said John Byrne, an expert on anti-money-laundering issues and vice chairman of AML RightSource. “When regulators are criticizing banks for being a couple of days late in a filing or putting a company on a cash reporting exemption list by error, that’s a problem.”

The next Richards quote deals with the lack of actionable feedback on the reports that are being filed:

“What the CFOs and the CEOs are saying is, what are we getting for all this money we’re pumping into the AML/BSA regime?” said Richards, the former Wells Fargo executive. “Can we produce fewer alerts and have it cost less and investigate fewer cases and file better SARs? The answer to that is maybe — but we don’t know what a better SAR is.”

We don’t know what a better SAR is because the feedback SAR filers get from regulators, law enforcement, and FinCEN is scattered and ad hoc, at best, and non-existent, at worst. I have written about the need for feedback through what I have called TSV SARs, or Tactical or Strategic Value SARs, on multiple occasions. See, for example, https://regtechconsulting.net/money-laundering-terrorist-financing-general/fincens-fy2020-report-to-congress-reveals-its-priorities-and-performance/

The American Banker article has some other excerpts that deserve mention. First is an estimate of the amount of illicit funds in the US financial system:

“The United Nations Office on Drugs and Crime estimates that as much as $2 trillion is illegally laundered around the world each year — while law enforcement reportedly catches less than 1% of that. As much as $300 billion in illicit funds make their way through the U.S. financial system in a given year, according to the Treasury Department.”

The estimate of the amount of illicit funds flowing through the US financial system is close to the amount of illicit funds reported by SAR filings!

In 2018, banks and credit unions filed ~975,000 SARs. Based on some empirical data and some conversations with BSA Officers, the average depository institution SAR reports ~$245,000. In 2018, MSBs filed ~875,000 SARs. Those average about $36,000. “Others” filed another $275,000 SARs, and I’ll guess that those averaged ~$50,000. The total? Almost $300 billion. And that doesn’t include a percentage of the 18 million Currency Transaction Reports: if the average CTR reported $20,000 and 20% of the CTRs involved illicit funds, that would add another $70 billion being reported by financial institutions. So it may not be a reporting issue at all.

So, financial institutions are reporting over $300 billion in potential illicit funds flowing through the US financial system every year. But what percentage of the total flow of funds is illicit? Based on excerpts from the 2015 and 2018 US National Money Laundering Risk Assessments, the total annual flow of funds through the two main wire transfers systems (Fedwire and CHIPS), ACH, debit cards, and cash is about $2 quadrillion dollars. So the illicit funds flowing through the US system represent about 0.0001% of the total funds. Interesting …

A second excerpt that caught my eye is the following:

“… broad AML legislation recently introduced by a bipartisan group of senators — Mark Warner, D-Va., Doug Jones, D-Ala., Tom Cotton, R-Ark., and Mike Rounds, R-S.D. — would require the Department of Justice to report annually on how frequently law enforcement agencies use Bank Secrecy Act reporting as part of their investigations.”

What is interesting is that while it would be great to have a new law to compel the Justice Department to report annually on how law enforcement is using BSA reports, there already is a law that compels the Treasury Department to report semi-annually on how law enforcement is using BSA reports, and it is not being enforced! Take a look at the USA PATRIOT Act’s section 314(d). Once again, I’ve written about this: https://regtechconsulting.net/aml-regulations-and-enforcement-actions/sar-feedback-what-ever-happened-to-section-314d/

Hopefully, this well-researched, well-written American Banker article will be well-received by everyone who has an interest in seeing the US BSA/AML regime become more effective, more efficient, and better serve the global, national, and local financial systems and financial institutions as we continue the fight against financial crime.

SAR Feedback? What Ever Happened to Section 314(d)?

Wouldn’t it be great if Treasury published a report, perhaps semi-annually, that contained a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports (SARs) and investigations conducted by federal, state, and local law enforcement agencies (to the extent appropriate) and distributed that report to financial institutions that filed those SARs?

To get Treasury to do that, though, would probably require Congress to pass a law compelling it to do so.

Hold it. Congress did pass that law.  Almost 18 years ago. And, by all accounts, it’s still on the books. What happened to those semi-annual reports? When did they begin? If they began, when did they end?

Section 314(d) – Its Origins

What became 314(d) was introduced in the House version of what became the USA PATRIOT Act. The House version, the Financial Anti-Terrorism Act, was introduced on October 3, 2001. It was marked up by the House Financial Services Committee on October 11. The Senate version, originally titled the Uniting and Strengthening America Act, or USA Act, was introduced on October 4th and had sections 314(a) (public to private sector information sharing), 314(b) (cooperation among financial institutions, or private-to-private sector information sharing), and 314(c) (“rule of construction”). There was no 314(d) in that early version.

On October 17th, HR 3004, the Financial Anti-Terrorism Act, was passed by the House 412-1. Title II was “public-private cooperation”. Section 203 was:

“Reports to the Financial Services Industry on Suspicious Financial Activities – at least once each calendar quarter, the Secretary shall (1) publish a report containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate; and (2) distribute such report to financial institutions as defined in section 5312 of title 31, US code.”

The Senate and House versions were reconciled, and on October 23rd the House Congressional Record shows a consideration of what was then the USA PATRIOT Act. That version of the bill then included what had been section 203 and was now 314(d). It was the same, except instead of a quarterly report it was a semi-annual report (“at least once each calendar quarter” was changed to “at least semiannually”).

SAR Activity Review – Was That The Answer to 314(d)?

The ABA has written, and at least one former FinCEN employee has stated that the “SAR Activity Review – Trends, Tips, and Issues” was the response to 314(d). The SAR Activity Reviews were excellent resources. They contained sections on SAR statistics, national trends and analysis, law enforcement cases, tips on SAR form preparation and filing, issues and guidance, and an industry forum. The first SAR Activity Review noted that it was published under the auspices of the BSAAG, was to be published semi-annually in October and April, and was “the product of a continuing collaboration among the nation’s financial institutions, federal law enforcement, and regulatory agencies to provide meaningful information about the preparation, use, and utility of SARs.”  Although that certainly sounds like it is responsive to section 314(d), there is no reference to 314(d).

And the first SAR Activity Review was published more than a year before 314(d) was passed. Even the first SAR Activity Review published after the enactment of the USA PATRIOT Act and section 314(d) – the 4th issue published on July 31, 2002 – didn’t make any reference to 314(d). Beginning with the 6th issue of the SAR Activity Review, published in October 2003, the authors broke out the statistics from the “Trends, Tips & Issues” document and published a separate, and more detailed, “SAR Activity Review – By The Numbers”. The last SAR Activity Review (the 23rd) and the last “By The Numbers” (the 18th) were published on April 30, 2013. None of those forty-one publications referenced 314(d). After the SAR Activity Reviews stopped, FinCEN continued to publish “SAR Statistics”, and did so three times from June 2014 through March 2017.  For the last few years, FinCEN has maintained SAR Stats on its website – https://www.fincen.gov/reports/sar-stats  – that is updated on a monthly basis. Those statistics are useful, but cannot be thought of as “containing a detailed analysis identifying patterns of suspicious activity and other investigative insights derived from suspicious activity reports and investigations conducted by federal, state, and local law enforcement agencies to the extent appropriate”, quoting the 314(d) language.

Does Anyone Know What Happened to 314(d)?

I don’t have the answer to that question. Perhaps 314(d) is seen as satisfied by the accumulation of advisories, guidance, bulletins, etc., published by FinCEN and other Treasury bureaus and agencies and departments from time to time. Perhaps there is a Treasury Memorandum out there that I’m not aware of that provides a simple explanation. Perhaps not: most BSA/AML experts I speak with are not even aware of 314(d), and if the SAR Activity Review did satisfy the spirit and intent of 314(d), the last one was published more than six years ago. But everyone in the private sector BSA/AML risk management space has been clamoring for more feedback from law enforcement and FinCEN on the effectiveness and usefulness of their SAR filings. Perhaps a renewed (or any) focus on 314(d) is the answer.  The revival of 314(d) could give FinCEN the mandate they’ve been looking for to provide more valuable information to the private sector producers of Suspicious Activity Reports. We would all benefit.

A Contempt Fine of $50,000 a Day for “Stashing Documents” But Not Producing Them

Three Chinese “multi-billion dollar banks disregarding an order to produce records or a witness essential to an investigation into a state-sponsor of terrorism’s proliferation of nuclear weapons” are hit with a fine of $50,000 for every day they refuse to comply, concluded Federal District Court Justice Beryl A. Howell in a May 15, 2019 Opinion that was only recently unsealed. Judge Howell noted that “Bank Three’s stashing documents somewhere in its facilities is not responsible to the subpoena.”

In story published June 24th – Link – the Washington Post identified the three Chinese banks as Bank of Communications, China Merchant’s Bank, and Shanghai Pudong Development Bank. This writer offers no comment on the accuracy of the Post’s claims.

This will be an interesting case, or series of cases, to follow. Titles 18 and 50 are impacted and US/Chinese relations could be impacted.

 

The original (March 18, 2019) Order is available on PACER at March 18 Order to Compel

The May 15th Order is available on PACER at May 15 Contempt Order

REAL ID Act of 2005 … REAL Beneficial Owners Act of 2019?

Can something like the REAL ID Act of 2005 be used to solve the beneficial ownership issue?

Without a national registry of beneficial ownership (BO) information, banks can collect BO information, but have no way to verify it

The REAL ID Act of 2005 compelled the 50 states to have their citizens’ state-issued identification documents meet certain minimum requirements and issuance standards … could a similar thing be done to compel the 50 states to have their state-created legal entities meet certain minimum requirements for beneficial ownership information?

The REAL ID Act of 2005 established minimum security standards for state-issued driver’s licenses and identification cards by prohibiting Federal agencies from accepting non-compliant state-issued driver’s licenses and identification cards that do not meet the Act’s minimum standards. The REAL ID Act was a way for the Federal Government to compel (sort of) the fifty states to meet certain standards for their drivers’ licenses. The Federal Government essentially told the fifty states “you have the power to issue state drivers’ licenses, and you can do what you’d like, but if you want those licenses to be used for any federal purposes, such as accessing Federal facilities, entering nuclear power plants, and, notably, boarding federally regulated commercial aircraft, then they have to meet our standards.”

The REAL ID Act’s genesis was the attacks of 9/11. It enacted recommendations from the July 2002 National Strategy for Homeland Security and the July 2004 9/11 Commission Report that the Federal Government “set standards for the issuance of sources of identification, such as driver’s licenses.” The REAL ID Act was included in the Emergency Supplemental Appropriation for Defense, the Global War on Terror, and Tsunami Relief Act of 2005 (PL 109-13, 119 Stat. 231 at 302), and the actual ID provisions are in Title II, Improved Security for Drivers’ Licenses and Personal Identification Cards, section 202, “minimum document requirements and issuance standards for federal recognition.” (Section 204 provides for grants to states to implement the document requirements and issuance standards).

The main part of section 202 provides:

REAL ID Act regulations weren’t finalized until January 2008, at which time it was clear that it would take billions of dollars and many years to get states into compliance. States were originally required to be compliant by May 2008 (the regulations weren’t published until January 2008). That deadline was extended multiple times to 2009, then 2011, then 2013, then 2015, and extended again to January 22, 2018. As of April 2018, only thirty states were compliant and the remaining twenty had obtained extensions. For those with non-compliant driver’s licenses issued by compliant states, they have until October 1, 2020 to get a compliant driver’s license.

To find out more about the REAL ID Act requirements, California’s DMV site has a good section: CA DMV on REAL ID Act

Can’t Board an Airplane … Can’t Bid on Federal Contracts

How could something like the REAL ID Act help banks with the beneficial ownership issue? Like driver’s licenses, creation of legal entities is left to each state, and (anecdotally) only three states currently require the collection and verification of beneficial ownership information.

Like they did to effectively compel the fifty states to issue individuals’ driver’s licenses that met federal standards, the federal government could pass a law that would prevent entities created in states that do not meet certain Beneficial Ownership standards from bidding on and winning federal government contracts. In other words, those states would not be compelled to collect, verify, and maintain accurate beneficial ownership information on state-incorporated legal entities, but would need to have an incorporation regime that did so if it wanted those legal entities to be able to bid on federal government contracts.

This might be a radical idea, full of legal and regulatory pitfalls. There might be dozens of reasons why it can’t work. But it might work. Or something similar could work (it doesn’t have to be about bidding on federal contracts).  But there must be something that could work. As Arthur C. Clarke wrote, “new ideas pass through three phases: it can’t be done; it probably can be done, but it’s not worth doing; I knew it was a good idea all along!”

One word of further caution. It will have taken fifteen years for all states to comply with the REAL ID Act of 2005 requirements. Hopefully it wouldn’t take states fifteen years to comply with the REAL Beneficial Owners Act of 2019.