AML Act of 2020: Renewing America’s AML/CFT Regime

Executive Summary of the AML Act of 2020

On December 3, 2020 the Senate and House jointly issued a Conference Report on the National Defense Authorization Act for Fiscal Year 2021 (the “NDAA”). The Conference Report is 4,517 pages long.[1] The NDAA contains eight divisions – Division F is the Anti-Money Laundering Act of 2020 (the “AML Act of 2020”). The House passed the NDAA on December 8th with a vote of 335-78 (out of 435 Members): the Senate passed the NDAA on December 11th with a vote of 84-13 (out of 100 Senators). The NDAA will be headed to the President’s desk, where he can sign it into law or veto it. If vetoed, both chambers have veto-proof majorities (two-thirds) and can over-ride the veto, if they choose to exercise those powers.

If signed by the President, or Congress over-rides a Presidential veto, the AML Act of 2020 will usher in the most profound changes to the U.S. anti-money laundering regime since the USA PATRIOT Act of 2001.[2] As described in more detail below, the AML Act of 2020 broadens the mission or purpose of the Bank Secrecy Act (“BSA”) to include national security; formalizes the risk-based approach for financial institutions’ compliance programs; greatly expands the duties, powers, and functions of FinCEN; aligns the regulatory agencies’ supervision and examination priorities with the expanded purposes of the BSA; increases civil and criminal penalties for violations of the BSA; calls for multiple studies and reports; and establishes a beneficial ownership information reporting regime. The result is that the US is moving from a US-focused, regulator-versus-regulated, compliance-focused regime to a global, public/private partnership focused on fighting all financial crimes.

Of note is what is not in the AML Act that should be there. What is not in the AML Act are any references to, or changes to, the laws that give duties and powers to the Federal functional regulators. What we call the Bank Secrecy Act is actually three different laws, or parts of the US Code: 12 USC s. 1829b (“retention of records by insured depository institutions”), 12 USC Part 21 (“financial recordkeeping”, sections 1951-1959), and 31 USC subchapter II (“records and reports on monetary instruments and transactions”, sections 5311-5314, 5316-5322). As explained in the following section, title 12 is “Banks & Banking” and includes the laws relating to the Federal functional regulators, and title 31 is “Money & Finance” and includes the laws relating to Treasury and FinCEN. The AML Act changes the title 31 laws (and regulations) but not the title 12 laws (and regulations) that collectively make up the BSA.[3] It remains to be seen how the title 12 regulators will be impacted, and how willing they will be to be impacted, by the title 31 changes.

Finally, whatever the impacts of the AML Act will be may not be fully realized for years. For example, the USA PATRIOT Act, which included Title III, the International Counter-Money Laundering and Anti-Terrorist Financing Act of 2001, was passed in October 2001; regulations implementing the Act were issued in 2002 and 2003; and regulatory guidance, in the form of the first FFIEC BSA/AML Exam Manual, wasn’t published until April 2005 (and that Manual was revised in 2006, 2007, 2010, and 2014 to reflect changing regulatory guidance). We can expect something similar with the AML Act of 2020: it calls for multiple studies and reports to Congress over the next two years; regulations will need to be issued over the next year to three years; the Exam Manual will need to be revised; regulators will need to be trained; and regulatory guidance will evolve.

I was pleased to see that many of the things I’ve been calling for over the years have been included in the AML Act. Most notably are the provisions relating to – even requiring – the public sector consumers of BSA reports to provide feedback to the private sector producers of BSA reports. My most recent article on what I’ve called “TSV SARs” or Tactical or Strategic Value SARs, is from October 1, 2020: Reforming the AML Regime Through TSV SARs

Background on the US Code, Code of Federal Regulations, and Regulatory Guidance

For those not familiar with how US laws and regulations work, a short primer is in order.

The Conference Report and AML Act of 2020 contain references to the United States Code (“USC”), the Code of Federal Regulations (“CFR”), and regulatory guidance such as the FFIEC BSA/AML Examination Manual.

Legislation, or laws, are set out in the United States Code, the codification by subject matter of the general and permanent laws of the United States. The U.S. Code is divided by broad subjects into 53 titles and published by the Office of the Law Revision Counsel of the U.S. House of Representatives.[4] The first six titles set out the laws relating to the functioning of the government generally. Titles 7 through 50 are alphabetical: title 7 is Agriculture, title 50 is War & National Defense. The main titles relating to anti-money laundering (AML) and countering the financing of terrorism (CFT) are:

  • Title 12 Banks & Banking – laws relating to the Federal financial regulatory agencies such as the Federal Reserve, FDIC, OCC
  • Title 18 Crimes & Criminal Procedure – criminal laws such as structuring and operating an unlicensed money transmitter
  • Title 26 – Internal Revenue Code – tax-related crimes and some BSA-related forms such as the Form 8300 (reporting cash received by a trade or business)
  • Title 31 Money & Finance – the Bank Secrecy Act is part of title 31: subchapter II, sections 5311 – 5322. The AML Act of 2020 adds sections 5333-5336 to subchapter II
  • Title 50 War & National Defense – U.S. sanctions laws administered by OFAC are in this title.[5]

Laws are described by the title and the section: 31 USC s. 5311, for example, is the “purpose” section of the laws known as the BSA that are codified in title 31.

Where laws generally describe “what” Congress has enacted, how those laws are implemented and enforced are set out in regulations issued by the appropriate executive branch agency or department, such as the Treasury Department and the Federal financial regulators. Regulations are set out in the Code of Federal Regulations. The OCC’s regulations are set out in Part 21 of title 12 of the Code of Federal Regulations – 12 CFR Part 21 – while FinCEN’s regulations are set out in Part X of title 31 of the Code of Federal Regulations – 31 CFR Part X.[6]

Regulations provide the “how” and follow the “what” of the law: an example of laws and corresponding regulations is 31 USC s. 5318(h), the law that requires all financial institutions to have AML/CFT programs, and its implementing regulation at 31 CFR s. 1020.200, the general program requirements for banks.

All of the Federal functional regulators and FinCEN issue what is called “supervisory guidance” to set out their expectations or priorities. For AML and CFT purposes, this supervisory guidance has been collected and compiled by the Federal Financial Institutions Examination Council, or FFIEC, into an examination manual that includes their collective guidance to their examiners on AML and CFT laws, regulations, and expectations. It is available at https://bsaaml.ffiec.gov. Although this guidance does not create enforceable requirements – those requirements are in the laws and regulations – the guidance does shape how financial institutions design, build, maintain, and update their programs, and how auditors and examiners test and examine those programs.

Explanation of this Summary of the AML Act of 2020

As set out above, the Conference Report for the NDAA is over 4,500 pages long. The AML Act of 2020, Division F of the NDAA, is at pages 2,843 – 3,078 (it is 235 pages long). The AML Act of 2020 is made up of 56 sections in five titles.[7] Sections 6001-6003 set out the title of the act, its purposes, and definitions of key terms. Following those three introductory sections are the five titles:

  • Title LXI – Strengthening Treasury Financial Intelligence, Anti-Money Laundering, and Countering the Financing of Terrorism Programs (sections 6101-6112)
  • Title LXII – Modernizing the Anti-Money Laundering and Countering the Financing of Terrorism System (sections 6201-6216)
  • Title LXIII – Improving Anti-Money Laundering and Countering the Financing of Terrorism Communication, Oversight, and Processes (sections 6301-6314)
  • Title LXIV – Establishing Beneficial Ownership Information Reporting Requirements (sections 6401-6403)
  • Title LXV – Miscellaneous (sections 6501-6511)

Scattered throughout many of the titles and sections are changes to particular aspects of, or themes of, the current AML/CFT regime. This summary, therefore, is arranged by those aspects or themes rather than going through the fifty-six sections and five titles in order. Text appearing in red font indicates a change or addition to language in laws or regulations: the intent is for the reader to see what has been added (or, in one case, taken away) from existing laws or regulations.

This is by no means a complete review, assessment, analysis, and commentary on the AML Act of 2020. However, I trust it is a good primer for those interested in contributing to the discussion around, and efforts to promote, a more effective, efficient, courageous, compassionate, and inclusive public and private sector effort at mitigating and, to the extent possible, eliminating money laundering, terrorist financing, and other financial crimes.

Purposes of the Anti-Money Laundering Act of 2020

Section 6202 of the AML Act describes the purposes of the Act. The full text of this section is set out below:

  • to improve coordination and information sharing among the agencies tasked with administering anti-money laundering and countering the financing of terrorism requirements, the agencies that examine financial institutions for compliance with those requirements, Federal law enforcement agencies, national security agencies, the intelligence community, and financial institutions;
  • to modernize anti-money laundering and countering the financing of terrorism laws to adapt the government and private sector response to new and emerging threats;
  • to encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism;
  • to reinforce that the anti-money laundering and countering the financing of terrorism policies, procedures, and controls of financial institutions shall be risk-based;
  • to establish uniform beneficial ownership information reporting requirements to (A) improve transparency for national security, intelligence, and law enforcement agencies and financial institutions concerning corporate structures and insight into the flow of illicit funds through those structures; (B) discourage the use of shell corporations as a tool to disguise and move illicit funds; (C) assist national security, intelligence, and law enforcement agencies with the pursuit of crimes; and (D) protect the national security of the United States; and
  • to establish a secure, nonpublic database at FinCEN for beneficial ownership information.

The Conference Report (at page 4,456 of the 4,517-page report) included some interesting language on the purposes of the Act:

“One overarching improvement now included in the conference agreement is to broaden the mission of the BSA to specifically safeguard national security as well as the more traditional investigatory pursuits of law enforcement … Currently, there is no clear statutory mandate for BSA stakeholders – law enforcement, financial regulators, and financial institutions – to provide routine, standardized feedback to one another for the purpose of improving the effectiveness of BSA AML programs … [and there is a] clear mandate for innovation.”

Changes to the Purpose of the Bank Secrecy Act – 31 USC s. 5311

The additions to the “purpose” section of the BSA may be the single biggest change to the current AML/CFT regime. As set out below, section 5311 of title 31 is the declaration of purpose. From 1970 through 2001, that purpose was simply “to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations, or proceedings.” The USA PATRIOT Act of 2001 added a clause relating to international terrorism: the amended section provided that the purpose was “to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations, or proceedings, or intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”

As can be seen below, the original (post-2001) purpose has been changed in three ways. First, changing reports “where they have a high degree of usefulness” to reports “that are highly useful”. [8] Second, those reports are now to be used in regulatory risk assessments. And third, it appears that BSA reports are intended for all terrorism purposes, not just international terrorism (domestic and international). The new section 5311 declaration adds four new purposes: strong private sector programs, tracking dirty money, conduct national risk assessments to protect the financial system and national security generally, and to encourage public private sector information sharing. And note the language in subsection (5) where “service providers” has been added, a recognition of the growing regtech/fintech industry. The Declaration of Purpose now provides that:

It is the purpose of this subchapter (except section 5315) to –

  1. require certain reports or records [struck: where they have a high degree of usefulness] that are highly useful in – (A) criminal, tax, or regulatory investigations, risk assessments, or proceedings; or (B) intelligence or counterintelligence activities, including analysis, to protect against international terrorism;
  2. prevent the laundering of money and the financing of terrorism through the establishment by financial institutions of reasonably designed risk based programs to combat money laundering and the financing of terrorism;
  3. facilitate the tracking of money that has been sourced through criminal activity or is intended to promote criminal or terrorist activity;
  4. assess the money laundering, terrorism finance, tax evasion, and fraud risks to financial institutions, products, or services to – (A) protect the financial system of the United States from criminal abuse; and (B) safeguard the national security of the United States; and
  5. establish appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities to identify, stop, and apprehend money launderers and those who finance terrorists.

Changes to the AML/CFT Program Requirements – 31 USC s. 5318(h)

Section 5318 of title 31 is the catch-all “compliance” section of the BSA. In addition to the SAR reporting requirements in subsection 5318(g), and the Customer Identification Program requirements in subsection 5318(l), this section has the requirements for financial institutions’ AML/CFT programs in subsection 5318(h).

Subsection (h)(1) is the so-called “four pillars” or minimum requirements of a program: “In order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs, including, at a minimum –

(A) the development of internal policies, procedures, and controls;

(B) the designation of a compliance officer;

(C) an ongoing employee training program; and

(D) an independent audit function to test programs.”

Subsection (h)(1) is changed to reflect the CFT aspects of the regime. It now requires financial institutions to “establish AML and countering the financing of terrorism programs in order to guard against money laundering and the financing of terrorism”. The minimum standards, or “four pillars”, did not change.

Perhaps this was a lost opportunity to reconcile the four pillar program requirements in 31 USC s. 5318(h) with the five pillar program requirements in 31 CFR s. 1010.210 and with the four pillar program requirements in 12 CFR s. 21.21.[9]

Subsection (h)(2) gives the Treasury Secretary the power to prescribe rules (regulations) for the AML program standards. This subsection is dramatically altered with the addition of factors that the Secretary shall take into consideration. And a new subsection, (h)(4), is added that sets out a new requirement that the Government shall establish national priorities, updated every four years, that need to be incorporated into institutions’ AML/CFT programs and, notably, how those national priorities are incorporated will be examined by the regulatory agencies:

(h)(2)(B) – Factors that the Secretary shall take into account when prescribing minimum standards and regulators shall take into account in supervising and examining: (i) financial institutions are spending private funds for public and private benefit; (ii) key policy goals of the US are extending financial services to the underbanked and facilitating global remittances while preventing criminals from abusing the system; (iii) effective AML and CFT programs safeguard national security and generate public benefit; (iv) AML and CFT programs should be (I) “reasonably designed to assure and monitor compliance with the requirements of this subchapter and regulations promulgated under this subchapter; and (II) risk-based, including that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.”

(h)(4) – Priorities: (A) within 180 days the Government shall establish AML and CFT priorities; (B) those priorities will be renewed every 4 years; (C) these priorities will be aligned with national security priorities; (D) FinCEN will promulgate regulations within 180 days of (A); (E) financial institutions shall incorporate those priorities into their AML/CFT programs and will be supervised and examined thereon.

Changes to FinCEN’s Duties, Powers, and Scope – 31 USC s. 310

Part 3 of title 31 sets out the organization, function, powers, and duties of the Treasury Department generally, and each of the bureaus or divisions within the Treasury Department. Section 310 of Part 3 is the section for the Financial Crimes Enforcement Network, or FinCEN.

As can be seen below, the duties and powers of the FinCEN director set out in section 310(b) have been greatly expanded. The current subsection has nine duties – (A) through (I) – and a catch-all (J). That catch-all has been moved down to (O) as five new duties and powers have been added – (J) through (N):

(A) Provide advice and make recommendations to the Under Secretary for Enforcement

(B) Maintain a government-wide database of BSA reports

(C) Analyze and disseminate intel from that database

(D) Maintain a communications center for law enforcement

(E) Furnish research, analytical, and informational services to the private and public sectors

(F) Assist law enforcement and regulators in combatting informal value transfer systems

(G) Support the tracking of foreign assets

(H) Coordinate with foreign FIUs

(I) Administer the requirements of the BSA

(J) Promulgate regulations to implement the exam and supervision priorities of BSA/AML programs

(K) Communicate regularly with the private sector, regulators, and law enforcement to explain the Government’s AML/CFT exam and supervision priorities

(L) Give and receive feedback to and from the private sector and State bank and credit union supervisors

(M) Maintain money laundering and terrorist financing experts to support federal civil and criminal investigations

(N) Maintain emerging technology experts

(O) Such other duties and powers as the Secretary may delegate

Subsection 310(c), on FinCEN’s requirements relating to maintenance and use of its data banks, did not change. However, the AML Act added seven new subsections that greatly expand FinCEN’s purpose, reach, authority, and staffing/budget:

  • 310(d) – FinCEN Exchange (added by s. 6103, which (i) codifies in the statute the Exchange that FinCEN established two years ago; and (ii) requires FinCEN to report to Congress on the effectiveness of the Exchange within one year then once every two years for five years)
  • 310(e) – Special hiring authority for terrorism and intel (added by s. 6105, this gives both FinCEN and its parent agency, the Office of Terrorism and Financial Intelligence, or OTFI, the ability to make certain hires without going through the usual federal government steps. Like section 6305, FinCEN and OTFI must report to Congress within a year)
  • 310(f) – adds at least 6 FinCEN Domestic Liaisons (added by s. 6107)
  • 310(g) – adds Chief of Domestic Liaison (added by s. 6107, which creates a Deputy Director of Domestic Liaison reporting to the FinCEN Director, with an Office of Domestic Liaison located in Washington DC. The six Domestic Liaisons will report regionally, and can be co-located with Federal Reserve offices, as needed. Same requirements to report to Congress.)
  • 310(h) – adds at least 6 Foreign FIU Liaisons (added by s. 6108, these positions will be similar to Treasury attaches and will work with Egmont and FATF)
  • 310(i) – FOIA protection of information shared with international FIUs (added by s. 6109)
  • 310(j) – requires analytical experts for FinCEN’s “Analytical Hub” (added by s. 6304)
  • 310(l) – Appropriation for FY2021 of $136 million, adding $10 million by s. 6509

In addition to the changes set out in 31 USC s. 310, the AML Act added some general provisions. Section 6203(a) of the AML Act provides that FinCEN shall solicit feedback from a cross section of BSA Officers on their financial institution’s SARs and trends observed by FinCEN, and FinCEN will provide that information to the institution’s regulator. Section 6203(b) of the AML Act requires that FinCEN shall periodically disclose to each financial institution, in summary form, information on SARs filed that proved useful to law enforcement and to DOJ. And section 6208 creates a new position of BSA Innovation Officer reporting directly to the Director of FinCEN (similar positions for the Federal functional regulators).

Other Changes to the Bank Secrecy Act – 31 USC Subchapter II, ss. 5311 – 5322

31 USC s. 5321 Civil Penalties – section 6309 adds new subsection 31 USC 5321(f) and provides for enhanced or additional penalties for repeat offenders of 3x the profit gained or loss avoided as a result of the violation or 2x the maximum penalty. Section 6310 adds new subsection 31 USC 5321(g) and bans those who have committed “egregious violations”, defined as criminal convictions where the maximum sentence is more than one year and civil violations where the individual willfully committed the violation and the violation facilitated money laundering or terrorist financing, from serving on a financial institution board for ten years.

Section 6312 adds subsection 31 USC s. 5322(e) to the criminal penalties section. It requires the return of any profit gained by reason of the criminal violation and, if the offender was a partner, director, officer, or employee, they must repay the institution any bonus paid during the calendar year in which the violation occurred or the year thereafter. I expect there to be some questions raised about this subsection around why the offending institution is re-paid bonuses, and situations where directors are not paid bonuses (they rarely are).

Expanded Whistleblower Awards and Protections – 31 USC s. 5323

Section 6314 extensively altered and expanded the whistleblower section of title 31. The current section only allows for “informants” to receive rewards of between $12,500 and $150,000, and there is nothing in the section about protecting informants (whistleblowers) from retaliation. This new section increases the rewards to up to 30% of the penalty, and includes detailed provisions on protecting whistleblowers.

Modernizing the AML/CFT System Generally

Title LXII (sections 6201 – 6216) and title LXV (sections 6502 – 6508) collectively are intended to, and do, modernize the AML/CFT system.

  • 6201 – The Attorney General shall report annually on the use of BSA reports, including whether the reports contain “actionable information” that leads to further proceedings by law enforcement, intelligence community, or national security; and extent to which arrests, indictments, convictions result. Note the term “actionable information”: is it different from information that provides a “high degree of usefulness” (the current language of section 5311) or is “highly useful” (the new language of section 5311)?
  • Sections 6204, 6205 call for a review of the contents, forms, and thresholds of CTRs and SARs. I have argued against raising the SAR or CTR thresholds.[10]
  • Section 6209 adds 31 USC 5318(o) – a review of whether and how Model Validation applies to AML/CFT. Following that review, the new standards would be put into a regulation and incorporated in the FFIEC BSA/AML Examination Manual. This could be an impactful change: the current pedantic application of strict model validation requirements is a drain and distraction on effective financial crime programs. As I recently wrote:

Revising existing model-risk-management guidance to AML systems assumes there is existing model-risk-management guidance to AML systems. But there isn’t any such guidance. The model risk management guidance – from 2000 and revised in 2011 – was never intended to be applied against AML systems. None of the five editions of the FFIEC Exam Manual, the four after the original 2000 guidance and the one following the 2011 revision of the guidance, make any reference to the model risk management guidance. If AML systems are to be subject to strict model governance, then that governance must be set out in binding regulation subject to public review and comment. And AML systems should not be subject to the same strict model governance requirements as Value-At-Risk models, liquidity models, or even consumer lending models. Nothing has more adversely impacted the ability of large financial institutions to fight financial crime, human trafficking, kleptocracy, nuclear proliferation, etc., as the strict, pedantic, dogmatic application of model risk governance. [11]

  • Section 6213 adds 31 USC s. 5318(p), thereby codifying the October 2018 interagency statement on sharing BSA resources
  • Section 6214 encourages information sharing and Public/Private Partnerships, and requires the Secretary to convene a supervisory team of agencies, private sector experts, etc., to examine strategies to increase such cooperation.
  • Section 6215 requires the GAO to publish a de-risking analysis within one year, followed by a strategy from the Secretary one year thereafter. This section includes a definition of de-risking: “actions taken by a financial institution to terminate, fail to initiate, or restrict a business relationship with a customer, or a category of customers, rather than manage the risk associated with that relationship consistent with risk-based supervisory or regulatory requirements, due to drivers such as profitability, reputational risk, lower risk appetites of banks, regulatory burdens or unclear expectations, and sanctions regimes.”
  • Section 6216 requires a review of regulations and guidance within one year.
  • Title LXV calls for multiple GAO and Treasury studies:
    • Study on beneficial ownership information reporting requirements (section 6502 and both GAO and Treasury shall report separately within two years),
    • Study on feedback loops (section 6503 and GAO to report within eighteen months),
    • Study on CTRs (section 6504 and GAO to report no later than December 31, 2025)[12],
    • Study on trafficking networks (section 6505 and GAO to report within one year),
    • Study on trade-based money laundering (TBML) (section 6506 and Treasury to report within one year)[13],
    • Study on money laundering by China (section 6507 and Treasury to report within one year), and
    • Study on the efforts of authoritarian regimes to exploit the financial system of the US (Treasury and Justice to conduct the study within one year and report within two years).
  • Section 6305 is an assessment of (actually, it contemplates the creation of) BSA No-Action Letters. Within 180 days of the passage of the Act, the Director must report to the House Financial Services Committee and the Senate Banking Committee on (i) whether to establish a process to issue no-action letters in response to inquiries on the application of the BSA or any AML/CFT law or regulation to specific conduct, including a request for a statement as to whether FinCEN or any relevant Federal functional regulator intends to take an enforcement action against the person with respect to such conduct. This would be a major change. Since 1987 FinCEN has had an “Administrative Ruling” regime, whereby a financial institution may submit an Administrative Ruling request seeking FinCEN’s interpretation of a particular BSA regulation to the facts set out in the request. FinCEN’s response, the Administrative Ruling itself, has precedential value and may be relied upon by others similarly situated only if the ruling is published on FinCEN’s website. According to a notice published in the Federal Register on December 11, 2020, FinCEN received 98 Administrative Ruling requests from 2018-2020. According to FinCEN’s website, it only published 5 of those 98 requests (so 93 of the 98 are not of value to other institutions). And it takes months, sometimes years, for FinCEN to issue these rulings. For all of these reasons, a “No Action Letter” regime may be more effective than the current Administrative Ruling regime.

Changes to the Reporting of Suspicious Transactions – 31 USC s. 5318(g)

Reporting of suspicious transactions, or Suspicious Activity Reports (SARs), is set out in subsection (g) of section 5318. The AML Act changes the SAR regime in a number of ways, including:

5318(g)(1) – gives the Secretary the ability to issue regulations to require financial institutions to report suspicious transactions.

(g)(2) – Notification Prohibited – A filing financial institution and any officer, director, or employee of a filing financial institution cannot notify or disclose to any person involved in a reported suspicious transaction that the transaction has been reported or otherwise reveal any information that would reveal that the transaction has been reported (this language was added by section 6212 and codifies what was in the regulation and regulatory guidance).

(g)(3) – Liability for disclosure of SAR

(g)(4) – Single designee for SARs (FinCEN)

(g)(5) – Establish streamlined, including automated, processes to, as appropriate, permit the filing of noncomplex categories of SARs (added by section 6202, this is similar to provisions that were in FinCEN’s September 16, 2020 Advance Notice of Proposed Rulemaking)

(g)(6) – FinCEN shall share threat pattern and trend information at least semiannually to provide meaningful information about the preparation, use, and value of BSA reports. It shall include typologies, including data that can be adapted in algorithms, if appropriate on emerging money laundering and terrorist financing threat patterns and trends (added by s. 6206, this appears to compel FinCEN to go back to its semi-annual SAR Activity Reports, which were discontinued in 2013)

(g)(7) – Rules of construction (added by s. 6206)

(g)(8) – Pilot program within one year to allow a US financial institution to share SAR-related information with its foreign branches and affiliates (added by s. 6212, this would close an anomaly in the law and regulation, where foreign banks operating in the United States could share SAR information with their home-country head office, but US banks could not share SAR information with their foreign branches and affiliates. There was an exception: prohibited jurisdictions are China and Russia, any state sponsor of terrorism, any jurisdiction subject to sanctions, and any jurisdiction determined by the Secretary that cannot reasonably protect the security and confidentiality of such information).

New Sections Have Been Added to the BSA (subchapter II of Title 31)

  1. 5333 – Safe harbor for “Keep Open Directives” (added by s. 6306, this section would require law enforcement to notify FinCEN of any “keep open request” made of a financial institution to keep an account “or transaction” open. Financial institutions are not required to comply)
  2. 5334 – Required annual training for Federal financial regulators’ examiners (added by s. 6307, one would have assumed that examiners would be required to be trained on the regulatory requirements they are examining. This new section requires annual training, and the training is to be done in consultation with FinCEN and all levels of law enforcement – federal, state, tribal, and local.)
  3. 5335 – Penalties for concealing PEPs’ source of funds (added by s. 6313, this new section applies to PEPs or Senior Foreign Political Figures where the aggregate value of monetary transactions is not less than $1 million and the transaction(s) affect(s) interstate or foreign commerce. It provides that no person shall knowingly conceal, falsify, or misrepresent, or attempt to do so, a material fact concerning the ownership or control of assets involved in a monetary transaction. And, if the transaction(s) involve(s) an entity found to be of primary money laundering concern under section 5318A, the same person cannot conceal the source of funds. This section will be complex to administer.)
  4. 5336 – Beneficial Ownership Information Reporting requirements (added by s. 6403 – see below)

Two New BSAAG Subcommittees

Section 1564 of the Annunzio-Wylie AML Act of 1992 created the BSA Advisory Group (BSAAG). The AML Act of 2020 adds two subcommittees: the Subcommittee on Innovation and Technology added by s. 6207 (adding subsection 1564(d)) and the Subcommittee on Information Security & Confidentiality added by s. 6302 (adding subsection 1564(e)). Both subcommittees have a five-year “sunset” clause, or terminate in five years, unless the Secretary renews them for as many one-year terms as the Secretary chooses. The mandate of the Subcommittee on Innovation and Technology is to study and make recommendations on how to “most effectively encourage and support technological innovation [and reduce] obstacles to innovation that may arise from existing regulations, guidance, and examination practices.” This subcommittee will also include the BSA Innovation Officers authorized by section 6208.

New Beneficial Ownership Information Reporting Requirements

The New Requirements

Title LXIV – sections 6401-6403 adds 31 USC s. 5336

Section 6402 is the “Sense of Congress” section. That section provides, in part, that the beneficial ownership information “will be directly available only to authorized government authorities” and the database is intended to be “highly useful to national security, intelligence, and law enforcement agencies and Federal functional regulators”. There is no mention of making the information directly available to financial institutions or even having it benefit financial institutions. As seen from Congressman McHenry’s comments (see Appendix A), that was the intent: the registry is quite limited.

Under the AML Act:

  • Beneficial Owner is defined as an individual who directly or indirectly exercises substantial control or owns or controls not less than 25%.
  • Reporting Company is defined as not including companies with more than 20 FTE, more than $5 million in gross revenues, and with an operating presence in the United States.
  • Existing companies have two years to report. New companies shall report at the time of formation. Changes in beneficial ownership must be reported within a year.
  • Financial institutions can only query the database about a company with the consent of that company. The existing beneficial ownership rule of May 11, 2016 will be brought into conformance with this section within a year.

Why were the beneficial ownership registry provisions watered down so much? The answer to that question could be found in comments made by Congressman Patrick McHenry (R. NC 10). His floor comments from December 8, 2020, as captured in the House Congressional Record, are included in Appendix A. His comments bear particular weight, as Congressman McHenry is the Ranking Member on the House Financial Services Committee.

The Impact on the Current Beneficial Ownership Rule

Congressman McHenry commented that this new reporting rule “rescinds the current beneficial ownership reporting regime set out in 31 CFR 1010.230 (b)–(j), which is costly and burdensome to small businesses.” However, it may not be as cut-and-dried as he states. The section that Rep. McHenry is referring to is 6403(d). That section provides:


(1) IN GENERAL. – Not later than 1 year after the effective date of the regulations promulgated under section 5336(b)(4) of title 31, United States Code, as added by subsection (a) of this section, the Secretary of the Treasury shall revise the final rule entitled “Customer Due Diligence Requirements for Financial Institutions” (81 Fed. Reg. 29397 (May 11, 2016)) to –

(A) bring the rule into conformance with this division and the amendments made by this division;

(B) account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336, and provided in the form and manner prescribed by the Secretary, in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law; and

(C) reduce any burdens on financial institutions and legal entity customers that are, in light of the enactment of this division and the amendments made by this division, unnecessary or duplicative.


(A) IN GENERAL. – In carrying out paragraph (1), the Secretary of the Treasury shall rescind paragraphs (b) through (j) of section 1010.230 of title 31, Code of Federal Regulations upon the effective date of the revised rule promulgated under this subsection.

(B) RULE OF CONSTRUCTION. – Nothing in this section may be construed to authorize the Secretary of the Treasury to repeal the requirement that financial institutions identify and verify beneficial owners of legal entity customers under section 1010.230(a) of title 31, Code of Federal Regulations.

(3) CONSIDERATIONS. – In fulfilling the requirements under this subsection, the Secretary of the Treasury shall consider—

(A) the use of risk-based principles for requiring reports of beneficial ownership information;

(B) the degree of reliance by financial institutions on information provided by FinCEN for purposes of obtaining and updating beneficial ownership information;

(C) strategies to improve the accuracy, completeness, and timeliness of the beneficial ownership information reported to the Secretary; and

(D) any other matter that the Secretary determines is appropriate.

The result of this is that the Secretary shall rescind the current beneficial ownership rule but can replace it with a rule that is similar, if not identical to the current beneficial ownership rule. The current beneficial ownership rule provides financial institutions with more information on more legal entities sooner and requires them to use that information for not only onboarding due diligence, including customer risk rating, but ongoing due diligence (investigations of potential suspicious activity). It also gives financial institutions immediate access to existing legal entities’ beneficial ownership information where those entities open new accounts. This new beneficial ownership information registration requirement only includes the smallest legal entities, existing legal entities have two years to provide their owners’ information, and, most importantly, financial institutions have limited access to the registry as they need their customer’s approval to access the customer’s information. The differences between the existing rule and new law are recognized in subsection (B), which directs the Secretary to “account for the access of financial institutions to beneficial ownership information filed by reporting companies under section 5336 … in order to confirm the beneficial ownership information provided directly to the financial institutions to facilitate the compliance of those financial institutions with” AML, CFT, and CDD requirements.

Division H – Other Matters, Title XCVII, Subtitles A, B

  • Subtitle A – Kleptocracy Asset Recovery Rewards Act
  • Subtitle B – Combating Russian Money Laundering Act

Appendix A – Corporate Transparency Act – Congressional Comments

House Congressional Record from December 8, 2020 CREC-2020-12-08-pt1-PgH6919-3.pdf (congress.gov) at pages H6932-6933 (bold red font has been added for emphasis, and the footnote has been added from the original text):

Mr. MCHENRY. Mr. Speaker, I rise in support of the conference report to the National Defense Authorization Act for fiscal year 2021. Combating illicit finance and targeting bad actors is a nonpartisan issue. However, Congress’ actions must be thoughtful and data driven. An example of this is H.R. 2514, the COUNTER Act, which is included in this conference report. Division G is a compilation of bipartisan policies that will modernize and reform the Bank Secrecy Act and anti-money laundering regimes. These policies will strengthen the Department of Treasury’s financial intelligence, anti-money laundering, and counter terrorism programs.

I would like to thank Chairman CLEAVER and Ranking Member STIVERS for their work on this bill and the language included in Division G. In addition to Division G, the conference report contains an amendment replacing the text of H.R. 2513, the Corporate Transparency Act, with new legislation. H.R. 2513, which passed the House on October 22, 2019, and again as an amendment to H.R. 6395 on July 21, 2020, attempted to establish a new beneficial ownership information reporting regime to assist law enforcement in tracking down terrorists and other bad actors who finance terrorism and illicit activities. But, it did so to the detriment of America’s small businesses.

Beneficial ownership information is the personally identifiable information (PII) on a company’s beneficial owners. This information is currently collected and held by financial institutions prior to a company gaining access to our financial system.

However, bad actors and nation states, such as China and Russia, are becoming more proficient in using our financial system to support illicit activity. As bad actors become more sophisticated, so too must our tools to deter and catch them. One such tool is identifying the beneficial owners of shell companies, which are used as fronts to launder money and finance terrorism or other illicit activity. Beneficial ownership information assists law enforcement to better target these bad actors.

Although well-intentioned, H.R. 2513 had numerous deficiencies in its reporting regime. First, H.R. 2513 placed numerous reporting and costly reporting requirements on small businesses. It lacked protections to properly protect small businesses’ personal information stored with a little-known government office within the Department of Treasury—known as FinCEN. The bill authorized access to this sensitive information without any limitation on who could access the information and when it could be accessed. Finally, it failed to hold FinCEN accountable for its actions.

The text of H.R. 2513 is replaced with new language that I negotiated, along with Senate Banking Committee Chairman CRAPO. This substitute, which is reflected in Division F of the conference report, is a significant improvement over the House-passed bill in three key areas.

First, Division F limits the burdens on small businesses. Unlike H.R. 2513, the language included in the conference report protects our nation’s small businesses. It prevents duplicative, burdensome, and costly reporting requirements for beneficial ownership data from being imposed in two ways. It rescinds the current beneficial ownership reporting regime set out in 31 CFR 1010.230 (b)–(j), which is costly and burdensome to small businesses. Rescinding these provisions ensures that it cannot be used in a future rule to impose another duplicative, reporting regime on America’s small businesses. In addition, Division F requires the Department of Treasury to minimize the burdens the new reporting regime will have on small businesses, including eliminating any duplicative requirements.

House Republicans ensured the directive to minimize burdens on small businesses is fulfilled. Division F directs the Secretary of the Treasury to report to the House Committee on Financial Services and the Senate Committee on Banking annually for the first three years after the new rule is promulgated. The report must assess: the effectiveness of the new rule; the steps the Department of Treasury took to minimize the reporting burdens on reporting entities, including eliminating duplicative reporting requirements, and the accuracy of the new rule in targeting bad actors. The Department of Treasury is also required to identify the alternate procedures and standards that were considered and rejected in developing its new reporting regime. This report will help the Committees understand the effectiveness of the new rule in identifying and prosecuting bad actors. Moreover, it will give the Committees the data needed to understand whether the reporting threshold is sufficient or should be revised.

Second, Division F includes the strongest privacy and disclosure protections for America’s small businesses as it relates to the collection, maintenance, and disclosure of beneficial ownership information. The new protections set out in Division F ensure that small business beneficial ownership information will be protected just like an individual’s tax return information. The protections in Division F mirror or exceed the protections set out in 26 U.S.C. 6103, including:

  1. Agency Head Certification. Division F requires an agency head or designee to certify that an investigation or law enforcement, national security or intelligence activity is authorized and necessitates access to the database. Designees may only be identified through a process that mirrors the process followed by the Department of Treasury for those designations set out in 26 U.S.C. 6103.
  2. Semi-annual Certification of Protocols. Division F requires an Agency head to make a semi-annual certification to the Secretary of the Treasury that the protocols for accessing small business ownership data ensure maximum protection of this critically important information. This requirement is non-delegable.
  3. Court authorization of State, Local and Tribal law enforcement requests. Division F requires state, local and tribal law enforcement officials to obtain a court authorization from the court system in the local jurisdiction. Obtaining a court authorization is the first of two steps state, local and tribal governments must take prior to accessing the database. Separately, state, local and tribal law enforcement agencies must comply with the protocols and safeguards established by the Department of Treasury.
  4. Limited Disclosure of Beneficial Ownership Information. Division F prohibits the Secretary of Treasury from disclosing the requested beneficial ownership information to anyone other than a law enforcement or national security official who is directly engaged in the investigation.
  5. System of Records. Division F requires any requesting agency to establish and maintain a system of records to store beneficial ownership information provided directly by the Secretary of the Treasury.
  6. Penalties for Unauthorized Disclosure. Division F prohibits unauthorized disclosures. Specifically, the agreement reiterates that a violation of appropriate protocols, including unauthorized disclosure or use, is subject to criminal and civil penalties (up to five years in prison and $250,000 fine).

Third, Division F contains the necessary transparency, accountability and oversight provisions to ensure that the Department of Treasury promulgates and implements the new beneficial ownership reporting regime as intended by Congress. Specifically, Division F requires each requesting agency to establish and maintain a permanent, auditable system of records describing: each request, how the information is used, and how the beneficial ownership information is secured. It requires requesting agencies to furnish a report to the Department of Treasury describing the procedures in place to ensure the confidentiality of the beneficial ownership information provided directly by the Secretary of the Treasury.

Separately, Division F requires two additional audits. First, it directs the Secretary of Treasury to conduct an annual audit to determine whether beneficial ownership information is being collected, stored and used as intended by Congress. Separately, Division F directs the Government Accountability Office to conduct an audit for five years to ensure that the Department of Treasury and requesting agencies are using the beneficial ownership information as set out in Division F. This is the same audit that GAO conducts as it relates to the Department of Treasury’s collection, maintenance and protection of tax return information. This information will ensure that Congress has independent data on the efficacy of the reporting regime and whether confidentiality is being maintained.

Division F also requires the Department of Treasury to issue an annual report on the total number of court authorized requests received by the Secretary to access the database. The report must detail the total number of court authorized requests approved and rejected and a summary justifying the action. This report to Congress will ensure the Department of Treasury does not misuse its authority to either approve or reject court authorized requests.

Finally, Division F requires the Director of FinCEN, who is responsible for implementing this reporting regime, to testify annually for five years. This testimony is critical. For far too long FinCEN has evaded any type of congressional check on its activities. Yet, it has amassed a great deal of authority. Now, Congress will shine a light on its operations. It is my expectation that FinCEN will provide Congress with hard data on its effectiveness in targeting bad actors, including the effectiveness of this new authority to collect, maintain, and use beneficial ownership information.

One final comment about the importance of FinCEN’s annual testimony. In the months leading up to the House’s consideration of H.R. 2513 last October, I sought data from FinCEN and from the Treasury Department, along with the Department of Justice, to better understand the need for this legislation. No such data was forthcoming. Rather, FinCEN gave anecdotes of very scary stories to justify the need for a new reporting regime. It is my expectation that FinCEN will provide Congress with the necessary data to justify this new reporting regime and the burdens it is placing on legitimate companies. I will conclude by thanking Chairwoman MALONEY for her work over the last twelve years on this issue and her willingness to work with me to strengthen this bill. I believe we have a better product. I urge my colleagues to support the conference agreement.


[1] https://docs.house.gov/billsthisweek/20201207/CRPT-116hrpt617.pdf

[2] The NDAA has broad, bipartisan support in both the House and the Senate. If the President vetoes the bill, as he has threatened to do, Congress can override the veto with a two-thirds super-majority vote in both chambers. More than two-thirds of the members of each chamber voted in favor of that chamber’s version of the bill. The Conference Report is the agreed-upon reconciliation of the two versions.

[3] See footnote 7 for an example of this anomaly of changing the title 31 laws and regulations but not the corresponding title 12 laws and regulations.

[4] US laws are available at https://uscode.house.gov

[5] In an article I published on October 28, 2019, I referred to the sometimes conflicting nature of these titles as “the clash of the titles”. See The Current BSA/AML Regime is a Classic Fixer-Upper … and Here’s Seven Things to Fix – RegTech Consulting, LLC

[6] Regulations are available at https://www.govinfo.gov/app/collection/cfr/2020

[7] There are also two titles in Division H (“Other Matters”) that also impact financial crimes, specifically kleptocracy and Russian money laundering. Those are described below.

[8] Records and reports that have a “high degree of usefulness” were also referenced in the two parts of title 12 – 12 USC s. 1829b and 12 USC Part 21, sections 1951-1959 – that, with 31 USC sections 5311-5314, 5316-5332, make up the Bank Secrecy Act. The AML Act is changing “high degree of usefulness” to “highly useful” in title 31, but not in title 12. That may be an oversight.

[9] In addition, Congress could have, but chose not to treat the Customer Identification Program, or CIP requirements, as a new fifth (or sixth) pillar or minimum standard. Subsection 5318(i) is the “customer identification program” section. It requires financial institutions to identify and verify accountholders, and for the Secretary to implement regulations for the minimum standards in doing so. The regulations set out whether and to what extent the eleven different types of financial institutions are to implement a formal customer identification program (for banks, broker dealers, mutual funds, and futures commission merchants in 31 CFR 1020, 1023, 1024, and 1026, respectively), or to implement some form of customer verification as part of their overall AML program (for casinos, MSBs, insurance companies, loan or finance companies, and government supervised entities in 31 CFR 1021, 1022, 1025, 1029, and 1030, respectively). Two of the eleven types of financial institutions, dealers in precious metals and credit card system operators, do not have to identify or verify the identity of customers. The result is that most financial institutions must have both an AML program and a Customer Identification Program: Congress had the opportunity to consolidate these two programs into one overall program but chose not to. It was a lost opportunity to further streamline the regulatory regime.

[10] See FinCEN Files – Reforming AML Regimes Through TSV SARs (Tactical or Strategic Value Suspicious Activity Reports) – RegTech Consulting, LLC

[11] FinCEN’s Proposed AML Program Effectiveness Rule – Comments of RegTech Consulting LLC – RegTech Consulting, LLC

[12] This was an interesting timeline: a GAO study on the effectiveness of the CTR regime, the utility of CTRs, and an analysis of the effects of raising the reporting threshold must begin no later than January 1, 2025 – four years from the passage of the AML Act! – and must be reported no later than December 31, 2025.

[13] Section 6506 is the only “study and report” section that specifically provides that (in this case) the GAO can contract out the study.

A GAO Report on GTOs Reveals the Underlying Flaws In the Entire American BSA/AML Regime

The General Accountability Office, or GAO, issued a Report on August 14, 2020 titled “FinCEN Should Enhance Procedures for Implementing and Evaluating Geographic Targeting Orders”.[1] The Geographic Targeting Orders, or GTOs, subject to this report are a series of nine GTOs issued since 2016 targeting all-cash (or non-financed) purchases of residential real estate in certain areas of the country over a certain amount.

Most people will read this report for what it is – a full-fledged year-long, not-very-positive audit of FinCEN’s management of the real estate Geographic Targeting Order program. But the GTO program, and FinCEN’s management of it (which, by the way, I don’t think FinCEN got enough credit from the GAO for taking the initiative in the first place), are lesser issues than a single observation the GAO reported more than half way through (on page 22) the Report:

“Officials from five federal law enforcement agencies told us that their agencies do not systematically track the specific types of BSA reports used in investigations …”.

The GAO didn’t indicate which five federal law enforcement agencies these were, but the agencies interviewed for the Report were the DEA, FBI, ICE-HSI, IRS-CI, the DOJ’s Criminal Division, the US Attorneys Offices for the Southern District of New York and Southern District of Florida, FinCEN, and two task forces (OCDETF and El Dorado). So it’s likely that at least four of the five agencies that do not systematically track which Bank Secrecy Act or BSA reports are used in investigations are the “big four” of AML/CFT: the FBI, DEA, Homeland Security, and IRS.

Why is this important?

The entire purpose of the BSA regime is for the private sector to provide timely, actionable intelligence to law enforcement in order to protect the financial system, and society at large, from underlying criminal and terrorist activity. In the “Background” section of the Report, on page 5, the GAO explained the purpose behind the BSA:

“The BSA authorizes the Secretary of the Treasury to issue regulations requiring financial institutions to keep records and file reports the Secretary determines ‘have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.’ The Secretary also is authorized to impose AML program requirements on certain financial institutions. The authority of the Secretary to administer the BSA has been delegated to the Director of FinCEN.” [citations omitted][2]

Approximately 20 million BSA reports are filed by tens of thousands of private sector financial institutions every year: the most common are Currency Transaction Reports or CTRs (roughly 16 million) and Suspicious Activity Reports, or SARs (roughly 2.7 million). Those institutions are spending billions of dollars in running BSA programs intended to allow them to prepare and file those 20 million reports, and they face regulatory and even criminal sanctions for failing to maintain an adequate program or failing to detect and report suspicious activity or large currency transactions. And yet the primary users of those reports, the federal law enforcement agencies, “do not systematically track the specific types of BSA reports used in investigations …”.

It is time that the public sector consumers of BSA reports – primarily law enforcement agencies – provide feedback to the private sector producers of BSA reports – tens of thousands of financial institutions – on exactly which reports “have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism”. It’s not enough for the private sector to know anecdotally that the reports it is filing are generally useful to law enforcement. In this age of machine learning and artificial intelligence, financial institutions are using these tools to teach and train their monitoring, surveillance, and alerting systems that churn through millions or billions of customer, account, and transaction data, in an effort to be more effective and efficient. And all of those machine learning and artificial intelligence efforts are for naught if the private sector doesn’t have the training data needed to identify those reports that are providing tactical and/or strategic value. Training a surveillance and alerting system against the SARs that are filed is a fool’s errand if you don’t know whether that SAR has ever been looked at by law enforcement, whether it was useful, whether it provided tactical or strategic value.

Lack of Law Enforcement Feedback Is One of the Two Main Flaws in the US BSA/AML Regime: the Other is the Lack of Corporate Transparency

The United States does not have an effective beneficial ownership regime. Even the Treasury Secretary calls this a “glaring hole in our system”, and I have written about this on a number of occasions. See, for example, https://regtechconsulting.net/beneficial-ownership-customer-due-diligence/lack-of-beneficial-ownership-information-a-glaring-hole-in-our-system-says-treasury-secretary/. And this GAO Report includes a section on the lack of a true beneficial ownership regime (notwithstanding FinCEN’s 2016 rule on customer due diligence and beneficial ownership), and how a FATF-compliant beneficial ownership regime would enhance the US AML/CFT regime and be complementary to the real estate GTO.

The other flaw, as described in this article, is lack of law enforcement feedback. I have been writing about this flaw in our system for years. See my article from November 2019 https://regtechconsulting.net/fintech-financial-crimes-and-risk-management/like-sam-loves-free-fried-chicken-law-enforcement-loves-free-suspicious-activity-reports-but-what-if-law-enforcement-had-to-earn-the-right-to-use-the-private-sector/ and my article from July 2020 https://regtechconsulting.net/aml-regulations-and-enforcement-actions/anti-money-laundering-act-of-2020-pay-to-play-arrives-and-perhaps-we-have-an-answer-to-the-whereabouts-of-section-314d/. Both of these articles reference other articles I’ve written on this subject. The July 2020 article offers some solutions.

This is not a criticism of law enforcement or the intelligence community. They simply haven’t had the means to provide feedback to the private sector. Bills, or provisions in bills, currently before Congress aim to address this issue and provide the means for the public sector to begin the process of providing feedback to the private sector. If the purpose of the multi-billion dollar anti-money laundering regime is to compel the private sector to provide law enforcement and the intelligence agencies with timely, actionable reports of cross-border flows of cash, foreign bank accounts, suspicious activity, possible terrorist financing activity, and large cash transactions, then it is incumbent on law enforcement and the intelligence agencies to provide feedback on which of those reports have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism. Without that feedback, both the private and public sector, and society at large, will fail in their collective efforts to keep our financial system safe and secure. And for law enforcement and the intelligence community to get the means to provide that feedback, it is incumbent on Congress to act and pass the necessary legislation.

We all know what needs to be done to make the BSA/AML regime more effective and more efficient. Now Congress must act.

[1] See GAO-20-546 available at https://www.gao.gov/assets/710/708115.pdf

[2] The language “high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism” is pulled directly from the purpose statement of the main “BSA” statute, 31 USC section 5311.

AML360 Podcast – Jim Richards with Stephen Platt

On June 12, 2020 I enjoyed an hour with AML360 talk show host Stephen Platt. For an hour – live! – we talked about a broad range of issues facing the financial crimes community today:

  • The scourge of misaligned incentives, where regulators are looking at how banks run their programs, and not on how well those banks are getting timely, actionable intelligence to law enforcement. I argued that the Exam Manual needs to be changed from “a sound BSA/AML compliance program is critical in deterring and preventing money laundering and terrorist financing” (page 7, 2014 edition) to “providing actionable, timely intelligence to law enforcement is critical in deterring and preventing money laundering and terrorist financing, and a sound BSA/AML compliance program provides the foundation for being able to do so.”
  • Artificial intelligence and machine learning are critical tools, but we need to be wary of the results when those tools are used on SARs filed with law enforcement, rather than SARs used by law enforcement. I used the analogy of a car manufacturer: it’s not relevant how many cars it builds, what is relevant is how many cars are bought, and the quality of those cars. Same for SARs: it’s not relevant how many SARs a bank files, what is relevant is how many SARs are used by law enforcement, and the effectiveness of those SARs.
  • False positives, and whether high false positive rates are caused, in large part, by banks’ fear of regulatory sanctions for missing a possible actionable alert rather than by poor technology.
  • The importance of clean, consistent data. I argued that AML is 80% customer due diligence and 50% clean data (paraphrasing Yogi Berra), and that most legacy, large financial institutions still struggle to have and maintain an Enterprise Customer Risk Rating.
  • Whether and why financial institutions are falling further behind criminals and criminal organizations. They are, in large part because financial institutions need to be mindful of running their programs, testing their systems, model validation, audit requirements, regulatory exams, etc., while criminals and criminal organizations don’t need to deal with any of those things.
  • The impacts of COVID-19 on financial institutions’ fraud and AML programs. I argued that we’re able to adapt our systems to detect and prevent fraud, which is an objective event lending itself well to systemic monitoring and surveillance, but it’s too early to tell whether our AML systems will be as effective. For AML, both the numerator (alerts) and denominator (the volumes, velocities, and types of transactions) are changing so quickly, our AML models may not be as effective as they were.
  • Transaction Monitoring – I made the statement that account-based, traditional transaction monitoring is not only dead, it’s never worked effectively. Instead, relationship-based interaction surveillance is what is required.
  • The value of Deferred Prosecution Agreements, or DPAs.
  • The importance of understanding internal bad actors’ roles in identifying and reporting fraud and money laundering.

The podcast is available at https://podcasts.apple.com/us/podcast/aml-talk-show-brought-to-you-by-kyc360-com-hosts-martin/id1484784236?i=1000477739453

FinCEN’s Estimate of the Costs and Burden of Filing SARs Is Evolving, But Needs Private Sector Input

For years, FinCEN has used a one-size-fits-all-SARs method of determining the costs and burden of filing Suspicious Activity Reports (SARs): a flat two hours, or 120 minutes. With a new-found ability to slice-and-dice its SAR data, FinCEN has now determined that the back half of the SAR filing process takes between 45 and 315 minutes, depending on the type of SAR. And it’s looking for feedback from the private sector on how to enhance this estimate.

Posted June 2, 2020

On May 26, 2020, FinCEN published a notice in the Federal Register titled “Proposed Updated Burden Estimate for Reporting Suspicious Transactions Using FinCEN Report 111 – Suspicious Activity Report”. This is a notice required under the Paperwork Reduction Act, or PRA: agencies are required to periodically assess and estimate the burdens and costs of their regulatory regimes.

This is a ground-breaking notice, for it is the first such notice where: (1) FinCEN has been able to analyze the SAR Database to quantitatively assess the numbers, characteristics, and types of SARs, by institution type, by type of work required to be done, and by what types of involved positions; and (2) perhaps just as important, FinCEN has shown a willingness to provide this information and to seek feedback from the private sector on other available information that could be incorporated into future analyses. FinCEN must be commended for both.

In prior PRA notices, FinCEN has simply estimated that the SAR filing process takes a total of two hours for each and every SAR filed. With this notice, FinCEN identified, and attempted to capture burden and cost estimates for, five categories of SARs, two types of filing (batch and discrete), the six stages in the SAR filing process, and the four types of positions involved in the process.

Five categories of SARs: (1) depository institutions’ (banks and credit unions) original SARs with standard content; (2) depository institutions’ original SARs with extended content; (3) non-depository institutions’ original SARs with standard content; (4) non-depository institutions’ original SARs with extended content; and (5) all filers’ continuing activity SARs. The standard and extended content analysis looked at combinations of (1) the number of named suspects; (2) the number of suspicious activities’ categories marked on the SAR form; (3) the length and make-up of the narrative; and (4) whether there was an attachment.

Six stages in the SAR filing process: (1) maintaining a monitoring system; (2) reviewing alerts; (3) transforming alerts into cases; (4) case review; (5) documentation of the SAR/no SAR determination; and (6) the SAR filing process. The current two-hour per SAR PRA estimate only considered the 6th stage: this notice added the 4th and 5th stage, and FinCEN acknowledged that it needs further data, and comments from the private sector, in order to include the 1st, 2nd, and 3rd stages.

Four types of people: (1) general supervision (oversight); (2) direct supervision; (3) clerical (SAR investigation); and (4) clerical (filing).

With this notice, FinCEN is changing its PRA burden estimate of 120 minutes per SAR to an estimate ranging from 25 minutes to 315 minutes per SAR for the last 3 of the 6 stages in the SAR filing process, and is inviting comments on these new estimates and on how to include and estimate the first 3 of the 6 stages.

Comments from the public are due by July 27, 2020.

Below is my analysis and commentary on the FinCEN notice. The text of the Notice is in regular font: my analysis and comments are in red italics.

Renewal Without Change of the Bank Secrecy Act Reports by Financial Institutions of Suspicious Transactions


Agency Information Collection Activities; Proposed Renewal; Comment Request;

AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION: Notice and request for comments.

SUMMARY: As part of its continuing effort to reduce paperwork and respondent burden, FinCEN invites comments on the proposed renewal, without change, of currently approved information collections relating to reports of suspicious transactions. Under the Bank Secrecy Act regulations, financial institutions are required to report suspicious transactions using FinCEN Report 111 (the suspicious activity report, or SAR). Although no changes are proposed to the information collections themselves, this request for comments covers a proposed updated burden estimate for the information collections.

This request for comments is made pursuant to the Paperwork Reduction Act of 1995.

DATES: Written comments are welcome, and must be received on or before [INSERT


JRR Comment: Very simply, FinCEN is proposing updates to the way it estimates the burden – both time and cost – for preparing and filing Suspicious Activity Reports, and is seeking comments on these proposed updates. FinCEN’s newfound ability to analyze the data it has seems to have allowed it to shift from a two-hours-for-all-SARs approach to a much more nuanced, data-driven approach.

ADDRESSES: Comments may be submitted by any of the following methods:

  • Federal E-rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Refer to Docket Number FINCEN-2020-0004 and the specific Office of Management and Budget (OMB) control numbers 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, 1506-0061, and 1506-0065.
  • Mail: Policy Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-2020-0004 and OMB control numbers 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, 1506-0061, and 1506-0065.

Please submit comments by one method only. Comments will also be incorporated into FinCEN’s review of existing regulations, as provided by Treasury’s 2011 Plan for Retrospective Analysis of Existing Rules. All comments submitted in response to this notice will become a matter of public record. Therefore, you should submit only information that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section at 1-800-767-2825 or electronically at frc@fincen.gov.


I. Statutory and Regulatory Provisions

The legislative framework generally referred to as the Bank Secrecy Act (BSA) consists of the Currency and Financial Transactions Reporting Act of 1970, as amended by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) (Public Law 107–56) and other legislation. The BSA is codified at 12 U.S.C. 1829b, 12 U.S.C. 1951–1959, 31 U.S.C. 5311–5314 and 5316–5332, and notes thereto, with implementing regulations at 31 CFR Chapter X.

The BSA authorizes the Secretary of the Treasury, inter alia, to require financial institutions to keep records and file reports that are determined to have a high degree of usefulness in criminal, tax, and regulatory matters, or in the conduct of intelligence or counter-intelligence activities, to protect against international terrorism, and to implement counter-money laundering programs and compliance procedures.[1] Regulations implementing Title II of the BSA appear at 31 CFR Chapter X. The authority of the Secretary to administer the BSA has been delegated to the Director of FinCEN.[2] Under 31 U.S.C. 5318(g), the Secretary of the Treasury is authorized to require financial institutions to report any suspicious transaction relevant to a possible violation of law or regulation. Regulations implementing 31 U.S.C. 5318(g) are found at 31 CFR 1020.320, 1021.320, 1022.320, 1023.320, 1024.320, 1025.320, 1026.320, 1029.320, and 1030.320. The information collected under these requirements are made available to appropriate agencies and organizations as disclosed in FinCEN’s Privacy Act System of Records Notice relating to BSA Reports.[3]

II. Paperwork Reduction Act (PRA)[4]

Title: Reports by Financial Institutions of Suspicious Transactions (31 CFR 1020.320, 1021.320, 1022.320, 1023.320, 1024.320, 1025.320, 1026.320, and 1029.320). OMB Control Numbers: 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, 1506-0061, and 1506-0065.[5]

Report Number: FinCEN Report 111 – Suspicious Activity Report (SAR).

Abstract: FinCEN is issuing this notice to renew the OMB control numbers for the SAR regulations and the SAR report.

Type of Review: Renewal without change of currently approved information collections.

Affected Public: Businesses or other for-profit institutions, and non-profit institutions.

SAR Regulations

Estimated Burden: An administrative burden of one hour is assigned to each of the SAR regulation OMB control numbers in order to maintain the requirements in force.[6]

JRR Comment: One hour is the current “administrative burden” of preparing and filing a SAR.

The reporting and recordkeeping burden is reflected in FinCEN Report 111 – SAR, under OMB control number 1506-0065. The rationale for assigning one burden hour to each of the SAR regulation OMB control numbers is that the annual burden hours would be double counted if FinCEN estimated burden in the industry SAR regulation OMB control numbers and in the FinCEN Report 111 – SAR OMB control number.

FinCEN Report 111 – SAR

Type of Review:

  • Propose for review and comment a re-calculation of the portion of the PRA burden that has been subject to notice and comment in the past (the “traditional annual PRA burden”).
  • Propose for review and comment a method to estimate the portion of the PRA burden that FinCEN previously had not included (the “supplemental annual PRA burden”).

JRR Comment: FinCEN is acknowledging that its current burden estimate (i) needs to be re-calculated, and (ii) needs to be augmented. And it now has the means to do so through its BSA Value Project.

Frequency: As required.

Estimated Number of Respondents: 12,148 financial institutions.[7]

JRR Comment: The estimated number of respondents – 12,148 financial institutions – and the accompanying footnote are the first interesting nugget of information. The footnote includes the phrase “not all financial institutions identify suspicious activity that would warrant a SAR filing”. This is a benign phrase, hidden in a footnote, that could be the headline of a GAO report: arguably, every regulated financial institution, no matter how small, should identify and report at least one suspicious transaction in any given year. See my comments below Table 1.

Estimated Reporting and Recordkeeping Burden:

In this notice, FinCEN introduces two substantial modifications to the scope and the methodology we previously used to estimate the annual PRA burden associated with the SAR. First, with respect to the scope of the estimate, FinCEN’s traditional annual PRA burden estimate associated with the SAR included only the filer’s annual operational burden and cost associated with (a) producing and filing the report, and (b) storing a copy of the filed report. Starting with this notice, FinCEN intends to add a supplemental annual PRA burden estimate that reflects the annual costs involved in (a) determining whether alerts that were elevated for further review merit filing a SAR, and (b) documenting the decision not to file a SAR when a case does not merit it.[8]

JRR Comment: This is where FinCEN explains what it is proposing to do. FinCEN recognizes that there is a complex process to monitor for and alert on unusual activity, to determine whether to investigate that activity, to investigate it and, if it is suspicious, to prepare and file a SAR or, if it is not suspicious, to document why it is not. Later, FinCEN describes these as the six stages in the SAR filing process. In Footnote 8, though, FinCEN acknowledges that it “lacks the granular data to estimate the costs of certain steps in that process”. In fact, it lacks the data to include the burdens for steps 1-3, which arguably may be the most burdensome from both time and cost perspectives.

Second, with respect to the methodology underlying the PRA burden and cost estimates, rather than continuing to allocate a single PRA burden and cost to the completion, submission, and storage of any type of SAR, FinCEN proposes to estimate the individual PRA burden and cost of different categories of SARs, grouped by the SARs’ estimated degree of complexity. Because there is no direct way to measure the complexity and related effort and cost of producing each SAR, FinCEN uses key features of SARs filed in 2019 to categorize them based on similar combinations of those key features, under the assumption that such combinations of key features reflect similar levels of effort and cost necessary to produce the SARs.

JRR Comment: This is where FinCEN is acknowledging that not all SARs are the same. Later, FinCEN identifies five types of SARs for its burden estimates, differentiated by (i) whether they are original SARs or “continuing activity” SARs; (ii) whether filed by banks and credit unions (collectively, “depository institutions” or “DIs”) or all other types of filers (“Non-DIs”); (iii) whether they are “standard” complexity or “extended” complexity; and (iv) whether they were batch-filed or filed as a discrete, stand-alone SAR.

Part 1 below sets out the breakdown of the SARs filed during 2019 according to the key features that are used to group SARs into categories subject to similar PRA burden and cost. Part 1 also contains the analysis of how some combinations of key features worked or failed to work as proxies for a SAR’s complexity and, therefore, burden and cost.

Part 2 uses the results of the analysis in Part 1 to estimate the individual and total annual PRA burden and cost of each category of SARs. The methodology described in Part 2 covers both the traditional and the supplemental annual PRA burden estimate.

Part 1. Breakdown of the 2019 SAR Filings

In 2019, 12,148 financial institutions (the “filing population”) submitted 2,751,694 SARs (the 2019 SAR submissions).[9] The distribution of the 2019 SAR submissions, by type of filing (original or continuing),[10] type of financial institution,[11] number of reports per filer per year, and method of filing (batch or discrete),[12] is presented in Table 1 below:

Table 1 shows that banks submitted slightly over half of the total number of SARs filed in 2019. Money services businesses (MSBs) and credit unions contributed 32.9% and 7.3% of the total, respectively. Approximately 85% of the filings from all financial institutions consisted of original reports. In addition, approximately 85% of the reports were batch filed.

JRR Comment: The most interesting aspect of Table 1 is not what is included in the Table – which is the number of financial institutions, by type, that filed SARs in 2019 – but what is not included in the Table: the total number of financial institutions, by type.

  • Banks – FDIC data shows that there were 5,186 banks at the end of 2019. So 95% of banks filed at least one SAR in 2019, which means that 5% or 250 banks didn’t file a single SAR in 2019.
  • Credit Unions – NCUA data shows that there were 5,236 credit unions at the end of 2019. Using this data, 62% of credit unions filed at least one SAR in 2019, which means that 38% or 2,001 credit unions didn’t file a single SAR in 2019. 
  • Securities/Futures – In this “catch all” category, FinCEN’s May 11, 2016 Final Rule for CDD/Beneficial Ownership provided that there were 16,404 entities in this class. SEC data suggests ~3,800 registered entities. At best, 15% of the regulated financial institutions in the Securities/Futures class are filing SARs.
  • Money Services Businesses (MSBs) – There are 22,736 MSBs registered with FinCEN. So less than 10% of registered MSBs filed at least one SAR in 2019.

To determine the concentration of 2019 SAR submissions among the filing population, FinCEN grouped filers in tranches according to the number of SARs filed during the year. Table 2 sets out the number of reports per tranche,[13] and Table 3 sets out (i) each tranche as a percentage of the total filer population, and (ii) each tranche’s reports as a percentage of the 2019 SAR submissions.[14]

JRR Comment: It is useful to group filers according to the number of SARs filed. But what would be more useful is to group them by size of institution. The problem, though, is determining what “size” is across diverse institution types. Total deposits might be the best proxy for banks and credit unions (better than total assets, which can be located outside the United States and aren’t tied to transactions as much as deposits are), but that measure doesn’t work for MSBs or Casinos.

However, 95% of SARs are filed by Depository Institutions (62%) and MSBs (33%). I would propose that Depository Institutions be grouped by tranches of Total Deposits, and MSBs be grouped by number of domestic agent locations.

Ten filers (six banks and four MSBs) made up the first tranche (00_LARGEST FILERS). As set out in Table 3, these ten filers accounted for nearly half of the 2019 SAR submissions. Slightly less than 2% of the filing population (Tranches 00 to 03) submitted 81% of all the reports. Additionally, out of the filing population, 81% contributed slightly less than 4% of the filings, while 56% submitted fewer than 10 reports per year.

JRR Comment: These two tables are critical. First, though, is some much-needed context for banks and credit unions. Of the 5,236 credit unions, only 10 have assets greater than $10 billion, and the largest is $90 billion. 90% of credit unions have less than $565 million in assets. Of the 5,186 banks, 143 have assets of more than $10 billion, 32 are larger than $90 billion, and the 4 largest are all over $1.5 trillion in assets. But most banks, like credit unions, are very small: 75% of banks have less than $565 million in assets.

Looking at 50 or fewer SARs filed per year – or less than one per week – shows that 80% of banks and 81% of credit unions that filed SARs in 2019 filed fewer than 1 per week on average. And almost 60% of each filed fewer than 10 in the entire year. The 10 largest filers – 6 banks and 4 MSBs – filed more than 700 per week on average. The top 2% of banks and credit unions filed more than 80% of the SARs.

Question – is it time for a bifurcated regulatory approach, similar to the CCAR/DFAST approach taken for capital and liquidity purposes?

JRR Comment: The main flaw in the approach of grouping institutions by the number of SARs filed is that you could have a $100 million asset (deposits) institution, or a 10-agent MSB appropriately filing 50 SARs a year, and a $100 billion asset institution or a 100-agent MSB inappropriately filing 50 SARs a year, yet they are included in the same tranche.

Unlike currency transaction reports, for example, which are more easily categorized because they are filed based on objective criteria (i.e., transaction type and threshold), each SAR may require a widely disparate level of effort depending largely on the amount of research and subjective analysis required to determine: (a) whether to file a report; (b) how to attribute the suspicious behavior to money laundering, financing of terrorism, or fraud typologies; (c) who the main persons involved in the activity are; and (d) how to explain in concise terms the rationale that led the filer to decide to file a SAR.

As FinCEN has no direct way to gauge the amount of work involved in the production of each SAR, FinCEN broke down the 2019 SAR submissions by additional key features, so that, individually or in combination, these additional key features could serve as a proxy to group SARs with similar levels of estimated complexity, and therefore, with similar estimated PRA burden. The additional key features in the SARs that FinCEN has concentrated its analysis on are: (a) the number of persons identified as subjects; (b) the number of distinct suspicious activities selected;[15] (c) the length of the narrative section; and (d) whether or not the report contains an attachment.[16]

JRR Comment: One can debate whether these are the best proxies for complexity, but this is a tremendous first step in determining relative complexity and estimated PRA burden.

  • Number of Subjects/Suspects – this is a good proxy. As a general rule, the more suspects, the more complex the underlying activity.
  • Number of distinct suspicious activities selected – Footnote 15 indicates that the SAR has 18 categories of suspicious activities. I’m not sure where that number comes from. There are 11 categories of suspicious activity, each with 1 or more sub-types of activity (a total of 79 sub-types plus “other” for each category). There are also 10 instrument types and 21 product types. I recommend that FinCEN use some AI/Machine Learning techniques to analyze the combinations of suspicious activity types, instruments, and products. FinCEN attempted this in its “tractable segmentation” approach, below.
  • Length of narrative – FinCEN recognizes some of the shortcomings of this attribute, and adjusts for it, but this is a good first step.
  • Attachment – FinCEN recognizes the shortcomings, adjusts for it … and it is a good first step.

I didn’t see anything about the amount being reported (with more reported activity indicating more complexity), or the period of time between the first reported activity and the last reported activity (the greater the period of activity indicating more complexity), or the period of time between the first reported activity and the date of the SAR (which could indicate a lookback or review).

Once FinCEN identifies the combination of key features that are common to the largest number of reports submitted by a given type of filer (the “standard content” for that type of filer), FinCEN may take such combination as a proxy for the content and estimated complexity of a “standard” SAR for that filer type. Reports submitted by filers of the same type that contain different features (more subjects, more suspicious activities, a longer narrative) may represent SARs with “extended content” that are more complex, and therefore carry a larger PRA burden and cost for that filer type. Based on the data available, FinCEN is considering only two levels of SAR complexity.

Table 4A shows a breakdown of the 2019 SAR submissions by type of financial institution and narrative length. Table 4B shows the percentage of reports with and without attachments, by type of financial institution, and narrative length.

Table 5 breaks down the 2019 SAR submissions by type of financial institution and number of suspicious activities identified in each report.[17]

JRR Comment: The differences in the number of selected suspicious activities can be caused by differences in style, practices, or training from one institution to another. For example, one filer may consider a check fraud involving an elderly customer to be one category (check fraud), another two categories (check fraud, Elder Financial Exploitation), another six categories (check fraud, identity theft, providing questionable or false documentation, Elder Financial Exploitation, forgeries, identity theft).

I would combine the “tranche and type” data from Tables 2 and 3 with the number of suspicious activity categories from Table 5: the data may show that the fewer SARs an institution files, the fewer suspicious activity categories there are.

Approximately 44% of the SARs submitted by all filers have narratives not exceeding 2,000 characters (half a page), and another 39% have narratives above half a page but not exceeding one page. Most SARs (60%) identify up to two suspicious activities, while another 38% list between three and five.

FinCEN analyzed key features of the 2019 SAR submissions described in Tables 1 through 5 to generate a tractable segmentation of the SAR universe into different levels of burden. FinCEN based this segmentation on the following observations:

  • FinCEN was not able to limit the criteria for selecting categories of SAR burden to the type of financial institution or the tranche of a filer alone because of large variations in the combination of features within each type of financial institution or tranche. It was possible, however, to arrive at a small number of complexity categories by combining key features that highlight significant differences between depository institution filers (banks and credit unions), MSBs, and other types of financial institution filers (non-depository institutions).
  • Based on the analyzed complexity features as well as FinCEN’s extensive use of SARs in its work, in general and on average,[18] the content of SARs shows the following general features:
  1. There appears to be a positive correlation between the number and complexity of a financial institution’s main business lines, and the value registered by some of the key features selected: the higher the number and complexity of the filer’s business lines, the higher the number of suspicious transactions identified and the longer the narrative.
  2. In general, non-depository institutions with a single primary business line (i.e., loan and finance companies or casinos) file reports that (a) list up to two suspicious transactions involving one subject and a single transaction or a small number of transactions over a short period of time, and (b) use relatively short narratives of up to half a page to explain the basis for their suspicion.
  3. Some SARs filed by non-depository institutions have features indicating complexity, particularly longer narratives, despite the SARs not being complex. A sample of the SARs filed by two of the largest non-depository institutions showed that in 94% of the SARs with longer narratives, the increased length was due to listing transactions the filer appeared to have tracked automatically. Six percent of those SARs appeared to have required greater analytical effort. To estimate the number of SARs with extended content filed by non-depository institutions in 2019, FinCEN therefore applied the six percent threshold to the total number of SARs with narratives over one page filed by non-depository institutions.
  4. Nearly three quarters of original SARs filed by depository institutions report only up to two subjects involved in up to five suspicious activities, described in a narrative that does not exceed one page, and on their face do not appear complex.

JRR Comment: This is one of the most important statements in this Notice. Essentially, FinCEN is saying that ¾ of the 2.7 million SARs filed are not complex. Can these SARs be filed without human intervention with little, if any, material loss in utility or value to law enforcement?

Many SARs filed by depository institutions, however, have features indicating complexity. This may reflect any combination of the factors laid out in the tables above – number of subjects per SAR, number of suspicious transactions listed per SAR, length of the narrative, and presence of an attachment. However, some SARs that appear complex based on these features often are not in reality. Depository institutions, which in general tend to offer many business lines mostly to established customers, sometimes include in SARs a comparison of other information they maintain. This can increase the apparent complexity of SARs analyzed against the complexity factors FinCEN identified without necessarily being indicative of a SAR requiring extensive research. FinCEN controlled for this by removing from the complex category SARs that had a high ratio of digits to non-digit text in the SAR narrative, because a high ratio of digits often indicates the algorithmic inclusion of transaction data in the SAR narrative.

JRR Comment: This was a great catch by FinCEN. And below might have been a miss by FinCEN. Whether “continuing activity” SARs require “substantially less effort”, or any less effort than original SARs, is worth exploring.

  • For all financial institutions, FinCEN estimates that the review of cases documenting the need to file continuing SARs, and the filing of the continuing SARs themselves, will require substantially less effort than the review of cases leading to the filing of original SARs, and the actual filing of such original SARs.
  • Lastly, FinCEN assumes that financial institutions that batch file SARs have a degree of automation they can employ to the partial filling of the report. Batch filers will also store electronic files that may contain several reports per file. Based on these assumptions, FinCEN allocates a lower PRA burden per report to these filers. This burden consists of the actual time of submission per report (which may be close to instantaneous), and the administrative and supervisory tasks involved in this stage.

As noted, reflecting the observations above, FinCEN identified five categories of SARs to generate a tractable segmentation of complexity for analyzing estimated PRA burden: (a) continuing SARs; (b) original SARs with standard content filed by non-depository institutions; (c) original SARs with extended content filed by non-depository institutions; (d) original SARs with standard content filed by depository institutions; and (e) original SARs with extended content filed by depository institutions.

JRR Comment: This is the first of three steps FinCEN takes in estimating the SAR burden – identifying the five categories of SARs. The second and third steps follow: identifying the six stages in the SAR filing process, and the four types of people involved in that process, respectively.

Part 2. PRA Burden and Cost Estimates

Based on industry input, including input obtained over the past year in a project assessing how to improve the effectiveness of BSA data and measure its value for each stakeholder group, FinCEN understands that the SAR filing process comes at the end of a larger process that varies in complexity depending on the type and size of the financial institution:[19]

JRR Comment: On the following page is FinCEN’s six-stage SAR production process. This is a good first step, but I disagree with the approach that, for purposes of the PRA burden and cost estimates, the SAR process is distinct from the overall BSA/AML program process (and burden and cost). The singular purpose of the BSA/AML program regime is to provide timely, actionable intelligence to law enforcement and the intelligence community by way of BSA reports and recordkeeping – primarily SARs and CTRs. Therefore, integral to the SAR production process are the program requirements of risk assessment, CIP/CDD, training, independent testing, examination management, etc. These costs will be included in future notices.

Stage 1 – Maintaining a Monitoring System: Commensurate with the size of the filer and the complexity of its operations, each filer will run, update, and upgrade a monitoring system that reflects its assessment of risk. This monitoring system will vary in complexity from a manual review process to a fully automated one.[20]

JRR Comment: The use of the singular “monitoring system” minimizes the complexity of even the smallest institution’s program to have employees escalate unusual activity (referrals), to have manual or automated monitoring systems identify unusual activity (alerts), and the regulatory and operational requirements to run, update, and upgrade those systems. Larger, more complex institutions will run dozens of monitoring and surveillance systems.

Stage 2 – Reviewing Alerts: When the monitoring system issues an alert, the filer will have to determine whether the alert reveals a true potential risk event, or is a false positive.

JRR Comment: As FinCEN explains below, it is not including this stage in its burden and cost estimate “due to the lack of the necessary granular information”. Transaction monitoring and customer surveillance systems, and the alerts that are generated, are a major part of the burden and cost of AML programs. The issue of high false positive rates – anecdotally 95 percent or more of alerts are so-called “false positives” – is often-discussed, always-lamented, and remains an intractable problem. See: https://regtechconsulting.net/uncategorized/rules-based-monitoring-alert-to-sar-ratios-and-false-positive-rates-are-we-having-the-right-conversations/. Also see: https://regtechconsulting.net/uncategorized/flipping-the-three-aml-ratios-with-machine-learning-and-artificial-intelligence-why-bartenders-and-aml-analysts-will-survive-the-ai-apocalypse/

Stage 3 – Transforming Alerts into Cases: If, based on the filer’s analysis, the alert points to a true potential risk event, the filer will gather additional information to present the case to the reviewing level that will eventually decide whether the event merits the filing of a SAR.

JRR Comment: FinCEN has done a good job recognizing that many institutions have an alert review or alert triage process to determine if an alert should “go to case” or not. But like stages 1 and 2, this third stage is not included in the burden and cost analysis at this time.

Stage 4 – Case Review: The appropriate level will review the case to determine whether or not the event constitutes a suspicious activity that must be reported.

Stage 5 – Documentation of Determination: This notice takes into account that filers document decisions they make as part of Stage 4 that lead them to conclude that an event does not warrant the filing of a SAR.

Stage 6 – SAR Filing Process: If an event warrants the filing of a SAR, the filer will follow its SAR filing process, including: (a) selecting supporting documentation; (b) completing the report, including drafting the narrative; (c) filing the report through batch or discrete filing; and (d) storing the filed report and supporting documentation in physical or electronic form.

Each stage requires the filer’s use of human and technological resources, which combination will vary according to the sophistication of the filer. Previously, FinCEN limited its annual SAR PRA burden estimate to Stage 6 mentioned above, the SAR filing process (the “traditional annual PRA burden”). In this notice, FinCEN expands its PRA burden estimate to include Stages 4 and 5 listed above (the “supplemental annual PRA burden”).

JRR Comment: Stages 4 and 5 are the “supplemental annual PRA burden” that FinCEN is adding. Until now, FinCEN only included Stage 6 in its PRA estimate. Now FinCEN is considering Stages 4, 5, and 6.

FinCEN is not addressing the burden associated with Stages 1 to 3 above due to the lack of the necessary granular information. Notably, FinCEN would need information regarding: (i) the levels of burden and cost attributed to differing monitoring systems; (ii) varying levels of complexity in determining whether alerts represent true alerts; and (iii) the amount of research involved in assembling cases to determine whether true alerts warrant the filing of a SAR. Furthermore, FinCEN would need additional information to identify the proportion of these costs that are strictly connected to the filing of a SAR relative to the same costs associated with a filer’s other regulatory or business requirements. FinCEN intends to address the information required for the estimate of the burden and cost of Stages 1 to 3 in a future notice. FinCEN acknowledges that each stage of the SAR production contributes to the next (including those stages of the process not included in this notice). FinCEN assesses, however, that the information provided by this notice, though not a complete estimate of the SAR PRA burden, improves the estimate and creates a foundation for a future estimate of the costs of all six stages.

JRR Comment: It is incumbent on the industry to provide FinCEN with data and information on Stages 1, 2, and 3 of the process, as well as on the other aspects of a program that are not reflected in these six stages: the program requirements of risk assessment, CIP/CDD, training, independent testing, examination management, etc., that are integral to, and part of, the SAR production and filing process.

FinCEN recognizes that SAR cases that are more complex may take a longer time to review at multiple stages, such as the case investigation point in Stage 4 and the SAR filing point in Stage 6. However, for ease of presentation, FinCEN calculated the extra burden of handling complex cases in our burden estimate for Stage 6, and attributed a burden that represents our estimate of the standard administrative work connected to continuing and original SARs to Stages 4 and 5. Therefore, the total estimate proposed in this notice will be the aggregate of the following estimates of the PRA burden related to:

  • Evaluating cases for potential SAR filing (Stage 4). This will be part of the supplemental annual PRA burden calculation.
  • Recordkeeping of cases not converted into SARs (Stage 5). This will be part of the supplemental annual PRA burden calculation.
  • The SAR filing process (Stage 6). This will be part of the traditional annual PRA burden calculation and will include the PRA burden associated with the filing of (i) continuing SARs, (ii) original SARs filed by non-depository financial institutions, and (iii) original SARs filed by depository financial institutions.

JRR Comment: Up to this point, FinCEN has introduced the first two of the three components of its PRA burden and cost estimate: the five categories of SARs, and the six stages of the SAR filing process. Now FinCEN turns to the third component: the people involved in the process. FinCEN has identified four.

FinCEN identified four staff positions and corresponding roles involved in the SAR process in order to estimate the hourly costs associated with the burden hour estimates calculated in this part. Those are: (i) general supervision (providing process oversight); (ii) direct supervision (reviewing operational-level work and cross-checking all or a sample of the filings against their supporting documentation); (iii) clerical work (engaging in case evaluation to support the determination of whether a SAR must be filed); and (iv) clerical work (engaging in producing, filing, and storing SARs and supporting documentation).

JRR Comment: This is where the private sector should provide detailed comments. It has not been my experience that fraud investigators and AML analysts are performing “clerical work”, classified by the Bureau of Labor Statistics as “Financial Clerks” with a mean (average) hourly wage of $20.40. Based on that same data, the mean annual wage is $43,500, with a broad range across the US of $25,980 to $60,600. The same job code for the financial services NAICS (522000) shows an annual mean salary of $44,500 and a 90th percentile salary of $62,330 (10% of the people in that category make more than $62,330). Data from the private sector will (I believe) show that the annual average salary for financial crimes investigators and analysts will be more than $62,330.  

FinCEN calculated the fully loaded hourly wage for each of these four roles by taking the median wage as estimated by the U.S. Bureau of Labor Statistics (BLS), and computing an additional benefits cost as follows:[21]

JRR Comment: Financial institutions must provide comments (supported by data and information) to FinCEN on these four roles and the range and median salaries for those roles. For example, the BLS data shows that the average salary for the Compliance Officer position is $66,236 with a broad range of $39,790 to $111,640. Data should show that most compliance officers earn in excess of $100,000. And differentiating between Depository Institutions, Securities/Futures, and Non-DIs will be critical.

FinCEN estimates that, in general and on average, each role would spend different amounts of time on each stage of the process covered by this notice, as described in the specific estimates below.

1. Estimate of the burden and cost of evaluating cases for potential SAR filing

To estimate the PRA burden involved in evaluating each case generated by one or more alerts, FinCEN starts with the number of cases that, after review, resulted in the filing of 2,751,694 SARs in 2019. As set out in Table 1 above, of that total number of filings, 2,335,559 reports were original SARs, and 416,135 were continuing SARs.

JRR Comment: This may not be an accurate assumption. Again, the private sector needs to provide comments (supported by data) on the burdens and costs of filing continuing activity SARs. 

In the case of continuing SARs, FinCEN assumes that the filer will be monitoring the specific transactions of the previously identified subject, and filing a continuing SAR every ninety days (if the subject did not discontinue the activity), and noting the cumulative monetary amount involved in the suspicious activity. FinCEN therefore assesses that the number of continuing suspicious activity cases will equal the number of continuing SARs.

In the case of original SARs, however, a filer may need to review a large number of cases to determine which cases justify the filing of a report. A paper issued by the Bank Policy Institute in 2018 (the “BPI Paper”)[22] contains the estimates of 13 large, midsize, and small banks (with assets under management of more than $500 billion, between $200 and $500 billion, and between $50 and $200 billion, respectively) about their average conversion rate[23] of cases to SARs. The BPI Paper states that, on average, banks filed SARs on 42% of alerts turned into cases (i.e., alerts that are not considered false positives).[24] In the absence of similar data for other types of financial institutions, FinCEN adopts the bank average conversion rate from cases to SARs set out in the BPI Paper (42%) to approximate the number of cases that could have generated the number of original SARs filed in 2019. If 42% of cases result in the filing of a SAR, the total filing population would have had to review approximately 5,560,854 cases[25] to report the 2,335,559 original SARs submitted in 2019.[26]

JRR Comment: FinCEN got the case-to-SAR conversion rate of 42 percent from the BPI paper. FinCEN refers to pages 5-7 of the BPI paper. Notably, the BPI survey respondents were 19 banks that all had assets of $50 billion or more: there are only 43 such banks. These 19 banks were grouped into small ($50 – $200 billion, at which time there were 33 such banks in total), midsize ($200 – $500 billion in assets, at which time there were 6 such banks in total), and large (greater than $500 billion, at which time there were 4 such banks). Thirteen (13) of the 19 banks provided data on Alert-to-Case-to-SAR numbers:

  • Large Banks – generated 2.8 million alerts of which 20% (560,000) became cases, of which 42% (235,200) became SARs;
  • Midsize banks – generated 117,000 alerts of which 9.5% (11,115) became cases, of which 54% (6,002) became SARs;
  • Small banks – generated 107,000 alerts of which 8% (8,560) became cases, of which 53% (4,537) became SARs.

Combined, the three tranches of banks generated 3,024,000 alerts which resulted in 579,675 cases, which eventually became 245,739 SARs. This overall Case-to-SAR conversion rate was 42%.

FinCEN estimates that the average burden involved in considering whether a case merits filing an original SAR, for all types of financial institutions and for any type of suspicious transactions, would be 20 minutes per case. FinCEN estimates that the average burden involved in reviewing cases involving continuing SARs will be much lower, at 3 minutes per case.

JRR Comment: These two assumptions – 20 minutes to determine whether a case merits filing an original SAR, and 3 minutes to determine whether continuing activity merits filing a continuing activity SAR – should be tested by financial institutions’ comments to FinCEN. These are important assumptions which may not prove true. 

FinCEN assumes that the review of cases will involve the participation of three of the roles described above, as follows:[27]

Table 7

JRR Comment: Once a case is opened, the common practice is to assign it to a fraud investigator or AML analyst to determine whether the overall activity of the customer meets the definition of “suspicious activity”. If it does, the analyst will then prepare a SAR: if the analyst determines that a SAR is not warranted, they will document their decisioning and close the case. Depending on the type of case, there may be procedures for reviewing those decisions.

Financial institutions should review their data and provide comments to FinCEN: the data will likely show that 80%-90% of the total time spent determining whether a SAR is merited is on case review, 10%-20% on direct supervision, and 0%-10% on indirect supervision.

Footnote 27 below is confusing to me: in my experience, fraud investigators and AML analysts – those people that are working cases, determining whether a SAR should be filed, and preparing and filing the SAR – are not maintaining agendas, documenting minutes of meetings, or assembling files for review by SAR committees.

The total annual PRA burden of this stage involving cases related to both continuing and original SARs would be 1,874,424 hours, at a total cost of $91,846,776, as described in Tables 8A and 8B below.

Tables 8A, 8B

2. Estimate of the burden and cost of documenting cases not converted into SARs

With 2,335,559 cases resulting in SAR filings and an estimated conversion rate of 42%, out of the estimated 5,560,854 cases, 3,225,295 would be cases involving a decision not to file. FinCEN estimates that the average burden hours of documenting the rationale as to why a case does not merit filing a SAR, for all types of financial institutions and in the context of any type of suspicious transactions, would be 25 minutes per report.

JRR Comment: FinCEN is estimating that it takes 20 minutes to determine whether a SAR is merited, and an extra 5 minutes to document the reasons for not filing a SAR if a SAR is not merited. Financial institutions should provide comments, supported by data and information, on these estimates.   

FinCEN assumes that documenting the rationale for not filing a SAR and the storage of the case documents will involve the participation of three of the roles described above, as follows:

Table 9

JRR Comment: In Table 7, FinCEN is estimating that the work done to determine whether a SAR is merited, and a SAR results, involves 10% indirect supervision, 60% direct supervision, and 30% clerical work. In Table 9, FinCEN is estimating that the work done to determine whether a SAR is merited, and a SAR does not result, involves 1% indirect supervision, 19% direct supervision, and 80% clerical work. However, with the exception of documenting no-SAR decisions, this is the same work performed by the same fraud investigators or AML analysts, supervised by the same direct supervisors. The ratios of work should be the same, or roughly the same, for both processes.

The total annual PRA burden of this stage would be 1,343,872 hours, at a total cost of $38,972,288, as described in Table 10 below:

Table 10

3. Estimate of the burden of the SAR filing process

JRR Comment: To this point, FinCEN has laid out the five categories of SARs, the six stages of the SAR filing process, and the four types of positions involved in that process. FinCEN has also described the updated or new burden and cost estimate of evaluating cases for potential SAR filing and, for those cases that result in a “no-SAR” decision, the burden and cost of documenting that decision. In this section, FinCEN turns to the burden and cost estimate of the process of preparing and filing a SAR once the decision has been made that the case merits a SAR.

But first FinCEN describes its current estimate, made ten years ago before mandatory electronic filing, before attachments were allowed, and based on the old SAR forms. That estimate, or estimates, are crude and simple: two hours for the 99% and more of SARs filed by single financial institutions, and 2.5 hours for the rare (less than 1% of the SARs) filings made jointly by two or more financial institutions.

FinCEN’s prior estimate of the traditional average burden hours associated with the SAR filing process[28] was based on a 2010 assessment of the manual effort involved in the drafting, writing, filing, and storing of a paper-based SAR with a standard narrative of 4,000 characters (i.e., one page), and the storing or segregation of paper-based supporting documentation. Since 2011, financial institutions have been able to (a) file SARs electronically either in batch or discrete format, and (b) include with their SARs an attachment containing tabular data such as transaction data providing additional suspicious activity information not suitable for inclusion in the narrative. This attachment must be an MS Excel-compatible comma separated value (CSV) file with a maximum size of 1 megabyte. These new features contribute to a substantial decrease in the hourly burden of the mechanical aspects of the filing and storage of SARs and supporting documentation.

As set out in the estimates above, the review of approximately 5,560,854 cases would result in the closing out of 3,225,295 cases, and the filing of 2,335,559 original and 416,135 continuing SARs. In the previous part, FinCEN identified a tractable segmentation of SAR complexity: (a) continuing SARs; (b) original SARs with standard content filed by non-depository institutions; (c) original SARs with extended content filed by non-depository institutions; (d) original SARs with standard content filed by depository institutions; and (e) original SARs with extended content filed by depository institutions. In all cases, the estimate represents the administrative burden involved in producing and reviewing a SAR, overseeing the process of filing a SAR, and the actual filing of a SAR, and not just the mechanical process of generating, submitting, and storing the SAR (which might be very small for fully-automated filers using the batch filing method).

FinCEN assumes that the SAR filing process involves the following four roles described in Table 6, in varying proportions depending on whether the burden accounts for the reporting or the recordkeeping stage of the process:

JRR Comment: Tables 11A, 11B, and 12 set out FinCEN’s estimates for the percentage of time and resulting cost that it takes, by role, for drafting, writing, and submitting “Standard Content” SARs (Table 11A); for drafting, writing, and submitting “Extended Content” or complex SARs (Table 11B); and for the recordkeeping required for both (Table 12). Where there were stark differences in the SAR/No SAR determinations, FinCEN estimates that there are only subtle differences in the ratio of time/cost for standard or simple SARs and extended or complex SARs. Financial institutions should assess their data and information and provide comments to FinCEN: my experience is that complex investigations are often handled by more experienced investigators/analysts, and not necessarily more supervision.

3.1. Continuing SARs

In the case of a suspicious transaction that continues over time, filers must submit continuing SARs every ninety days. Financial institutions filed 416,135 continuing SARs as part of the 2019 SAR submissions. FinCEN estimates that, on average, the burden involved in filing a continuing SAR will be relatively low, and will be substantially the same among all types of financial institutions. The estimated hourly burden and its cost for continuing SARs are as follows:

JRR Comment: FinCEN phrases these as “estimates”, but they appear to be assumptions unsupported by data rather than estimates based on data. Financial institutions should provide comments to FinCEN on the burden and costs of continuing activity SARs compared to original SARs.  

3.2. Original SARs filed by non-depository institutions

Based on the application of the percentage described in Part 1 to SARs with narratives over one page filed by non-depository institutions, FinCEN identified 988,377 reports with standard content and 6,897 with extended content.

Original SARs filed by non-depository institutions (standard content)

For the purpose of calculating the burden of original SARs with standard content filed by non-depository institutions, FinCEN estimates that the average burden involved in the filing of original SARs will be higher than that of continuing SARs. Specifically, FinCEN uses an estimate of 40 minutes per batch-filed report and 60 minutes per discrete-filed report for drafting, writing, and submitting the SARs, and 5 minutes per batch-filed report and 15 minutes per discrete-filed report for storing filed reports and supporting documentation.

JRR Comment: FinCEN has developed a much more nuanced and granular estimate of the burden and cost of filing SARs. The old methodology was a single 120 minutes (2 hours) per SAR. With this new approach, there is a low estimate of 25 minutes for batch-filed, standard content continuing SARs, all the way to 315 minutes (more than 5 hours) for discrete-filed, extended content original SARs.  All of the combinations are set out in the following sections: Depository Institution versus Non-Depository Institution; standard content versus extended content; batch-filing versus discrete-filing; and drafting, writing, and submitting SARs versus recordkeeping for SARs.

The estimated hourly burden and its cost for this subset of SARs are therefore as follows:

Original SARs filed by non-depository institutions (extended content)

For the purpose of calculating the burden of original SARs with extended content filed by non-depository institutions, FinCEN estimates that the average burden will be several times higher than that of standard content SARs, and the related cost will include a larger proportion of the levels of the organization with higher fully-loaded hourly wages (those representing indirect and direct supervision). The estimated hourly burden and its cost for this subset of SARs are therefore as follows:

3.3. Original SARs filed by depository institutions

Based on the segmentation described in Part 1 of depository institution SARs into standard content and extended content, FinCEN identified 1,313,774 reports with standard content, and 26,513 that included extended content.

The estimate of the reporting and recordkeeping burden of these two SAR subsets is as follows, using the per-SAR burden estimates included in the tables:

JRR Comment: This is another significant estimate. Of the 1,340,287 original SARs filed by banks and credit unions (roughly half of all SARs filed), only 26,513 had “extended content”, which is FinCEN’s proxy for complex or, perhaps, significant SARs.

Less than 2% of the original depository institution SARs had extended content or were otherwise complex or significant SARs. The 2018 Bank Policy Institute survey of 19 large banks found that less than 4% of those SARs garnered law enforcement interest.   

Estimated Reporting and Recordkeeping Burden:

The estimated reporting and recordkeeping burden by type of process and report is as follows:

JRR Comment: At the end of this document I have included a chart that visualizes the different estimated time burdens for the twelve (12) combinations of SAR filings: Original versus Continuing Activity; DI versus Non-DI; standard content versus extended content; and batch- versus discrete-filing.

Estimated Total Annual Reporting and Recordkeeping Burden:

The total estimated reporting and recordkeeping burden and cost per type of process and type of report are as follows. As detailed in Table 22 below, the total estimated recordkeeping and reporting annual PRA burden for the case review and SAR filing process of the seven OMB control numbers covered by this notice is 5,462,026 hours, for a total cost of $206,422,989.

JRR Comment: FinCEN estimates that the total cost of the SAR filing process (or at least the last three of the six stages of the SAR filing process) is $206,422,989. The Bank Policy Institute survey of 19 large banks found that 14 of those banks (that responded to the survey questions on costs) reported that they spent, on aggregate, $2,400,000,000 on AML and CFT (Countering the Financing of Terrorism) compliance. FinCEN’s estimates for 12,148 SAR filers have captured less than 10% of what 14 large banks have reported in a private survey. There is some work to be done to reconcile these numbers. FinCEN acknowledges that there is work still to be done: and I acknowledge and applaud the work that FinCEN has done to date.

The distribution of the total estimated annual PRA burden and cost, by type of financial institution and SAR (original or continuing), and by SAR production process stage is as follows:[29]

FinCEN acknowledges that some of the partial estimates may over- or under-state the burden and cost of some of the stages of the SAR production process covered by this notice, due to generalization and lack of more detailed information. FinCEN wishes to emphasize that the total burden presented in Table 22 is spread across a number of different SAR reporting requirements involving different types of financial institutions. Indeed, in the case of depository institutions, both FinCEN and the Federal banking agencies have regulations requiring SAR reporting.[30] However, only one SAR form is filed in satisfaction of the rules of both FinCEN and the Federal banking agencies. FinCEN has historically never attempted to allocate the burden between agencies for SARs required by the rules of more than one agency. FinCEN intends to conduct more granular studies of the filing population in the near future, to arrive at more realistic estimates that take into consideration a more specific breakdown of the SAR production process, including estimating the burden to financial institutions of Stages 1 to 3, which may include the inter-agency burden allocation referred to above. The data obtained in these studies may result in a significant variation of the estimated total annual PRA burden.

An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the collection of information displays a valid OMB control number. Records required to be retained under the BSA must be retained for five years.

Part 3. Request for Comments

JRR Comment: This is the most important part of the notice. FinCEN has six specific requests for comments, and also invites general comments. Financial institutions must take this opportunity to provide FinCEN with actual data and information: anecdotes that “the SAR regime costs too much and doesn’t produce tangible, direct benefits to financial institutions” must be replaced with data-driven information. Only then can better collective, public/private sector decisions be made.

a. Specific Requests for Comments:

Comments submitted in response to this notice will be summarized and/or included in the request for OMB approval. All comments will become a matter of public record. Comments are invited on the calculation of the total PRA burden of filing the SAR, under the current regulatory requirements. Specifically, comments are invited on the following issues:

1. FinCEN has based the estimates contained in this notice on the actual SARs filed in 2019. We have restricted the analysis to features we could measure and statements we were able to support with data extracted from the 2019 filers and submissions, using limited external data for estimates of parameters such as labor costs and conversion rates for alerts into filed SARs. FinCEN is not able to factor in its estimate of the PRA burden the burden of portions of the process for which FinCEN lacks information in filed reports or reliable existing studies. All requests for comments ask the public to suggest other factors that may affect the burden and cost of SAR reporting. Suggested factors that FinCEN could quantify by analyzing the contents of the BSA database, or by referring to statistical information publicly available, and without conducting a formal survey of the reporting financial institutions would be especially appreciated.

JRR Comment: FinCEN is looking for data and information that comes from (i) the BSA Database (accessible on FinCEN’s website) and (ii) other publicly available, reliable sources. FinCEN does not seem interested in survey-based information, such as the BPI survey that FinCEN has, in fact, relied on for this notice.

2. FinCEN proposes to expand the annual PRA burden estimate to cover three stages of the SAR production process: (a) the review of cases based on monitoring alerts considered true positives; (b) the documentation of the decision not to turn a case into a SAR; and (c) the SAR filing process. A sample conversion rate of cases that lead to SARs for depository institutions was used to calculate how many total cases at all financial institutions would have to be evaluated to produce the total number of original SARs filed in 2019. FinCEN invites comments on the characterization of these three stages, the general case conversion rate utilized, and the existence of other generally available research documents that may show different case conversion rates for different financial institution types.

JRR Comment: This is the critical issue. FinCEN is inviting financial institutions (and their trade associations and other interested parties) to provide comments, supported by data, on the first three stages of the SAR process that are not currently included in the PRA burden and cost estimate. Those three stages are: (1) maintaining a monitoring system; (2) reviewing alerts; and (3) transforming alerts into cases.

3. FinCEN estimates that, in general, the cost of labor involved in the three stages of the SAR production process covered by this notice will depend on the level of involvement in each stage of at least four different types of labor within the organization (general supervision, direct supervision, clerical work for evaluation, and clerical work for recordkeeping). Is this a reasonable identification of the roles involved in the SAR process? Has FinCEN calculated labor costs reasonably? Within the calculations of PRA burden, has FinCEN reasonably estimated the involvement of the different kinds of labor identified?

JRR Comment: FinCEN is also seeking comments on the four types of people, or positions, in the SAR filing process, their costs (salaries and benefits), and the relative time each spends on the five types of SARs across the six stages of the SAR filing process. The data in the Bureau of Labor Statistics materials cited by FinCEN should be analyzed and compared against what FinCEN has used. See my comments above: hourly rates of $15 to $60 per hour for all participants in the SAR process appear to be materially low.

4. FinCEN arrived at estimates for (i) the hour burden of the review of all cases based on true positive alerts, and (ii) the decision not to file SARs based on the proportion of the cases that were not converted into original SARs. In general and on average, are these estimates reasonable?

JRR Comment: As indicated, this is really two issues that FinCEN is seeking comments on. One could argue that any estimate made in good faith is, in general and on average, reasonable. But I believe FinCEN is looking for something to support a higher standard than generally, on average, reasonable. It is incumbent on financial institutions to provide FinCEN with data and information to support a higher standard.

5. FinCEN segmented the universe of SAR filings into several different categories for purposes of estimating SAR complexity: (a) continuing SARs; (b) original SARs with standard content filed by non-depository institutions; (c) original SARs with extended content filed by non-depository institutions; (d) original SARs with standard content filed by depository institutions; and (e) original SARs with extended content filed by depository institutions. For each of these categories, FinCEN adjusted the estimated SAR filing burden depending on the filing method (batch or discrete). Is this segmentation reasonable? Are there other categories of SARs which FinCEN could quantify by analyzing the contents of the BSA database and without conducting a formal survey of the reporting financial institutions?

JRR Comment: Money Services Businesses (MSBs) were bucketed into the “non-depository institution” category along with the securities/futures industries’ institutions, casinos, card clubs, housing agencies, insurance companies, loan companies, and the “undetermined”. Given that 33% of all SARs were filed by MSBs, it may be better to have three categories: Depository Institutions, MSBs, and Other Non-Depository Institutions.

6. Are the other assumptions FinCEN made to calculate the burden associated with filing the different categories of SARs reasonable, such as the number of minutes required for each category of report?

b. General Request for Comments:

Comments submitted in response to this notice will be summarized and/or included in the request for OMB approval. All comments will become a matter of public record. Comments are invited on: (1) whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (2) the accuracy of the agency’s estimate of the burden of the collection of information; (3) ways to enhance the quality, utility, and clarity of the information to be collected; (4) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology; and (5) estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

Summary of the total time to prepare, file, and record a SAR: FinCEN PRA burden and cost estimate


[1] Section 358 of the USA PATRIOT Act added language expanding the scope of the BSA to intelligence or counter-intelligence activities to protect against international terrorism.

[2] Treasury Order 180-01 (re-affirmed January 14, 2020).

[3] FinCEN’s System of Records Notice for the BSA Reports System was most recently published at 79 FR 20969 (April 14, 2014).

[4] Public Law 104-13, 44 U.S.C. 3506(c)(2)(A).

[5] The SAR regulatory reporting requirements are currently covered under the following OMB control numbers: 1506-0001 (31 CFR 1020.320 – Reports by banks of suspicious transactions); 1506-0006 (31 CFR 1021.320 – Reports by casinos of suspicious transactions); 1506-0015 (31 CFR 1022.320 – Reports by money services businesses of suspicious transactions); 1506-0019 (31 CFR 1023.320 – Reports by brokers or dealers in securities of suspicious transactions, 31 CFR 1024.320 – Reports by mutual funds of suspicious transactions, and 31 CFR 1026.320 – Reports by futures commission merchants and introducing brokers in commodities of suspicious transactions); 1506-0029 (31 CFR 1025.320 – Reports by insurance companies of suspicious transactions); and 1506-0061 (31 CFR 1029.320 – Reports by loan or finance companies of suspicious transactions). The PRA does not apply to reports by one government entity to another government entity. For that reason, there is no OMB control number associated with 31 CFR 1030.320 – Reports of suspicious transactions by housing government sponsored enterprises. OMB control number 1506-0065 applies to FinCEN Report 111 – SAR.

[6] One hour of burden is estimated under each of the following OMB control numbers: 1506-0001, 1506-0006, 1506-0015, 1506-0019, 1506-0029, and 1506-0061.

[7] See Table 1 below for a breakdown of the types of financial institutions that filed SARs in 2019. Note that all banks, casinos and card clubs, money services businesses, brokers or dealers in securities, mutual funds, providers of covered insurance products, futures commission merchants and introducing brokers in commodities, loan or finance companies, and housing government sponsored enterprises are required to comply with the SAR regulatory requirements; however, not all financial institutions identify suspicious activity that would warrant a SAR filing. See 31 CFR 1020.320 (banks), 31 CFR 1021.320 (casinos and card clubs), 31 CFR 1022.320 (money services businesses), 31 CFR 1023.320 (brokers or dealers in securities), 31 CFR 1024.320 (mutual funds), 31 CFR 1025.320 (insurance companies), 31 CFR 1026.320 (futures commission merchants and introducing brokers in commodities), 31 CFR 1029.320 (loan or finance companies), and 31 CFR 1030.320 (housing government sponsored enterprises).

[8] Despite the expanded scope, FinCEN has not presented in this notice an estimate of the entire burden that is associated with SAR filings because, as described further in Part 2, FinCEN lacks the granular data to estimate the costs of certain steps in that process.

[9] Numbers are based on actual 2019 filings as reported to the BSA E-Filing System, as of 12/31/2019. Assumptions and estimates are also based on actual 2019 SAR filings.

[10] An original (or initial) report is the first SAR filed on suspicious activity no later than 30 days after the date of initial detection by the filer. (See e.g., 31 CFR 1020.320(a)(3)). A continuing SAR must be filed on suspicious activity that continues after an initial SAR is filed. Continuing reports must be filed on successive 90-day review periods until the suspicious activity ceases, but may be filed more frequently if circumstances warrant. For more information on continuing reports, see page 142 of the FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Requirements – XML Schema 2.0. https://bsaefiling.fincen.treas.gov/docs/XMLUserGuide_FinCENSAR.pdf

[11] In Table 1, the category “Securities/Futures” includes brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. The category “Undetermined” includes filers with missing, incomplete, or contradictory information about the type of financial institution to which they belong.

[12] In batch filing, a filer submits a single electronic file containing several reports. In discrete filing, the filer fills in an electronic report individually, using a data entry screen that FinCEN provides. While exceptions apply, batch filing is generally used by large-volume filers that have automated the filing process, while discrete filing is generally employed by filers that submit fewer reports per year and rely more on manual data entry methods.

[13] The category “Other” in Table 2 includes securities and futures, housing government sponsored enterprises, providers of covered insurance products, and filers for which the type of financial institution was still being determined at the moment of publication of this notice, as defined above. We adopt the same criteria for the rest of the tables contained in the notice, such as in Tables 4A, 4B, and 5 below.

[14] The percentage of filers contained in each tranche, and the percentage of reports submitted by those filers, are contained in the fields “pct_filers” and “pct_forms”, respectively. The cumulative percentage of filers contained in all tranches up to and including the current one, and the cumulative percentage of reports submitted by such filers, are shown in the fields “cumm_pct_filers” and “cumm_pct_forms”, respectively.

[15] FinCEN Report 111 – SAR contains checkboxes that allow filers to identify a variety of suspicious activities, such as structuring, terrorist financing, fraud, money laundering, and a cyber-event. FinCEN Report 111 – SAR has 18 categories of suspicious activities.

[16] Some filers attach a supplemental file to the report that in general contains a list of individual transactions that raised the alert about a potential suspicious transaction. The length of the narrative is sometimes impacted by whether the filer submits an attachment to the report listing these transactions, or uses the narrative section of the report to include such a list.

[17] The number of suspicious activities identified in each report represents the number of check boxes selected by the filer.

[18] By “in general,” FinCEN is speaking without regard to outliers (e.g., reports exhibiting features that are uncommonly higher or lower than those of the population at large), or that apply to a very narrow type of filer or type of transaction. By “on average,” FinCEN means the mean of the distribution of each subset of the population (although FinCEN uses median labor cost data to calculate weighted hourly worker compensation allocated to each PRA burden hour in Table 6 below).

[19] FinCEN acknowledges that the description of the SAR production process in this notice seems to imply that the process is always linear, with each stage following the previous one. While this situation may reflect a large proportion of the cases reviewed and SARs filed, certain situations will require the filer to return to an earlier stage (such as requiring additional information from the case managers, or drafting several versions of a narrative). The breakdown of the SAR production process in a discrete number of linear stages is intended as a conceptual framework to guide FinCEN’s estimates of the different levels of PRA burden. Such framework does not involve or imply any modification to, or new interpretation of the actual rule text of BSA regulations. The details provided in each stage of the framework serve only as a list of the features FinCEN did or did not consider when estimating the PRA burden of such stage. While FinCEN believes the tasks described in the framework represent the work generally required to produce a SAR, there is no obligation for a financial institution to adopt either formally or informally a process such as the one presented by the framework.

[20] FinCEN recognizes that filers may use the monitoring system to comply with additional BSA and non-BSA regulatory requirements, as well as for other business purposes such as protecting against reputational risks of money laundering and fraud against the filer or the filer’s customers.

[21] See U.S. Bureau of Labor Statistics, Occupational Employment Statistics-National, May 2019, available at https://www.bls.gov/oes/tables.htm . The most recent data from the BLS corresponds to May 2019. For the benefits component of total compensation, see U.S. Bureau of Labor Statistics, Employer’s Cost per Employee Compensation as of December 2019, available at https://www.bls.gov/news.release/ecec.nr0.htm . The ratio between benefits and wages for financial activities, credit intermediation and related activities is $15.80 (hourly benefits)/$31.45 (hourly wages) = 0.502. The benefit factor is 1 plus the benefit/wages ratio, or 1.502. Multiplying each hourly wage by the benefit factor produces the fully-loaded hourly wage per position.

[22] ‘Getting to Effectiveness – Report on U.S. Financial Institution Resources Devoted to BSA/AML and Sanctions Compliance’, Bank Policy Institute, October 29, 2018, available at https://bpi.com/wp-content/uploads/2018/10/BPI-AML-Sanctions-Study-vF.pdf . See pages 5-7.

[23] The average conversion rate represents the percentage of the total number of cases that, after receiving further review and consideration, warranted the filing of a SAR.

[24] Ibid. The BPI Paper identifies several provisos regarding the correlation among the different metrics (such as the number of alerts related to AML issues only, while the number of SARs filed included both fraud and AML-related transactions). FinCEN considers that these qualifications do not affect the rationale of applying the bank conversion rate of cases into SARs to the full filer population.

[25] The number of original SARs submitted in 2019 (2,335,559) divided by the 42% conversion rate.

[26] FinCEN acknowledges that this estimate simplifies the conversion, stipulating that one case will generate or fail to generate one SAR, when in practice several cases may be reported in a single SAR. It is also possible, while not very probable, that a single case may require the filing of more than one simultaneous SAR.

[27] FinCEN’s assumption is that the clerical work involved in the case review stage would include general administrative and coordination responsibilities, such as the maintaining of agendas, documentation of minutes, assembly of files to be presented to the appropriate authority (for example, a filer’s SAR Committee), and the summarization of the reasons not to file.

[28] FinCEN’s estimate of the traditional average burden hours involved in the SAR filing process was 2 hours for SARs filed individually (60 minutes attributed to reporting, and 60 minutes attributed to recordkeeping), and 2.5 hours per SAR for joint filings (90 minutes attributed to reporting, and 60 minutes attributed to recordkeeping). Joint filings are a single SAR filed by two or more separate financial institutions. This type of filing constitutes less than 1% of total filings.

[29] FinCEN obtained the breakdown by applying the percentages of continuing and original SARs by type of financial institution listed in Table 1, to the burden and cost estimates contained in Tables 8A, 8B, 10, and 13 to 20. Financial institutions the type of which is “undetermined” are included in the “Other nondepository” category in Tables 23 and 24.

[30] See 12 CFR 208.62, 211.5(k), 211.24(f), and 225.4(f) (Federal Reserve Board); 12 CFR 353.3 (Federal Deposit Insurance Corporation); 12 CFR 748.1(c) (National Credit Union Administration); 12 CFR 21.11 and 12 CFR 163.180 (Office of the Comptroller of Currency); and 31 CFR Chapter X (FinCEN).

FinCEN Director Ken Blanco is Crystal Clear on Virtual Currency Risks & Requirements

FinCEN Director Kenneth A. Blanco delivered Prepared Remarks at the Consensus Blockchain Conference on May 13, 2020. They are available at Prepared Remarks and reproduced in full below.

Borrowing a page from Federal Reserve Chairman Jerome Powell, Director Blanco’s remarks are a clear tell-it-like-it-is message to the virtual assets/blockchain community.[1]

It is a refreshing change from many senior people in the public and private sectors who, coached by consultants and tamed by lawyers, are unwilling or unable to provide clear and concise guidance. Director Blanco’s remarks were clear and concise. Well done!

Below is the text of Director Blanco’s prepared remarks. My comments appear in blue italics.

Text of Director Blanco’s Prepared Remarks, Consensus Blockchain Conference (Virtual)


Good morning, everyone.  Thank you so much for that very kind introduction.

It is great to be with you today, a bit ironic, via this virtual technology to discuss FinCEN, its mission, and how we—government and the virtual currency industry (all of you)—can work together to shape the virtual currency environment to combat criminal exploitation of this space, including the tech industry, to better ensure our national security and protect our financial system, our communities, and our families from harm.

This is truer today than ever before given the global situation we now find ourselves in—the need for our collaboration is clear and undeniable.

Joining this conference today are many financial institutions, including virtual currency service providers.  As I have said many times before, you are the backbone of the financial system and are on the front lines of the anti-money laundering (AML) and countering the financing of terrorism (CFT) framework—protecting people from harm.  I also know that many of FinCEN’s government partners are joining today too, experts and key leaders from the Department of Justice and other law enforcement agencies, fellow regulators, and many other government partners with whom we work on a daily basis to protect people from harm.

JRR Comment – I applaud Director Blanco’s statement that the front line of the AML/CFT regime is protecting people from harm (“the front lines of the anti-money laundering (AML) and countering the financing of terrorism (CFT) framework—protecting people from harm”). The front lines, or main focus, of an AML/CFT regime has to be on protecting people from harm, and that is done by providing timely, actionable intelligence to law enforcement. The focus of financial institutions’ BSA, AML, and CFT programs must be on providing timely, actionable intelligence to law enforcement, and prudential regulators must examine and judge those programs solely on that basis … and not on whether they are complying with the technical requirements of documenting compliance with regulatory requirements for BSA/AML compliance programs.

Both the public and private sectors are critical to combating exploitation of virtual currency, and when working together, our national security and citizens are safer.  There is no substitute for the private sector’s visibility into and ability to prevent criminal exploitation of virtual currency products and platforms—particularly those of you who are organizing, developing, and administering these products and platforms.  Our work together plays a significant role not just in advancing financial transparency, inclusion, and the development of the future of payment systems, but also in identifying, tracking, and stopping criminals including terrorists and other bad actors from harming others, particularly the most vulnerable.  It is our shared responsibility to ensure that this technology does not get hijacked by criminals and bad actors—we cannot let innovation become the conduit for crime, hate, and harm—it is a national security issue.

As many of you know, FinCEN plays two roles in the U.S. national security apparatus:

First:  FinCEN is the primary regulator and the administrator of the Bank Secrecy Act, or BSA, part of the comprehensive legal architecture in the fight against money laundering and its related crimes, and terrorism and its financing.  FinCEN, through its administration of the BSA, is a global leader in both regulating convertible virtual currency activity and taking action against its illicit use.

Second:  FinCEN is the Financial Intelligence Unit, or FIU, of the United States—the world’s largest and most powerful economy.

Today, I would like to share with you some of our recent work in the virtual currency space and use my brief time today to clarify a few misconceptions.

I will address three things:

  1. FinCEN’s efforts to provide guidance and combat money laundering and its related crimes, and terrorism and its financing, involving virtual currency related to the COVID-19 pandemic;
  2. The Travel Rule and trends FinCEN is seeing with respect to compliance; and
  3. Opportunities for collaboration in the fight against the illicit use of virtual currencies and key challenges.


These are, without a doubt, unprecedented times.  The last few months have had a profound effect on the world as we know it or knew it, including in the area of illicit finance threats and related crimes.  With businesses and individuals in our country and across the globe facing new and challenging circumstances, along with the rollout of major new Federal, State, local, and foreign government initiatives to combat the COVID-19 pandemic and its economic consequences, the entire AML community has been adapting in real time.

Over the last couple of months, FinCEN has pursued several important public-facing and strategic lines of effort relevant to your institutions:

  • First, AML Resources:  FinCEN has issued two Notices—one on March 16 and another on April 3 of this year—to financial institutions advising them to stay alert for malicious or fraudulent transactions, with examples of similar indicators that we have seen in the wake of natural disasters.  These Notices also provide financial institutions with information regarding AML operations during the COVID-19 pandemic and a direct contact mechanism for urgent COVID-19-related issues.  Please reach out to us proactively if you anticipate challenges fulfilling your BSA reporting obligations due to the pandemic.
  • Second, Criminal Typologies and Investigative Support:  FinCEN is also continuously monitoring criminal activity exploiting the current pandemic.  We are supporting law enforcement investigations into COVID-19-related cybercrime, scams, and fraud.  FinCEN also plans to publish multiple advisories highlighting common typologies used in the pervasive fraud, theft, and money laundering activities related to the pandemic to better help the financial sector detect and report this activity.  The mission for all of us in the financial space is to get badly needed funds to the intended recipients who need it—some for their financial survival—not to exploitive criminals and fraudsters.


I want to spend a few moments covering various forms of cybercrime that criminals continue to pursue and adapt during the pandemic.  FinCEN has observed that cybercriminals predominantly launder their proceeds and purchase the tools to conduct their malicious activities via virtual currency.  Your institutions have the opportunity, and obligation, to help identify these illicit criminal networks in your suspicious activity reporting to FinCEN, so that FinCEN can aggregate and analyze this information to identify red flags, permitting industry to spot risks.

JRR Comment: Director Blanco couldn’t be clearer: “FinCEN has observed that cybercriminals predominantly launder their proceeds and purchase the tools to conduct their malicious activities via virtual currency.”

To be clear, this obligation goes much deeper than to FinCEN or the law or to regulations—it is an obligation to others, your families, your loved ones, your friends, your neighbors, and fellow citizens who are victims or potential victims of these crimes.  During this time of crisis where our people could be more at risk and more vulnerable than ever, we, all of us, have a duty and  responsibility to use our abilities, tools, and talents to protect others and ensure the stability of this ecosystem that we are creating and that depends on trust.

Here is some of what we are seeing:

  • COVID-19 as Lure:  FinCEN and U.S. law enforcement have seen reports of cybercriminals leveraging COVID-19 themes as lures, often targeting vulnerable individuals and companies that seek healthcare information and products or are contributing to relief efforts.  This type of cybercrime in the COVID-19 environment is especially despicable, because these criminals leverage altered business operations, decreased mobility, and increased anxiety to prey on those seeking critical healthcare information and supplies, including the elderly and infirm.
  • Adapting to Opportunities:  Because of increased remote work by many companies and government institutions worldwide, many distinct threat vectors, risk considerations, and mitigation strategies are being used by criminals and bad actors.  FinCEN is aware that cybercriminals are targeting vulnerabilities in remote applications—including virtual private networks and remote desktop protocol exploits—to steal sensitive information and compromise transactions.  Whether with COVID-19 lures or not, cybercriminals and malicious state actors are using wide-scale phishing campaigns, malware, extortion, business email compromise, and other exploits against remote platforms to steal credentials, conduct fraud, and spread disinformation.
  • Scams:  Many prevalent scams involving virtual currency payments exploit COVID-19, from extortion, ransomware, and the sale of fraudulent medical products, to initial coin offering investment scams, which will likely continue to grow during the pandemic.
  • Undermining Due Diligence:  Criminals are also working to undermine “know your customer” processes in the remote environment.  Virtual currency businesses should remain vigilant against attacks targeting their onboarding and authentication processes, for example “deepfakes” manipulating digital images and account takeovers facilitated by credential stuffing attacks.  Financial institutions should consider the risks of the current environment in their business processes, and the appropriate level of assurance needed for digital identity solutions to mitigate criminal exploitation of your products and platforms.  Even financial institutions that typically manage their lines of business remotely, such as some virtual currency exchangers, may find themselves more exposed given the changing threat environment.

JRR Comment – Director Blanco has set this out in a way that makes it easy to understand and manage through the COVID-19 pandemic: lures, opportunities, scams, and fakes.


I now want to turn to another major topic, and the primary theme of today’s discussions, the Travel Rule.  The United States has long maintained an expectation that financial institutions identify counterparties involved in transactions for a variety of purposes, including AML/CFT and sanctions, even for transactions in virtual currency.  Any asset that allows the instant, anonymized transmission of value around the world with no diligence or recordkeeping is a magnet for criminals, including terrorists, money launderers, rogue states, and sanctions evaders.

As a result, we applaud steps taken by the Financial Action Task Force (FATF) last June to establish a consistent approach to the position we have taken when it adopted, as an International Standard, Interpretive Note to FATF Recommendation 15, which included, among other things, FATF’s interpretation that countries should apply FATF Recommendation 16’s Travel Rule to virtual asset service providers such as virtual currency exchanges.

We are encouraged that so many creative solutions are being developed by industry to address these Travel Rule obligations.

In particular, FinCEN is optimistic about the growth of various cross-sector organizations and working groups focusing on developing international standards and solutions addressing the Travel Rule.  I know those efforts involve many of you here today.  FinCEN will continue to monitor your developments, whether as observers in working groups, learning about your efforts in forums like this, or meeting with you under the FinCEN Innovation Hours Program, where fintech and regtech companies present to FinCEN new and innovative products and services for potential use in the financial sector.

While we are glad to see the increased emphasis on compliance, I must emphasize again that the United States has maintained this expectation to understand who is on the other side of a transaction for years.

JRR Comment – Director Blanco could have been more specific than “the United States has long maintained an expectation that financial institutions identify counterparties involved in transactions for a variety of purposes, including AML/CFT and sanctions, even for transactions in virtual currency” or “the United States has maintained this expectation to understand who is on the other side of a transaction for years.” The Travel Rule has been part of the BSA/AML regime for more than 20 years; and virtual currency exchanges and administrators have been subject to the BSA/AML regime since at least 2013.

As I mentioned at the Chainalysis conference in November, recordkeeping violations are the most commonly cited violation by our delegated Internal Revenue Service (IRS) examiners against money services businesses (MSBs) engaged in virtual currency transmission.

JRR Comment – Director Blanco was clear in remarks he made at a November 2019 Chainalysis Blockchain Symposium, where he said the travel rule “applies to CVC, and we expect you to comply, period.” And Coinbase reported at that same symposium that Director Blanco said “you can’t build a car that only goes 150 miles per hour and ask us to change the speed limit. That’s not happening. Build your car to meet the requirements.”

We have also previously highlighted our confidence that industry can absolutely carry out this requirement.  We know technologies exist to support compliance with all recordkeeping obligations.  Most challenges we see across the sector relate to governance and process rather than technologies, and many solutions in both governance and technology models could ultimately comply.  FinCEN takes a technology neutral approach and we encourage the virtual currency sector to continue collaborative efforts to develop and implement these solutions and to keep FinCEN apprised of their progress, including by considering participating in FinCEN’s Innovation Hours Program.


Finally, I would like to briefly highlight some of our key opportunities for collaboration in combating illicit virtual currency use and the top remaining challenges we see, which hopefully those of you here today can help address.

Our partnerships across regulators, supervisors, law enforcement, and industry are the cornerstone of our efforts to disrupt the illicit use of virtual currency and illicit cyber activity.  FinCEN has worked alongside law enforcement initiatives like the National Cyber Investigative Joint Task Force (NCIJTF) and the Joint Criminal Opioid Darknet Enforcement (J-CODE) to investigate criminal networks exploiting virtual currency for the purchase of fentanyl, narcotics, cybercrime tools, and child pornography on darknet marketplaces.  We also work with international partners bilaterally or through multilateral forums like the Egmont Group of 164 FIUs, the Heads of FATF FIUs Symposium, of which we are a founding and leading member, and separately with FATF itself, with Europol, and with our FVEY partners as well, to enhance international capacity to investigate and prosecute criminals using virtual currencies for illicit purposes.

And of course, our partnerships with industry are paramount in the virtual currency space.  FinCEN has provided priority information on typologies of illicit virtual currency use to financial institutions through our advisory and FinCEN Exchange programs.  FinCEN is also sharing cyber indicators of compromise to help the financial sector detect, report, and defend against cyber activity that may be connected with illicit financial activity.

JRR Comment – Director Blanco is spot on with his comments. Effective Public/Private sector Partnerships, or PPPs, are the only way to combat AML and CFT, whether in the crypto space or fiat space.

The information we are able to share with industry is built on top of high quality information we receive in BSA reporting.

Since 2013, FinCEN has received nearly 70,000 Suspicious Activity Reports (SARs) involving virtual currency exploitation.  Just over half of these reports come from virtual currency industry filers, likely many of you participating today.  We also get valuable reporting from more traditional financial institutions that also have a unique window into illicit financial flows involving virtual currency, such as banks that may see ransomware payments made by customers or MSBs that see funds transfers derived from account takeovers.

This reporting is incredibly valuable to FinCEN and law enforcement, especially when you include technical indicators associated with the illicit activity, such as Internet Protocol (IP) addresses, malware hashes, malicious domains, and virtual currency addresses associated with ransomware or other illicit transactions.

JRR Comment – I would encourage Director Blanco to provide more information on the trends and patterns. There were 70,000 SARs filed: how many of those provided tactical or strategic value to law enforcement (I have called these TSV, or Tactical or Strategic Value, SARs)? Reporting financial institutions tune and enhance their monitoring and surveillance systems using an Alert-to-SAR analysis: the tuning and enhancing of those systems would be more effective, and the institutions more efficient, if they were able to use an Alert-to-TSV SAR analysis. Only the public sector can provide TSV information.

However, there remain significant issues that concern us in the virtual currency space.  Many of these are issues some of you may have heard me address before:

  • Risks associated with anonymity-enhanced cryptocurrencies, or AECs, remain unmitigated across many virtual currency financial institutions.  We expect each financial institution to have appropriate controls in place based on the products or services it offers, consistent with the obligation to maintain a risk-based AML program.  This means we are taking a close look at the AML/CFT controls you put on the types of virtual currency you offer—whether it be Monero, Zcash, Bitcoin, Grin, or something else—and you should too.  To be sure, FinCEN and our delegated examiners at the IRS are focused on this.

JRR Comment – I agree with Director Blanco that anonymity-enhanced cryptocurrencies are a key risk. Just as anonymity-enhanced legal entities are a key risk: lack of a federal standard that legal entities disclose their beneficial ownership, and provide that information to a publicly-available central registry, remains the biggest risk facing the American AML/CFT regime. 

  • We are also increasingly concerned that businesses located outside the United States continue to try to do business with U.S. persons without complying with our rules.  These include registering, maintaining a risk-based AML program, and reporting suspicious activity, among other requirements.  If you want access to the U.S. financial system and the U.S. market, you must abide by the rules.  We are serious about enforcing our regulations, including against foreign businesses operating in the United States as unregistered MSBs.  We take this very seriously and encourage you to include detailed information about such businesses in your SAR filings when you identify suspicious activity.  If you are going to avail yourself of the U.S. financial system from abroad, you cannot do so without engaging in the financial integrity practices that make this financial system so powerful, stable, trusted, and desirable.


As I conclude, I want to thank you all again for giving me this time today.  FinCEN is committed to enhancing our capabilities and understanding of virtual currencies and to encouraging and fostering responsible innovation.  We look forward to continuing our efforts with all of you in this regard.

Thank you.

JRR Conclusion – In an article I wrote and posted on July 11, 2019 – see RegTech Consulting Article July 11, 2019 – I wrote that “I have followed four Federal Reserve chairs (Greenspan, Bernanke, Yellen, and Powell), and have found that Chairman Powell is the only one of the four that I could consistently understand! In fact, Alan Greenspan’s infamous line – ‘Since becoming a central banker, I have learned to mumble with great incoherence. If I seem unduly clear to you, you must have misunderstood what I said’ – seems to have been the modus operandi of his successors, also … except for Chairman Powell.”

FinCEN Director Ken Blanco is another public official who is not only easy to understand, he makes it crystal clear what he and FinCEN expect of financial institutions when it comes to their AML/CFT obligations. It is refreshing, courageous, and essential as we all fight through the global pandemic of 2020 and try to emerge on the other side better and stronger. 

FOOTNOTE [1] On July 10, 2019, Federal Reserve Chairman Jerome Powell appeared before the House Financial Services Committee for his semi-annual report to Congress. Ranking Member McHenry’s opening statement included that Chairman Powell’s “candor is welcome and encouraged, and we thank you for attempting to speak like a normal human being …”.

The CARES Act and the Paycheck Protection Program – We Know A Surge of Fraud is Coming, Let’s Prevent it Now

SBA’s disaster loan programs suffer increased vulnerability to fraud and unnecessary losses when loan transactions are expedited to provide quick relief and sufficient controls are not in place. The expected increase in loan volume and amounts, and expedited processing timeframes will place additional stress on existing controls. – SBA Inspector General White Paper, “Risk Awareness and Lessons Learned from Audits and Inspections of Economic Injury Disaster Loans and Other Disaster Lending”. April 3, 2020

This article has been updated from its original publication date of April 6, 2020.

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law by the President on March 27, 2020. It is a stunning piece of legislation meant to support our first responders and medical personnel treating those that are stricken, and to provide emergency economic relief to individuals, small businesses, and even large corporations that have been so adversely impacted by the pandemic.

The ink was barely dry on the CARES Act (enacted March 27th), which created the $349 billion Small Business Administration’s Paycheck Protection Program loan program, when the Interim Final Rules were published on various government websites (April 3rd, with publication in the Federal Register scheduled for April 15th). Those PPP loans will be doled out by qualified lenders to qualified Applicants, in increments of up to $10 million per Applicant based on the Applicant’s monthly payroll (essentially 2.5 times the monthly payroll, with some exceptions and limitations), with a limit of one PPP loan per Applicant. Those loans will bear interest at 1% per year, with interest and principal payments deferred for six months and – here’s the best part – the Government will forgive “qualifying” loans.

As soon as the program launched, two things happened. First, thousands of new lenders applied to be PPP lenders – from a pre-PPP total of about 1,800 qualified lenders to over 4,000 qualified lenders in a matter of days. Second, many of the qualified lenders were inundated with applications. One of the lenders, Wells Fargo, publicly stated that it had maxed out its funding capacity ($10 billion) to lend under this new PPP loan program: Wells Fargo was only able to extend its participation after the Federal Reserve relaxed some terms of an asset cap order it had imposed back in February 2020. Bank of America reported that it received 177,000 applications in the first two days seeking $32.6 billion in PPP loans. One week into the program, the SBA apparently had “approved” (more on that later) over 660,000 applications from 4,300 qualified lenders for loans of more than $168 billion. And yet the rules are not yet fully understood, and new guidance is coming out daily.

In 2006 I wrote about the dilemma facing BSA/AML programs:

We’ll be judged tomorrow on what we’re doing today, under standards and expectations that haven’t yet been set, based on best practices that haven’t been shared.

This lament has never been more applicable than it is today with these SBA PPP loans and the BSA obligations that follow.

As I read the Interim Final Rules – the 13 CFR Part 120 IFRs around eligibility generally as well as the 13 CFR Part 121 IFRs around affiliates and the common management standard – it LOOKS like lenders can rely on the documents submitted and certifications given by the borrower and its authorized representative in order to determine eligibility of the borrower, use of the loan proceeds, loan amount, and eligibility for forgiveness … but lenders “must comply with the applicable lender obligations set forth in this interim final rule”.

Here is some of the guidance set out in the Interim Final Rule:

At page 5: “SBA will allow lenders to rely on certifications of the borrower in order to determine eligibility of the borrower and use of loan proceeds and to rely on specified documents provided by the borrower to determine qualifying loan amount and eligibility for loan forgiveness. Lenders must comply with the applicable lender obligations set forth in this interim final rule, but will be held harmless for borrowers’ failure to comply with program criteria; remedies for borrower violations or fraud are separately addressed in this interim final rule.”

That is positive. The Interim Final Rule then poses a question, “What do lenders need to know and do?” then answers it in three sections, each posing a question:

a. Who is eligible to make PPP loans?

b. What do lenders have to do in terms of loan underwriting?

c. Can lenders rely on borrower’s documentation for loan forgiveness?

In response to the second question – what do lenders have to do in terms of loan underwriting – the SBA provides the following answer (at pages 21-23 of the Interim Final Rule):

“Each lender shall:

i. Confirm receipt of borrower certifications contained in Paycheck Protection Program Application form issued by the Administration;

ii. Confirm receipt of information demonstrating that a borrower had employees for whom the borrower paid salaries and payroll taxes on or around February 15, 2020;

iii. Confirm the dollar amount of average monthly payroll costs for the preceding calendar year by reviewing the payroll documentation submitted with the borrower’s application; and

iv. Follow applicable BSA requirements:

I. Federally insured depository institutions and federally insured credit unions should continue to follow their existing BSA protocols when making PPP loans to either new or existing customers who are eligible borrowers under the PPP. PPP loans for existing customers will not require reverification under applicable BSA requirements, unless otherwise indicated by the institution’s risk-based approach to BSA compliance.

II. Entities that are not presently subject to the requirements of the BSA, should, prior to engaging in PPP lending activities, including making PPP loans to either new or existing customers who are eligible borrowers under the PPP, establish an anti-money laundering (AML) compliance program equivalent to that of a comparable federally regulated institution. Depending upon the comparable federally regulated institution, such a program may include a customer identification program (CIP), which includes identifying and verifying their PPP borrowers’ identities (including e.g., date of birth, address, and taxpayer identification number), and, if that PPP borrower is a company, following any applicable beneficial ownership information collection requirements. Alternatively, if available, entities may rely on the CIP of a federally insured depository institution or federally insured credit union with an established CIP as part of its AML program. In either instance, entities should also understand the nature and purpose of their PPP customer relationships to develop customer risk profiles. Such entities will also generally have to identify and report certain suspicious activity to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). If such entities have questions with regard to meeting these requirements, they should contact the FinCEN Regulatory Support Section at FRC@fincen.gov. In addition, FinCEN has created a COVID-19-specific contact channel, via a specific drop-down category, for entities to communicate to FinCEN COVID-19-related concerns while adhering to their BSA obligations. Entities that wish to communicate such COVID-19-related concerns to FinCEN should go to www.FinCEN.gov, click on “Need Assistance,” and select “COVID19” in the subject drop-down list.

Each lender’s underwriting obligation under the PPP is limited to the items above and reviewing the “Paycheck Protection Application Form.” Borrowers must submit such documentation as is necessary to establish eligibility such as payroll processor records, payroll tax filings, or Form 1099-MISC, or income and expenses from a sole proprietorship. For borrowers that do not have any such documentation, the borrower must provide other supporting documentation, such as bank records, sufficient to demonstrate the qualifying payroll amount.

So it looks like the obligations include some detailed BSA-related customer due diligence requirements, citing an April 3rd FinCEN press release on risk-based approaches to BSA.

The new (as of April 2nd) Form 2483 PPP Borrower Application has a lot of detail on 20% or more owners as well as whether entities are “Affiliates” based on the Common Management Standard … so can lenders rely on the borrowers’ certifications contained in these forms absolutely, no matter how patently false or incomplete? Probably not. There must be an implied level of due diligence, as there is with beneficial ownership information.

So it looks like risk-based BSA/AML customer due diligence will trump otherwise willfully blind reliance on patently false certifications, and when the PPP lending storm is over and the tide is out two years from now, the SBA will be holding lenders to account for fraudulent applications, dubious certifications, and sloppy underwriting.

The opportunities for PPP-related fraud are off-the-charts.

Every fraudster on the planet knows that the US Government just created a $350 billion pot of money that needs to be lent out in the next 90 days based on eligibility determined by the “certifications” the borrowers will submit. Even if deliberate fraud (fraudulent or fake borrowers created by professional fraudsters) and opportunity fraud (legitimate small businesses that deliberately “fudge” a few facts in order to qualify for a loan or even inadvertently misstate a few facts) amounts to only 1% of this pot of money, that is $3.5 billion, or enough to pay the promised $1,200 to 3 million Americans.[1]

Even if banks can process hundreds of thousands of PPP loans, can the SBA approve them?

This is a trick question, written to make a point. And that point is that it doesn’t look like the SBA will be “approving” these PPP loans like they did (and continue to do) for “regular” 7(a) loans. In 2019 the Small Business Administration approved a total of just under 59,000 loans totaling about $30 billion. In 2020, through March 20th, the SBA approved 24,745 loans for ~$12.5 billion. The SBA’s last congressional report (Fiscal 2021 Congressional Justification & Fiscal 2019 Performance Report) noted that “The time to process a 7(a) non-delegated loan greater than $350,000 decreased from 15 days to 9 days (40 percent efficiency gain) [from FY 2017] and for loans under $350,000, from 6 to 2 days (67 percent efficiency gain).” So in fiscal 2019, the SBA approved about 46,100 7(a) loans totaling $23.2 billion. Each of those took between 2 and 9 days.

There will be hundreds of thousands of SBA PPP loans written in the next 90 days for as much as $349 billion – over 660,000 loans in the first week for almost $170 billion. But the SBA isn’t approving these; it is simply acknowledging that it received the necessary borrower and lender forms and sending the lender back a Loan Number. With that, the lender then processes, underwrites, and disburses the loan proceeds.

SBA’s E-Tran System Has Been Glitchy … and according to the SBA’s most recent report to Congress, it had 4,191 employees in 2019 but only 3,274 in 2020.

The SBA’s E-Tran system is its electronic loan processing system that allows approved lenders to submit loan information and documentation. Lenders upload the information and documentation and provide a certification (more on that later) and the SBA returns a loan number. With that, the lender has the delegated authority to fund the loan.

And my guess is that the first PPP loans to go to the SBA will be from existing (experienced) lenders lending to their current (experienced) borrowers … to be followed by experienced lenders lending to new (inexperienced) borrowers … to be followed by those new (inexperienced) lenders the SBA is currently approving who will likely lend to new (inexperienced) borrowers. Inexperience + Inexperience = Opportunities for Fraud. So expect the fraudsters to migrate to the inexperienced borrowers.

What will the bank lenders need to do to meet their BSA obligations?

It’s too early to know. The SBA requirements for beneficial owners seem to require 20% or more legal ownership (so up to five persons with legal ownership) and a stunningly complex “control” disclosure requirement set out in 13 CFR Part 121. But, it looks like the SBA is going to allow lenders to rely on the certifications of their borrowers. For SBA purposes. Those lenders still must comply with their BSA requirements.

So the SBA lenders will have information on up to five owners and, perhaps, on some affiliated persons under the SBA’s “common management standard”. The BSA requirements for beneficial owners seem simple in comparison: 25% or more legal ownership (so up to four persons with legal ownership) and a simple “control prong” of one person set out in 31 CFR Part X.

And where SBA expectations or guidance are still to be provided, BSA regulatory expectations have been set with FinCEN’s Ruling (in FIN-2018-R004). That Ruling carves out an exemption from the beneficial ownership rule so that banks – in this case lenders – do not need to re-verify beneficial ownership information for extensions of loans that do not require underwriting review and approval. Based on that Ruling, the exemption does not appear to apply to these PPP loans, as they are, by definition, underwritten. So even though FinCEN’s unofficial press release from April 2nd – it wasn’t formal Guidance or a Ruling – says that PPP loans for existing customers will not require re-verification under applicable BSA requirements, that is qualified by “unless otherwise indicated by the institution’s risk-based approach to BSA compliance.” That risk-based approach should have followed the FIN-2018-R004 Ruling that exempted renewals of loans that didn’t require underwriting.

So where does that leave us? Nobody knows. As Yogi Berra once said,

It’s tough to make predictions, especially about the future.

Three things I will predict with certainty, though. First, we will get new guidance, advisories, press releases, and rulings from the SBA and from multiple agencies that oversee the BSA, probably on a daily basis (as I was writing this, the Federal Reserve issued a press release that it will establish a facility to facilitate lending to small businesses via the Small Business Administration’s Paycheck Protection Program (PPP) by providing term financing backed by PPP loans). Second, fraudsters are going to exploit the Paycheck Protection Program. And third, we’ll manage through this and come out stronger and better for it.

Back in January and early February, we failed to recognize that the then-nascent COVID-19 epidemic raging through Asia would, by mid-February, become a full-blown pandemic that would ravage the planet. Comparing the inevitable fraud that will emerge from the Paycheck Protection Program to the coronavirus pandemic is ridiculous, but we can learn from our pandemic planning and take the steps now to prevent, detect, and mitigate the fraud that will accompany the PPP.

Late Tuesday evening, April 6, the Treasury Department published FAQs on the PPP program (see Treasury PPP FAQs, April 6, 2020). The 18th and last Q/A was the following:

18. Question: Are PPP loans for existing customers considered new accounts for FinCEN Rule CDD purposes? Are lenders required to collect, certify, or verify beneficial ownership information in accordance with the rule requirements for existing customers?

Answer: If the PPP loan is being made to an existing customer and the necessary information was previously verified, you do not need to re-verify the information. Furthermore, if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.

Parsing this answer out, Treasury is giving guidance only on PPP loans for existing customers: existing customers with verified beneficial ownership information, and existing customers without verified beneficial ownership information … unless otherwise indicated by the lender’s BSA policies and procedures. There is nothing about PPP loans for new customers.

What has FinCEN said about the PPP loans? In an April 3rd press release FinCEN wrote:

Compliance with BSA Obligations – Compliance with the Bank Secrecy Act (BSA) remains crucial to protecting our national security by combating money laundering and related crimes, including terrorism and its financing.  FinCEN expects financial institutions to continue following a risk-based approach, and to diligently adhere to their BSA obligations.  FinCEN also appreciates that financial institutions are taking actions to protect employees, their families, and others in response to the COVID-19 pandemic, which has created challenges in meeting certain BSA obligations, including the timing requirements for certain BSA report filings.  FinCEN will continue outreach to regulatory partners and financial institutions to ensure risk-based compliance with the BSA, and FinCEN will issue additional new information as appropriate.

Beneficial Ownership Information Collection Requirements for Existing Customers – One of the primary components of the CARES Act is the Paycheck Protection Program (PPP).  For eligible federally insured depository institutions and federally insured credit unions, PPP loans for existing customers will not require re-verification under applicable BSA requirements, unless otherwise indicated by the institution’s risk-based approach to BSA compliance.

For non-PPP loans, FinCEN reminds financial institutions of FinCEN’s September 7, 2018 ruling (FIN-2018-R004) offering certain exceptive relief to beneficial ownership requirements.  To the extent that renewal, modification, restructuring, or extension for existing legal entity customers falls outside of the scope of that ruling, FinCEN recognizes that a risk-based approach taken by financial institutions may result in reasonable delays in compliance.

FinCEN will continue to assess reasonable risk-based approaches to BSA obligations and will issue further information, as appropriate, particularly as the CARES Act is implemented.

April 13 FAQs Provide More Guidance

The 25th and last question in the April 13 FAQs provides some clearer guidance on the beneficial ownership issue:

25. Question: Does the information lenders are required to collect from PPP applicants regarding every owner who has a 20% or greater ownership stake in the applicant business (i.e., owner name, title, ownership %, TIN, and address) satisfy a lender’s obligation to collect beneficial ownership information (which has a 25% ownership threshold) under the Bank Secrecy Act?

Answer: For lenders with existing customers: With respect to collecting beneficial ownership information for owners holding a 20% or greater ownership interest, if the PPP loan is being made to an existing customer and the lender previously verified the necessary information, the lender does not need to re-verify the information. Furthermore, if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected such beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to Bank Secrecy Act (BSA) compliance.

For lenders with new customers: For new customers, the lender’s collection of the following information from all natural persons with a 20% or greater ownership stake in the applicant business will be deemed to satisfy applicable BSA requirements and FinCEN regulations governing the collection of beneficial ownership information: owner name, title, ownership %, TIN, address, and date of birth. If any ownership interest of 20% or greater in the applicant business belongs to a business or other legal entity, lenders will need to collect appropriate beneficial ownership information for that entity. If you have questions about requirements related to beneficial ownership, go to FinCEN Resources Link. Decisions regarding further verification of beneficial ownership information collected from new customers should be made pursuant to the lender’s risk-based approach to BSA compliance.

So where does that leave us?

According to the SBA’s March 20th weekly update, roughly 13% of the 21,106 7(a) loans it has approved in 2020 are categorized as “change of ownership”. So beneficial ownership is a dynamic attribute that needs to be managed. Below are my thoughts on where we are at 8:20 a.m. PST on April 7, 2020:

  1. Compliance with the Bank Secrecy Act (BSA) remains crucial. FinCEN expects financial institutions to diligently adhere to their BSA obligations. Not merely to adhere to BSA obligations, but to diligently adhere.
  2. PPP loans for existing customers will not require re-verification (if you’ve already verified them) or verification (if you haven’t previously verified beneficial ownership), unless otherwise indicated by your risk-based approach to BSA compliance. So for your higher- and high-risk customers applying for PPP loans, whether previously verified or not, re-verify beneficial ownership. Be diligent about those “cash intensive” businesses that you likely have characterized as higher- or high-risk.
  3. As to new customers, there appears to be a trade-off of sorts. For Title 31 BSA purposes, non-PPP lenders need to collect and verify the name, TIN, address, and DOB of up to four legal owners and one control person. For Title 13 SBA purposes, PPP lenders need to collect but perhaps not verify the name, TIN, address, DOB, title, and ownership percentage of up to four legal owners. The April 13th guidance doesn’t say anything about the BSA control person and whether the SBA Authorized Representative would or could be that control person.
  4. In answering the question “can lenders rely on borrower’s documentation for loan forgiveness?” the Interim Final Rule – again, published by the SBA and Treasury – provides, “Yes. The lender does not need to conduct any verification … the Administrator [of the SBA] will hold harmless any lender that relies on such borrower’s documents and attestation … section 1106(h) [of the CARES Act] prohibits the Administrator from taking any enforcement action …”. So in two places the rule provides that the SBA Administrator will not and cannot take any action against a lender. That is pretty specific. It doesn’t provide that the Federal Government will not and cannot take any action against a lender … does that mean that the lender’s functional regulator (e.g., the OCC) can bring a “safety and soundness” action against a sloppy PPP lender under Title 12? Can FinCEN bring a Title 31 action? Can the Department of Justice bring a Title 18 action? The answer to those three questions is “probably, maybe, perhaps.”

My advice? As FinCEN reminded us, compliance with the BSA remains crucial. Be diligent and confirm – in writing – whatever you decide to do in your policies and procedures and with your regulators. Remember, you will be judged tomorrow on what you’re doing today, under standards and expectations that haven’t yet been set, based on best practices that haven’t been shared.

[1] This paper deals only with the PPP. There are other COVID-19 related disaster loan programs, such as the emergency Economic Injury Disaster Loan (EIDL) program. The SBA Inspector General issued a White Paper on April 3, 2020 titled “Risk Awareness and Lessons Learned from Audits and Inspections of Economic Injury Disaster Loans and Other Disaster Lending”. In that paper, the IG noted that “SBA’s disaster loan programs suffer increased vulnerability to fraud and unnecessary losses when loan transactions are expedited to provide quick relief and sufficient controls are not in place. The expected increase in loan volume and amounts, and expedited processing timeframes will place additional stress on existing controls.” See https://www.sba.gov/sites/default/files/2020-04/SBA_OIG_WhitePaper_20-12_508_0.pdf

The Perfect Storm: More Alerts, Fewer Investigators, & More False Positives

The Focus Has Always Been On the Increase in Fraud

Natural disasters bring out the best in some people and the worst in others. Almost fifteen years ago, in the wake of Hurricane Katrina, the Department of Justice formed the National Center for Disaster Fraud[1] to coordinate the investigations and prosecutions of benefits, charities, and cyber-related frauds that sprang up when billions of dollars in federal disaster relief poured into the Gulf Coast region. In October 2017, after a series of hurricanes in the southeast US and Caribbean (Harvey, Irma, and Maria), and California wildfires, the Financial Crimes Enforcement Network (FinCEN) issued an “Advisory to Financial Institutions Regarding Disaster-Related Fraud” that described some of the same fraud scams and instructed firms how to identify and report that activity.

FinCEN Recognizes The Strain on Resources

On March 16, 2020, three days after the President declared a National Emergency in response to COVID-19, FinCEN issued a press release (not an Advisory) encouraging financial institutions (1) to communicate concerns related to the “coronavirus disease 2019 (COVID-19)”, and (2) to remain alert to related illicit financial activity.[2]

Specifically, FinCEN requested that financial institutions contact FinCEN and their functional regulator as soon as practicable if it “has concern about any potential delays in its ability to file required Bank Secrecy Act (BSA) reports.”

This is an important acknowledgment by FinCEN. The previous Advisory focused on the increase in fraud as a result of natural disasters. This press release adds another element: at the same time fraud is increasing, the ability of financial institutions to manage that increase is impacted because of the “shelter in place” or work from home requirements. To put it in simple terms, where a bank may have had 1,000 fraud alerts handled by 50 investigators prior to the pandemic, it may now have 2,000 alerts being handled by only 20 investigators.

The Third Issue – Your Existing Fraud Alerting Logic May Produce More False Positives

Not only will the alerting “numerator” be going up (that is, the transactions that a financial institution’s rules flag as anomalous), but the denominator, or the volume and types of transactions, is also changing. Very simply, people transact differently because of the pandemic. There will be more cash withdrawals (both numbers and amounts), and more activity (transactions and interactions) will shift from in-person to mobile, online, and telephone.

Elder fraud is a good example of the impact of the pandemic. The older population is most at risk from COVID-19, and most at risk of various fraud schemes. The alerting logic a bank had programmed was based on historical data relating to, say, changes in elderly customers’ use of online and mobile channels. With the pandemic, elderly customers are using those channels more often, and those alerts will now be hitting on anomalous but now-expected activity. This new current activity will be different than the historical activity on which the bank based its alerting logic.

And all of this at a time when banks have fewer investigators able to handle the output: they’re at home and either unable to access bank systems or less efficient in doing so.
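The effect described in this section can be reproduced with a small simulation. The following is an added example, not code from the article or from any bank's monitoring system: a per-customer rule calibrated on historical online/mobile usage is run before and after a population-wide channel shift, and then rerun with a peer-adjusted baseline. The rule, its parameters, the customer records, and the fraud labels are all constructed assumptions.

```python
from statistics import mean, median, pstdev

K = 3.0        # assumed sensitivity: alert above mean + K standard deviations
MIN_STD = 0.5  # assumed floor so very regular customers keep a usable band

# Constructed sample data (not real customers): monthly online/mobile sessions.
# "history" is the six months the rule was calibrated on; "before" and "after"
# are one month prior to, and one month into, the shift in customer behaviour.
CUSTOMERS = {
    "c1": {"history": [2, 3, 2, 3, 2, 3], "before": 3, "after": 8},
    "c2": {"history": [1, 1, 2, 1, 2, 1], "before": 2, "after": 6},
    "c3": {"history": [4, 5, 4, 5, 4, 5], "before": 5, "after": 12},
    "c4": {"history": [0, 1, 0, 1, 0, 1], "before": 1, "after": 4},
    "c5": {"history": [3, 3, 4, 3, 4, 3], "before": 4, "after": 9},
    "c6": {"history": [2, 2, 3, 2, 3, 2], "before": 14, "after": 7},
    "c7": {"history": [1, 2, 1, 2, 1, 2], "before": 2, "after": 30},
    "c8": {"history": [5, 6, 5, 6, 5, 6], "before": 6, "after": 6},
}
# Constructed ground truth: (customer, period) pairs that were actual fraud.
FRAUD = {("c6", "before"), ("c7", "after")}


def threshold(history):
    """Static per-customer limit derived only from historical activity."""
    return mean(history) + K * max(pstdev(history), MIN_STD)


def static_alerts(period):
    """Customers whose activity in `period` exceeds their historical limit."""
    return sorted(cid for cid, c in CUSTOMERS.items()
                  if c[period] > threshold(c["history"]))


def peer_factor(period):
    """Median ratio of current to historical activity across all customers.

    The median is used so that a few extreme (possibly fraudulent) accounts
    do not drag the estimate. Clamped to 1.0 so the rule is never tightened.
    """
    ratios = [c[period] / mean(c["history"])
              for c in CUSTOMERS.values() if mean(c["history"]) > 0]
    return max(median(ratios), 1.0)


def peer_adjusted_alerts(period):
    """Same rule, but activity is first scaled down by the population shift."""
    factor = peer_factor(period)
    return sorted(cid for cid, c in CUSTOMERS.items()
                  if c[period] / factor > threshold(c["history"]))


def score(alerted, period):
    """Return (alert count, true positives, precision) for a list of alerts."""
    true_pos = sum((cid, period) in FRAUD for cid in alerted)
    precision = true_pos / len(alerted) if alerted else 0.0
    return len(alerted), true_pos, precision


if __name__ == "__main__":
    for period in ("before", "after"):
        for name, fn in (("static", static_alerts),
                         ("peer-adjusted", peer_adjusted_alerts)):
            n, tp, p = score(fn(period), period)
            print(f"{period:6} {name:13} alerts={n} true_pos={tp} "
                  f"precision={p:.2f}")
```

A peer adjustment of this kind also raises the bar for fraud that happens to resemble the new normal, so any recalibration belongs in the written record the article recommends keeping with regulators.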

Communication is the Key

As FinCEN points out, financial institutions need to communicate with their regulators if they’re finding that their investigations teams cannot keep up with the increase in fraud cases. One aspect a bank needs to consider is whether it should – and can – move analysts and investigators from AML over to fraud and sanctions screening. Sanctions screening and fraud monitoring require real- and near-real-time screening and monitoring to prevent transactions from occurring – whether those are transactions with sanctioned entities, possible Business E-mail Compromise (BEC) frauds, or other frauds. Sanctions and fraud analysts and investigators need to be able to prevent certain transactions and investigate others in real or near-real time. AML analysts and investigators do not operate in the same time-sensitive environment: as a general rule, an AML alert generated in March will involve activity that occurred in February, it will be investigated in April in order to determine whether it was “suspicious”, then a SAR will be filed in May. So part of the external and internal communications a bank will need to have will involve shifting its AML resources over to sanctions and fraud monitoring and investigations.

But more important are the communications banks need to have with their clients and customers to warn them about common disaster-related frauds, and the communications within the bank to adapt to the changes in overall customer activity. How will the changes in customer activity impact the sanctions and fraud monitoring, detection, and alerting systems?

It’s the perfect storm: more alerts, more false positives, fewer investigators.

[1] https://www.justice.gov/disaster-fraud

[2] https://www.fincen.gov/news/news-releases/financial-crimes-enforcement-network-fincen-encourages-financial-institutions

When it comes to BSA/AML compliance programs, success has a hundred fathers, but failure is, apparently, an orphan

“FinCEN Penalizes U.S. Bank Official for Corporate Anti-Money Laundering Failures”

In 1961 President John F. Kennedy commented on the failed Bay of Pigs invasion: “victory has a hundred fathers and defeat is an orphan”. This statement came to mind as I read the Treasury Department’s March 4, 2020 assessment of a $450,000 penalty against the former Chief Operational Risk Officer of US Bank for the bank’s failures to implement and maintain an effective anti-money laundering (AML) program. And although the bank itself, and its holding company US Bancorp, were sanctioned and paid hundreds of millions of dollars in penalties, it appears that no other officers or directors of US Bank were personally sanctioned.

I have previously written that running an AML program in an American financial institution is like Winston Churchill’s description of Russia in 1939: a riddle, wrapped in a mystery, inside an enigma. The riddle is how to meet your obligations to provide law enforcement with actionable, effective intelligence (the stated purpose of the US AML laws set out in Title 31 of the US Code). That riddle is wrapped in the mystery of how to satisfy the multiple regulatory agencies’ “safety and soundness” requirements set out in Title 12 of the US Code. And the enigma is the personal liability you face for failing to satisfy either or both of those things.

And that enigma of personal liability was recently brought front and center with the March 4, 2020, announcement from FinCEN that the former Chief Operational Risk Officer of US Bank, Michael LaFontaine, was hit with a $450,000 penalty for his failure to prevent BSA/AML violations during his seven to ten year tenure.

Before going further, keep this in mind: it is inconceivable that a single person could run an AML program in one of the largest banks in the United States. They would need hundreds if not thousands of others to help design, implement, modify, test, audit, oversee, and examine that program. Everyone from a first-year analyst to the Board of Directors. But it is equally inconceivable – with all the checks and balances built into the US financial sector regulatory regime, with the three lines of defense, and all the auditors, examiners, and directors – that a single person could single-handedly screw up that same AML program over a period of five years. Yet that is the conclusion that seems to have been made: no matter how many people were responsible for US Bank’s AML program over a five year period, only one was held accountable for it.

“FinCEN Penalizes U.S. Bank Official for Corporate Anti-Money Laundering Failures” – FinCEN Press Release

March 04, 2020

WASHINGTON—The Financial Crimes Enforcement Network (FinCEN) has assessed a $450,000 civil money penalty against Michael LaFontaine, former Chief Operational Risk Officer at U.S. Bank National Association (U.S. Bank), for his failure to prevent violations of the Bank Secrecy Act (BSA) during his tenure.  U.S. Bank used automated transaction monitoring software to spot potentially suspicious activity, but it improperly capped the number of alerts generated, limiting the ability of law enforcement to target criminal activity.  In addition, the bank failed to staff the BSA compliance function with enough people to review even the reduced number of alerts enabling criminals to escape detection.

“Mr. LaFontaine was warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised.  His actions prevented the proper filing of many, many SARs, which hindered law enforcement’s ability to fully combat crimes and protect people,” said FinCEN Director Kenneth A. Blanco.  “FinCEN encourages technological innovations to help fight money laundering, but technology must be used properly.”

In February 2018, FinCEN, in coordination with the Office of the Comptroller of the Currency (OCC) and the U.S. Department of Justice, issued a $185 million civil money penalty against U.S. Bank for, among other things, willfully violating the BSA’s requirements to implement and maintain an effective anti-money laundering (AML) program and to file Suspicious Activity Reports (SARs) in a timely manner.

Mr. LaFontaine was advised by two subordinates that they believed the existing automated system was inadequate because caps were set to limit the number of alerts.  The OCC warned U.S. Bank on several occasions that using numerical caps to limit the Bank’s monitoring programs based on the size of its staff and available resources could result in a potential enforcement action, and FinCEN had taken previous public actions against banks for the same activity.

Mr. LaFontaine received internal memos from staff claiming that significant increases in SAR volumes, law enforcement inquiries, and closure recommendations, created a situation where the AML staff “is stretched dangerously thin.”  Mr. LaFontaine failed to take sufficient action when presented with significant AML program deficiencies in the Bank’s SAR-monitoring system and the number of staff to fulfill the AML compliance role.  The Bank had maintained inappropriate alert caps for at least five years.

FinCEN has coordinated this action with the OCC and appreciates the assistance it provided.

FinCEN’s March 2020 action against Mr. LaFontaine was the third of a series of actions in the last five years against US Bank, its parent US Bancorp, and now, one of its former officers.

The US Bank Cases – 2015, 2018, and 2020

In October 2015 the OCC and US Bank entered into a Cease & Desist Order (on consent) for longstanding and extensive BSA/AML program failures and failures relating to suspicious activity monitoring and reporting. US Bank was compelled to perform a lengthy list of remedial actions, including a “look-back” of activity. Apparently, US Bank eventually satisfied the OCC, and in November 2018 that Order was lifted or terminated. But no individuals were singled out.

In February 2018 US Bank was hit with a series of orders and actions relating to (1) those aforementioned BSA/AML program and SAR failures, and (2) a multi-billion dollar, multi-year payday lending fraud that was effectuated, in part, through the fraudster’s accounts at US Bank (the so-called “Scott Tucker” fraud). Among other orders and penalties, US Bank and/or its parent US Bancorp paid a $75 million fine to the OCC, a $70 million fine to FinCEN, a $15 million fine to the Federal Reserve, and forfeited $453 million to the Department of Justice (and those forfeited funds were later distributed to the victims of the Scott Tucker fraud) in a federal civil case filed in the Southern District of New York (civil case no. 18CV01357). US Bank also consented to a one-count criminal charge and entered into a two-year Deferred Prosecution Agreement (DPA) with the US Attorney for the Southern District of New York. Finally, the Treasury Department brought a civil case against US Bank, also in the Southern District, to “reduce” the FinCEN $70 million penalty to a civil judgment: that was civil case no. 18CV01358. Again, no individuals were singled out.

The (former) Chief Operational Risk Officer was held personally accountable: but who is actually responsible for a bank’s BSA/AML compliance program?

US Bank – the 5th Largest Bank in the United States

Based on all the orders and civil and criminal complaints, it appears that the core period of time the government was concerned about was the years 2010 through 2014. Based on the Annual Reports of US Bank, during that period the bank had:

  • Between thirteen and fifteen directors each year. Eleven of those directors served from at least 2009 through 2014
  • A Managing Committee made up of:
    • 1 Chairman and CEO (the same person for the entire period);
    • Eight to ten Vice-Chairmen each year, one of which was the Chief Risk Officer in 2014; and
    • Four to six Executive Vice-Presidents each year, one of which was the Chief Risk Officer from 2005 through 2013, and one of which was Michael LaFontaine as Chief Operational Risk Officer in the 2012 and 2013 annual reports

It’s fair to say that since US Bank listed these people – the Board of Directors and the Managing Committee – in its Annual Reports, these people were seen as being collectively responsible for overseeing and managing the affairs of US Bank.

OCC’s Regulations for BSA/AML Compliance – Title 12 of the Code of Federal Regulations

US Bank’s primary regulator is the OCC. The OCC’s regulations for a BSA/AML compliance program are set out at 12 CFR § 21.21. Subsection (a) describes the “purpose” for the section: “to assure that all national banks and savings associations establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of subchapter II of chapter 53 of title 31, United States Code, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR Chapter X.” So the purpose of the OCC’s BSA/AML program requirement is to assure that banks meet their requirements under FinCEN’s legislation and regulations.

12 CFR § 21.21 continues. Subsection (c) goes beyond mere procedures and compels banks to “develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR Chapter X. The compliance program must be written, approved by the national bank’s or savings association’s board of directors, and reflected in the minutes of the national bank or savings association.”

And then subsection (d) sets out the minimum contents that the program shall have. It shall:

(1) Provide for a system of internal controls to assure ongoing compliance;

(2) Provide for independent testing for compliance to be conducted by national bank or savings association personnel or by an outside party;

(3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and

(4) Provide training for appropriate personnel.

So the OCC’s regulations tell us how a bank’s program is documented, who approves it (the board of directors), and what it must contain (at a minimum, the four “pillars” from subsection (d) – internal controls, independent testing, a BSA compliance officer, and training). Those OCC regulations don’t specifically set out who is responsible for the program. But they do refer to subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR Chapter X. What do those provide? Do those laws and regulations set out who is responsible for a bank’s BSA/AML program?

FinCEN’s Regulations for BSA/AML Compliance – Title 31 of the Code of Federal Regulations

31 CFR Chapter X, specifically § 1010.210, provides that “each financial institution (as defined in 31 U.S.C. 5312(a)(2) or (c)(1)) should refer to subpart B of its chapter X part for any additional anti-money laundering program requirements.” The subpart B for national banks, like US Bank, provides as follows:

31 CFR § 1020.210

Anti-money laundering program requirements for financial institutions regulated only by a Federal functional regulator, including banks, savings associations, and credit unions. A financial institution regulated by a Federal functional regulator that is not subject to the regulations of a self-regulatory organization shall be deemed to satisfy the requirements of 31 U.S.C. 5318(h)(1) if the financial institution implements and maintains an anti-money laundering program that:

(a) Complies with the requirements of §§1010.610 and 1010.620 of this chapter;

(b) Includes, at a minimum:

(1) A system of internal controls to assure ongoing compliance;

(2) Independent testing for compliance to be conducted by bank personnel or by an outside party;

(3) Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;

(4) Training for appropriate personnel; and

(5) Appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:

(i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. For purposes of this paragraph (b)(5)(ii), customer information shall include information regarding the beneficial owners of legal entity customers (as defined in §1010.230 of this chapter); and

(c) Complies with the regulation of its Federal functional regulator governing such programs.

So, other than the OCC regulation having only four pillars while the FinCEN regulation has five, neither the OCC nor the FinCEN BSA/AML program regulations specifically describe who, if anyone, in a bank, is actually responsible for the BSA/AML program. But we know from the Michael LaFontaine case that the Chief Operational Risk Officer was found personally accountable for the failures of the program.

Regulatory Guidance – the FFIEC BSA/AML Examination Manual

So if the answer isn’t in the regulation, perhaps it can be found in regulatory guidance. For BSA/AML purposes, the golden source for regulatory guidance is set out in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual. All five editions of the Manual (from 2005 through 2014) provide: “The board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.” (At page 29 of the most recent (2014) edition).

Hmmm … that appears to indicate that the board of directors is ultimately responsible, but the “acting through senior management” interjection is confusing. But the details that follow (again, the same language since 2005) provide clarity:

BSA Compliance Officer

The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer.[1] The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations; however, the board of directors is ultimately responsible for the bank’s BSA/AML compliance.

While the title of the individual responsible for overall BSA/AML compliance is not important, his or her level of authority and responsibility within the bank is critical. The BSA compliance officer may delegate BSA/AML duties to other employees, but the officer should be responsible for overall BSA/AML compliance.  The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.

This seems pretty clear: the board of directors is ultimately responsible for the bank’s BSA/AML compliance program, and for ensuring that the BSA compliance officer has the tools to do their job.

In addition, the Manual makes it clear that the BSA Officer cannot be “layered”: the BSA Officer must directly report to and take direction from the Board. The Manual provides:

“The line of communication should allow the BSA compliance officer to regularly apprise the board of directors and senior management of ongoing compliance with the BSA.  Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance.  The BSA compliance officer is responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes.”

Although banking and financial crimes regulations don’t specifically spell out who is responsible for a bank’s BSA/AML program, written guidance makes it clear that the Board of Directors is responsible for ensuring that a bank implements and maintains an effective BSA/AML program.

But that isn’t what has happened in this case. The former Chief Operational Risk Officer – not the Board of Directors, nor the BSA compliance officer(s) that should have reported directly to the Board, nor anyone on the Managing Committee of the bank – was held accountable. Why was that? The answer may lie in FinCEN’s assessment against Mr. LaFontaine.

The March 4, 2020 FinCEN Assessment of Civil Money Penalty

What were the allegations against Mr. LaFontaine?

Page 2 – “Mr. LaFontaine at various times had responsibility for overseeing U.S. Bank’s compliance program and therefore shares responsibility for the Bank’s violations of the requirements to implement and maintain an effective AML program and file SARs in a timely manner.”

So it appears from this that Mr. LaFontaine shared responsibility for the program violations. Who did he share that responsibility with? Some detail is provided on page 3:

Page 3 – “Beginning in or about January 2005, and continuing through his separation from U.S. Bank in or about June 2014, Mr. LaFontaine held senior positions within the Bank’s AML hierarchy, involving oversight of the Bank’s AML compliance functions, from approximately 2008 through April 2011, and then from October 2012 through June 2014. He was the Chief Compliance Officer (CCO) of the Bank from 2005 through 2010, at which time he was promoted to Senior Vice President and Deputy Risk Officer. Thereafter, in October 2012, Mr. LaFontaine was promoted again to Executive Vice President and Chief Operational Risk Officer. In this latter position, which Mr. LaFontaine held throughout the remainder of his employment at the Bank, he reported directly to the Bank’s Chief Executive Officer (CEO) [Footnote: From early 2014 to the end of his tenure, Mr. LaFontaine reported to the Bank’s new Chief Risk Officer and had direct communications with the Bank’s Board of Directors.] As Chief Operational Risk Officer, Mr. LaFontaine oversaw the Bank’s AML compliance department (which was referred to internally as Corporate AML), and he supervised the Bank’s CCO, AML Officer (AMLO), [Footnote: The AMLO did not report directly to Mr. LaFontaine following the hiring of new Chief AML and BSA officers in the spring and summer of 2012. After these hirings, the AMLO reported to the Bank’s CCO, who reported to Mr. LaFontaine] and AML staff.”

We don’t know why the Board of Directors, any one or more of the directors (and there were at least eleven of them that were directors during the entire period in question), or any other senior officers of US Bank (and there were about a dozen of them every year), weren’t held accountable. And in this case, in at least six (6) regulatory, civil, and criminal orders running to hundreds of pages filed over a five (5) year period, we didn’t find out who the government felt was responsible for this bank’s BSA/AML compliance program. Other than Mr. LaFontaine, who was held accountable.

But one of those documents had an interesting take on responsibility. Paragraph 18 of the Treasury Department’s civil complaint against US Bank (Case No 18CV01357, filed February 15, 2018) referenced the FFIEC BSA/AML Manual. The paragraph provided:

“18. Under the BSA/AML Manual, a bank’s risk profile informs the steps it must take to comply with each of the BSA’s requirements. To develop appropriate policies and controls, banks must identify “banking operations . . . more vulnerable to abuse by money launderers and criminals . . . and provide for a BSA/AML compliance program tailored to manage risks. Similarly, while banks must designate an individual officer responsible for ensuring compliance with the BSA, such designation is not alone sufficient. Instead, the BSA/AML Manual notes that banks are responsible for ensuring that their compliance functions have ‘resources (monetary, physical, and personnel) [necessary] to administer an effective BSA/AML compliance program based on the bank’s risk profile.’”

In fact, as set out above, that is not what the Manual provides: according to the Manual, published by the OCC and FinCEN, among many other FFIEC agencies, the board of directors is responsible for ensuring that the bank implements and maintains an effective AML program. Not the “bank”, nor, in this case, the Chief Operational Risk Officer.

Paragraph 31 of the February 15, 2018 civil complaint provided that “US Bank delegated the responsibility for ensuring that it met its obligations under the BSA to its AML compliance department, which it referred to internally as Corporate AML.”

It would have been more accurate to write “US Bank attempted to delegate the responsibility for ensuring that it met its obligations under the BSA to its AML compliance department, which it referred to internally as Corporate AML; but the Board of Directors retained ultimate responsibility.” As the Manual provides, the board of directors maintains ultimate responsibility for the bank’s BSA/AML compliance, with their board-appointed BSA compliance officer “charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations.”

Based on everything that is in the various pleadings, orders, and press releases, it appears that Mr. LaFontaine didn’t do that part of his job that involved managing Corporate AML. As one of the senior officers in the chain of command of US Bank’s risk organization, and as a member of the Managing Committee in 2012 and 2013, he had some responsibility and accountability: he appears to have organizationally been positioned somewhere between the BSA officers and the Board, and apparently thwarted or ignored the warnings of the AML Officer and/or BSA Officer(s) – who should have been reporting to the Board.

There is much we don’t know about this case. No one person – not even a CEO or Chairman of the Board – has the ability to run an AML program, let alone screw up that program. But apparently the Government has concluded that one person alone can be found accountable for the failures of a mega-bank’s AML program. Which begs a few questions …

Question 1 – Did the OCC inform the Board of Directors that BSA/AML risks weren’t being managed?

Paragraph 58 of the February 2018 civil complaint provided that “… despite recommendations and warnings from the OCC dating back to 2008, the Bank failed to have [the transaction monitoring system] independently validated.”

The phrase “warnings from the OCC dating back to 2008” could be explored. In the section in the Manual titled “Examiner Determination of the Bank’s BSA/AML Aggregate Risk Profile” is the following: “when the risks are not appropriately controlled, examiners must communicate to management and the board of directors the need to mitigate BSA/AML risk.” At this point, we don’t know what the OCC told the board, or when. We do know that the OCC issued a public Cease & Desist Order (on consent) in 2015.

Question 2 – Where was Internal Audit?

Independent testing, or internal audit, is one of the four (Title 12) or five (Title 31) required (minimum) pillars of a BSA/AML compliance program. And the Exam Manual provides that “the persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.” (see page 30 of the 2006 Manual, page 12 of the 2014 Manual). Which begs the question: where was US Bank’s audit team during the six+ years that there was capping of alerts and staffing issues? Shouldn’t the audit function have reported to the Board that there were long-standing issues with the transaction monitoring system and AML staffing, and that the OCC had made recommendations and warnings that went unheeded?

Question 3 – Where were the BSA Officers?

As a former BSA Officer, this was the question that was most on my mind as I read the March 4, 2020 FinCEN Assessment, and re-read the 2015 OCC order and the orders and complaints from February 2018. Indeed, I was relieved when the March Assessment came out and it was not against any of the former BSA Officers. The 2015 and 2018 documents showed an organization that appeared to organizationally bury its BSA officers, didn’t empower them, didn’t give them the required access to the Board, and certainly didn’t provide sufficient resources to allow for an effective program (all of which has been corrected with US Bank’s current BSA Officer and organization). And the March 2020 FinCEN Assessment describes two AML Officers and one Chief Compliance Officer, all reporting directly or indirectly into Mr. LaFontaine, who raised serious concerns over a number of years. At page 10 of the Assessment is this:

“In or about November 2013, a meeting was scheduled, at the request of the Bank’s CEO, so that the AMLO and CCO could update the CEO on the Bank’s AML program. In advance of that meeting, the AMLO and CCO prepared a PowerPoint presentation that began with an “Overview of Significant AML Issues,” the first of which was “Alert volumes capped for both [Security Blanket] and [Q]uery detection methods.” The AMLO and CCO put the alert caps issue first because, from their perspective, it was the most pressing of the Bank’s AML issues.  The PowerPoint identified the alert caps as a “[c]overage gap” that “could potentially result in missed Suspicious Activity Reports.” It also said that the “[s]ystem configuration and use could be deemed a program weakness, with potential formal actions including fines, orders, and historical review of transactions.” Prior to the meeting with the CEO, Mr. LaFontaine reviewed the PowerPoint, yet failed to raise the issue of the alert caps with the CEO during the meeting, choosing instead to prioritize other compliance-related issues.”

This suggests that the CEO wanted to meet with the AMLO and CCO, yet eventually met only with their boss, Mr. LaFontaine. Who took the opportunity to bury the primary message that his BSA Officer wanted the CEO to hear: that they were capping the number of alerts coming from the transaction monitoring system.

A financial institution must not organizationally “bury” its BSA Officer (AML officer): their organizational reporting line must be no more than “two-down” from the CEO and within an independent risk organization (e.g., the BSA Officer reports to the Chief Risk Officer, who reports to the CEO) and – critically – the BSA Officer must personally and directly report to the Board.[2]

It appears from the US Bank documents that neither the organizational structure nor the lines of communication allowed the BSA Officer(s) to “apprise the board of directors and senior management of ongoing compliance with the BSA … so that these individuals can make informed decisions about overall BSA/AML compliance”, as the Exam Manual requires. And it wasn’t the Chief Operational Risk Officer that was “responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes” … it was the BSA Officer(s). But it appears those BSA Officer(s) were organizationally and/or culturally stymied from directly communicating to the Board. In fact, the paragraph immediately after the description of the CEO meeting provides that “[t]he above-described conduct by Mr. LaFontaine continued until May 2014 when the AMLO bypassed Mr. LaFontaine and sent an email to the Bank’s then-Chief Risk Officer referencing the alert caps issue.” A BSA officer must not be forced to bypass or do end-runs around a blocking boss in order to raise issues.

But whose responsibility is it to ensure that the BSA officer has the organizational stature and resources to do their job, and to ensure that the BSA officer has direct access to senior management and the board? It is the responsibility of the Board of Directors. The Manual is clear: “The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.” It shouldn’t take the regulators and, perhaps, a whistle blower to get the bank to act (page 11 of the 2020 Assessment includes: “The Bank did not begin to address its deficient policies and procedures for monitoring transactions and generating alerts until June 2014, when questions from the OCC and reports from an internal complainant caused the Bank’s Chief Risk Officer to retain outside counsel to investigate the Bank’s practices.”).

But maybe the directors weren’t aware that they were responsible for ensuring that the bank implemented and maintained an effective AML program. Which then begs the question …

Question 4 – Where was the Law Department?

Boards rely heavily on in-house counsel. Among other duties, in-house counsel must ensure that the directors understand their legal and regulatory obligations. In the case of BSA/AML, as the Exam Manual clearly sets out, the BSA program must be in writing and approved by the Board. The Board must designate a qualified individual to serve as the BSA compliance officer. The Board is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program.

The first and last thing in-house counsel should leave the Board with when they are conducting their annual board training and awareness is this: “folks, if you remember one thing, remember this: as directors, you are ultimately responsible for the bank’s BSA/AML compliance.”

Question 5 – Where were the other senior managers of the bank?

The most vexing thing about this is not what is written in the FinCEN assessment or accompanying press release, but what is not written. Anyone who has spent any time in AML compliance in a mid-size to large financial institution knows that there are hundreds to thousands of people involved in designing, implementing, testing, maintaining, auditing, overseeing, and examining an AML program. Nothing happens – or doesn’t happen – without the involvement of modelers, testers, auditors, examiners, and committees; without endless finance meetings, HR meetings, “credible challenge” meetings; without senior management buy-in and support; and without the monthly or quarterly meetings with the board of directors (or a committee of the board) and the annual review and approval of the program and appointment, or re-appointment, of the BSA compliance officer.

The Government has singled out one senior manager in the 5th largest bank in the country for failures in a critical risk program that occurred over a five or six year period: where were the other senior managers?

Which takes us back full circle to the Board of Directors …

Question 6 – If the Board of Directors is responsible for a BSA compliance program, how come the Directors were not held accountable for its failures?

We simply don’t know what the US Bank board of directors knew or didn’t know when it came to the five or six years that the bank’s AML program was, apparently, not meeting regulatory requirements. We don’t know what they approved (or didn’t approve) annually. We don’t know what management, or audit, was reporting (or not reporting) to them. We don’t know whether they understood their responsibilities under the BSA regulations and regulatory guidance. We don’t know whether their annual approval of the AML program and appointment of the BSA Officer was a rubber-stamp or a fair and credible challenge of the program, the BSA Officer, and whether the BSA Officer had the monetary, physical, and personnel resources necessary to administer an effective BSA/AML compliance program based on the bank’s risk profile (paraphrasing the Manual). But it’s fair to assume that the Government found it difficult to find anyone liable where they simply failed to do their appointed task well. “We didn’t know the AML transaction monitoring system had been capped”, or “no one told us that the AML investigations team was grossly under-staffed”, or “none of the audit reports that came to the board indicated there were any problems with the AML program” become reasonably solid defenses when someone is looking to assign blame. It is much easier to find someone liable when they were presented with a problem and failed to address it, or even worse, took actions to hide it.  That said, it may simply go back to this:

“Success has many fathers; failure is an orphan”

Michael LaFontaine was considered a rising star in the banking world. The Minneapolis/St. Paul Business Journal included him in its “40 under 40 – 2014” class. In a March 21 2014 Video Clip for the “40 Under 40” program he said “success doesn’t happen alone”. Unfortunately, it appears that the opposite is true: he appears to have been singled out and left alone when it comes to finding one person responsible for something that many were accountable for. As President Kennedy said, “victory has a hundred fathers and defeat is an orphan”. More than a dozen directors had responsibility for US Bank’s AML program; eleven served from 2009-2014; and four of those are still directors. But none were held accountable.


The point of this article is not to encourage the Government to impose fines on all the directors, senior management, auditors, and BSA Officers involved in a program that has failures and regulatory violations. Rather, it is to point out to all the Boards of Directors out there that they are responsible for their bank’s AML program, and with that responsibility comes accountability. Knowing that, those Boards will push the management of those banks to implement and maintain effective AML programs … and hopefully prevent another individual from the horrors of personal liability.

[1] Footnote 34 in 2014 Manual: “The bank must designate one or more persons to coordinate and monitor day-to-day compliance.  This requirement is detailed in the federal banking agencies’ BSA compliance program regulations: 12 CFR 208.63, 12 CFR 211.5(m), and 12 CFR 211.24(j) (Federal Reserve); 12 CFR 326.8 (FDIC); 12 CFR 748.2 (NCUA); 12 CFR 21.21 (OCC).”

[2] There is a third question. It doesn’t involve responsibility and accountability for a BSA program, but is important nonetheless. And that is … how do you get SAR filing rates of 30% to 80% from below-the-Line testing? Both the 2018 civil complaint and March 2020 FinCEN Assessment describe the results of a look-back conducted in 2011. Paragraph 41 of the February 2018 civil complaint provides, in part: “… in November 2011, the Bank’s AML staff concluded that, during the past year, the SAR filing rates for below threshold testing averaged between 30% and 80%. In other words, between 30% and 80% of the transactions that were reviewed during the below-threshold testing resulted in the filing of a SAR.” The most efficient transaction monitoring systems have alert-to-SAR rates of 20% – 30%. In fact, the industry laments that the “false positive” rate for most transaction monitoring systems is 95% or more, for a true positive rate of 5% or less. So having a false negative rate (which is a below-the-line testing rate) of 30% to 80% makes no sense at all. Particularly since paragraph 64 of the complaint provides that 2,121 SARs were filed as a result of a six-month look back of 24,179 alerts: an alert-to-SAR rate of about 9%. [NOTE: the average value of these “look-back” SARs was over $339,000].

OCC Comptroller Talks About AML “False Negatives” and Technology

Whether “False Negatives” or “False Positives”, the Answer May Not Lie Just in New or Improved Technologies, but in an Improved Mix of New Technologies and More Forgiving Regulatory Requirements

On January 24, 2020, Jo Ann Barefoot had Thomas Otting, Comptroller of the Currency, as her guest on her podcast. The link is available at Barefoot Otting Podcast. Among other things, the Comptroller talked about BSA/AML, or as he put it “AML/BSA”.

Approximately 12:00 minutes into the podcast, the Comptroller had this to say about BSA/AML:

“Are we doing it the most effective way? … what we’re doing, is it helping us catch the bad guys as they’re coming into the banking industry and taking advantage of it?”

In a discussion on technology trends, the Comptroller spoke about how banks are using new technologies to learn about their customers and for risk management. Beginning at the 20:45 mark, he stated:

“Today our AML/BSA relies upon a lot of systems to kick out a lot of data that often has an enormous amount of false negatives associated with it that requires a lot of resources to go through that false negative, and I think if we can get to the point where we have better fine-tuned data with artificial intelligence about tracking information is and the type of activities that are occurring, I think ultimately we’ll have better risk management practices within the institutions as well.”

Having been a guest on Jo Ann’s podcast myself (see Richards Podcast), I know how unforgiving the literal transcript of a podcast can be, so it is fair to write that the Comptroller’s point was that the current systems kick out a lot of false negatives that require a lot of manual investigations; and better data and artificial intelligence could reduce those false negatives, resulting in greater efficiencies and better risk management.

But it is curious that he refers to “false negatives” – which are transactions that do not alert but should have alerted – rather than “false positives” – which are transactions that did alert and, after being investigated, prove not to be suspicious and therefore falsely alerted. The Comptroller has many issues to deal with, and it’s easy to confuse false negatives with false positives. In fairness, his ultimate point was well made: the current regulatory requirements and expectations around AML monitoring, alerting, investigations, and reporting have resulted in a regime that is not efficient (he didn’t address the effectiveness of the SAR regime).

At the 21:30 mark, Jo Ann Barefoot commented on the recent FinTech Hackathon she hosted that looked at using new technology to make suspicious activity monitoring and reporting more efficient and effective, and stated that “we need to get rid of the false flags in the system” (I got the sense that she was uncomfortable with using the Comptroller’s phrase of “false negatives” – Jo Ann is well-versed in BSA and AML and familiar with the issue of high rates of false positives). Comptroller Otting replied:

“If you think just in the SARs space, that 7 percent of transactions kind of hit the tripwire, and then ultimately about 2 percent generally have SARs filed against them, that 5 percent is an enormous amount of resources that organizations are dedicating towards that compliance function that I’m convinced that with new technology we can improve that process.”

Again, podcast transcripts can be unforgiving, and I believe the point that the Comptroller was making was that a small percentage of transactions are alerted on by AML monitoring systems, and an even smaller percentage of those alerts are eventually reported in SARs. His percentages, and math, may not foot back to any verifiable data, but his point is sound: the current AML monitoring, alerting, investigations, and reporting system isn’t as efficient as it should be and could be (again, he didn’t address its effectiveness).

I don’t believe that the inefficiencies in the current AML system are wholly caused by outdated or poorly deployed technology. Rather, financial institutions are (rightfully) deathly afraid of a regulatory sanction for missing a potentially suspicious transaction, and will err on the side of alerting and filing on much more than is truly suspicious. For larger institutions, it will cost them a few million dollars more to run at a 95% false positive rate rather than an 85% rate, or 75% rate (I address the question of what is a good false positive rate in one of the articles, below), but those institutions know that by doing so, they avoid the hundreds of millions of dollars in potential fines for missing that one big case, or series of cases, that their regulator, with hindsight, determines should have been caught.

Running an AML monitoring and surveillance program that produces 95% false positives is not “helping us catch the bad guys that are taking advantage of the banking industry” as the Comptroller noted at the beginning of the podcast. Perhaps a renewed and coordinated, cooperative effort between technologists, bankers, BSA/AML professionals, law enforcement, and the Office of the Comptroller of the Currency can lead us to a monitoring/surveillance regime enhanced with more effective technologies and better feedback on what is providing tactical and strategic value to law enforcement … and, hopefully, tempered by a more forgiving regulatory approach.

Below are two articles I’ve written on monitoring, false positive rates, the use of artificial intelligence, among other things. Let’s work together to get to a more effective and efficient AML regime.

Rules-Based Monitoring, Alert to SAR Ratios, and False Positive Rates – Are We Having The Right Conversations?

This article was published on December 20, 2018. It is available at RegTech Article – Are We Having the Right Conversations?

There is a lot of conversation in the industry about the inefficiencies of “traditional” rules-based monitoring systems, Alert-to-SAR ratios, and the problem of high false positive rates. Let me add to that conversation by throwing out what could be some controversial observations and suggestions …

Current Rules-Based Transaction Monitoring Systems – are they really that inefficient?

For the last few years AML experts have been stating that rules-based or typology-driven transaction monitoring strategies that have been deployed for the last 20 years are not effective, with high false positive rates (95% false positives!) and enormous staffing costs to review and disposition all of the alerts. Should these statements be challenged? Is it the fact that the transaction monitoring strategies are rules-based or typology-driven that drives inefficiencies, or is it the fear of missing something driving the tuning of those strategies? Put another way, if we tuned those strategies so that they only produced SARs that law enforcement was interested in, we wouldn’t have high false positive rates and high staffing costs. Graham Bailey, Global Head of Financial Crimes Analytics at Wells Fargo, believes it is a combination of basic rules-based strategies coupled with the fear of missing a case. He writes that some banks have created their staffing and cost problems by failing to tune their strategies, and by “throwing orders of magnitude higher resources at their alerting.” He notes that this has a “double negative impact” because “you then have so many bad alerts in some banks that they then run into investigators’ ‘repetition bias’, where an investigator has had so many bad alerts that they assume the next one is already bad” and they don’t file a SAR. So not only are the SAR/alert rates so low, you run the risk of missing the good cases.

After 20+ years in the AML/CTF field – designing, building, running, tuning, and revising programs in multiple global banks – I am convinced that rules-based interaction monitoring and customer surveillance systems, running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts, can result in an effective, efficient, proactive program that both provides timely, actionable intelligence to law enforcement and meets and exceeds all regulatory obligations. Can cloud-based, cross-institutional, machine learning-based technologies assist in those efforts? Yes! If properly deployed and if running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts.

Alert to SAR Ratios – is that a ratio that we should be focused on?

A recent Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had: 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). Note that the survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Some of the mega banks indicate that law enforcement shows interest in (through requests for supporting documentation or grand jury subpoenas) 6% – 8% of SARs.

So I argue that the Alert/SAR and even Case/SAR (in the case of Wells, Package/Case and Package/SAR) ratios are all of interest, but tracking to SARs filed is a little bit like a car manufacturer tracking how many cars it builds but not how many cars it sells, or how well those cars perform, how well they last, and how popular they are.  The better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

How do you determine whether a SAR provides value to Law Enforcement? One way would be to ask Law Enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure Law Enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, Law Enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate (see my previous article for more detail on TSV SARs).  What is a “TSV SAR”? A SAR that has Tactical or Strategic Value to Law Enforcement, where the value is determined by Law Enforcement providing a response or feedback to the filing financial institution within five years of the filing of the SAR that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value. If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within five years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement, and when that information is shared across the industry, others could also reduce their false positive rates.

Which leads to …

False Positive Rates – if 95% is bad … what’s good?

There is a lot of lamenting, and a lot of axiomatic statements, about high false positive rates for AML alerts: 95% or even 98% false positive rates.  I’d make three points.

First, vendors selling their latest products, touting machine learning and artificial intelligence as the solution to high false positive rates, are doing what they should be doing: convincing consumers that their current product is out-dated and ill-equipped for its purpose by touting the next, new product. I argue that high false positive rates are not caused by the current rules-based technologies; rather, they’re caused by inexperienced AML enthusiasts or overwhelmed AML experts applying rules that are too simple against data that is mis-labeled, incomplete, or simply wrong, and erring on the side of over-alerting and over-filing for fear of regulatory criticism and sanctions.

If the regulatory problems with AML transaction monitoring were truly technology problems, then the technology providers would be sanctioned by the regulators and prosecutors.  But an AML technology provider has never been publicly sanctioned by regulators or prosecutors … for the simple reason that any issues with AML technology aren’t technology issues: they are operator issues.

Second, are these actually “false” alerts? Rather, they are alerts that, at the present time, based on the information currently available, do not rise to the level of either (i) requiring a complete investigation, or (ii) if completely investigated, do not meet the definition of “suspicious”. Regardless, they are now valuable data points that go back into your monitoring and case systems and are “hibernated” and possibly come back if that account or customer alerts at a later time, or there is another internally- or externally-generated reason to investigate that account or customer.

Third, if 95% or 98% false positive rates are bad … what is good? What should the target rate be? I’ll provide some guidance, taken from a Treasury Office of Inspector General (OIG) Report: OIG-17-055 issued September 18, 2017 titled “FinCEN’s information sharing programs are useful but need FinCEN’s attention.” The OIG looked at 314(a) statistics for three years (fiscal years 2010-2012) and found that there were 711 314(a) requests naming 8,500 subjects of interest sent out by FinCEN to 22,000 financial institutions. Those requests came from 43 Law Enforcement Agencies (LEAs), with 79% of them coming from just six LEAs (DEA, FBI, ICE, IRS-CI, USSS, and US Attorneys’ offices). Those 711 requests resulted in 50,000 “hits” against customer or transaction records by 2,400 financial institutions.

To analogize those 314(a) requests and responses to monitoring alerts, there were 2,400 “alerts” (financial institutions with positive matches) out of 22,000 “transactions” (total financial institutions receiving the 314(a) requests). That is an 11% hit rate or, arguably, an 89% false positive rate. And keep in mind that in order to be included in a 314(a) request, the Law Enforcement Agency must certify to FinCEN that the target “is engaged in, or is reasonably suspected based on credible evidence of engaging in, terrorist activity or money laundering.” So Law Enforcement considered that all 8,500 of the targets in the 711 requests were active terrorists or money launderers, and 11% of the financial institutions positively responded.

With that, one could argue that a “hit rate” of 10% to 15% could be optimal for any reasonably designed, reasonably effective AML monitoring application.

But a better target rate for machine-generated alerts is the rate generated by humans. Bank employees – whether bank tellers, relationship managers, or back-office personnel – all have the regulatory obligation of reporting unusual activity or transactions to the internal bank team that is responsible for managing the AML program and filing SARs. For the twenty plus years I was a BSA Officer or head of investigations at large multi-national US financial institutions, I found that those human-generated referrals resulted in a SAR roughly 40% to 50% of the time.

An alert to SAR ratio goal of machine-based alert generation systems should be to get to the 40% to 50% referral-to-SAR ratio of human-based referral generation programs.

Flipping the Three AML Ratios with Machine Learning and Artificial Intelligence (why Bartenders and AML Analysts will survive the AI Apocalypse)

This article was posted on December 14, 2018. It remains the most viewed article on my website. It is available at RegTech Article – Flipping the Ratios

Machine Learning and Artificial Intelligence proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate (more on false positives in another article!). The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government.

But is it that simple? Can the job of AML Analyst be eliminated or dramatically changed – in scope and number of positions – by machine learning and AI? Much has been and continues to be written about the impact of artificial intelligence on jobs.  Those writers have categorized jobs along two axes – a Repetitive-to-Creative axis, and an Asocial-to-Social axis – resulting in four “buckets” of jobs, with each bucket of jobs being more or less likely to be disrupted or even eliminated:

A good example is the “Social & Repetitive” job of Bartender: Bartenders spend much of their time doing very routine, repetitive tasks: after taking a drink order, they assemble the correct ingredients in the correct amounts, and put those ingredients in the correct glass, then present the drink to the customer. All of that could be more efficiently and effectively done with an AI-driven machine, with no spillage, no waste, and perfectly poured drinks. So why haven’t we replaced bartenders? Because a good bartender has empathy, compassion, and instinct, and with experience can make sound judgments on what to pour a little differently, when to cut-off a customer, when to take more time or less with a customer. A good bartender adds value that a machine simply can’t.

Another example could be the “Asocial & Creative” (or is it “Social & Repetitive”?) job of an AML Analyst: much of an AML Analyst’s time is spent doing very routine, repetitive tasks: reviewing the alert, assembling the data and information needed to determine whether the activity is suspicious, writing the narrative. So why haven’t we replaced AML Analysts? Because a good Analyst, like a good bartender, has empathy, compassion, and instinct, and with experience can make sound judgments on what to investigate a little differently, when to cut-off an investigation, when to take more time or less on an investigation. A good Analyst adds value that a machine simply can’t.

Where AI and Machine Learning, and Robot Process Automation, can really help is by flipping the three currently inefficient AML ratios:

  1. The False Positive Ratio – the currently accepted, but highly axiomatic and anecdotal, ratio is that 95% to 98% of alerts do not result in SARs, or are “false positives” … although no one has ever boldly stated what an effective or acceptable false positive rate is (even with ROC curves providing some empirical assistance), perhaps the ML/AI/RPA communities can flip this ratio so that 95% of alerts result in SARs. If they can do this, they can also convince the regulatory community that this new ratio meets regulatory expectations (because as I’ll explain in an upcoming article, the false positive ratio problem may be more of a regulatory problem than a technology problem).
  2. The Forgotten SAR Ratio – like false positive rates, there are anecdotes and some evidence that very few SARs provide tactical or strategic value to law enforcement. Recent Congressional testimony suggests that ~20% of SARs provide TSV (tactical or strategic value) to law enforcement … perhaps the ML/AI/RPA communities can help to flip this ratio so that 80% of SARs are TSV SARs. This also will take some effort from the regulatory and law enforcement communities.
  3. The Analysts’ Time Ratio – 90% of an AML Analyst’s time can be spent simply assembling the data, information, and documents needed to investigate a case, and only 10% of their time thinking and using their empathy, compassion, instinct, judgment, and experience to make good decisions and file TSV SARs … perhaps the ML/AI/RPA communities can help to flip this ratio so that Analysts spend 10% of their time assembling and 90% of their time thinking.

We’ve seen great strides in the AML world in the last 5-10 years when it comes to applying machine learning and creative analytics to the problems of AML monitoring, alerting, triaging, packaging, investigations, and reporting. My good friend and former colleague Graham Bailey at Wells Fargo designed and deployed ML and AI systems for AML as far back as 2008-2009, and the folks at Verafin have deployed cloud-based machine learning tools and techniques to over 1,600 banks and credit unions.

I’ve outlined three rather audacious goals for the machine learning/artificial intelligence/robotic process automation communities:

  1. The False Positive Ratio – flip it from 95% false positives to 5% false positives
  2. The Forgotten SAR Ratio – flip it from 20% TSV SARs to 80% TSV SARs
  3. The Analysts’ Time Ratio – flip it from 90% gathering data to 10% gathering data

Although many new AML-related jobs are being added – data scientist, model validator, etc. – and many existing AML-related jobs are changing, I am convinced that the job of AML Analyst will always be required. Hopefully, it will shift over time from being predominantly that of a gatherer of information to more that of a hunter of criminals and terrorists. But it will always exist. If not, I can always fall back on being a Bartender. Maybe …

FinCEN’s BSA Value Project is A Year Old … How Is It Going?

In January 2019, FinCEN launched its “BSA Value Project” – an effort to “catalogue the value of BSA reporting across the entire value chain of its creation and use” and “result in a comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information to all types of consumers of that information” (quoting the prepared remarks of FinCEN Director Kenneth A. Blanco delivered at the 12th annual Las Vegas AML Conference for casinos and card clubs, August 13, 2019, available at Director Blanco Remarks 8-13-2019).

FinCEN is now one year into the BSA Value Project … how is that project going?

Again, quoting from Director Blanco’s remarks last August, “so far, the study has confirmed there are extensive and extremely varied uses of BSA information across all stakeholders (including by the private sector) consistent with their missions.”

It appears that there are, indeed, extensive uses of BSA information by the public sector, as Director Blanco has told us that almost one in four FBI and IRS-CI investigations use BSA data. Director Blanco made the following remarks (again, on August 13, 2019) on the usefulness of BSA data:

“All FBI subject names are run against the BSA database. More than 21 percent of FBI investigations use BSA data, and for some types of crime, like organized crime, nearly 60 percent of FBI investigations use BSA data. Roughly 20 percent of FBI international terrorism cases utilize BSA data. The Internal Revenue Service-Criminal Investigation section alone conducts more than 126,000 BSA database inquiries each year. And as much as 24 percent of its investigations involving criminal tax, money laundering, and other BSA violations are directly initiated by, or associated with, a BSA report.

In addition to providing controlled access to the data to law enforcement, FinCEN also proactively pushes certain information to them on critical topics. On a daily basis, FinCEN takes the suspicious activity reports and we run them through several categories of business rules or algorithms to identify reports that merit further review by our analysts. Our terrorist financing-related business rules alone generate over 1,000 matches each month for review and further dissemination to our law enforcement and regulatory partners in what we call a Flash report. These Flash reports enable the FBI, for example, to identify, track, and disrupt the activities of potential terrorist actors. It is incredibly valuable information.”

Four months later, in prepared remarks delivered at the American Bankers Association/American Bar Association Financial Crimes Conference (December 10, 2019, available at Director Blanco at ABA December 10 2019) Director Blanco provided another perspective on the public sector use of BSA data:

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, local, and tribal agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, bringing together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed. Each day, FinCEN, law enforcement, regulators, and others query this data—that equates to an average of 7.4 million queries per year. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that help protect our nation, deter crime, and save lives.”

But Which BSA Filings are Providing Real Value to Law Enforcement?

There is no doubt that the (roughly) 20 million BSA reports that are filed each year provide great value to law enforcement. But questions remain about the utility of those filings, and the costs of preparing them. Some of those questions include: (i) which of those reports provide value? (ii) what kind of value is being provided – tactical and/or strategic? (iii) can financial institutions eliminate the “no value” filings and deploy those resources to higher-value filings? (iv) can financial institutions automate the preparation and filing of the low value filings and deploy those resources to the highest-value filings?

FinCEN’s BSA Value Project, and its “Value Quantification Model”, May Answer Those Questions

In his December 2019 remarks, Director Blanco updated us on the BSA Value Project and revealed the “value quantification model” FinCEN is building:

“FinCEN is using the BSA Value Project to improve how we communicate the value and use of BSA information, and to develop metrics to track and measure the value of its use on an ongoing basis. The project has involved the gathering and review of reams of data, statistics, case studies, and other information, as well as holding detailed interviews with a wide range of government and private-sector stakeholders, including many of the organizations in this room today. That information has informed us about how each stakeholder uses and gains value from BSA reporting and the value-add activities of other stakeholders. This “value chain” of BSA reporting is being developed for each type of stakeholder: FinCEN, law enforcement, industry, regulators, and others.

We are validating these results with the agencies and firms that have contributed to their development, and soon we will be talking with some of you about the value chain that has been developed for financial institutions to ensure it captures every aspect properly.

As of today, the team has identified over 500 different metrics that are being incorporated into the valuation model. We expect the model to show us the relative value of specific forms and even key fields—what is seen as more valuable and what is seen as less valuable.

    • This value quantification model will help us assess how the regulatory and compliance changes we are considering making with our government partners will affect the value of BSA reporting—we want any changes to lead to more effective outcomes and increase the value of BSA reporting, not just provide greater industry efficiency.
    • It will help us provide you better and more targeted feedback on the information you report so you can identify whether it is the automated tools and databases or the more manual work of your internal financial intelligence units and investigators that is driving that value creation in specific instances.
    • The project also is showing us specific challenges that we need to address, particularly in the area of communication and the development of shared AML priorities on which we can focus our efforts.

I also want to make very clear that the value of BSA data is not just confined to FinCEN, law enforcement, or the government. Industry also benefits. Financial institutions and other reporting entities derive important value from their BSA compliance and reporting activities. Throughout the study, industry consistently has confirmed that their BSA obligations, while incurring costs, also help them:

    • Identify and exit bad actors to avoid reputational and financial risks;
    • Manage risks more effectively to permit greater responsible revenue generation;
    • Secure partnerships and investment opportunities domestically and internationally in a responsible, risk-sensitive manner, something particularly important for emerging entrants in the financial services arena; and, of course;
    • Avoid financial, operational, and reputational costs from non-compliance.

I want to stress that we intend to be as transparent and public facing as possible about the results from this project. FinCEN hopes to show the tremendous variety of uses we have for your reporting.”


Kudos to Director Blanco and his FinCEN team for their initiative and efforts around the BSA Value Project. The results of the Project, notably the BSA Value Quantification Model, could be a game-changer for the financial industry’s BSA/AML programs. The industry is being inundated with calls to apply machine learning and artificial intelligence to make their AML programs more effective and efficient. But if those institutions don’t know which of their filings provide value, and arguably only one in four is providing value, they cannot effectively use machine learning or AI.

The entire industry is looking forward to the results of FinCEN’s BSA Value Project!

For other articles on the need for better reporting on the utility of SAR filings, see:

BSA Value Project August 19 2019

SAR Feedback 314(d) – July 30 2019

BSA Reports and Federal Criminal Cases – June 5 2019

The TSV SAR Feedback Loop – June 4 2019