Money Laundering & Terrorist Financing - General Archives

FinCEN’s Marijuana-Related SAR Data: By Not Including MSBs, Are We Under-Reporting Marijuana Businesses’ Access to Financial Services?

April 27, 2020April 28, 2020adminCannabis/Marijuana, Money Laundering & Terrorist Financing - General

Marijuana-Related Businesses may have greater access to financial services than is being reported, even if those services aren’t being provided by banks and credit unions

The only real guidance that financial institutions can turn to when deciding whether to provide financial services to marijuana-related businesses, or MRBs, is FinCEN’s February 14, 2014 guidance, FIN-2014-G001. The actual Guidance document – FIN-2014-G001 PDF – begins with: “The Financial Crimes Enforcement Network (“FinCEN”) is issuing guidance to clarify Bank Secrecy Act (“BSA”) expectations for financial institutions seeking to provide services to marijuana-related businesses.”

The section “Providing Financial Services to Marijuana-Related Businesses” begins with “This FinCEN guidance clarifies how financial institutions can provide services to marijuana-related businesses consistent with their BSA obligations. In general, the decision to open, close, or refuse any particular account or relationship should be made by each financial institution based on a number of factors specific to that institution.” Following that is a section on seven marijuana-related business-specific customer due diligence steps a financial institution should consider in assessing the risk of providing services to a marijuana-related business. Then there is guidance on the three types of marijuana-related Suspicious Activity Reports: Marijuana Limited, Marijuana Priority, and Marijuana Termination. Finally, there are two pages of “Red Flags to Distinguish Priority SARs”.

Throughout the Guidance, the term “financial institution” is used forty-four times in seven pages. The term “money services business” or “MSB” appears once (in the PDF version of the Guidance). In the “Currency Transaction Reports and Form 8300’s” section on the last page is: “Financial institutions and other persons subject to FinCEN’s regulations must report currency transactions in connection with marijuana-related businesses the same as they would in any other context, consistent with existing regulations and with the same thresholds that apply. For example, banks and money services businesses would need to file CTRs on the receipt or withdrawal by any person of more than $10,000 in cash per day.”

So, are MSBs covered by the 2014 Guidance or not? Are MSBs “financial institutions” and subject to the Guidance?

For BSA purposes, the term “financial institution” is defined in the regulations at 31 CFR s. 1010.100 as including banks, credit unions, broker dealers, casinos, mutual funds, and money services businesses, among other entities. So one could assume that the use of that term in the Guidance indicated that all entity types would be subject to the guidance – including money services businesses, broker dealers, casinos, card clubs, etc.

Although the PDF version of the FinCEN Guidance doesn’t define “financial institution”, both the news release and the non-PDF version had a reference to the term “Financial Institution” at the end (of both) that appears to mean that for the purposes of the “Guidance to Financial Institutions on Marijuana Businesses”, “financial institutions” meant money services businesses and depository institutions.

The term “depository institution” is defined in multiple banking regulations in Title 12 of the Code of Federal Regulations. To keep it simple, and in keeping with FinCEN’s reporting practices, it means banks and credit unions. So, according to FinCEN, it has issued guidance to clarify Bank Secrecy Act (“BSA”) expectations for banks, credit unions, and money services businesses seeking to provide services to marijuana-related businesses.

Since the publication of the that guidance, FinCEN has published a quarterly “Marijuana Banking” report that provides some high level data on the number of these marijuana-related SARs that it instructed depository institutions (banks and credit unions) and money services businesses to file. As can be seen from the chart, this reporting is limited to depository institutions – banks and credit unions. FinCEN hasn’t reported any marijuana-related SARs filed by any of the other “financial institution” types – money services businesses.

If FinCEN has provided guidance that banks, credit unions, and money services businesses are required to file marijuana-related SARs, why is it only reporting on the marijuana-related SARs filed by banks and credit unions?

Without knowing for sure whether any of the 227,745 MSBs (according to a GAO report released September 26, 2019 that looked at how BSA-related information was being shared between the public sector agencies and by FinCEN: see GAO-19-582 at page 9) have identified and reported any marijuana-related suspicious activity, one can assume that some of the millions of SARs filed by those MSBs since 2nd quarter 2014 must have included marijuana-related activity. Indeed, given the complaints by the cannabis/marijuana industries about the lack of access to traditional banking services, one can assume that marijuana-related businesses are turning to money services businesses and alternative financial services providers to conduct otherwise basic financial services such as paying suppliers, paying utility providers, paying taxes and license fees, even cashing checks for employees. And, if those marijuana-related businesses were doing those transactions at money services businesses, ALL of those transactions are supposed to be reported in a marijuana SAR. According to FinCEN.

The data may bear that out. FinCEN’s SAR Statistics allow you to drill down to SARs filed by depository institutions, by MSBs, by month and year, and by location of the reported suspicious activity (state, county, even metropolitan areas). See https://www.fincen.gov/reports/sar-stats

Let’s take a look at a marijuana hot spot – the Emerald Triangle of California: Humboldt, Trinity, and Mendocino counties that (reportedly) grow much of the illegal cannabis in California and about 35% of the legal cannabis.

In calendar year 2018, across all of the United States, MSBs filed about 90 SARs for every 100 SARs filed by Depository Institutions, or DIs. But for activity that occurred in California, MSBs filed 122 SARs for every 100 SARs filed by DIs. To put it another way, for suspicious activity across the United States, MSBs filed about 90% the number of SARs as banks and credit unions, but in California MSBs filed 122% the number of SARs as did DIs. But according to FinCEN’s “heatmap” of SARs filed by MSBs by California county, there was a hotspot up in the three “Emerald Triangle” counties. Drilling down into the actual FinCEN data, in 2018 MSBs filed 327 SARs (10,076) for every 100 SARs (3,081) filed by DIs in the three Emerald Triangle counties. There are only 235,000 people in those three counties, which is 0.6% of California’s population, yet 4.6% of MSBs’ SARs were filed on activity that occurred in those three counties.

It could be that none of those 10,076 MSB SARs filed in 2018 on activity that occurred in the Emerald Triangle counties was flagged as a marijuana-related SAR for FinCEN to identify, track, and report. But the ratio of MSB-related SARs relative to the number of bank and credit union related SARs filed on activity in the Emerald Triangle – a ratio that has held steady for the last five years at 3.5 to 1 – suggests that FinCEN’s quarterly “Marijuana Banking” report of marijuana-related SARs filed by banks and credit unions may be under-reporting marijuana-related financial activity overall.

It’s logical – and likely – that this high MSB SAR count, both relative to depository institutions and to the population of the area, indicates that MSBs are filing “Marijuana Limited” SARs on all of the activity that marijuana-related businesses are doing with them, not just the traditional suspicious activity. In other words, MSBs are complying with the FinCEN guidance, and we don’t know it. The conclusion may be that marijuana related businesses have access to more financial services than is being reported, even if those financial services aren’t being provided by banks and credit unions.

Perhaps FinCEN can tell us in the next quarterly Marijuana Banking and Money Services Business Report …

BSA/AML Compliance Programs are Important, but Providing Timely, Actionable Intelligence to Law Enforcement Should be the Goal

April 22, 2020April 22, 2020adminMoney Laundering & Terrorist Financing - General

Eighteen months ago I called for a renewal of the original purpose of the Bank Secrecy Act: with recent changes – and more expected changes – to the FFIEC’s BSA/AML Examination Manual, I’m renewing that call.

On April 15, 2020, state and federal bank regulatory agencies, through the Federal Financial Institutions Examination Council (FFIEC), updated one of the six main sections of the FFIEC’s BSA/AML Examination Manual, the section titled “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program.” What the regulators haven’t (yet) updated are the Introduction that precedes the newly-updated section, the core examination section on the regulatory requirements, the two expanded examination sections on products and services, and persons and entities, respectively, the expanded examination section on compliance compliance programs, and the twenty appendices.

So perhaps there’s time to influence their thinking.

The stated purpose of the Manual is to provide instructions to examiners as they assess the adequacy of a bank’s BSA/AML compliance program. But the Manual is much more than that: indeed, it could be called the “BSA/AML Program Design, Development, Testing, Auditing, and Examination” Manual. It is the proverbial Bible, Torah, and Koran for everyone involved in BSA/AML. It sets the tone, as well as expectations, for everyone involved in BSA/AML, not just examiners. What is written in the Manual is critical, because the Bank Secrecy Act, or BSA is critical: “The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses or financial crime, including money laundering, terrorist financing, and other illicit financial transactions.” So says the Introduction section of the Manual, at page 7.

That same Introduction section also includes this:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.” (emphasis added)

Eighteen months ago, Verafin released my White Paper titled “50 Years of the Bank Secrecy Act: It’s Time to Renew the Purpose of Providing Actionable Intelligence to Law Enforcement”. The Paper is available at https://verafin.com/resource/50-years-bank-secrecy-act/. I conclude with the following:

“I, and many others, believe that providing timely and actionable intelligence to law enforcement is critical to the successful prevention of illicit activity. Of course, as outlined in the FFIEC manual, a sound BSA/AML compliance program provides the necessary foundation for providing that intelligence. With that in mind, a first step in reforming the BSA/AML regime in the United States may be changing the language of the Manual itself. I propose that the language is changed from ‘a sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions…’ to ‘providing timely and actionable intelligence to law enforcement is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions, and a sound BSA/AML compliance program provides the foundation for the ability to provide that intelligence.’ The change is subtle but important as it strengthens and focuses the very purpose of the BSA. Providing actionable, timely intelligence to law enforcement, while maintaining sound but rational programs, should be the new goal.”

I believe that a financial institution should be supervised, examined, and judged first and foremost on whether it is providing timely, actionable intelligence to law enforcement over whether the hundreds or even thousands of BSA compliance program requirements are ticked and tied and documented. Having an effective – or to use the new adjective in the just-released update – “adequate” BSA/AML compliance program is critically important, but it shouldn’t be the only defense, or even the primary defense from money laundering, terrorist financing, or other illicit financial activity.

So my suggestion to the FFIEC is this: on page 7 of the current Introduction section, replace:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.

With:

“Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. Providing timely and actionable intelligence to law enforcement is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions, and a sound BSA/AML compliance program provides the foundation for the ability to provide that intelligence.”

“Money Laundering/Terrorist Financing and Other Illicit Financial Activity” – a New BSA/AML Focus?

April 18, 2020April 18, 2020adminMoney Laundering & Terrorist Financing - General

If this is, in fact, a new standard for the assessment of U.S. financial institutions’ BSA/AML compliance programs, then I believe it is a positive development.

The April 15, 2020 revision of four of the five introductory sections of the FFIEC BSA/AML Examination Manual is 43 pages long. It begins with “Scoping and Planning” a BSA/AML examination. In the just-replaced section from the 2014 Manual, the objective of scoping and planning was to “identify the bank’s BSA/AML risks”. The new objective is to “develop an understanding of the bank’s money laundering, terrorist financing (ML/TF) and other illicit financial activity risk profile.”

In fact, the phrase “money laundering, terrorist financing and other illicit financial activity risk” or “ML/TF and other illicit financial activity risk” appears fifty-three (53) times in forty-three (43) pages in this April 2020 update.

The phrase “money laundering or terrorist financing risk” appears three (3) times in the current Manual (twice in the CDD section, once in the MSB section), but the phrase “ML/TF and other illicit financial activity” appears exactly zero (0) times in 442 pages of the 2014 BSA/AML Examination Manual.[1]

It appears, then, that the regulatory agencies have replaced the term “BSA/AML risk” and “BSA/AML risk profile” with the phrase “ML/TF risk” and “ML/TF risk profile.”

What are the practical impacts, if any, with the regulators’ shift from examining a bank’s “BSA/AML risk profile” to examining a bank’s “ML/TF risk profile”?

Without guidance from the regulators, without knowing their intent, it’s impossible to say what, if any, practical difference there is.

What the regulators haven’t yet touched is the Introduction section of the Manual, which precedes the four sections they have updated. So, the 2014 Introduction remains. Among other things, the Introduction includes some discussion of money laundering and terrorist financing. At page 7:

Money Laundering and Terrorist Financing

The BSA is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial transactions. Money laundering and terrorist financing are financial crimes with potentially devastating social and financial effects. From the profits of the narcotics trafficker to the assets looted from government coffers by dishonest foreign officials, criminal proceeds have the power to corrupt and ultimately destabilize communities or entire economies. Terrorist networks are able to facilitate their activities if they have financial means and access to the financial system. In both money laundering and terrorist financing, criminals can exploit loopholes and other weaknesses in the legitimate financial system to launder criminal proceeds, finance terrorism, or conduct other illegal activities, and, ultimately, hide the actual purpose of their activity.

Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.

At page 8:

Terrorist Financing

The motivation behind terrorist financing is ideological as opposed to profit-seeking, which is generally the motivation for most crimes associated with money laundering. Terrorism is intended to intimidate a population or to compel a government or an international organization to do or abstain from doing any specific act through the threat of violence. An effective financial infrastructure is critical to terrorist operations. Terrorist groups develop sources of funding that are relatively mobile to ensure that funds can be used to obtain material and other logistical items needed to commit terrorist acts. Thus, money laundering is often a vital component of terrorist financing.

It appears, then, that the 2014 Introduction remains and provides clear direction that a sound BSA/AML compliance program is critical in deterring and preventing money laundering and terrorist financing at, or through, banks and other financial institutions. And it appears also that the 2020 updates have further emphasized the importance of focusing on ML/TF and other illicit financing activity risks as this phrase doesn’t appear at all in the old/existing Manual.

In this article I will make three observations about money laundering and terrorist financing, and all three come from a Congressional hearing that occurred almost seventeen (17) years ago – a year before the first BSA/AML Examination Manual was published – that was held by the House Financial Services Subcommittee on Oversight and Investigations. That hearing was titled “Improving Financial Oversight: A Private Sector View of Anti-Money Laundering Efforts”. It was held on May 18, 2004. The hearing transcript is available at Congressional Hearing May 2004. In full disclosure, I was one of five witnesses to appear before the Sub-Committee. The others were David Aufhauser (then a Senior Counsel, Center for Strategic and International Studies and Counsel, Williams & Connolly LLP, and previously General Counsel at the Treasury Department); John Byrne, at the time the Director of Center for Regulatory Compliance, American Bankers Association; Joe Cachey, then the Vice President, Global Compliance and Chief Compliance Officer and Counsel, Western Union Financial Services; and Steve Emerson, Executive Director, The Investigative Project.

1. From an operational point of view, money laundering and terrorist financing are different problems

“From a purely operational point of view, money laundering and terrorist financing are two, very, very different problems. Traditional money laundering prevention is a transaction-focused internally sourced issue where transactions lead to relational links. Terrorist financing prevention is very different. It is a relationship-focused, externally sourced issue where relational links lead to transactions.” – written testimony of Jim Richards, Operations Executive for Global Anti-Money Laundering, Bank of America, footnote 10 on page 13.

Seventeen years later, I wish I had taken a page from the FFIEC manual and added something about “money laundering is often a vital component of terrorist financing.” But in the immediate post-9/11 environment, most of our success in finding terrorist financing or the funding of terrorist operations came from getting names or other leads from law enforcement. That said, Sub-Committee Chairwoman Sue Kelly (D. NY) asked me “[c]an you identify any particular case in which your companies worked with law enforcement to stop the flow of funds to a terrorist group or an activity of some sort?” I replied:

“Madam Chairman, off the top of my head, I can think at least two particular cases: One prior to September 11 and one after September 11. In both cases, we identified what we thought was suspicious activity. Again, we are not required to detect money laundering or terrorist financing, we are required to detect and report suspicious activity. We did that. In both cases, we felt it was significant enough that we immediately contacted law enforcement, which we are entitled and indeed perhaps required to do if it is an ongoing, serious matter. And in this case, it was the Boston U.S. Attorney’s Office, and they immediately contacted us and sought the underlying records that were the basis of our suspicious activity reports. Subsequent news events confirmed that what we had reported was indeed tied to potential terrorist financing.”

So I actually contradicted myself: we reported what we thought was money laundering or suspicious activity, and subsequent events revealed that what we had actually reported was terrorist financing or the funding of terrorist activity. The FFIEC is correct: money laundering is often a vital component of terrorist financing.

2. Money laundering and terrorist financing should not just be viewed as problems, but as symptoms of problems

“… from the perspective of a bank’s risk officer, money laundering or terrorist financing is not a problem, but a symptom of an underlying operational or control problem. When looked at from this perspective, the risk officer is able to look at the filing of a SAR or the activity represented in the SAR as a symptom of an underlying problem with account opening procedures, document collection and verification procedures, branch AML training, or the monitoring or surveillance functions. Looking at money laundering or terrorist financing as a symptom rather than a problem can be an effective way to focus on and eliminate or mitigate the underlying causes.” – Written testimony of Jim Richards, page 13, footnote 10.

Seventeen years later, I wish I had written “from the perspective of a bank’s risk officer, money laundering or terrorist financing is not just a problem, but also a symptom of an underlying operational or control problem …”. Obviously, money laundering is a problem. As is terrorist financing. But the important point I was trying to make is that identifying and reporting the suspicious activity – whether related to money laundering or terrorist financing, or both – is not the end-game for the reporting financial institution. It’s equally important to take those reports – to take the problems that you’ve identified and reported – and view them as symptoms of possible problems or issues with your underlying operational controls, or policies and procedures, or training, or even auditing or independent testing, and to correct those problems. Being able to prevent money laundering or terrorist financing is the ultimate goal.

I attempted to explain this notion of symptom versus problem in answering a question from Congressman Jeb Hensarling (R. TX 5^th):

Mr. Hensarling. Thank you, Madam Chair. Mr. Richards, I believe in your testimony you stated that money laundering or terrorist financing is not a problem but a symptom of a problem. Could you elaborate and explain that statement?

Mr. Richards. Yes. We believe that within the context of the total issue of operating risk, that the act of filing a suspicious activity report is not the end of your duty but indeed you take the suspicious activity reports and then you go back and look at the commonalities between them to determine whether the money laundering that you have reported or suspicious activity you are reported is caused by issues relating to account opening, failure to collect the proper identification, it might be a branch training issue where you have to train the people in the branch environment, something like that.

So that rather than looking at the end game being the filing of a suspicious activity report, you look at it as just the beginning of trying to see if there is an underlying operational issue in the bank. If you address the underlying operational issue, you may resolve the suspicious activity that is occurring in your bank. So, again, if you look at it as not a problem but a symptom, you can then drill down and see what the real underlying operational problem may be.

Mr. Hensarling. Thank you.

3. Managing money laundering and terrorist financing risks can only be done with creative, committed, and courageous professionals in the public and private sectors, working together

“The success of the financial sector’s anti-money laundering and terrorist financing prevention efforts is entirely dependent on two things: First, cooperation between and coordination by all of the parties involved: the law enforcement and intelligence communities, the regulatory community, the private sector, our trade associations, such as the ABA, and others; and, second, creative, committed professionals dedicated to this task. In my experience, Madam Chairman, the American financial sector has both.” – written testimony of Jim Richards

Just as I wish I had written “money laundering or terrorist financing is not just a problem, but also a symptom …”, seventeen years later I wish I had added “courageous” to my description of the type of professional that are dedicated to fighting money laundering, terrorist financing, and other illicit financial activity.

Since my Congressional testimony in 2004, I’ve come to realize that Winston Churchill was right when it comes to courage: “Courage is the single attribute upon which all other attributes depend”.

In an article I published in December 2018 titled “Rules-Based Monitoring, Alert-to-SAR Ratios, and False Positive Rates: Are We Having the Right Conversations?” I wrote this about the importance of courage:

“After 20+ years in the AML/CTF field – designing, building, running, tuning, and revising programs in multiple global banks – I am convinced that rules-based interaction monitoring and customer surveillance systems, running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts, can result in an effective, efficient, proactive program that both provides timely, actionable intelligence to law enforcement and meets and exceeds all regulatory obligations. Can cloud-based, cross-institutional, machine learning-based technologies assist in those efforts? Yes! If properly deployed and if running against all of the data and information available to a financial institution, managed and tuned by innovative, creative, courageous financial crimes subject matter experts.”

And in a March 2019 article titled “Lessons Learned as a BSA Officer 1998-2018” , one of the nine lessons I described was on the importance of courage. After quoting Winston Churchill (“Courage is the single attribute upon which all other attributes depend”), I wrote:

“After the September 2001 terrorist attacks, the 9/11 Commission was set up to look at what happened, and why. In its final report issued in 2004, they concluded that the US government’s failures could be grouped into four major categories: failure of policy, failure of capabilities, failure of management, and failure of imagination. And they concluded that the “most important failure” was a lack of imagination. I believe that all four of those failures – of policy, of capabilities, of management, and of imagination – have one thing in common. A failure of courage. What do I mean by courage? Courage to speak freely – but respectfully and fairly. Courage to walk away when your principles are compromised. Courage to change. Courage to listen. Courage to compromise.”

Finally, I apparently used the word “courage” six times in a podcast I did with the esteemed Jo Ann Barefoot in April 2018, just weeks after I retired from Wells Fargo. In the show notes, Jo Ann wrote, in part, that “executing the transformation [to digitally-enabled regulation] will take imagination, vision, wisdom and even courage, which is why I invited today’s guest to join us. He is Jim Richards, founder of the new firm, RegTech Consulting, and I think he used the word “courage” six times, in our talk.”[2]

Conclusion

I don’t believe there are any practical differences between BSA/AML risks, on the one hand, and money laundering, terrorist financing (ML/TF) and other illicit financial activity risks, on the other hand. But if there are differences, then a greater focus on managing – and being examined on how financial institutions manage – ML/TF and other illicit financial activity risks is a positive thing.

It will take cooperation between, coordination by, and the courage of all of the parties involved in the fight against money laundering and terrorist financing: the law enforcement and intelligence communities, the regulatory communities, private sector financial institutions, fintech disrupters and vendors of financial crimes systems, trade associations, and others. In my experience, the American financial sector has what it takes to effectively manage money laundering and terrorist financing and other illicit financial activity risks.

[1] In fairness, the phrase “money laundering, terrorist financing, and other illicit financial transactions” appears in the current Introduction section (page 7).

[2] https://www.jsbarefoot.com/podcasts/2018/5/14/the-courage-to-change-former-wells-fargo-bsa-officer-jim-richards

The Perfect Storm: More Alerts, Fewer Investigators, & More False Positives

March 17, 2020adminAML Regulations and Enforcement Actions, FinTech, Financial Crimes, and Risk Management, Money Laundering & Terrorist Financing - General

The Focus Has Always Been On the Increase in Fraud

Natural disasters bring out the best in some people and the worst in others. Almost fifteen years ago, in the wake of Hurricane Katrina, the Department of Justice formed the National Center for Disaster Fraud[1] to coordinate the investigations and prosecutions of benefits, charities, and cyber-related frauds that sprang up when billions of dollars in federal disaster relief poured into the Gulf Coast region. In October 2017, after a series of hurricanes in the southeast US and Caribbean (Harvey, Irma, and Maria), and California wildfires, the Financial Crimes Enforcement Network (FinCEN) issued an “Advisory to Financial Institutions Regarding Disaster-Related Fraud” that described some of the same fraud scams and instructed firms how to identify and report that activity.

FinCEN Recognizes The Strain on Resources

On March 16, 2020, three days after the President declared a National Emergency in response to COVID-19, FinCEN issued a press release (not an Advisory) encouraging financial institutions to (1) communicate concerns related to the “coronavirus disease 2019 (COVID-19)”, and (2) to remain alert to related illicit financial activity.[2]

Specifically, FinCEN requested that financial institutions contact FinCEN and their functional regulator as soon as practicable if it “has concern about any potential delays in its ability to file required Bank Secrecy Act (BSA) reports.”

This is an important acknowledgment by FinCEN. The previous Advisory focused on the increase in fraud as a result of natural disasters. This press release adds another element: at the same time fraud is increasing, the ability of financial institutions to manage that increase is impacted because of the “shelter in place” or work from home requirements. To put it in simple terms, where a bank may have had 1,000 fraud alerts handled by 50 investigators prior to the pandemic, it may now have 2,000 alerts being handled by only 20 investigators.

The Third Issue – Your Existing Fraud Alerting Logic May Produce More False Positives

Not only will the alerting “numerator” be going up (that is the transactions that a financial institution’s rules find are anomalous) but the denominator, or the volume of and types of transactions, is also changing. Very simply, people transact differently because of the pandemic. There will be more cash withdrawals (both numbers and amounts), and more activity (transactions and interactions) will shift from in-person to mobile, online, and telephone.

Elder fraud is a good example of the impact of the pandemic. The older population is most at risk from COVID-19, and most at risk of various fraud schemes. The alerting logic a bank had programmed was based on historical data relating to, say, changes in elderly customers’ use of online and mobile channels. With the pandemic, elderly customers are using those channels more often, and those alerts will now be hitting on anomalous but now-expected activity. This new current activity will be different than the historical activity on which the bank based its alerting logic.

And all of this at a time when banks have fewer investigators able to handle the output: they’re at home and either unable to access bank systems or less efficient in doing so.

Communication is the Key

As FinCEN points out, financial institutions need to communicate with their regulators if they’re finding that their investigations teams cannot keep up with the increase in fraud cases. One aspect a bank needs to consider is whether it should – and can – move analysts and investigators from AML over to fraud and sanctions screening. Sanctions screening and fraud monitoring requires real- and near-time screening and monitoring to prevent transactions from occurring – whether those are transactions with sanctioned entities, possible Business E-mail Compromise (BEC) frauds, or other frauds. Sanctions and fraud analysts and investigators need to be able to prevent certain transactions and investigate others in real- or near-time. AML analysts and investigators do not operate in the same time-sensitive environment: as a general rule, an AML alert generated in March will involve activity that occurred in February, it will be investigated in April in order to determine whether it was “suspicious”, then a SAR will be filed in May. So part of the external and internal communications a bank will need to have will involve shifting its AML resources over to sanctions and fraud monitoring and investigations.

But more important are the communications banks need to have with their clients and customers to warn them about common disaster-related frauds, and the communications within the bank to adapt to the changes in overall customer activity. How will the changes in customer activity impact the sanctions and fraud monitoring, detection, and alerting systems?

It’s the perfect storm: more alerts, more false positives, fewer investigators.

[1] https://www.justice.gov/disaster-fraud

[2] https://www.fincen.gov/news/news-releases/financial-crimes-enforcement-network-fincen-encourages-financial-institutions

Lack of Beneficial Ownership Information: a “Glaring Hole in our System” Says Treasury Secretary

February 13, 2020adminAML Regulations and Enforcement Actions, Beneficial Ownership & Customer Due Diligence, Money Laundering & Terrorist Financing - General

On February 12, 2020, Treasury Secretary Mnuchin testified before the Senate Finance Committee on the President’s Fiscal Year 2021 budget. At the 75:22 mark of the hearing, Senator Mark Warner (D. VA) began a series of statements and questions about the lack of beneficial ownership information. Senator Warner observed that the just-submitted (February 6th) 2020 National Strategy for Combating Terrorist and Other Illicit Financing – National Strategy – indicated that the number one vulnerability facing the U.S. efforts to combat terrorism, money laundering, and proliferation financing was the lack of beneficial ownership requirements at the time of company formation.

Senator Warren noted that “one of the key vulnerabilities identified in the report is the lack of a legally binding requirement to collect beneficial ownership at the time of company formation.” At the 76:50 mark, the Senator posed the following question:

Mr. Secretary, do you agree that one of our most urgent national security and regulatory problems is that the US Government still has no idea who really controls shell companies?

At the 77:25 mark Secretary Mnuchin replied:

“This is a glaring hole in our own system.”

What did the National Strategy have to say about lack of beneficial ownership information?

2020 National Strategy for Combating Terrorist and Other Illicit Financing – Key Vulnerability is Lack of Beneficial Ownership Information

The National Strategy listed 10 vulnerabilities. In the “Vulnerabilities Overview” section (page 12), the first of the “most significant vulnerabilities in the United States exploited by illicit actors” was “the lack of a requirement to collect beneficial ownership information at the time of company formation and after changes in ownership.” The Strategy goes on:

“Misuse of legal entities to hide a criminal beneficial owner or illegal source of funds continues to be a common, if not the dominant, feature of illicit finance schemes, especially those involving money laundering, predicate offences, tax evasion, and proliferation financing.

*****

More than two million corporations and limited liability companies (LLCs) are formed in the United States every year. Domestic shell companies continue to present criminals with the opportunity to conceal assets and activities through the establishment of a seemingly legitimate U.S. businesses. The administrative ease and low-cost of company formation in the United States provide important advantages and should be preserved for legitimate investors and businesses. However, the current lack of disclosure requirements gives both U.S. and foreign criminals a method of obfuscation that they can and have repeatedly used, here and abroad, to carry out financial crimes. There are numerous challenges for federal law enforcement when the true beneficiaries of illicit proceeds are concealed through shell or front companies. Money launderers and others involved in commercial activity intentionally conduct transactions through corporate structures in order to evade detection, and may layer such structures, much like Matryoshka dolls, across various secretive jurisdictions. In many instances, each time an investigator obtains ownership records for a domestic or foreign entity, the newly identified entity is yet another corporate entity, necessitating a repeat of the same process. While some federal law enforcement agencies may have the resources required to undertake complex (and costly) investigations, the same is often not true for state, local, and tribal law enforcement.

*****

To address a major aspect of this recognized vulnerability, FinCEN issued a Customer Due Diligence (CDD) Rule, which became fully enforceable for covered financial institutions on May 11, 2018. This rule requires, among other things, more than 23,000 covered financial institutions to identify and verify the identities of beneficial owners of legal entity customers at the time of account opening and defined points thereafter.

*****

While the CDD Rule addressed the gap of collecting beneficial ownership information at the time of account opening, there remains no categorical obligation at either the state or federal level that requires the disclosure of beneficial ownership information at the time of company formation. Treasury currently does not have the authority to require the disclosure of beneficial ownership information at the time of company formation without legislative action. The CDD
Rule is an important risk-mitigating measure for financial institutions and an equally important resource for law enforcement, but it is not a comprehensive solution to the problem and a crucial gap remains.

The United Sates is traditionally the global leader on AML/CFT. But the lack of a legally-binding requirement to collect beneficial ownership information at the time of company formation hinders the ability of all regulated sectors to mitigate risks and law enforcement’s ability to swiftly investigate those entities created to hide ownership. Crucially, this deficiency drives significant costs and delays for both the public and private sectors. The 2016 Financial Action Task Force (FATF) Mutual Evaluation Report (MER) underscored the seriousness of this deficiency. Indeed, this gap is one of the principal reasons for the United States’ failing grade regarding the efficacy of its mechanisms for beneficial ownership transparency.” (citations omitted)

Key Priorities of the US Government in Combating Terrorism, Money Laundering, and Proliferation Financing

After setting out the threats and vulnerabilities, the 2020 National Strategy turned to the US Government’s three key priorities in fighting terrorist and other illicit financial activity:

“To make this 21st century AML/CFT regime a practical reality, the U.S. government will continue to review and pursue the following key priorities: (1) modernize our legal framework to increase transparency and close regulatory gaps; (2) continue to improve the efficiency and effectiveness of our regulatory framework for financial institutions; and (3) enhance our current AML/CFT operational framework. This will include the supporting actions discussed below.” (page 39)

Priority 1: Increase Transparency and Close Legal Framework Gaps

This first priority has four supporting actions: (i) require collection of beneficial ownership information by the government at time of company formation and after ownership changes; (ii) minimize the risks of the laundering of illicit proceeds through real estate purchases; (iii) extend AML program obligations to certain financial institutions and intermediaries currently outside the scope of the BSA; and (iv) clarify or update our regulatory framework to expand coverage of digital assets.

Supporting Action: Require the Collection of Beneficial Ownership Information by the Government at Time of Company Formation and After Ownership Changes

Currently, there is no categorical obligation at the state or federal level that requires the disclosure of beneficial ownership information at the time of company formation. Also, Treasury does not have the authority to require the disclosure of beneficial ownership information at the time of company formation without legislative action. Having immediate access to accurate information about the natural person behind a company or legal entity is essential for law enforcement and other authorities to disrupt complex money laundering and proliferation financing networks. However, this must be balanced with individual privacy concerns and not be unduly burdensome for small businesses.

The Administration believes that congressional proposals to require the collection of beneficial ownership information of legal entities by FinCEN, including the Corporate Transparency Act represents important progress in strengthening national security, supporting law enforcement, and clarifying regulatory requirements. The Administration is working with Congress. The aim—pass beneficial ownership legislation in 2020. It is important that any law enacted should closely align the definition of “beneficial owner” to that in FinCEN’s CDD Rule, protect small businesses from unduly burdensome disclosure requirements, and provide for adequate access controls with respect to the information gathered under this bill’s new disclosure regime.

The ILLICIT CASH Act – A Solution to the Beneficial Ownership Vulnerability

The 2020 National Strategy refers to congressional proposals. One of those was mentioned by Senator Warren, who referred to the bipartisan support that exists in Congress for addressing this vulnerability through a Senate bill, the ILLICIT CASH Act, S.2563 before the Senate Banking Committee. Senator Warren noted that the ILLICIT CASH Act, or Improving Laundering Laws & Increasing Comprehensive Information Tracking of Criminal Activity in Shell Holdings Act (clearly one of the great “backronyms” of all time!) had the support of 4 Democrats and 4 Republicans. Title IV of that bill set out “Beneficial Ownership Disclosure Requirements”, and included provisions to establish beneficial ownership reporting requirements. Although there is bipartisan and Administration support for the bill, not everyone is as supportive: the American Bar Association, for one, opposes the bill.

The American Bar Association – Supportive of Reasonable Measures to Combat Money Laundering, But Not the ILLICIT CASH Act

The American Bar Association – ABA Position on Combating Financial Crime – “supports reasonable and necessary domestic and international measures designed to combat money laundering and terrorist financing. However, the Association opposes legislation and regulations that would impose burdensome and intrusive gatekeeper requirements on small businesses or their attorneys or undermine the attorney-client privilege, the confidential attorney-client relationship, or the right to effective counsel.” With respect to the ILLICIT CASH Act, the ABA opposes key provisions, and expressed that opposition in a June 19, 2019 letter to the Chairman and Ranking Member of the Senate Banking Committee. ABA Letter Opposing the ILLICIT CASH Act. And on their webpage:

“The ILLICIT CASH Act would require anyone involved in a real estate purchase or sale to file a detailed report with the Treasury Department containing the name of the natural person purchasing the real estate, the amount and source of the funds received, the date and nature of the transaction, and other data. Because attorneys often represent clients in real estate transactions, the ILLICIT CASH Act would compel many attorneys to disclose confidential client information to the government, a result plainly inconsistent with state court ethics rules.”

Conclusion – Courage to Compromise Is Needed if We Are to Make Inroads in the Fight Against Terrorism, Money Laundering, and Proliferation Financing

The ABA’s concerns about burdensome and intrusive requirements and undermining the attorney-client privilege are understandable. The Treasury Department’s concerns about the vulnerabilities of, and need to amend, the broken beneficial ownership regime are understandable. Democrats and Republicans in the House and Senate, and Republicans in the White House, will need to come together to draft, pass, and enact laws to fix the broken beneficial ownership regime. All of these groups, and more, will need the courage to compromise if we are to fill the most glaring hole in our AML system.

Chinese Money Brokers – The First US Case Involving An Identified Threat to the US Financial System?

February 10, 2020February 10, 2020adminMoney Laundering & Terrorist Financing - General, RegTech

February 6, 2020 – US Warns of Chinese Money Brokers Integrating Illicit Cash Proceeds through Trade Based Money Laundering, or TBML

On February 6, 2020, the Treasury Department released its 2020 National Strategy for Combating Terrorist and Other Illicit Financing. 2020 National Strategy. Among other threats to the US financial system were Chinese money laundering networks, or money brokers, described at pages 24 and 25 of the Strategy …

U.S. law enforcement has seen an increase in complex schemes to launder proceeds from the sale of illegal narcotics in the United States by facilitating the exchange of cash proceeds from Mexican drug trafficking organizations to Chinese citizens residing in the United States. These money laundering schemes, run by Professional Money Laundering Networks, or PMLNs, are designed to sidestep two separate obstacles: Drug Trafficking Organizations’ (DTOs’) inability to repatriate drug proceeds into the Mexican banking system due to dollar deposit restrictions imposed by Mexico in 2010 [of $4,000 a month per individual and $1,500 a month for U.S. currency exchanges by non-accountholders] and Chinese capital flight law restrictions on Chinese citizens located in the United States that prevent them from transferring the equivalent of US$50,000 held in Chinese bank accounts for use abroad. Chinese money laundering networks facilitate the transfer of cash between these two groups.

As described in the graphic from the Strategy [below], a variety of Chinese money brokers, processors and money couriers facilitate these PMLNs. Brokers in Mexico coordinate with DTOs in order for the DTOs to receive pesos in exchange for drug profits earned in the United States. The DTO instructs a courier in the United States to provide U.S. currency to the broker’s U.S. processor. The processor then launders the cash and identifies U.S.-based buyers. In exchange for U.S. currency, the buyer will transfer renminbi (RMB) through their Chinese bank account to a Chinese account controlled by the money broker. The broker then uses the RMB to buy commodities from a Chinese manufacturer for export to Mexico. Once the goods arrive in Mexico, the broker or the DTO completes the cycle by selling the goods locally for pesos.”

February 3, 2020 – Owners of Underground, International Financial Institutions Plead Guilty to Operating Unlicensed Money Transmitting Business

The First Chinese Money Broker Prosecution? On February 3, 2020 – three days before the 2020 National Strategy was released, the US Attorney for the Southern District of California issued a press release that announced that Bing Han and Lei Zhang pleaded guilty in federal court for operating unlicensed money transmitting businesses. The US Attorney noted that the guilty pleas “are believed to be the first in the United States for a developing form of unlawful underground financial institution that transfers money between the United States and China, thereby circumventing domestic and foreign laws regarding monetary transfers and reporting, including United States anti-money laundering scrutiny and Chinese capital flight controls.”

The press release described the scheme as admitted in the plea agreements (which are not available online) as follows:

“Han and Zhang would collect U.S. dollars (in cash) from various third-parties in the United States and deliver that cash to a customer, typically a gambler from China who could not readily access cash in the United States due to capital controls that limit the amount of Chinese yuan an individual can convert to foreign currency at $50,000 per year. Upon receipt of the U.S. dollars, the customer (i.e., the gambler) would transfer the equivalent value of yuan (using banking apps on their cell phones in the United States) from the customer’s Chinese bank account to a Chinese bank account designated by defendant Han or Zhang. For facilitating these transactions, Zhang and Han were paid a commission based on the monetary value illegally transferred … Han and Zhang further admitted that they were regularly introduced to customers by casino hosts, who sought to increase the gambling play of the casino’s customers. By connecting cash-starved gamblers in the United States with illicit money transmitting businesses, like those operated by Han and Zhang, the casinos increased the domestic cash play of their China-based customers. All a gambler needed was a mobile device that had remote access a China-based bank account. As a result, Han and Zhang managed to transmit and convert electronic funds in China into hard currency in the United States; all while circumventing the obstacles imposed both by China’s capital controls, and the anti-money laundering scrutiny imposed on all United States financial institutions. For their efforts, the casino hosts often received a cut of Han’s or Zhang’s commission.”

This sounds very similar to what was described in the 2020 National Strategy document. AML professionals should put a reminder in their calendars for the sentencing hearings of Han and Zhang in order to learn more about these “Chinese Money Broker” crimes that pose a threat to the US financial system.

US v. Bing Han, SD CA Case 20CR00369 is scheduled for sentencing on May 1, 2020.

US v. Lei Zhang, SD CA Case 20CR00370 is scheduled for sentencing on May 4, 2020.

PETITION DENIED – The US Supreme Court Defends the SAR Safe Harbor!

January 31, 2020February 24, 2020adminAML Regulations and Enforcement Actions, Money Laundering & Terrorist Financing - General

Updated February 24, 2020 – The US Supreme Court denied a petition that challenged the SAR Safe Harbor

On September 13, 2020 a petition was filed with the US Supreme Court asking the Court to take up a case to decide whether the so-called “safe harbor” provision gives banks and bank employees absolute immunity from any liability when filing a Suspicious Activity Report, or SAR, or something less than absolute immunity. The case is AER Advisors, Inc., Deutsche et al., Petitioners v. Fidelity Brokerage Services, LLC, petition for writ of certiorari, Docket 19-347 (US Supreme Court).[1] It was “distributed for conference” on January 22, 2020, and the conference – or meeting of the Justices – was scheduled for, and held on, February 21, 2020. On February 24th the Court published its decision: PETITION DENIED!

This was a critical case for the US anti-money laundering regime. In this case, the Court of Appeals for the First Circuit held that Fidelity had absolute immunity in filing Suspicious Activity Reports, and dismissed the petitioners’ claims against Fidelity that it filed a SAR against the petitioners in bad faith. The petitioners sought review by way of a petition for writ of certiorari – basically, an appeal – to the US Supreme Court.

The petitioners framed the main question as whether 31 USC section 5318(g), added by the Annunzio-Wylie Money Laundering Act of 1992, confers (a) absolute immunity for any disclosure; or (b) immunity only if the disclosure is an objectively possible criminal violation and/or is made in good faith and/or is not fraudulent.[2] The respondent Fidelity framed the main question differently: Is a financial institution immune from private suit under the Bank Secrecy Act when it files a Suspicious Activity Report as required by the Act?

The section in question is unequivocal:

31 USC s. 5318(g)(3) Liability for Disclosures

(A) In general. –Any financial institution that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this subsection or any other authority, and any director, officer, employee, or agent of such institution who makes, or requires another to make any such disclosure, shall not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any State or political subdivision of any State, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure to the person who is the subject of such disclosure or any other person identified in the disclosure.

Leaving aside all the legal arguments, Fidelity’s Opposition Brief includes an interesting description of the policy considerations favoring absolute immunity for financial institutions for filing Suspicious Activity Reports (beginning on page 18, the policy consideration began with “if financial institutions face liability for filing a report …”). As I began reading that section, I (as a former large bank BSA Officer responsible for the filing of well over one million SARs over the years) immediately thought of two things.

First, counsel was (rightly) focused on his client, the financial institution. But as I read the case, I was thinking “what about the BSA Officer who is the FIRST person the plaintiff’s lawyer is going to sue?!” And “who cares about the financial institution that makes a gazillion dollars a year … what about the poor BSA Officer?!”.

After recovering from that, I then thought that the obvious policy consideration favoring absolute immunity was the chilling effect that anything but absolute immunity would have on the way a BSA program is run. Without that absolute immunity, you would need to have multiple layers of review of every possible SAR, quality assurance reviews, testing requirements, auditing of those processes, etc. You would need to have multiple sign-offs on every SAR, then checking and testing of the policies and procedures and processes supporting those sign-offs. You would have checkers checking checkers checking checkers. And with large banks filing hundreds of SARs every business day, the process and personnel requirements to review every SAR for a “good faith” standard, could double the number of people needed to investigate, prepare, and file SARs. (my mind then drifted back to the personal liability of the BSA Officer overseeing such a program and of the supervisors and managers reviewing SARs).

In short, BSA Officers and AML investigations teams would be overwhelmed with oversight, to the point of paralysis. The effect of a limited or qualified immunity would be to have no immunity, and the BSA regime as we know it – monitoring for unusual activity, investigating that activity, and to the best of your ability and based on all the available facts, filing reports of suspicious activity – would end.

But none of that was on the mind of the lawyers. No, they weren’t worried about the potential impact on the suspicious activity reporting regime itself, or the BSA personnel in financial institutions facing personal ruin from plaintiffs/ law suits, they were worried about the burden on the financial institutions and on the institutions’ lawyers and the cost of those lawyers. At page 18 counsel for Fidelity wrote:

“… policy considerations favor absolute immunity. ‘Any qualification on immunity poses practical problems.’ Id. The most immediate problem is ‘a risk of second guessing.’ Id. If financial institutions face liability for filing a report, they may delay reporting or under report. Id. But even where a financial institution has a good-faith belief that a law has been violated, the institution may still think twice before reporting if Petitioners’ view of the law prevailed … In the face of potential litigation burdens of this magnitude, there is a substantial risk that financial institutions would be chilled in the filing of suspicious activity reports. Institutions will certainly think twice before reporting if expensive litigation is the cost of complying with the law. And because institutions file millions of these reports a year, if these reports were subject to litigation, financial institutions would be overwhelmed.”

Now, this is not to say that counsel is wrong. Indeed, he is right: institutions will certainly think twice before reporting suspicious activity if expensive litigation is the cost of doing so. But as a former BSA Officer, I would have felt better if one of the policy considerations favoring absolute immunity for filing Suspicious Activity Reports – even the primary policy consideration – was to protect the men and women on the front lines of financial institutions’ AML programs from second-guessing and personal liability for doing their jobs as best they can: for filing the Suspicious Activity Reports that give law enforcement and intelligence agencies the actionable, timely intelligence they need to protect the financial system from money laundering, terrorism, and other crimes. Not to protect the lawyers.

Interpreting statutes – what does the Supreme Court look at?

There is plenty of case law on how courts interpret a statute, or a part of a statute. An example is a famous case* the US Supreme Court decided in 2015, King et al v Burwell et al, 576 US 988 (2015). This is the “ObamaCare” decision where the Supreme Court was considering the requirement in the law that people had to purchase insurance on an exchange established by their state, or, if there was no such state exchange, the federal exchange. In particular, the Court was considering whether a tax credit was available to individuals who purchased insurance on the federal exchange. The phrase in question was “an Exchange established by the State”, because tax credits were only available to those who purchased insurance on “an Exchange established by the State”. The decision of the majority of the Court was 21 pages long. At the end was the following:

Reliance on context and structure in statutory interpretation is a “subtle business, calling for great wariness lest what professes to be mere rendering becomes creation and attempted interpretation of legislation becomes legislation itself.” Palmer v. Massachusetts, 308 U. S. 79, 83 (1939).
For the reasons we have given, however, such reliance is appropriate in this case, and leads us to conclude that Section 36B allows tax credits for insurance purchased on any Exchange created under the Act. Those credits are necessary for the Federal Exchanges to function like their State Exchange counterparts, and to avoid the type of calamitous result that Congress plainly meant to avoid.
* * *
In a democracy, the power to make the law rests with those chosen by the people. Our role is more confined—“to say what the law is.” Marbury v. Madison, 1 Cranch 137, 177 (1803). That is easier in some cases than in others. But in every case we must respect the role of the Legislature, and take care not to undo what it has done. A fair reading of legislation demands a fair understanding of the legislative plan. Congress passed the Affordable Care Act to improve health insurance markets, not to destroy them. If at all possible, we must interpret the Act in a way that is consistent with the former, and avoids the latter. Section 36B can fairly be read consistent with what we see as Congress’s plan, and that is the reading we adopt.

The judgment of the United States Court of Appeals for
the Fourth Circuit is Affirmed.

* The case is famous not only because it upheld a main provision of the Affordable Care Act, but also because of the blistering dissent of Justice Antonin Scalia, a dissent that included his famous phrase “interpretive jiggery-pokery”. Among other things, Justice Scalia wrote:

“The Court holds that when the Patient Protection and Affordable Care Act says “Exchange established by the State” it means “Exchange established by the State or the Federal Government.” That is of course quite absurd, and the Court’s 21 pages of explanation make it no less so.” (Dissent, page 1)

Then, after almost 8 pages of examples of the poor reasoning of the majority, Justice Scalia unloads his famous line:

“The Court’s next bit of interpretive jiggery-pokery involves other parts of the Act that purportedly presuppose the availability of tax credits on both federal and state Exchanges.”

Page 12 was, perhaps, an even better line: “For its next defense of the indefensible, the Court turns to the Affordable Care Act’s design and purposes.” And at page 17 is: “Perhaps sensing the dismal failure of its efforts to show that “established by the State” means “established by the State or the Federal Government,” the Court tries to palm off the pertinent statutory phrase as “inartful drafting.” Ante, at 14. This Court, however, has no free-floating power “to rescue Congress from its drafting errors.” Lamie v. United States Trustee, 540 U. S. 526, 542 (2004) (internal quotation marks omitted). Only when it is patently obvious to a reasonable reader that a drafting mistake has occurred may a court correct the mistake.”

And in closing on page 21: “The somersaults of statutory interpretation they have performed (“penalty” means tax, “further [Medicaid] payments to the State” means only incremental Medicaid payments to the State, “established by the State” means not established by the State) will be cited by litigants endlessly, to the confusion of honest jurisprudence. And the cases will publish forever the discouraging truth that the Supreme Court of the United States favors some laws over others, and is prepared to do whatever it takes
to uphold and assist its favorites. I dissent.”

How did the Supreme Court rule?

The Supreme Court simply denied the petition. But in the original article that appeared on this site, I asked that the US Supreme Court “refuse to take this case up and send it back to the 1st Circuit with an affirmation of the Safe Harbor for banks, lawyers, and BSA Officers alike” and:

To John Roberts and the Supremes, as you consider whether to take this case, please remember the words of Diana Ross and the Supremes:

Stop! In the name of love
Before you break my heart
Think it over
Think it over

[1] https://www.supremecourt.gov/search.aspx?filename=/docket/docketfiles/html/public/19-347.html

[2] An interesting quirk appeared in Annunzio-Wylie. Section 1517, titled “suspicious transactions and enforcement programs”, intended to add subsections (g) and (h) to section 5318 of title 31. As AML practitioners know, 5318(g) is the suspicious activity reporting requirement, and 5318(h) is the AML program requirement. However, section 1517 of Annunzio-Wylie had a typographical error, and instead of adding (g) and (h) to section 5318, it added them to section 5314, the section requiring records and reports on foreign financial agency transactions (the so-called “FBAR” section, or Foreign Bank Account Report section). This typo wasn’t corrected until two years later by section 330017(b) of the Violent Crime Control & Law Enforcement Act of 1994, PL 103-322, enacted on September 13, 1994. That section provided: “Amendment relating to Title 31, U.S.C.— (1) Effective as of the date of enactment of the Annunzio Wylie Anti-Money Laundering Act, section 1517(b) of that Act is amended by striking ‘‘5314’’ and inserting ‘‘5318’’.” In another oddity, one day after the Violent Crime Control Act was sent to the President to be signed, the Money Laundering Suppression Act (MLSA) was sent to the President. The MLSA also included a section to correct the 1992 typo; in fact, section 413(b)(1) of the MLSA was identical to section 330017(b) of the Violent Crime Control Act. Congress made doubly sure to fix the typo!

Proceeds of Crime and GDP – Are We Comparing Apples to Oranges?

January 8, 2020January 8, 2020adminAML Regulations and Enforcement Actions, Money Laundering & Terrorist Financing - General

The Estimate for US Money Laundering – $300 billion a year, or 2% of GDP

The 2015 National Money Laundering Risk Assessment – available at 2015 NMLRA – estimated that the total amount of criminal proceeds generated in the United States was approximately $300 billion, or 2% of gross domestic produce (GDP). The report provided:

“United Nations Office on Drugs and Crime (UNODC) estimated proceeds from all forms of financial crime in the United States, excluding tax evasion, was $300 billion in 2010, or about two percent of the U.S. economy. [Footnote: United Nations Office on Drugs and Crime, Estimating Illicit Financial Flows Resulting From Drug Trafficking and other Transnational Organized Crimes, October 2011.] This is comparable to U.S. estimates. UNODC estimates illicit drug sales were $64 billion, which the DEA believes is a reasonable current estimate, putting the proceeds for all other forms of financial crime in the United States at $236 billion, most of which is attributable to fraud.” (citations omitted)

The figures of $300 billion in 2010 and two percent of the US economy are the midpoints of estimates based on a 2004 report. The UNODC report provided:

“… the criminal income in 2010 (excluding tax evasion) may have amounted to some US$350 bn in the world’s largest national economy [the United States]. This would probably be the upper limit estimate. A lower limit estimate – assuming that the nominal increases found over the 1990-2000 period continued unchanged over the 2000-2010 period, would result in an estimate of around US$235 bn for the year 2010 or 1.6% of GDP. A mid-point estimate would show criminal income of some US$300 bn (rounded) or 2% of GDP for 2010. (UNODC Report, page 20).”

A critical review of the UNODC report, and the reports that it relies on, suggests that these estimates need to updated. For example, the amount of criminal proceeds from illegal drug sales dropped by almost 50% from 1990 to 2010 from $97 billion to $64 billion, but the amount of criminal proceeds from all other crimes (excluding tax evasion), more than doubled in that same period, from $112 billion to $236 billion. And excluding tax evasion is meaningful: the 1990 estimate of tax evasion was $236 billion – dwarfing both drugs and other criminal proceeds.

$300 Billion in Criminal Proceeds – How Much is Reported by Financial Institutions?

We don’t know. But what is interesting about the 2015 National Money Laundering Risk Assessment figure of $300 billion in estimated proceeds of criminal activity, is that it may be reasonably close to the total amount reported in Suspicious Activity Reports. Although FinCEN has not (yet) provided total amounts reported in Suspicious Activity Reports and Currency Transaction Reports, some anecdotal evidence (based on off-the-record discussions with people in the industry) suggests that the average depository institution (bank and credit union) SAR reports approximately $250,000 in suspicious activity, and the average money services business (MSB) SAR reports approximately $35,000 to $40,000. And I’ll guess that all other filers’ SARs average $50,000 each. Using 2018 SAR totals:

Depository Institutions 975,000 SARs @ $245,000 ~$239 billion

Money Services Businesses 875,000 SARs @ $35,000 ~$ 31 billion

“Other” and all other filers 275,000 @ $50,000 ~$ 14 billion

~$284 billion

And if we assume that some of the activity reported in Currency Transaction Reports (CTRs) is, in fact, the proceeds of criminal activity, we could arguably add another $36 billion (18 million CTRs @ $20,000 each with 10% “dirty money”). The total reported by financial institutions in the US is then roughly $320 billion. So US financial institutions may be doing a pretty good job at reporting suspicious activity!

Total Suspected Proceeds of Crime Reported in the US: ~$320 billion. Estimated proceeds of criminal activity in the US: ~$300 billion.

Proceeds of Crime and GDP – Are We Comparing Apples to Oranges?

There is another flaw in comparing the amount of criminal proceeds to global (or national) gross domestic product, or GDP. GDP is a measure of the total final value of everything produced. Its components include personal consumption expenditures, business investment, government spending, and exports less imports (and there is nominal GDP and real GDP, with the latter factoring in inflation). A better measure of the effectiveness of the financial system in identifying, interdicting, and reporting criminal proceeds would be to compare the total amount of criminal proceeds flowing through the financial system to the total amount of funds flowing through the financial system.

The US Financial System – Two Quintilian Dollars A Year

The 2015 National Money Laundering Risk Assessment (pages 35 and 36) estimates that the total amount of FedWire, CHIPS, ACH, debit card, and cash transactions moving through the US financial system in a year is approximately two Quintilian dollars:

“The global dominance of the U.S. dollar generates trillions of dollars of daily transaction volume through U.S. banks, creating significant exposure to potential money laundering activity. The Federal Reserve System’s real-time gross settlement system, Fedwire, which is used to clear and settle payments with immediate finality, processed an average of $3.5 trillion in daily funds transfers in 2014. The Clearing House Interbank Payment System (CHIPS) is the largest private-sector U.S.-dollar funds-transfer system in the world, clearing and settling an average of $1.5 trillion in cross-border and domestic payments daily. CHIPS estimates that it is responsible for processing more than 95 percent of U.S. dollar-denominated cross-border transactions, and nearly half of all domestic wire transactions. The average value of a transaction on Fedwire and CHIPS is in the millions of dollars. The automated clearinghouse network (ACH), through which U.S. banks transfer electronic payments that are not settled in real time, processes more than $10 trillion in transactions annually.”

Converting those daily amounts to annual amounts gives us a total of approximately two Quintilian dollars. Of that, $300 billion is criminal proceeds. Therefore, criminal proceeds make up approximately 0.00000007% of the total amount moving through the American financial system.

The US Government’s National Money Laundering Risk Assessment believes that for every one billion dollars of money flowing through the US financial system, seven dollars is criminal proceeds.

The private sector participants in the US financial system are subject to a regulatory regime that requires them to have complex systems, processes, and programs that collectively cost tens of billions of dollars, if not hundreds of billions of dollars, to develop, operate, and enhance. And the administrative and criminal penalties for failing to have reasonably effective AML programs can be severe. As the 2015 NMLRA concludes (on page 36):

“This exposure to a daily flow of trillions of dollars in transaction volume from large value to small value payment systems requires banks to maintain robust safeguards to minimize the potential for illicit activity. Like any other financial industry, deficient compliance practices and complicit insiders are vulnerabilities, but the stakes are higher for banks given the volume and value of transactions that U.S. banks engage in daily. Preserving the integrity of the U.S. financial system requires that banks effectively monitor and control the money laundering risks to which they are exposed. To this end, banks are required to establish a written AML program reasonably designed to prevent their financial institutions from being used to facilitate money laundering and the financing of terrorist activities. The introduction of illicit proceeds into the financial system is the first and critical step in the money laundering process and banks are most vulnerable to being used for this purpose by criminals. Once illicit proceeds are placed into the financial system, the continued use of banks to move those funds both domestically and internationally can further obscure their criminal origins and facilitate their integration into the system. Therefore, establishing and maintaining an effective customer identification program (CIP) is a key control.”

The American anti-money laundering regime – which is now in its fiftieth year – has been built to identify and report the seven dollars of criminal activity out of every one billion dollars of total activity that flows through that financial system. It is critical that the public and private sectors continue to work together to not only make this regime as effective and efficient as possible; but perhaps because of the daunting task that the private sector has been given – to detect and report the 0.00000007% of activity flowing through the system that is criminal proceeds – the regulatory agencies that examine them for compliance with the regime’s rules and regulations should focus less on how those institutions comply with the rules, and more on how well those institutions provide actionable, timely intelligence to law enforcement.

FinCEN’s BSA Value Project is A Year Old … How Is It Going?

January 7, 2020adminFinTech, Financial Crimes, and Risk Management, Money Laundering & Terrorist Financing - General

In January 2019, FinCEN launched its “BSA Value Project” – an effort to “catalogue the value of BSA reporting across the entire value chain of its creation and use” and “result in a comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information to all types of consumers of that information” (quoting the prepared remarks of FinCEN Director Kenneth A. Blanco delivered at the 12th annual Law Vegas AML Conference for casinos and card clubs, August 13, 2019, available at Director Blanco Remarks 8-13-2019).

FinCEN is now one year into the BSA Value Project … how is that project going?

Again, quoting from Director Blanco’s remarks last August, “so far, the study has confirmed there are extensive and extremely varied uses of BSA information across all stakeholders (including by the private sector) consistent with their missions.”

It appears that there are, indeed, extensive uses of BSA information by the public sector, as Director Blanco has told us that almost one in four FBI and IRS-CI investigations use BSA data. Director Blanco made the following remarks (again, on August 13, 2019) on the usefulness of BSA data:

“All FBI subject names are run against the BSA database. More than 21 percent of FBI investigations use BSA data, and for some types of crime, like organized crime, nearly 60 percent of FBI investigations use BSA data. Roughly 20 percent of FBI international terrorism cases utilize BSA data. The Internal Revenue Service-Criminal Investigation section alone conducts more than 126,000 BSA database inquiries each year. And as much as 24 percent of its investigations involving criminal tax, money laundering, and other BSA violations are directly initiated by, or associated with, a BSA report.

In addition to providing controlled access to the data to law enforcement, FinCEN also proactively pushes certain information to them on critical topics. On a daily basis, FinCEN takes the suspicious activity reports and we run them through several categories of business rules or algorithms to identify reports that merit further review by our analysts. Our terrorist financing-related business rules alone generate over 1,000 matches each month for review and further dissemination to our law enforcement and regulatory partners in what we call a Flash report. These Flash reports enable the FBI, for example, to identify, track, and disrupt the activities of potential terrorist actors. It is incredibly valuable information.”

Four months later, in prepared remarks delivered at the American Bankers Association/American Bar Association Financial Crimes Conference (December 10, 2019, available at Director Blanco at ABA December 10 2019) Director Blanco provided another perspective on the public sector use of BSA data:

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, local, and tribal agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, bringing together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed. Each day, FinCEN, law enforcement, regulators, and others query this data—that equates to an average of 7.4 million queries per year. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that help protect our nation, deter crime, and save lives.”

But Which BSA Filings are Providing Real Value to Law Enforcement?

There is no doubt that the (roughly) 20 million BSA reports that are filed each year provide great value to law enforcement. But questions remain about the utility of those filings, and the costs of preparing them. Some of those questions include: (i) which of those reports provide value? (ii) what kind of value is being provided – tactical and/or strategic? (iii) can financial institutions eliminate the “no value” filings and deploy those resources to higher-value filings? (iv) can financial institutions automate the preparation and filing of the low value filings and deploy those resources to the highest-value filings?

FinCEN’s BSA Value Project, and its “Value Quantification Model”, May Answer Those Questions

In his December 2019 remarks, Director Blanco updated us on the BSA Value Project and revealed the “value quantification model” FinCEN is building:

FinCEN is using the BSA Value Project to improve how we communicate the value and use of BSA information, and to develop metrics to track and measure the value of its use on an ongoing basis. The project has involved the gathering and review of reams of data, statistics, case studies, and other information, as well as holding detailed interviews with a wide range of government and private-sector stakeholders, including many of the organizations in this room today. That information has informed us about how each stakeholder uses and gains value from BSA reporting and the value-add activities of other stakeholders. This “value chain” of BSA reporting is being developed for each type of stakeholder: FinCEN, law enforcement, industry, regulators, and others.

We are validating these results with the agencies and firms that have contributed to their development, and soon we will be talking with some of you about the value chain that has been developed for financial institutions to ensure it captures every aspect properly.

As of today, the team has identified over 500 different metrics that are being incorporated into the valuation model. We expect the model to show us the relative value of specific forms and even key fields—what is seen as more valuable and what is seen as less valuable.

- This value quantification model will help us assess how the regulatory and compliance changes we are considering making with our government partners will affect the value of BSA reporting—we want any changes to lead to more effective outcomes and increase the value of BSA reporting, not just provide greater industry efficiency.

- It will help us provide you better and more targeted feedback on the information you report so you can identify whether it is the automated tools and databases or the more manual work of your internal financial intelligence units and investigators that is driving that value creation in specific instances.

- The project also is showing us specific challenges that we need to address, particularly in the area of communication and the development of shared AML priorities on which we can focus our efforts.

I also want to make very clear that the value of BSA data is not just confined to FinCEN, law enforcement, or the government. Industry also benefits. Financial institutions and other reporting entities derive important value from their BSA compliance and reporting activities. Throughout the study, industry consistently has confirmed that their BSA obligations, while incurring costs, also help them:

- Identify and exit bad actors to avoid reputational and financial risks;
- Manage risks more effectively to permit greater responsible revenue generation;
- Secure partnerships and investment opportunities domestically and internationally in a responsible, risk-sensitive manner, something particularly important for emerging entrants in the financial services arena; and, of course;
- Avoid financial, operational, and reputational costs from non-compliance.

I want to stress that we intend to be as transparent and public facing as possible about the results from this project. FinCEN hopes to show the tremendous variety of uses we have for your reporting.”

Conclusion

Kudos to Director Blanco and his FinCEN team for their initiative and efforts around the BSA Value Project. The results of the Project, notably the BSA Value Quantification Model, could be a game-changer for the financial industry’s BSA/AML programs. The industry is being inundated with calls to apply machine learning and artificial intelligence to make their AML programs more effective and efficient. But if those institutions don’t know which of their filings provide value, and arguably only one in four is providing value, they cannot effectively use machine learning or AI.

The entire industry is looking forward to the results of FinCEN’s BSA Value Project!

For other articles on the need for better reporting on the utility of SAR filings, see:

BSA Value Project August 19 2019

SAR Feedback 314(d) – July 30 2019

BSA Reports and Federal Criminal Cases – June 5 2019

The TSV SAR Feedback Loop – June 4 2019

Business Email Compromise – New FinCEN Advisory and Trend Analysis

July 18, 2019adminMoney Laundering & Terrorist Financing - General

FinCEN has issued an updated advisory on Business Email Compromise (BEC) fraud schemes: FinCEN 2019 BEC Advisory . At the same time it issued a Financial Trend Analysis that provides some details on what FinCEN is seeing from the Suspicious Activity Reports on BEC schemes: BEC Trends

FIN-2019-A005 Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes (July 16, 2019)

This 2019 Advisory is 12 pages long, and supersedes the 2016 advisory: FinCEN 2016 BEC Advisory. Highlights of the 2019 Advisory can be summarized as follows:

Instances of BEC reported to FinCEN have climbed from averaging just under 500 reports per month (averaging $110 million monthly in total attempted BEC thefts) in 2016 to over 1,100 monthly reports (averaging over $300 million monthly in total attempted BEC thefts) in 2018. Since November 2016, financial institutions reported over 6,000 instances and over $2.6 billion in attempted and successful transactions affiliated with suspected money laundering activity through BEC schemes.

Three observed trends since the 2016 Advisory. First, a concentration of targeting of particular sectors: manufacturing and construction (25% of reported BEC cases), commercial services (18%), and real estate (16%). Second, the majority of BEC incidents (reported in the Trends Analysis at 73%) affecting U.S. financial institutions and their customers are increasingly involving initial domestic funds transfers, rather than international, likely taking advantage of money mule networks across the United States to move stolen funds. Third, the two most common impersonations – CEO and vendor – are trending in different directions: CEO impersonations are trending down (from 33% of reported incidents in 2017 to 12% in 2018), and vendor impersonations are trending up (from 30% of incidents in 2017 to 39% in 2018, becoming the most common BEC method). FinCEN also noted that the average transaction amount for BECs impersonating a vendor or client invoice was $125,439, compared with $50,373 for impersonating a CEO.

A BEC scheme’s probability of success and the potential payout from fraudulent payment instructions often depends on (1) the criminal’s knowledge of their victim’s normal business processes by leveraging publicly available information about the victim organization’s vendors, contracts, and business processes, and (2) weaknesses in the victim’s authorization and authentication protocols.

In this 2019 Advisory, FinCEN broadens its definitions of email compromise fraud activities to clarify that such fraud targets a variety of types of entities and may be used to misdirect any kind of payment (not just wire transfers) or transmittal of other things of value. While many email compromise fraud scheme payments are carried out via wire transfers (as originally stated in the 2016 BEC Advisory), FinCEN has observed BEC schemes fraudulently inducing funds or value transfers through convertible virtual currency payments, ACH transfers, and purchases of gift cards.

The 2019 Advisory also expands the types of victims beyond commercial businesses. FinCEN analysis has indicated criminal groups use a variety of techniques to conduct BEC fraud against individuals, particularly and increasingly those with high net worth, and entities that routinely use email to make or arrange payments between partners, customers, or suppliers. Targets of these schemes fall outside of the definition of traditional business customers, such as government entities and non-profit organizations or even the financial institutions themselves.

Footnote 7 provides that “The definitions of email compromise fraud, BEC, and EAC supersede the definitions in the 2016 BEC Advisory.” Those definitions are (and the red font indicates changes from 2016):

Email Compromise Fraud: Schemes in which 1) criminals compromise[1] the email accounts of victims to send fraudulent payment instructions to financial institutions or other business associates in order to misappropriate funds or value; or in which 2) criminals compromise the email accounts of victims to effect fraudulent transmission of data that can be used to conduct financial fraud. The main types of email compromise, the definitions of which have been modified to reflect the expansion of victims being targeted, include:

Business Email Compromise (BEC): Targets accounts of financial institutions or customers of financial institutions that are operational entities, including commercial, non-profit, nongovernmental, or government entities.

Email Account Compromise (EAC): Targets personal email accounts belonging to an individual.

BEC Fraud against Governments – BEC frauds have targeted accounts used for pension funds, payroll accounts, and contracted services. Schemes against government victims are consistent with other common typologies in BEC fraud. BEC schemes targeting government entities also often include vendor impersonation.

BEC Fraud against Educational Institutions – In 2016, financial institutions reported to FinCEN over 160 incidents of BEC targeting educational institutions where criminals attempted to steal over $50 million. The education sector has the largest concentration of high-value BEC attempts in financial sector reporting, even though only approximately 2% of BEC incidents affected educational institutions in 2017. Schemes against educational institutions frequently involve vendor impersonation. Attackers use authentic-looking payment requests to direct funds to domestic bank accounts they control. Large-scale construction and renovation projects have repeatedly been targets of high-dollar thefts.

BEC Fraud against Financial Institutions – In some cases, BEC actors directly target the financial institutions themselves. This scheme typically involves spoofing bank domains and sending what appear to be credible messages to imitate official communications between bank employees, such as sending emails that appear to be from a financial institution’s SWIFT (wire operations) department with payment instructions and SWIFT reference numbers in the email text to enhance its apparent legitimacy to the victim.

Information Sharing – The 2019 Advisory encourages financial institutions to use 314(b) to share information. FinCEN points out that many beneficiaries of BEC schemes play roles in larger networks of criminal activity and laundering of funds from illicit activity (“FinCEN encourages financial institutions to share valuable information about BEC beneficiaries and perpetrators, for purposes of identifying and, where appropriate, reporting activities that they suspect may involve possible terrorist activity or money laundering.”).

The 2019 Advisory includes a section on information for US financial institutions (which supersedes the 2016 advisory):

Risk Management Considerations – In determining the inherent risk of BEC, financial institutions should consider the level of information available publicly about key financial counterparties and processes, including information on public websites or on the darknet (e.g., email account login credentials that have been compromised and posted for sale). Financial institutions need to also consider its procedures and processes relating to how it (1) authenticates participants in communications,( 2) authorizes transactions, and (3) communicates information and changes about transactions. A multi-faceted transaction verification process, as well as training and awareness-building to identify and avoid spear phishing schemes, are critical.

Response and Recovery of Funds – To request immediate assistance in recovering BEC-stolen funds, financial institutions should file a complaint with the FBI’s Internet Crime Complaint Center (IC3), contact their local FBI field office, or contact the nearest USSS field office. These agencies are part of FinCEN’s Rapid Response Program (RRP). Financial institutions should also use the 314(b) information sharing process to request assistance from other financial institutions involved in (victims of or unwitting participants in) the scheme.

Suspicious Activity Reporting – Financial institutions should provide all pertinent available information on the event and associated suspicious activity, including cyber-related information, in the SAR form and narrative. Specifically, the following information is highly valuable to law enforcement and FinCEN in investigating BEC/EAC fraud:

Transaction details:

1) Dates and amounts of suspicious transactions;

2) Sender’s identifying information, account number, and financial institution;

3) Beneficiary’s identifying information, account number, and financial institution; and

4) Correspondent and intermediary financial institutions’ information, if applicable.

Scheme details:

1) Relevant email addresses and associated Internet Protocol (IP) addresses with their respective timestamps;

2) Description and timing of suspicious email communications and any involved compromised or impersonated parties; and

3) Description of related cyber-events and use (or compromise) of particular technology in the conduct of the fraud. For example, financial institutions should consider including any of the following information or evidence related to the email compromise fraud:

a) Email auto-forwarding
b) Inbox sweep rules or sorting rules set up in victim email accounts
c) A malware attack, and
d) The authentication protocol that was compromised (i.e., single-factor or multi-factor, one-step or multi-step, etc.)

[1] Criminals engaged in email compromise fraud may directly compromise email accounts through unauthorized electronic intrusions in order to leverage the compromised account for sending messages, or they may instead impersonate an email account through spoofing the email address or using an email account closely resembling a known counterparty or customer’s email address (i.e., that is slightly altered by adding, changing, or deleting one or more characters).