Loading…

Biden or Trump? Possible Impacts of a New Administration on Financial Crimes Compliance

And does FinCEN have a 95 percent “false positive rate” it needs to address?

The U.S. election is Tuesday, November 3rd. We’ll know soon thereafter whether the country will have a new Democratic Joe Biden administration or whether the current administration under Republican Donald Trump will continue for a second term. And we’ll also know whether the Senate stays with a Republican majority or flips and goes Democratic (control of the House of Representatives will likely remain with the Democrats).

Financial crimes professionals are asking about what a change in administration could mean for them. Let’s look at recent trends in four different aspects of financial crimes compliance: (i) the number of Suspicious Activity Reports (SARs) filed, (ii) the number and types of federal criminal cases, (iii) the number of Deferred Prosecution Agreements (DPAs) entered into by corporations, and (iv) referrals to FinCEN made by federal agencies for substantial potential BSA violations.

We will look at the period 2011 through 2019. The recent FinCEN Files investigation and articles from Buzzfeed News and the International Consortium of Investigative Journalists (ICIJ) used leaked SARs that had been filed from 2011 through 2017 (actually, there were also about 10 SARs a year from each of 2008, 2009, and 2010, but journalists haven’t focused on those, likely because they don’t reveal enough salacious information to fit their narrative). And 2019 is the last full year (federal government fiscal year running through September 30) that has available data. Also, this nine-year period includes the last four years of the Democratic Obama administration and the first two full years of the Republican Trump administration. So we can compare the two to see if there are any differences or trends.

Caveat/Disclaimer – the Trump administration took power on January 21, 2017, almost four months into the 2017 fiscal year. In fairness to that administration, I have only used fiscal years 2018 and 2019 as being “Trump” years, and have described these years as the first two full years of this administration.

I. SAR Filing Trends Compared to Federal Criminal Cases

The image below is complicated and contains a lot of data and information. First, the main table with the grey, blue, and green column headings: the blue headings show the total number of Suspicious Activity Reports (SARs) filed each year from 2011 through 2019. The red arrows in the cells indicate that the number in that cell (year) is higher than the number in the prior year. As can be seen, the number of SARs filed goes up every year.

The total number of SARs filed is compared to the number of FinCEN Files SARs. As explained in the ** note below the chart, Buzzfeed News has a chart that allows you to estimate the number of SARs it had by year. I include this to show that the FinCEN Files SARs are a very small proportion of the total SARs filed: that alone should convince a reader that the FinCEN Files SARs are not representative of all SARs filed.

The green columns show data from the Office of the United States Attorney’s Annual Statistical Reports. The first green-header column shows the total number of criminal cases filed in all Federal District Courts. As can be seen by the arrows, the total number of criminal cases dropped every year 2012 through 2017, then rose significantly in 2018 and again in 2019. As indicated, 2014 through 2017 are the last four years of the Obama administration: 2018 and 2019 are the first two full fiscal years of the Trump administration.

The next six columns break out the criminal cases by the DOJ program categories. I selected the four largest (by total number of cases) categories – immigration, violent crime, drugs, and white collar crime – as well as Money Laundering (being of obvious interest to financial crimes compliance professionals) and then all others.

Immigration Cases – these cases make up about 40 percent of all federal criminal cases. Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, immigration cases are up about 37 percent under Trump. And where these cases trended down every year under the Democratic administration, they are up both years under the Republican administration.

Violent Crime Cases – these cases make up about 22 percent of all federal criminal cases. Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, violent crime cases are up about 31 percent under Trump.

Observation: Over 60 percent of federal criminal cases are immigration or violent crime cases. It is unlikely that BSA reports would play a major part in the identification, investigation, or prosecution of these types of cases, which appear to be a focus of the Trump administration.

Drug Cases – these cases make up about 21 percent of all federal criminal cases. Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, drug cases are up about 13 percent under Trump.

White Collar Cases – these cases make up about 9 percent of all federal criminal cases. Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, white collar cases are down about 10 percent under Trump. However, the trends are more complicated than the averages: white collar cases dropped every year for the last four years of the Obama administration, from a high of 6,300 in 2013 down to 4,379 in 2017. The numbers are only slightly higher under the Trump administration at ~4,600 each year.

Money Laundering Cases – there is no real trend in these cases other than very few are brought. I have included this category of cases to illustrate the difference between suspicious activity, which is what financial institutions are required to report to the federal government, and the crime of money laundering. For every 10,000 SARs and 100,000 BSA reports, the federal government brings 1 money laundering case.

Over 30 percent of federal criminal cases involve drug crimes, white collar crimes, or money laundering. It is likely that BSA reports play a major part in the identification, investigation, or prosecution of these types of cases. 

So to summarize:

II. SAR Filing Trends Compared to Deferred Prosecution Agreements (DPAs)

If you were able to figure out the previous graphic, this next one should be a breeze. The website Corporate Prosecution Registry is maintained by a group at the University of Virginia. The website provides the following description:

The Corporate Prosecution Registry is a joint project of the Legal Data Lab at the University of Virginia School of Law and Duke University School of Law. The goal of this Corporate Prosecution Registry is to provide comprehensive and up-to-date information on federal organizational prosecutions in the United States, so that we can better understand how corporate prosecutions are brought and resolved. We include detailed information about every federal organizational prosecution since 2001, as well as deferred and non-prosecution agreements with organizations since 1990.

We aim to provide accurate, timely, and accessible information for policymakers, researchers and litigators alike. All of the information contained on this website is publicly available, and was gathered from federal docket sheets, press releases, prosecutor’s offices, as well as from FOIA requests.

The Registry was created by Professor Brandon Garrett ( bgarrett@law.duke.edu) and Jon Ashley ( jonashley@law.virginia.edu)). We welcome any questions or feedback about the contents or features of this website. Please tell us if you notice any errors or can add information about a case, or if you have information about a case that is missing from the Registry.

We want to encourage the broadest possible use of this data for research and educational purposes. We believe all of the primary documents collected here are works of the United States government and are therefore free of all copyright protection, per Section 105 of the U.S. Copyright Act. To promote access and reuse of the database, which may be subject to limited copyright protection or other legal protections, we have licensed the data for free public use under the Creative Commons Attribution-NonCommercial 4.0 International License. Please attribute the database as indicated above. For permission to make commercial uses not covered by the license or a relevant legal provision (such as fair use), please contact us.

Please cite to this resource collection as “Brandon L. Garrett and Jon Ashley, Corporate Prosecution Registry, Duke University and University of Virginia School of Law”, at http://lib.law.virginia.edu/Garrett/corporate-prosecution-registry/index.html

With that introduction, I pulled the data for Deferred Prosecution Agreements (DPAs), Non-Prosecution Agreements (NPAs) and guilty pleas, by year, and then took three sub-sets of that data: (i) DPAs, NPAs, and Pleas relating to six types of offenses (as categorized by the folks at UVA and Duke) that involve financial crimes-related matters (BSA, Money Laundering, Bribery, Foreign Corrupt Practices Act, four types of Frauds, and Kickbacks); (ii) DPAs, NPAs, and guilty pleas of any type by financial institutions; and (iii) DPAs, NPAs, and guilty pleas by financial institutions for BSA of Money Laundering. And as I did with federal criminal cases, I included total SARs filed and FinCEN Files SARs as a comparison.

There are some interesting trends. First, 2015 is an anomaly: it included 73 fraud cases prosecuted against Swiss banks under a program that DOJ ran relating to undisclosed accounts and assets held by U.S. taxpayers. 


Total DPAs, NPAs, Pleas – the total number of DPAs, NPAs, and guilty pleas has been steadily dropping from 2011 through 2019, but the drop is more pronounced under the Trump administration, where they’re down by about two-thirds compared to the last four years of the Obama administration.

DPAs, NPAs, Pleas for Financial Crimes – Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, these are down by over 42 percent.

Observation: Comparing the average of the last four years of the Obama administration with the average of the first two years of the Trump administration, total DPAs, NPAs, and guilty pleas, and financial crimes-related DPAs, NPAs, and guilty pleas, against corporations are down by about half.

DPAs, NPAs, and Pleas against Financial Institutions – although the number of financial institutions entering into DPAs, NPAs, and guilty pleas isn’t high – other than the spike from the Swiss bank cases in 2015 it has not exceeded twelve in any year – the percentage of these resolutions involving financial institutions has gone up under the Trump administration (11 percent of all DPAs, NPAs, and pleas) compared to three of the last four years of the Obama administration (7 percent, excluding the anomalous 2015 year). 

DPAs, NPAs, and Pleas Entered into by Financial Institutions for BSA and Money Laundering – As seen above, these are rare. In the last nine years (with the exception of the anomalous 2015 year) there has never been more than two of these cases brought against financial institutions. There are 30,000+ financial institutions in the United States: the chances of being prosecuted for BSA or money laundering violations is exceedingly rare.

To summarize:

III. Referrals from Regulatory Agencies to FinCEN

In August 2019 the Government Accountability Office, or GAO, issued a report titled “BSA: Agencies and Financial Institutions Share Information but Metrics and Feedback not Regularly Provided”. It is available at https://www.gao.gov/assets/710/701086.pdf.

Among other things, the GAO looked at FinCEN’s enforcement action authority, and how it obtained information needed to issue enforcement actions. On pages 29 and 30 they described these referral sources as follows:

“FinCEN enforcement actions can be based on sources that include referrals from examining authorities, information from financial institutions, interviews, and leads from law enforcement. Other sources for FinCEN enforcement actions can include FinCEN’s own targeted BSA/AML examinations for high-risk areas and other areas that FinCEN identifies through referrals within FinCEN or through its proactive investigations. Supervisory agencies, including the federal banking regulators, SEC, CFTC, and their respective SROs are to promptly notify FinCEN of any significant potential BSA violations. A significant violation, as established in a memorandum of understanding with each supervisory agency, generally includes systemic BSA/AML compliance program deficiencies or reporting or recordkeeping violation(s); a financial institution’s failure to respond to supervisory warnings concerning such BSA deficiencies or violations; a financial institution’s willful or reckless disregard of BSA requirements; or a violation that creates a substantial risk of money laundering or the financing of terrorism in the institution. IRS also makes referrals to FinCEN for violations it identifies in its BSA examinations, such as willful violations of AML program requirements and recordkeeping and reporting regulations and structuring. Additionally, financial institutions can self-report violations, DOJ or other law enforcement agencies may provide leads, and FinCEN personnel can refer potential violations to FinCEN’s Enforcement Division to be investigated.”

From January 2015 through September 2018, six regulatory agencies (Federal Reserve, OCC, FDIC, CFTC, SEC, NCUA) and the IRS referred 419 significant potential BSA violations to FinCEN. According to the GAO, it took FinCEN between 5 months and 3 years to close a referral case. Below is table 3 from the GAO report summarizing those referrals:

In that same period (2015-2018), FinCEN issued 26 enforcement actions (one in 2019, two in 2020). Here’s what that looks like:

The first trend we can see from this data is that the number of FinCEN enforcement actions dropped every year from a high of twelve in 2015 to a low of one in 2019. Through October 30 there have been two FinCEN enforcement actions issued in 2020, and both have been against individuals: Michael LaFontaine, former chief risk officer of US Bank, and Larry Dean Harmon, who operated an unlicensed money service business (a crypto exchange and mixer).

This data also reveals something that is not about a trend or a comparison between political administrations, but is about the outcomes from the agency referrals. Given the 5 month to three year lag in closing cases, we can assume (generously) that a referral made in 2015 wouldn’t be closed (and an enforcement action either doesn’t result or does result from the closed case) until at least 2016. So most of the 135 referrals from 2015 would be part of the 76 or even 180 closed cases in 2016 and 2017. But it would be fair to assume that the 419 referrals from 2015 through 2018 were resolved between 2016 and 2020. With that assumption,

96 percent or more of regulatory agencies’ referrals of significant potential BSA violations do not result in a FinCEN enforcement action: that is a 96 percent “false positive” rate!

I write “96 percent or more” because agency referrals, as explained by the GAO, are only one source of potential FinCEN enforcement actions: financial institutions can self-report issues, the DOJ can make referrals, and FinCEN, of course, has the ability to source its own cases. So 96 percent is conservative: it is likely closer to 98 percent.

Everyone in the industry, and everyone commenting on the industry, bemoans the terrible false positive rate of traditional transaction monitoring systems. Experts and enthusiasts alike write and talk about the 95 percent false positive rate – where only 5 of 100 alerts that are generated end up being reported in a Suspicious Activity Report, or SAR. Leaving aside the sloppiness of the description – alerts are not reported in SARs, suspicious activity is reported in SARs – and the axiomatic and anecdotal nature of the complaints, it is fair to say that traditional transaction monitoring systems are neither effective nor efficient, and a 95 percent false positive rate, on average, may not be too far off reality. It is, at least, a useful talking point and an anchoring number we can use as we strive to lower that rate to something better. I have written about this at length. See, for example, https://regtechconsulting.net/uncategorized/the-current-bsa-aml-regime-is-a-classic-fixer-upper-and-heres-seven-things-to-fix/

But it is certainly interesting, even if only for conversational purposes, if FinCEN itself also suffers from a 95 percent false positive rate when it comes to converting agency referrals of “significant potential BSA violations” to its version of a SAR, an enforcement action.

Conclusion

When we wake up on November 4th (although it could take longer, and technically some states are not required to certify their votes until early December) we will either have a new Democratic administration under former Vice-President Joe Biden, or the current Republican administration under President Donald Trump will remain for another four years. Looking at trends in criminal cases against both individuals and corporations (with the latter represented by Deferred and Non-Prosecution Agreements), and trends in enforcement actions brought by FinCEN, we can expect real differences between a Biden administration – more financial crimes-related cases and enforcement actions – and a Trump administration – less. Regardless of the incoming administration, though, we should probably take a closer look at the referrals being made by the regulatory agencies to FinCEN, and how FinCEN is managing them (five months to three years to make a decision on a referral) and closing them: 95 percent “false positives” is inefficient and ineffective in the public sector as well as the private sector.

FinCEN Files – Reforming AML Regimes Through TSV SARs (Tactical or Strategic Value Suspicious Activity Reports)

The Public/Private AML Industry is Fifty Years Old and is Long Overdue for a Makeover: Let’s Start with Better Public Sector Feedback

What we know as the Bank Secrecy Act (BSA) has been around since October 26, 1970. The original purpose was to require financial institutions to keep records and file reports that had “a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings”. Other than adding another purpose after the terrorist attacks of 9/11 (reports to support “the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism”), that original purpose hasn’t changed. Fifty years ago a few thousand reports were submitted to law enforcement: this year more than 20 million BSA reports are produced by the private sector and submitted to the Treasury Department’s financial intelligence unit, or FIU – the Financial Crimes Enforcement Network (FinCEN).

To repeat, the purpose of these BSA reports, indeed of the entire anti-money laundering (AML) and counter-terrorist financing (CFT) regime, is to provide “a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”[1]

The production of these reports doesn’t come cheaply. It costs the private sector billions of dollars every year to develop and maintain programs that are ultimately intended to produce and keep these records and to produce and file these reports. And for years the private sector has complained that law enforcement isn’t using the reports effectively and isn’t providing feedback to the private sector as to which reports are useful.

It costs the private sector billions of dollars every year to develop and maintain programs that are ultimately intended to produce and keep these records and to produce and file these reports. And for years the private sector has complained that law enforcement isn’t using the reports effectively and isn’t providing feedback to the private sector as to which reports are useful.

The FinCEN Files – a series of salacious stories based on the illegal disclosure of over 2,100 Suspicious Activity Reports (SARs) filed by dozens of banks – painted some large, global banks as being the reason for, or the facilitators of, financial crime and corruption. Those stories have resulted in calls to reform – once and for all – what the media and others are calling a broken, ineffective, and inefficient regime. But none of those calls for reform offer any solutions. Five recent US government publications provide a more measured – and legal – view into the U.S. anti-money laundering regime and the use, usefulness, and costs of producing those SARs, and other Bank Secrecy Act (BSA) reports filed by tens of thousands of financial institutions. And one of those reports, a September 22, 2020 report on the use and usefulness of BSA reports published by the U.S. Government Accountability Office (GAO), suggests what needs to be done to streamline and improve the AML regime: we need to “systematically collect information on outcomes from the use of BSA reports”.  In other words, there are plenty of inputs into the system – private sector reports of suspicious activity – but we know very little about the outputs from or results of those inputs – what is law enforcement doing with those reports? Which ones are providing actual leads, or tactical information? Which ones are providing trending and analytical value, or strategic information? What agencies are using the reports? All these questions remain unanswered. And although the GAO suggests what needs to be done, it doesn’t suggest how that can be done.  I do. The most effective way to systematically collect information so that the private sector producers of BSA reports (financial institutions) can provide reports with a “high degree of usefulness to government authorities” (the very purpose of the BSA), is to require that the public sector consumers of BSA reports (law enforcement) provide feedback to the private sector. And the mechanism for that feedback is the Tactical or Strategic Value Suspicious Activity Report, or TSV SAR.

This article tracks a September 22, 2020 GAO Report on the use and usefulness of BSA reports, and brings in excerpts from other federal government publications where appropriate. This article focuses on three issues described in the GAO report: law enforcement’s use of BSA reports, and whether they find them useful; the BSA/AML compliance cost burden; and regulators’ supervision and examination of BSA compliance programs. The fourth issue – the SAR and CTR thresholds – is included in the compliance cost section.

Finally, and as described above, I offer a solution to how the public sector can provide more effective feedback to the private sector so the private sector can more effectively and efficiently meet its obligations to provide timely, actionable intelligence to government authorities – the TSV SAR. This is not the only solution; indeed, we need more public/private sector partnerships, we need to move to cross-institutional and cross-jurisdictional collaborative investigations, we need more effective information sharing, and we need more efficient and effective monitoring/surveillance, alerting, investigations, and reporting. But the key to any reform is public sector feedback: I’m offering the TSV SAR as the vehicle for that feedback.  

Five U.S. Government Publications

FinCEN’s Suspicious Activity Report (SAR) Cost & Burden Estimate

On May 26, 2020, FinCEN published a notice in the Federal Register titled “Proposed Updated Burden Estimate for Reporting Suspicious Transactions Using FinCEN Report 111 – Suspicious Activity Report”. This is a notice required under the Paperwork Reduction Act, or PRA: agencies are required to periodically assess and estimate the burdens and costs of their regulatory regimes.

This was the first such notice where: (1) FinCEN has been able to analysis the SAR Database to quantitatively assess the numbers, characteristics, and types of SARs, by institution type, by type of work required to be done, and by what types of involved positions; and (2) perhaps just as important, FinCEN has shown a willingness to provide this information and to seek feedback from the private sector on other available information that could be incorporated into future analyses. FinCEN must be commended for both.

In prior PRA notices, FinCEN has simply estimated that the SAR filing process takes a total of two hours for each and every SAR filed. With this notice, FinCEN identified and attempted to capture burden and cost estimates for five categories of SARs, two types of filing (batch and discrete), three of the six stages in the SAR filing process, and the four types of positions involved in the process.

Five categories of SARs: (1) depository institutions’ (banks and credit unions) original SARs with standard content; (2) depository institutions’ original SARs with extended content; (3) non-depository institutions’ original SARs with standard content; (4) non-depository institutions’ original SARs with extended content; and (5) all filers’ continuing activity SARs. The standard and extended content analysis looked at combinations of (1) the number of named suspects; (2) the number of suspicious activities’ categories marked on the SAR form; (3) the length and make-up of the narrative; and (4) whether there was an attachment.

Six stages in the SAR filing process: (1) maintaining a monitoring system; (2) reviewing alerts; (3) transforming alerts into cases; (4) case review; (5) documentation of the SAR/no SAR determination; and (6) the SAR filing process. The current two-hour per SAR PRA estimate only considered the 6th stage: this notice added the 4th and 5th stage, and FinCEN acknowledged that it needs further data, and comments from the private sector, in order to include the 1st, 2nd, and 3rd stages.

Four types of people: (1) general supervision (oversight); (2) direct supervision; (3) clerical (SAR investigation); and (4) clerical (filing).

With this notice, FinCEN is changing its PRA burden estimate of 120 minutes per SAR to an estimate ranging from 25 minutes to 315 minutes per SAR for the last 3 of the 6 stages in the SAR filing process, and is inviting comments on these new estimates and on how to include and estimate the first 3 of the 6 stages.[2]

US Attorney’s Annual Statistical Report, Fiscal Year 2019

The DOJ statistical reports are available going back to fiscal year 1955 (the federal government’s fiscal year ends on September 30th). They are available at https://www.justice.gov/usao/resources/annual-statistical-reports. These reports provide an incredible amount of information on federal criminal cases by US Attorney’s office, by major type of criminal offence, by number of cases filed and completed, how they are completed (guilty, not guilty, dismissed, other), whether dispositioned in district court or by magistrate, length of case, etc.

US Sentencing Commission’s Statistical Information Packets, Fiscal Year 2019

Since at least 1996 the US Sentencing Commission has published summaries of federal criminal cases by district court, by types of crimes, by guilty pleas versus trial, sentence type and term, whether above or below the guidelines and why, etc. The fiscal year 2019 reports are available at https://www.ussc.gov/research/data-reports/geography/2019-federal-sentencing-statistics. The Sentencing Commission data generally aligns with the US Attorney’s data, although there are some differences that I cannot explain (nor have I made formal inquiries). For example, the US Attorneys’ data shows a total of 73,934 defendants pled or were found guilty, while the USSC data shows 76,538 defendants were sentenced. The programs (US Attorneys’ data) and types of crimes (USSC) generally aligned, although there were differences there, also. For example, the US Attorney’s data showed  221 defendants pled or were found guilty under the program heading “money laundering”, while the USSC data shows 1,177 defendants were sentenced for money laundering.

I have included a summary of the Department of Justice’s US Attorneys’ Annual Statistical Report for Fiscal Year 2019. Where the GAO report includes information on how law enforcement uses BSA reports, and whether those reports are useful, it doesn’t indicate how many cases, and what kinds of cases, federal law enforcement agencies bring. Neither the US Sentencing Commission’s Statistical Information Packets nor the US Attorney’s Annual Statistical Report link BSA reports to criminal cases: that remains the undiscovered Holy Grail. Regardless, the US Attorneys’ information is enlightening and, in many respects, concerning.

FinCEN’s Advance Notice of Proposed Rule-Making on BSA/AML Program Effectiveness

On September 16, 2020 FinCEN published a notice seeking public comment for potential regulatory amendments to require all covered financial institutions to maintain an “effective and reasonably designed” AML program that (1) assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN consistent with the proposed amendments; (2) provides for compliance with Bank Secrecy Act requirements; and (3) provides for the reporting of information with a high degree of usefulness to government authorities. The intent of the proposed changes is to “modernize the regulatory regime to address the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of anti-money laundering programs.”

Currently, financial institutions must have programs that assess and manage financial crimes risk and meet the requirements of the BSA laws and regulations. The critical change is the addition of a third program requirement: providing reports that have a high degree of usefulness to government authorities. This is critical: the very purpose of the BSA laws and regulations (set out in the first AML statute in 1970 and codified at 31 USC s. 5311) is “to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.” Currently there is no express requirement that financial institutions’ BSA programs address the very purpose of the BSA.

But as explained in the conclusions and recommendations, there currently is no way to determine what what “useful” means, how it would be measured, and which records or reports are, in fact, useful, and for what purposes.

The GAO Report on Use & Usefulness of BSA Reports

On September 22, 2020, the United States Government Accountability Office (GAO) issued a report that addressed these very concerns about the use made of, and usefulness of, BSA reports, and the costs to produce those reports and maintain the required programs. Titled “Anti-Money Laundering: Opportunities Exist to Increase Law Enforcement Use of Bank Secrecy Act Reports, and Banks’ Costs to Comply with the Act Varied”, the Report was addressed to Representative Blaine Luetkemeyer (R. MO 3rd), the Ranking Member of the Subcommittee on Consumer Protection and Financial Institutions, Committee on Financial Services, House of Representatives. The report, GAO-20-574, is available at https://www.gao.gov/assets/710/709547.pdf.

The Report is lengthy – 214 pages – and covers four main topics or issues and posed two questions relating to FinCEN’s role in BSA/AML supervision and examination:

  1. Law enforcement’s use of Bank Secrecy Act (BSA) reports – pages 14 to 36 with details and supporting information in Appendix II
  2. A survey of eleven representative banks’ and credit unions’ direct costs of running a BSA/AML compliance program – pages 36 to 60 with details and supporting information in Appendix III
  3. A discussion of regulators’ supervision and examination of BSA/AML compliance programs – pages 60 to 65
  4. A discussion of proposed changes to reporting thresholds, sharing of information, and using innovative technologies – pages 65 to 75
  5. A discussion whether FinCEN should adopt the SEC practice of issuing “No Action Letters” (Appx V)
  6. A discussion of whether FinCEN should conduct BSA/AML examinations (Appx VI)

The GAO did its work from September 2018 through September 2020, using information and data from 2015 – 2018. It surveyed six federal law enforcement agencies, eleven banks and credit unions, and six trade associations. The Report is data-intensive: it includes 123 Tables and 16 Figures. Like all GAO reports, it is well written, uses plain language, fairly represents the issues, and, where appropriate, makes recommendations.

Issue 1 – Law Enforcement Use of BSA Reports

The Law Enforcement Agencies

The GAO surveyed six federal law enforcement agencies that were the main users of FinCEN’s BSA database in 2018. I noted that the US Postal Inspection Service was not included.

The table below shows the relative sizes of the agencies, which drive the sample sizes required for statistical integrity. The GAO sent surveys out to select positions within the agencies to get a representative sample. As can be seen, the overall response rate was 57.2%: note the IRS-CI response rate of 75.5%. The IRS-CI also stood out throughout the Report as having higher than average usage rates of all BSA reports.

Figure 3, below, summarizes the percentages of law enforcement personnel from the six agencies that used BSA reports to start or assist on new investigations, conduct or assist with ongoing criminal investigations, to analyze patterns, trends, and issues associated with criminal activity, and to work on criminal prosecutions. Almost three-quarters of respondents use BSA reports to conduct or assist with ongoing investigations. Notably, only 41% of the respondents indicated that they used BSA reports for analyzing trends or patterns. And as can be seen in Figure 3, the IRS-CI is a prodigious consumer of BSA reports.

Use and Usefulness of BSA Reports

Some of the more interesting findings in the Report are in the details of how frequently law enforcement used the five main BSA reports in their work, and whether they found those reports useful.

The table below is a summary of twelve different tables from Appendix II of the Report. The table provides a high-level snapshot on the use and usefulness of the main types of BSA reports. The color-coding is intended to highlight some of the clear trends:

  • Across the six agencies, SARs and CTRs were the most commonly used reports, but still were only used “almost always” or “frequently” about half the time. But when used, SARs and CTRs were found to be very useful or somewhat useful the majority of the time.
  • The Form 8300 usage and usefulness data suggests that there is an opportunity for improving the overall utilization of these reports. Forms 8300 are prepared and submitted by non-financial businesses when they receive cash greater than $10,000. For example, a car dealer receiving $12,000 in cash must submit a Form 8300.

Law Enforcement Use of BSA Reports By Type of Potential Crime

Figure 6 summarized the results of questions posed to law enforcement on whether they used BSA reports for ten criminal activities.[3]  I found the 27% positive response rate for human trafficking indicated a potential for better public/private sector outreach.[4]

Human Trafficking and BSA Reports

I’ll pause to include some detail on the findings relating to human trafficking, one of the worst crimes impacting the most vulnerable parts of global society.[5] The Report notes that “human trafficking and human smuggling were added to the SAR form as separate suspicious activity categories in 2018. Before that time, personnel working in these areas did not have a systematic mechanism to identify potentially relevant reports when starting investigations or analyzing criminal activities.” And, in a footnote (footnote 60, page 25): “In a 2014 advisory, FinCEN encouraged banks to use common terms to report on human smuggling and human trafficking activities in the written portion of the SAR. According to law enforcement agency staff we spoke with, agencies perform key word searches of SARs to identify reports on a specific topic or activity, but officials with two of the six law enforcement agencies we spoke with noted that the effectiveness of this approach can be limited because financial institutions may use different terms on the form to describe similar activities.”

At page 7 of the Report the GAO notes that “[a]ccording to Treasury’s 2018 National Money Laundering Risk Assessment, the crimes that generate the bulk of illicit proceeds in the Unites States are fraud, drug trafficking, human smuggling, human trafficking, organized crime, and corruption.” That, and the revision of the SAR form in 2018 to add a specific category for human trafficking, one would expect that there should have been a lot of human trafficking SARs filed in 2019 and 2020. But that is not the case: in the first 8 months of 2020 FinCEN’s SAR Statistics data (https://www.fincen.gov/reports/sar-stats) shows only 1,822 SARs with the category “human trafficking” (out of 1,574,353 total SARs filed). This is down from 2019 filings: for the same eight month period in 2019, there were 2,478 SARs flagging human trafficking as the suspicious activity (out of 1,527,881 total SARs filed in that period).

Alternatives to BSA Reports?

This Report focused on law enforcement’s use of BSA reports, and whether those reports were useful. But the GAO correctly asked questions about whether there were alternatives to BSA reports that were more readily and easily available to law enforcement. At page 25 the GAO wrote: “we estimated that at least 74 percent of law enforcement personnel who used BSA reports in their work on investigation, analysis, or prosecutions from 2015 through 2018 reported either having no alternative source of information or having an alternative source that was less efficient. Those alternative sources include surveillance, warrants, and grand jury subpoenas. Figure 7, below, provides the details.

FinCEN’s Duties and Powers – to Maintain and Disseminate

This section (pages 27 to 35) of the Report addresses the foundational duties and powers of FinCEN, and doesn’t paint a very positive picture. In footnote 63 on page 27 the GAO writes: “Congress gave FinCEN responsibility for operating a government-wide data access service for SARs, CTRs, and other BSA reports. See 31 U.S.C. § 310(b)(2)(B). Treasury is further tasked with establishing and maintaining operating procedures that allow for the efficient retrieval of information from FinCEN’s BSA database, including by cataloguing the information in a manner that facilitates rapid retrieval by law enforcement personnel of meaningful data. See 31 U.S.C. § 310(c).”

The actual language of 31 U.S.C. § 310(b) is instructive. 31 U.S.C. § 310(b)(2) sets out the duties and powers of the Director of FinCEN as follows:

(A) Advise and make recommendations on matters relating to financial intelligence, financial criminal activities, and other financial activities to the Under Secretary of the Treasury for Enforcement.

(B) Maintain a government-wide data access service, with access, in accordance with applicable legal requirements, to the following: (i) Information collected by the Department of the Treasury, including report information filed under subchapter II of chapter 53 of this title (such as reports on cash transactions, foreign financial agency transactions and relationships, foreign currency transactions, exporting and importing monetary instruments, and suspicious activities) …

(C)  Analyze and disseminate the available data in accordance with applicable legal requirements and policies and guidelines established by the Secretary of the Treasury and the Under Secretary of the Treasury for Enforcement to– (i) identify possible criminal activity to appropriate Federal, State, local, and foreign law enforcement agencies; (ii) support ongoing criminal financial investigations and prosecutions and related proceedings, including civil and criminal tax and forfeiture proceedings … (v) determine emerging trends and methods in money laundering and other financial crimes; (vi) support the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism;  and (vii) support government initiatives against money laundering.

These three duties and powers can be summarized as (1) providing advice to the Under Secretary of the Treasury for Enforcement, (2) maintaining an accessible FinCEN BSA database, and (3) analyzing and disseminating financial crimes data to federal, state, local, and foreign law enforcement agencies. The GAO report concludes that FinCEN can improve in two of its three duties.

Law Enforcement Access to FinCEN’s BSA Database

The GAO found that 85% of federal agencies had direct access to the FinCEN BSA database, but only 54% of state agencies had direct access, and only 1% of local and county agencies had direct access (page 27).

In the section beginning on page 30 titled “FinCEN Lacks Written Policies and Procedures to Help Ensure That Agencies without Direct Access Use BSA Reports to the Greatest Extent Possible” were the following observations:

  • “Thirty-two state attorney general offices, including offices that prosecute criminal cases involving money laundering, such as organized crime, public corruption, and human trafficking, did not have direct access” To the FinCEN database.
  • “Twenty-one of the 50 largest local police departments, which investigate crimes that could involve money laundering, such as drug trafficking, financial crimes, cybercrimes, terrorism, and human trafficking, did not have direct access” to the FinCEN database.

The GAO noted (page 32) that FinCEN “scores” law enforcement agencies seeking direct access, and that it denied 40 of 103 applications from 2015 through 2018. In addition to gaining direct access to the BSA database, law enforcement agencies can request searches. But in 2018, only 4% to 8% of the roughly 15,000 state and local police departments requested searches. The GAO wrote “[a]ccording to FinCEN officials, they do not have policies and procedures to promote the use of BSA reports to law enforcement agencies without direct access.” But FinCEN disputed this finding in its response (see Appendix VII, page 194).

FinCEN Disseminating Information to Law Enforcement

As set out above, 31 USC section 310(b)(2)(B) – (E) set out the duties and powers of the Director of FinCEN. The GAO describes these at page 34 as requiring FinCEN to disseminate BSA reports to identify possible criminal activity to appropriate federal, state, tribal, and local law enforcement agencies.

In other words, in addition to opening up its BSA database, FinCEN has a duty to “analyze and disseminate the available data” to federal, state, and local law enforcement agencies. The GAO found (at page 34) that “FinCEN’s written policies and procedures do not specifically address how to achieve that outcome.”

It appears that FinCEN could do more to proactively reach out to law enforcement. This is another area of opportunity for FinCEN. As the country’s financial intelligence unit, or FIU, it has the duty and responsibility to provide actionable intelligence to law enforcement – to disseminate information to law enforcement. It is, and should be, more than a financial information depository organization.

Issue 2 – The BSA/AML Compliance Cost Burden

The GAO included a representative sample of four credit unions and seven banks.[6] The key attributes of the eleven surveyed financial institutions are in Appendix III. I summarized multiple tables containing the details of the eleven institutions into one table:

Some observations on US banks and credit unions are warranted in order to put these eleven institutions in some sort of context. I will use data from roughly the time these institutions were selected.

  • There are 4 banks with assets of $1 trillion or more. These four banks have a total of $7.2 trillion in assets. The other 5,367 banks have combined assets of $11 trillion.
  • The next 40 largest banks assets between $50 billion and $500 billion. The two “Very Large Banks” in this report are on the small end of that range.
  • There are 188 banks with assets between $5 billion and $50 billion. The “Large Bank” in this report is at the small end of that range.
  • The majority of US banks – 2,847 or 53% – have assets less than $250 million. The two “Small Community Banks” in this report are in the middle of this range.
  • Of the ~5,200 credit unions, only 7 of then have assets of more than $10 billion, and the largest, Navy Federal Credit Union, is less than $100 billion in assets.

 

I found it curious, and could not find an explanation, that the “Large Credit Unions” were both smaller than $200 million in assets: there are more than 300 credit unions that have more than $1 billion in assets. It would have been instructive to have one of these larger credit unions and even one of the seven of the largest credit unions.

Also, the GAO was careful not to select a bank or credit union that was under spending duress from a recent enforcement action (“we used information from the federal banking agencies to confirm that the banks we selected were not subject to BSA/AML-related formal enforcement actions in recent years”). Also notable, the GAO “did not assess the quality of banks’ BSA/AML programs.” (footnote 88, page 36).

The GAO considered the overall direct costs of running a BSA/AML program, as well as breaking out those costs into five main components of a BSA/AML program: customer due diligence, reporting, the four pillars, software and consultants, and a catch-all “other” made up of monetary instrument reporting, funds transfer recordkeeping, information sharing, and special measures.

Estimated Total Direct Costs for BSA/AML Compliance Programs

Figure 8 summarizes the estimate direct costs for each of the eleven banks. “Direct” costs were defined as labor, software, and third party costs, and did not include indirect costs such as office space or depreciation on computer systems. The GAO noted that the estimate for Very Large Bank B, based on interviews, surveys, and reviewing budget documents, of $15 million was comparable to the actual budget of the bank’s BSA/AML Department of $13 million.

The GAO also included seven other recent (2016-2018) cost of compliance studies in Appendix IV of the Report. It noted that a 2018 Bank Policy Institute survey of fourteen large banks found that the median program costs for banks in the $50 billion to $200 billion range was $25 million, and the median program costs for the mega banks (those with assets over $500 billion) was $600 million.

I observed (and describe below) that the average cost per SAR of the largest bank in this survey (roughly $100), extrapolated out to the 150,000 SARs the four mega banks file (on average) would result in SAR filing costs alone of $150 million. This Report also suggests that SAR filing accounts for 25% of total program costs, meaning the four mega banks would have total program costs of $600 million. This aligns with the BPI survey.[7]

Estimated Direct Costs by BSA Program Component

Figure 10 on page 41 breaks out the relative costs for the five main program components. What is clear is that Customer Due Diligence (CDD) requirements and BSA reporting – primarily SAR reporting – make up the majority of the program costs.

All the credit unions and the two small community banks opened less than 1,000 new customer relationships in 2018. The smallest institutions had very manual CDD processes, thus relatively higher costs, and the larger institutions had more automated processes, thus relatively lower costs. The larger banks all had more automated processes: sheer volumes of new customers, and the complexities of those customers, contributed to the higher relative costs.

Cost of Customer Due Diligence

The analysis of the cost of customer due diligence began at page 42. The GAO noted “For the 11 banks in our review, estimated costs for complying with the customer due diligence requirements ranged from about 15 percent to about 59 percent of total direct BSA/AML costs. These requirements collectively were more costly than any other BSA/AML requirement (as a percentage of total costs) for five of the 11 banks, including the four largest.”

The per-account costs seemed low to me. Table 1 showed that the selected banks spent an estimated average of $15 per new account to comply with the customer due diligence requirements in 2018, and per-account costs ranged from $5 to $44. That table is summarized here.

As a general rule, legal entity customers take longer to onboard than natural persons. Small Credit Union B, which opened up less than 200 accounts at a cost of $8 per account, opened only one account in 2018 for a legal entity. It’s average cost per new account was $8. Very Large Bank A, on the other hand, opened over 36,000 legal entity accounts in 2018 at a total cost of ~$3.7 million or $103 per legal entity account. Using a fully-loaded cost of $75,000 and 1,720 effective hours in a year gives an hourly rate of $43.60. That would suggest that this Very Large Bank took about 2.5 hours to onboard a legal entity customer.

Implementation Costs of the Beneficial Ownership Requirement

Page 43 of the Report had an interesting sidebar. It provided:

The 11 banks we studied also incurred onetime implementation costs to comply with the new beneficial ownership requirement for legal entity customers, which has an applicability date of May 11, 2018, as part of the Financial Crimes Enforcement Network’s final rule on Customer Due Diligence Requirements for Financial Institutions.

Banks we reviewed incurred costs to research the new requirement, update policies and procedures, revise information collection systems, and train personnel. However, implementation costs varied. For example:

    • Small credit union B ($50 million or less in total assets), which opened only one legal entity account in 2018, spent under $100 to implement the new requirement, including to update policies and train personnel.
    • Very large bank A ($101 billion or more in total assets), which opened over 36,000 legal entity accounts in 2018, spent an estimated $3.7 million. Bank representatives told us that they assigned two senior compliance personnel to the implementation project over a 2-year period, updated hardware and software systems, and trained approximately 4,000 bank personnel on the new requirement.

Cost of Suspicious Activity Reports

The GAO looked at the costs of all BSA reports: SARs, CTRs, and others (CMIRs, FBARs, DOEPs). All of these reports together accounted for an average of 28% of the total cost of running a BSA/AML program, but the SAR-related costs accounted for 90% of the total reporting costs. They also noted that the bulk of the SAR costs – 83% – were incurred in monitoring for and investigating suspicious activity alerts. They described “investigating” as includes the time banks spent initially reviewing an alert, escalating it to an investigation, and deciding whether to file a SAR, so it appears that the other 17% of the costs related to preparing and filing the actual SAR, as well as the long-term recordkeeping requirements.

Table 2 on page 47 of the Report provides the number of SARs, and average estimated cost per SAR filed, for the eleven financial institutions. I added a third column for the institution’s SAR filing frequency compared to its peer institutions.

I have two observations from Table 2. Observation A relates to Large Community Bank A that only filed 9 SARs in 2018 (putting it in the bottom quarter in number of SARs filed within its peer group). The Report notes that this bank reported that it generated 7,000 Alerts that resulted in 60 Cases that generated 9 SARs. That is a Alert/SAR ratio of 0.13%, or a false positive rate of 99.87%.

The second observation (B) relates to Small Community Bank B, also in the bottom 25% in number of SARs filed in its peer group. That bank filed two SARs. It reported that both related to elder financial abuse and both took about 80 hours to investigate and report. $17,691 divided by 160 hours is $110.57 per hour, suggesting that more senior people were involved in the SAR in investigation.

GAO’s Survey and FinCEN’s SAR Burden and Cost Estimate

The third observation needs me to pull in a SAR cost and burden estimate that was recently published by FinCEN. Recall that earlier this year (May 26, 2020) FinCEN published a request for comments on its estimates of the costs and burden of filing SARs. Whereas the GAO considered the total SAR process – monitoring, the initial review of alert, escalating alerts to “case” (to an investigation), conducting the investigation, making the SAR/No SAR decision, preparing and filing the actual SAR, and the long-term recordkeeping requirements – FinCEN’s analysis only considered the process from the “case” forward:  conducting the investigation, making the SAR/No SAR decision, preparing and filing the actual SAR, and the long-term recordkeeping requirements. FinCEN concluded that “simple” SARs (about 83% of all SARs) took between 45 and 75 minutes each; “complex” SARs (about 2% of all SARs) took between 205 and 315 minutes; and “Continuing activity” SARs (about 15% of all SARs) took between 25 and 45 minutes.[8]

So I compared FinCEN’s estimates with what the GAO found. The results are interesting.

First, I used a fully-loaded cost of $75,000 per full time equivalent (FTE) and 1,720 effective hours in a year to get an hourly rate of $43.60. For mathematical simplicity, I reduced that to $40 per hour. Second, I took the average time for each of the three types of SARs that FinCEN identified:

  • Simple SARs: 83.3% of SARs taking 45 to 75 minutes each = 60 minutes, or 1.0 hour
  • Complex SARs: 1.6% of SARs taking 205 to 315 minutes each = 260 minutes or 4.33 hours
  • Repeat SARs: 15.1 % of SARs taking 24 to 45 minutes each = 35 minutes or 0.58 hours

As can be seen, the GAO survey results were very different than the FinCEN estimates. The biggest reason is that the GAO results included the costs of generating alerts and dispositioning the alerts – either deciding to open a case and conduct and investigation, or close the alert without doing an investigation. Recall my observation on Large Community Bank A, that had 7,000 alerts but only 60 cases and 9 SARs. The GAO survey included the cost of making determination on 6,940 alerts that did not result in a case investigation, and 51 investigations did not result in a SAR. The FinCEN methodology only considered the costs of the case investigations and SARs. And Small Community Bank B, where FinCEN’s methodology was 45,000 percent less than the GAO survey, reflects the fact that each of those two SARs took that bank 80 hours (they were elder financial exploitation cases, which are always very time intensive).

 

This is not a criticism of FinCEN’s methodology, but a call for a more fulsome analysis of all the aspects of suspicious activity monitoring, alert generation, alert disposition, case management, investigations, SAR decisions, preparation, filing, recordkeeping, and responding to law enforcement requests for supporting documentation.

Proposed Changes to the SAR Threshold

Part IV of the Report, beginning on page 68, includes a section on whether to increase the SAR reporting threshold from $5,000 to $10,000. I’m including a summary of that section here, for continuity purposes.

The GAO noted that there have been Congressional efforts (bills) to increase the mandatory SAR filing threshold from $5,000 – first set in 1996 – to $10,000.[9] The result, according to an analysis by FinCEN, would be 21% fewer SARs filed by depository financial institutions (banks and credit unions).

How many SARs is 21%? Using FinCEN’s SAR Stats – https://www.fincen.gov/reports/sar-stats – for calendar year 2018 (which the GAO was using for its Report), based on the primary federal regulator, we find:

118,113 SARs filed by Credit Unions (NCUA regulated entities)

859,590 SARs filed by Banks (FDIC, FRB, OCC)

873,479 SARs filed by Money Services Businesses (IRS)

319,991 SARs filed by All Others (multiple regulators)

2,171,173 Total SARs filed in 2018

Law enforcement disagreed with increasing the mandatory SAR reporting threshold: “Officials from six federal law enforcement agencies expressed concerns that raising the SAR threshold, as with the CTR threshold, would reduce the amount of financial intelligence available to law enforcement agencies and harm their investigations … Officials said that the nature of the suspicious activity, such as human trafficking and terrorist financing, can be more relevant than the amount of money involved.” (page 68). I agree. And so do many banks: according to this Report, banks filed ~44,000 SARs reporting amounts less than $5,000, roughly 5% of all bank SARs filed in 2018.

In addition, law enforcement found SARs to provide a high degree of usefulness: at page 69 it is noted that 53% of the law enforcement agents used SARs frequently, and 50% found them to be very useful.[10]

There was also a discussion on streamlining SAR filings for structuring.[11] In footnote 137 on page 70, the GAO described structuring as follows:

According to FinCEN, structuring can take two basic forms. First, a customer might deposit currency on multiple days in amounts under $10,000 for the intended purpose of circumventing a bank’s obligation to report any cash deposit over $10,000 on a CTR. Although such deposits do not require aggregation for currency transaction reporting because they occur on different business days, they nonetheless meet the definition of structuring under the BSA, implementing regulations, and relevant case law. In another variation, a customer may engage in multiple transactions during 1 day or over a period of several days or more, in one or more branches of a bank, in a manner intended to circumvent either the currency transaction reporting requirement or some other BSA requirement, such as the recordkeeping requirements for funds transfers of $3,000 or more.

This description makes structuring seem like an easy thing to detect, alert on, investigate, and report. It isn’t, or, rather, the variations of structuring are not always easy to detect, alert on, properly and thoroughly investigate, and accurately report. There are often multiple parties, co-signers, non-accountholder depositors involved in multiple, related transactions; there can be multiple branches, ATM deposits, or cash vault deposits made in multiple (but somehow related) accounts. Very few structuring cases involve one customer with one account and one branch over a one- or two-day period. Banks and industry groups have suggested “auto-filing” “simple structuring” SARs or reducing or eliminating the narrative portion for structuring SARs. Law enforcement does not support either initiative.

Sharing SARs With Foreign Branches

There is a quirk in the regulations and regulatory guidance around the sharing of SARs, or information that would lead to the discovery of a SAR, with the foreign branches of a US financial institution. The discussion begins on page 71 of the Report. Notably, only 34 banks, out of the 5,250 banks in the US at the time of the Report, have one or more foreign branches (in 65 countries), so this issue is limited to only a few of the largest, most complex, international financial institutions. The issue is complex, but can be summarized as follows:

  • A US branch of a foreign bank may disclose a SAR to its head office outside the United States
  • A US bank may not disclose a SAR to its branch offices outside the United States

The GAO, and FinCEN, and the private sector, all agree that greater clarity and consistency is required, particularly given the international nature of many transactions, if not financial institution structures.

Cost of Currency Transaction Reports

At page 49 the GAO noted “banks generally must file a CTR when a customer conducts a transaction in currency of more than $10,000 in aggregate over 1 day.”

If it was only that simple. The 2014 edition of the FFIEC BSA/AML Examination Manual devotes a page to explaining the CTR requirement:

A bank must electronically file a Currency Transaction Report (CTR) for each transaction in currency (deposit, withdrawal, exchange, or other payment or transfer) of more than $10,000 by, through, or to the bank. Certain types of currency transactions need not be reported, such as those involving “exempt persons,” a group which can include retail or commercial customers meeting specific criteria for exemption …

Aggregation of Currency Transactions

Multiple currency transactions totaling more than $10,000 during any one business day are treated as a single transaction if the bank has knowledge that they are by or on behalf of the same person. Transactions throughout the bank should be aggregated when determining multiple transactions.

In cases where multiple businesses share a common owner, the presumption is that separately incorporated entities are independent persons. The currency transactions of separately incorporated businesses should not automatically be aggregated as being on behalf of any one person simply because those businesses are owned by the same person. Financial institutions should determine, based on information obtained in the ordinary course of business, whether multiple businesses that share a common owner are being operated independently depending on all the facts and circumstances.

However, if a financial institution determines that these businesses (or one or more of the businesses and the private accounts of the owner) are not operating separately or independently of one another or their common owner (e.g., the businesses are staffed by the same employees and are located at the same address, the bank accounts of one business are repeatedly used to pay the expenses of another business, or the business bank accounts are repeatedly used to pay the personal expenses of the owner) the financial institution may determine that aggregating the businesses’ transactions is appropriate because the transactions were made on behalf of a single person.

If a financial institution determines that the businesses are independent, then it should not aggregate the separate transactions of these businesses. Alternatively, once a financial institution determines that the businesses are not independent of each other or their common owner, then the transactions of these businesses should be aggregated going forward. (2014 Exam Manual, page 82, three footnotes omitted)

The paragraph that describes the complexities of CTRs is “multiple currency transactions totaling more than $10,000 during any one business day are treated as a single transaction if the bank has knowledge that they are by or on behalf of the same person. Transactions throughout the bank should be aggregated when determining multiple transactions.” This same paragraph is the source of the wide range in regulatory expectations across the industry, as some institutions do not have the systems or other capabilities (they lack knowledge) to aggregate across conductors, across accounts, across delivery channels. The Exam Manual instructs examiners to “determine whether the bank aggregates all or some currency transactions within the bank.” (page 87). But not all institutions can, nor do all examiners expect their institutions to, identify and aggregate all cash transactions conducted at bank branches, cash vaults (and those can be outsourced to other institutions), ATMs, and even mail-in services. As a result, determining who is conducting the cash transaction(s), on whose behalf the transaction(s) are being done, through which delivery channel(s), can be so daunting for smaller institutions that they don’t do it, and their regulators don’t expect them to do it.

I expect that the low time and cost estimates in this Report are a result, in part, of a lack of identification of all conductors, beneficiaries, and delivery channels. The GAO estimated that the costs to identify, research, complete, and file a CTR ranged from about $3 to about $12 (or about $7 on average) for the 11 banks.

Proposed Changes to the CTR Threshold

The Report considered the impact of increasing the CTR threshold (pages 65-67). Increasing the CTR threshold has been the most common, and in my opinion least understood, proposal to reduce banks’ BSA compliance burdens. Proponents of increasing the threshold commonly point out that the

$10,000 threshold was set when the BSA was first enacted in 1970. As the GAO notes:

FinCEN’s analysis indicates that … increasing the CTR threshold from $10,000 to $20,000 would have resulted in banks filing around 65 percent fewer CTRs. Increasing the threshold to $30,000 would have resulted in banks filing around 81 percent fewer CTRs. Finally, increasing the threshold to $61,276 (original 1970 threshold adjusted for inflation) would have resulted in banks filing around 94 percent fewer CTRs.

As with the arguments for raising the SAR threshold to account for inflation, these arguments are misguided and ill-informed. First, the original 1970 threshold of $10,000 was for a single cash transaction: there was no aggregation. Second, that threshold was established before ATMs, before credit cards, before mobile or online or other electronic banking. I argue that single cash transactions of $5,000 are even rarer or more unusual today than cash transactions of $10,000 were twenty, thirty, or forty years ago. Multiple Federal Reserve studies show that the average cash transaction is less than $20, and the median cash transaction is $2 – $3. A more effective way to reduce overall compliance costs is to simplify the CTR reporting requirement to single cash transactions greater than $10,000 (allowing for fully automated reporting), leaving all other aggregated cash transactions and the “by or on behalf of” identification and analysis to the Suspicious Activity Report.

I agree with law enforcement’s opposition to raising the CTR threshold:

Officials from six federal law enforcement agencies told us that they generally oppose raising the CTR threshold, largely because it would reduce the amount of financial intelligence available to them for investigations, analysis, and prosecutions. For example, fewer CTRs could reduce opportunities for law enforcement to link financial transactions to criminal activity and identify subjects, coconspirators, and assets related to ongoing investigations. Officials also said that increasing the CTR threshold would make it easier for criminals to launder greater amounts of illicit proceeds. Further, officials told us the $10,000 threshold may continue to be warranted because, as customers have shifted to electronic payments, large cash transactions may especially signal potentially suspicious activity. Finally, some officials said that law enforcement has used lower-dollar CTRs to investigate terrorism, fraud, and money laundering. (pages 66-67)

The GAO noted that five of the six industry associations that they interviewed generally supported increasing the CTR reporting threshold to reduce costs. But what costs would be reduced? I used the GAO data on the number of CTRs filed and average estimated costs, then reduced the number of CTRs filed by 65% (FinCEN’s estimated reduction in CTRs by moving the threshold to $20,000).

The result is that increasing the CTR threshold from $10,000 to $20,000 would materially reduce the compliance costs for only the largest banks: even the “Large Bank” would see its total compliance costs go down by only $5,240. Given that 42% of law enforcement uses CTRs frequently, 39% of them find CTRs very useful, and some of the most egregious crimes – human trafficking and terrorist financing – involve very small dollar amounts, these cost savings are not worth the potential human costs. I recommend that the $10,000 CTR threshold remain.

Cost of Managing Three (of Four (or Five?)) Pillars of a BSA/AML Program

There are four (or five) pillars to a BSA/AML program: a system of internal controls, a designated BSA compliance officer, independent testing (audit), and training.[12] The GAO considered the BSA compliance officer costs to be embedded in the other components of a program (CDD, reporting, training, etc., so did not consider those costs separately. The GAO described internal controls as the policies, procedures, and processes banks use to manage risks and ensure compliance (pages 51-52). They considered the costs of updating policies, procedures, and processes and conducting a risk assessment, and concluded that the two very large banks spent $200,000 and $500,000, while the average of all the others was $1,800.

In multiple parts of the Report the GAO cautioned that their findings for these eleven banks cannot be generalized to other banks (see, for example, page 40). After seeing the results for the costs attributed to the system of internal controls, I agree. It is inconceivable to me that any financial institution in the United States, no matter how small, can spend $220 in personnel time to develop, maintain, update, and implement BSA/AML policies, procedures, and processes AND conduct an annual and ongoing risk assessments to ensure those controls are appropriately risk-based. $220 is between 1 and 5 hours of time, depending on the position. It is simply not possible to run an effective, even adequate program for a year by dedicating 1 to 5 hours. In fairness, the GAO did not consider the effectiveness of any of the banks and credit unions it surveyed.

One thing did emerge from the data that may be worth commenting on. The two large credit unions indicated they spent $183 and $297 on their system of internal controls. Their two bank peers – the two large community banks – indicated they spend $3,232 and $4,379, or roughly fifteen times what the two credit unions spent. The GAO may consider an audit of the relative supervisory programs of the NCUA and FDIC.[13]

Cost of AML Software

I combined Tables 2 and 6 with Figure 14 to show the number of SAR filed, the average estimated cost per SAR filed (employee time), and the dedicated BSA/AML software costs (which are in addition to the estimated cost per SAR filed). The GAO noted that 10 of the 11 banks that used specialized software used it to assist with customer due diligence requirements, such as verifying customers’ identities and assigning risk profiles to their accounts. Eight of the 10 banks used surveillance monitoring software to identify suspicious activity. What this chart suggests is that transaction monitoring and customer surveillance monitoring and alerting systems, and case management systems to manage the investigative processes, are the most costly.

In an interesting section on pages 59-60 dealing with whether banks passed on their BSA/AML costs to their customers (they generally did not), the GAO noted that “at least six of the banks said they did not offer accounts to money services businesses because of the potentially greater and more costly due diligence, monitoring, and reporting involved.”

Issue 3 – Supervision/Examination of BSA Compliance Program

The GAO chose to use this statement as their sidebar/headline introducing this section of the Report on page 60: “Federal Banking Agencies Are Required to Conduct BSA Compliance Examinations and Cited Nearly a Quarter of Banks Under Their Supervision for BSA Violations”. That is an accurate, but deceptive statement. Two pages later, in another sidebar, the GAO wrote: “FinCEN Data Show Nearly a Quarter of the Examined Banks Had BSA Violations, but Many Violations Were Technical.” And then two pages later, in the last paragraph of this section on page 64, the GAO wrote that “the Federal Reserve, FDIC, and OCC issued 123 BSA-related formal enforcement actions in fiscal years 2015–2018 – representing less than 1 percent of the total BSA examinations that they conducted during the same period.

This is unfortunate, as the message from the headline – a quarter of all banks are violating the BSA – is different from the reality – although a quarter of banks have technical violations of the BSA, less than 1 percent have substantive violations requiring formal enforcement actions.

Figure 15 (page 63) of the Report sets out the percentage of federal banking agency exams with BSA violations, by type of violation. As can be seen in the chart below, the most common type of violation was CTR (8.0%) then SAR (7.3%). Notably, an overall program violation was cited in only 1.4% of the exams, and those program violations resulted in public enforcement actions in less than 1 percent of the exams. This is clear evidence that the vast majority of banks and credit unions are taking their BSA/AML responsibilities seriously, and doing a good job.

US Attorneys’ Annual Statistical Report for Fiscal Year 2019

This statistical report is not part of the GAO Report. The DOJ statistical reports are available going back to fiscal year 1955 (the federal government’s fiscal year ends on September 30th). They are available at https://www.justice.gov/usao/resources/annual-statistical-reports.

The reports provide an incredible amount of information on federal criminal cases by US Attorney’s office, by major type of criminal offence, by number of cases filed and completed, how they are completed (guilty, not guilty, dismissed, other), whether dispositioned in district court or by magistrate, length of case, etc.

Why is this important? The GAO report tells us that in 2018 banks and credit unions filed about 1 million SARs and 14 million CTRs. The GAO report also tells us that six major federal law enforcement agencies – DEA, FBI, HIS, IRS-CI, USAOs, and USSS – have almost 29,000 investigators, 8,000 analysts, and 5,300 prosecutors. That 53 percent of them used SARs frequently, and 50 percent found them very useful. That 59 percent of them used BSA reports to start or assist new investigations and 72 percent used them to conduct or assist in ongoing investigations. That 41 percent of them used BSA reports to analyze trends or patterns, and 44 percent used them to work on criminal prosecutions. That 74 percent of them used BSA reports in potential drug trafficking prosecutions, and 27 percent used them in potential human trafficking prosecutions. But the GAO Report doesn’t tell us how many criminal prosecutions there were. The US Attorney’s Statistical Report tells us.

Each of the program categories has a number of crimes. The table below summarizes a four-page table from the US Attorneys’ Statistical Report. It shows that in fiscal year 2019 (October 1, 2018 through September 30, 2019), there were a total of 69,412 cases filed in Federal District Court naming 87,266 defendants. 63,012 cases involving 79,310 defendants were terminated: 73,934 defendants, or 93.2% pled or were found guilty (0.3% were found not guilty).

I chose to differentiate the Immigration and Violent Crime program categories from all other federal criminal program categories. I made the assumption that BSA reports were not likely to have been utilized in immigration or violent crime cases. This leaves 22,848 federal criminal cases that were brought in fiscal year 2019 that law enforcement likely, or could have, used BSA reports.

Recall Figure 6 on page 4 of this document, which summarized ten tables of data (Tables 0-89) from pages 149-156 of the GAO Report, where the GAO asked law enforcement which potential criminal activities they used BSA reports. Figure 6 showed that 74% of law enforcement agents indicated they used BSA reports for potential drug trafficking. Here, we can see that 13,631 “drug dealing” cases were filed in FY2019.

Looking at the data, and the issues, at their most basic level, we have 20 million BSA reports and something less than 25,000 federal criminal cases where those reports could have been useful. Even assuming that 100% of the 25,000 federal criminal cases used BSA reports (and law enforcement indicated that only half of them used SARs and CTRs frequently and found them very useful), we don’t know which reports were used for what purposes in what types of cases.

As the GAO noted on page 35 of their Report: “systematically collecting information on outcomes from use of BSA reports is essential to understanding the value of the program and a critical step toward streamlining and improving the program for the future.”

The “White Collar Crimes” category of crimes is interesting, as it closely reflects many of the categories set out in the Suspicious Activity Report form itself.

Conclusions and Recommendations

The first conclusion is that about half of federal law enforcement agents frequently use SARs and CTRs, and find them very useful. This means that half don’t use them, or if they do, don’t find them very useful. So there is room for improvement. And this overall, or average, usage/usefulness isn’t reflected in all criminal investigations: BSA reports are used in about one of every four human smuggling and human trafficking investigations. I recommend that FinCEN mount a concerted effort to target those agencies that are not using SARs and CTRs frequently, as well as work with those agencies focused on human smuggling and human trafficking investigations.

The second conclusion tracks the GAO recommendation: FinCEN needs to do more to give state and local/county law enforcement agencies access to the FinCEN BSA database and do what they can to ensure those agencies are using the BSA reports. According to the GAO, only 54% of state agencies and 1% of local and county agencies have direct access to the FinCEN BSA database.

The third conclusion is that FinCEN does not have the resources to analyze and disseminate information, intelligence, and BSA reports out to state and local law enforcement agencies. The GAO found that about 1% of 15,000 state and local law enforcement agencies had direct access to the BSA database, but as I wrote on page 6, FinCEN is to monitor and disseminate: 31 U.S.C. § 310(b)(2)(C) provides that the FinCEN Director is empowered to “analyze and disseminate the available data in accordance with applicable legal requirements and policies and guidelines established by the Secretary of the Treasury and the Under Secretary of the Treasury for Enforcement to– (i) identify possible criminal activity to appropriate Federal, State, local, and foreign law enforcement agencies …”. Congress needs to fund FinCEN appropriately so it can really be a true financial intelligence unit (rather than a financial information depository organization) by analyzing and disseminating more actionable intelligence to all law enforcement agencies.

It is difficult to draw any conclusions on the second issue, the cost of BSA compliance. Indeed, the GAO warns us against drawing any conclusions: they indicated on a number of occasions that the information they obtained from the eleven banks in their sample “cannot be generalized to other banks”. That appears to be a fair warning. Any conclusions for the overall BSA/AML/CFT regime should only be drawn if and when the GAO conducts similar audits of the un- or under-represented parts of the private sector participants. I suggest two audits: one of the four mega banks, which account for about half of all SARs and CTRs filed by all 10,000+ banks and credit unions (collectively, “depository institutions” in FinCEN’s reporting methodology); and Money Services Businesses, or MSBs, which file almost as many SARs as depository institutions (and the MSB industry is as dominated by two large institutions, Western Union and MoneyGram, as depository institutions are dominated by the big four).

One conclusion, and recommendation I will make, though, relates to the differences between the cost estimates that the GAO found from its limited survey of eleven banks and credit unions, and FinCEN’s May 26, 2020 estimates of the burden and costs of part of the SAR process. From these differences it is easy to conclude, and recommend, that any future estimate of the SAR burden and cost that FinCEN publishes must include the entire SAR process: from suspicious activity monitoring, to alert generation, to alert disposition, case management, investigations, SAR decisions, preparation, filing, recordkeeping, responding to law enforcement requests for supporting documentation, and the internal testing and auditing, and external examinations of, that process.

As to the third issue, the supervision and examination of BSA compliance, I recommend that the BSAAG provide guidance to the private sector and regulatory agencies on how to better position the private sector’s overall compliance with BSA/AML laws, regulations, and regulatory guidance. This is particularly important with so much media, political, and social pressure on parts of the industry as a result of the FinCEN Files. As the GAO report found, less than 1% of BSA examinations result in enforcement actions, which means more than 99% of BSA examinations conclude that the financial institution is generally meeting its regulatory obligations. That story is not being told well.

We also need to put to rest the inane and ill-informed notions of raising the mandatory CTR and SAR filing thresholds. According to the GAO report – which we apparently should not rely on – CTRs don’t cost very much, so any percentage savings wouldn’t be enough to offset the loss of intelligence to law enforcement. And the amount being reported doesn’t create complexity and cost: it is the aggregation of multiple transactions across multiple delivery channels and the “by and on behalf of” requirements. The better solution is to keep the threshold at more than $10,000, make it a single transaction reporting the accountholder … and everything else (aggregation, conductors, different channels, etc.) moves to a determination of whether the activity was suspicious. And raising the mandatory SAR threshold from $5,000 to $10,000 won’t address the fundamental problem: we don’t know which SARs law enforcement finds useful.

Tactical or Strategic Value (TSV) SARs

The GAO described what needs to be done to reform the AML regime at page 35 of their Report:

Systematically collecting information on outcomes from the use of BSA reports is essential to understanding the value of the program and a critical step toward streamlining and improving the program for the future.

So that is what needs to be done. But how can we systematically collect information on outcomes from the use of BSA reports?  And if the purpose of the BSA/AML regime is to produce reports that have a high degree of usefulness to government agencies, how do we identify and measure what is useful?

I’ll begin to answer those questions by posing another question: should private sector SARs that cost billions of dollars to produce be “free” to public sector law enforcement agencies? Put another way, should the public sector law enforcement agency consumers of SARs need to provide something in return to the private sector producers of SARs?

I say they should. And here’s what I propose: that in return for the privilege of accessing and using private sector SARs, law enforcement should have to pay for that privilege. Not with money, but with effort. The public sector consumers of SARs should be required to notify the private sector producers which of those SARs provide tactical or strategic value.

A 2018 Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank had 9,648,000 transactions/month being monitored, resulting in 3,908 alerts/month (0.04% of transactions alerted), resulting in 348 cases being opened (8.9% of alerts became a case), resulting in 108 SARs being filed (31% of cases or 2.8% of alerts). The MBCA survey didn’t ask whether any of those SARs were of interest or useful to law enforcement. Anecdotally, the four U.S. mega banks indicate that law enforcement shows interest in (through requests for supporting documentation or grand jury subpoenas) in six percent to eight percent of the SARs they file.

I argue that the Alert/SAR and even Case/SAR ratios are all of interest, but tracking any of the inputs or process steps to SARs filed is like a car manufacturer tracking how many cars it builds, but not how many cars it sells, or how well those cars perform, how long they last, and how popular they are. The better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.

Also, there is much being written about how machine learning and artificial intelligence will transform anti-money laundering programs. Indeed, ML and AI proponents are convinced – and spend a lot of time trying to convince others – that they will disrupt and revolutionize the current “broken” AML regime. Among other targets within this broken regime is AML alert generation and disposition and reducing the false positive rate. The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government. But the fundamental problem that every one of those ML/AI systems has is that they are using the wrong data to train their algorithms and “teach” their machines: they are looking at the SARs that are filed, not the SARs that have tactical or strategic value to law enforcement.

Tactical or Strategic Value Suspicious Activity Reports – TSV SARs

The best measure of an effective and efficient financial crimes program is how well it is providing timely, effective intelligence to law enforcement. And the best measure of that is whether the SARs that are being filed are providing tactical or strategic value to law enforcement. How do you determine whether a SAR provides value to law enforcement? One way would be to ask law enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure law enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, law enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.

A TSV SAR is one that has either tactical value – it was used in a particular case – or strategic value – it contributed to understanding a typology or trend. And some SARs can have both tactical and strategic value. That value is determined by law enforcement indicating, within seven years of the filing of the SAR (more on that later), that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value.  That law enforcement response or feedback is provided to FinCEN through the same BSA Database interfaces that exist today – obviously, some coding and training will need to be done (for how FinCEN does it, see below). If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within seven years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement. And when FinCEN shares that information across the industry, others could also reduce their false positive rates.

FinCEN’s TSV SAR Feedback Loop

FinCEN is working to provide more feedback to the private sector producers of BSA reports. As FinCEN Director Ken Blanco recently stated:

“Earlier this year, FinCEN began the BSA Value Project, a study and analysis of the value of the BSA information we receive. We are working to provide comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information in order to make it more effective and its collection more efficient. We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm — that is clear. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis.”[14]

FinCEN receives every SAR. Indeed, FinCEN receives a number of different BSA-related reporting: SARs, CTRs, CMIRs, and Form 8300s. It’s a daunting amount of information. As FinCEN Director Ken Blanco noted in the same speech:

“FinCEN’s BSA database includes nearly 300 million records — 55,000 new documents are added each day. The reporting contributes critical information that is routinely analyzed, resulting in the identification of suspected criminal and terrorist activity and the initiation of investigations.

“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, and local agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data taking place each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, which bring together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed.

Each day, law enforcement, FinCEN, regulators, and others are querying this data:  7.4 million queries per year on average. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that protect our nation from harm, help deter crime, and save lives.”

This doesn’t tell us how many of those 55,000 daily reports are SARs, but we do know that in 2018 there were 2,171,173 SARs filed, or about 8,700 every (business) day. And it appears that FinCEN knows which law enforcement agencies access which SARs, and when. And we now know that there are “18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities” every year. But which filings?

The law enforcement agencies know which SARs provide tactical or strategic value, or both. So if law enforcement finds value in a SAR, it should acknowledge that, and provide that information back to FinCEN. FinCEN, in turn, could provide an annual report to every financial institution that filed, say, more than 250 SARs a year (that’s one every business day, and is more than three times the number filed by the average bank or credit union). That report would be a simple relational database indicating which SARs had either or both tactical or strategic value. SAR filers would then be able to use that information to actually train or tune their monitoring and surveillance systems, and even eliminate those alerting systems that weren’t providing any value to law enforcement.

Why give law enforcement seven years to respond? Criminal cases take years to develop. And sometimes a case may not even be opened for years, and a SAR filing may trigger an investigation. And sometimes a case is developed and the law enforcement agency searches the SAR database and finds SARs that were filed five, six, seven or more years earlier. Between record retention rules and practical value, seven years seems reasonable.

Law enforcement agencies have tremendous responsibilities and obligations, and their resources and budgets are stretched to the breaking point. Adding another obligation – to provide feedback to the banks, credit unions, and other private sector institutions that provide them with reports of suspicious activity – may not be feasible. But the upside of that feedback – that law enforcement may get fewer, but better, reports, and the private sector institutions can focus more on human trafficking, human smuggling, and terrorist financing and less on identifying and reporting activity that isn’t of interest to law enforcement – may far exceed the downside.

Final Word

As I wrote in the introduction, the Tactical or Strategic Value (TSV) SAR is not the only solution; indeed, we need more public/private sector partnerships, we need to move to cross-institutional and cross-jurisdictional collaborative investigations, we need more effective information sharing, and we need more efficient and effective monitoring/surveillance, alerting, investigations, and reporting. But the key to any reform is public sector feedback: I’m offering the TSV SAR as the vehicle for that feedback. I’m open to any better solutions, but perhaps we can start with the TSV SAR.

For more on alert-to-SAR rates, the TSV feedback loop, machine learning and artificial intelligence, see other articles I’ve written:

The TSV SAR Feedback Loop – June 4 2019     

AML and Machine Learning – December 14 2018

Rules Based Monitoring – December 20 2018             

FinCEN FY2020 Report – June 4 2019

FinCEN BSA Value Project – August 19 2019   

BSA Regime – A Classic Fixer-Upper – October 29 2019

Jim Richards Walnut Creek, CA September 26, 2020

[1] 31 U.S. Code § 5311, declaration of purpose. From 1970 to 2001, the purpose of the records and reports was to provide a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings. The USA PATRIOT Act amended section 5311 by adding “or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism”.

[2] For a full analysis of FinCEN’s cost and burden estimate, see https://regtechconsulting.net/aml-regulations-and-enforcement-actions/fincens-estimate-of-the-costs-and-burden-of-filing-sars-is-evolving-but-needs-private-sector-input/

[3] Compare this information with the US Attorney’s Statistical Report, in the Appendix.

[4] In footnote 59 on page 25 the GAO set out its definition of human trafficking used for the survey: “we defined … human trafficking to include the movement of nonconsenting persons, often across borders, potentially through force, fraud, or coercion.”

[5] Human trafficking is a heinous, inexcusable crime. Those of us working in the private financial sector, and in the industries that support the private financial sector, are relatively privileged and safe compared to the victims, and families of victims, of human trafficking. We can do much more than we are to combat and eliminate human trafficking.

[6] There are approximately 5,200 credit unions and 5,100 banks in the United States. Eighteen months ago (March 2019) there were 5,500 credit unions and 5,400 banks.

[7] This might be the only alignment I could find between the GAO survey results and the private sector studies in Appendix IV. For example, a LexisNexis “True Cost of AML Compliance Study” from 2019 that included results from 117 US firms found that firms less than $10 billion in assets (9 of the 11 firms in the GAO study) averaged $1.5 million in AML compliance costs, and firms of more than $10 billion in assets averaged $14.3 million in AML compliance costs. In the next section – the cost of customer due diligence – the GAO found that the average bank spent an estimated average of $15 per new account: the LexisNexis study found that all banks (small and large) took between 3 and 10 hours to onboard natural persons, and between 6 and 25 hours to onboard legal entities. There is a disconnect.

[8] I wrote a lengthy article on June 2, 2020 about this FinCEN publication: https://regtechconsulting.net/aml-regulations-and-enforcement-actions/fincens-estimate-of-the-costs-and-burden-of-filing-sars-is-evolving-but-needs-private-sector-input/

[9] The GAO noted that $5,000 in 1996, indexed for inflation, would be $8,037 as of December 2018. How or why inflation has anything to do with criminal behavior, particularly with greater electronification of financial transactions, is a mystery to me. Harshly, I believe that those that argue for indexing BSA filing thresholds to inflation are either lazy or misguided.

[10] See the table on page 4, infra, for a summary of the use and usefulness of SARs and CTRs.

[11] The report noted that just less than one-third of the 860,000 bank SARs reported structuring.

[12] In 2016 FinCEN added a fifth pillar to its Title 31 BSA/AML program requirements by essentially carving out the customer due diligence obligations embedded in the “system of internal controls” pillar, adding beneficial ownership requirements, and creating a fifth pillar. The Title 12 regulatory agencies did not follow suit.

[13] Adding to this concern, at page 64 the GAO refers to FinCEN information that between 2015 and 2018 the three banking agencies (FRB, FDIC, and OCC) issued 123 BSA enforcement actions, and the NCUA did not issue any. With more than 5,000 credit unions being examined over four years, it’s inconceivable that none had any systemic, programmatic issues.

[14] November 15, 2019, prepared remarks for the Chainalysis Blockchain Symposium, available at https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-chainalysis-blockchain-symposium

The US BSA/AML Regime – Have We Just Gone From Aspiring to be “Effective” to Merely Being “Adequate”?

On April 15, 2020, federal and state banking agencies updated parts of the BSA/AML Examination Manual (“Manual”), a document that was first published in 2005 and has been revised and re-published four times since, with the last full edition published in November 2014. The Manual provides what and how examiners examine banks and other financial institutions (collectively, “banks”) for compliance with BSA/AML laws and regulations. Just as important, the Manual is the blueprint that allows banks to build and maintain their programs, and for bank auditors to audit those programs, with some confidence that they’re meeting regulatory requirements and their regulators’ expectations.

OCC Comptroller Otting’s statement on the release of the revisions to the Manual included the following statement:

Today, the FFIEC agencies published updates to the BSA/AML Examination Manual that represent a significant step forward in our efforts to improve how we ensure banks have effective programs to safeguard the banking system against financial crime, particularly money laundering and terrorist financing.[1](emphasis added)

Ensuring that banks have effective programs is critical. This “effectiveness” standard is how the United States itself is judged by the Financial Action Task Force, or FATF, which rates its member countries’ technical compliance with its Recommendations as well as how effective their BSA/AML regimes are in fighting financial crime.

“Effectiveness” is a hot topic in financial crimes risk management. Just last December, the Wolfsberg Group issued its statement on effectiveness.[2] The opening paragraphs of that statement are instructive:

The Wolfsberg Group – Statement on Effectiveness

Making AML/CTF Programmes more effective

The Wolfsberg Group (the Group) is an association of thirteen global banks, founded in 2000, which aims to develop frameworks and guidance for the management of financial crime risk in general, with a more recent and strategic focus on enhancing the effectiveness of global Anti-Money Laundering/Counter Terrorist Financing (AML/CTF) programmes. The topic of effectiveness has also been more widely discussed across the AML/CTF community in recent years.

In 2013, the Financial Action Task Force (FATF) determined that jurisdictions simply having reasonable legal frameworks in place for financial crime prevention was no longer sufficient.  FATF stated that “each country must enforce these measures, and ensure that the operational, law enforcement and legal components of an AML/CFT system work together effectively to deliver results: the 11 immediate outcomes.”  As a result, FATF changed the way it conducted mutual evaluations of its member states, no longer focusing solely on technical compliance with its 40 Recommendations, but also evaluating the overall effectiveness of the AML/CTF regime based on evidence that the outcomes were being achieved.

Notwithstanding FATF’s approach, Financial Institutions (FIs) still tend to be examined by national supervisors almost exclusively on the basis of technical compliance rather than focussing on the practical element of whether AML/CTF programmes are really making a difference in the fight against financial crime.  The Group believes that, in practice, there is as yet insufficient consideration of whether an FI’s AML/CTF programme is effective in achieving the overall goals of the AML/CTF regime which go beyond technical compliance. As a result, FIs devote a significant amount of resources to practices designed to maximise technical compliance, while not necessarily optimising the detection or deterrence of illicit activity.  The Group believes that jurisdictions should adopt the FATF’s focus on effective outcomes and therefore, that an FI’s AML/CTF programme should have three key elements:

    1. Comply with AML/CTF laws and regulations
    2. Provide highly useful information to relevant government agencies in defined priority areas
    3. Establish a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity

The Group believes that supervisors and/or relevant government agencies should assess the effectiveness of an FI’s AML/CTF programme based on the above criteria, recognising that no two FIs are the same and each FI’s risk mitigation strategy must be tailored to meet its risk appetite.

This certainly seems in line with Comptroller Otting’s statement that these new BSA Exam Manual updates will help “ensure banks have effective programs to safeguard the banking system against financial crime”.

So if these updates are, in fact, a significant step forward to improve how the OCC ensures banks have effective BSA/AML programs, how come the OCC – and the other federal and state examiners – seem to have lowered their examination standards from assessing whether banks have effective programs, to assessing whether banks have adequate programs?

First, since I’m making a stink about the difference between effective and adequate, I’ll pause and offer some definitions. I went to one source only: Merriam-Webster. Here’s what I found:

Effective – producing a decided, decisive, or desired effect: as in an effective policy.

Adequate – sufficient for a specific need or requirement; as in adequate time. Also, good enough, or of a quality that is acceptable but not better than acceptable: as in a machine that does an adequate job[3]

These seem in line with what we expect: effective is a higher standard than adequate. Being an effective leader is better than being an adequate leader. And having an effective program is better than having an adequate program.

The FFIEC BSA/AML Examination Manual

Let’s first take a look at the language from the existing Manual, or rather the parts of the Manual that were just changed. As explained in the “Introduction” section of the 2014 Manual (which is over 440 pages long, by the way):

“… the manual is structured to allow examiners to tailor the BSA/AML examination scope and procedures to the specific risk profile of the banking organization.  The manual consists of the following sections:

    • Introduction
    • Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program
    • Core Examination Overview and Procedures for Regulatory Requirements and Related Topics
    • Expanded Examination Overview and Procedures for Consolidated and Other Types of BSA/AML Compliance Program Structures
    • Expanded Examination Overview and Procedures for Products and Services
    • Expanded Examination Overview and Procedures for Persons and Entities
    • Appendixes

The core and expanded overview sections provide narrative guidance and background information on each topic; each overview is followed by examination procedures.  The “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program” and the “Core Examination Overview and Procedures for Regulatory Requirements and Related Topics” (core) sections serve as a platform for the BSA/AML examination and, for the most part, address legal and regulatory requirements of the BSA/AML compliance program.  The “Scoping and Planning” and the “BSA/AML Risk Assessment” sections help the examiner develop an appropriate examination plan based on the risk profile of the bank.  There may be instances where a topic is covered in both the core and expanded sections (e.g., funds transfers and foreign correspondent banking).  In such instances, the core overview and examination procedures address the BSA requirements while the expanded overview and examination procedures address the AML risks of the specific activity.

At a minimum, examiners should use the following examination procedures included within the “Core Examination Overview and Procedures for Assessing the BSA/AML Compliance Program” section of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile:

    • Scoping and Planning (refer to page 11)
    • BSA/AML Risk Assessment (refer to page 18)
    • BSA/AML Compliance Program (refer to page 28)
    • Developing Conclusions and Finalizing the Examination (refer to page 40)”

It is these last four bulleted sections that form the basis for all exams of banks’ BSA programs. And it is these four bulleted sections that were updated on April 15, 2020. A side-by-side comparison of the 2014 BSA Exam Manual (partial) table of contents and the April 2020 updates (complete) shows clearly what the regulators have focused on:

The regulatory agencies didn’t touch the 2014 Manual’s Introduction section. What they focused on are the sections on the four “pillars” of a BSA/AML compliance program. Where the 2014 Manual goes through each of the four pillars in a total of five pages, and then includes examination procedures for the overall compliance program at the end, the new 2020 update takes a different approach: it breaks out each of the four pillars, and has objectives and examination procedures for each. It is a more detailed and comprehensive approach.

So the 2014 Introduction section remains in place. That section uses three different adjectives in describing bank’s programs:

  • Page 1: “An effective BSA/AML compliance program requires sound risk management …”
  • Page 2: “… ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile”
  • Page 6: “The federal banking agencies work to ensure that the organizations they supervise understand the importance of having an effective BSA/AML compliance program in place.”
  • Page 7: “Banking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system.  A sound BSA/AML compliance program is critical in deterring and preventing [money laundering, terrorist financing, and other illicit financial transactions] at, or through, banks and other financial institutions.”

In the four “pillar” sections that were updated in 2020, the words “effective” or “effectiveness” appear four times in forty-three pages. Those words appeared seventeen times in the old 2014 version.

Let’s go through those sections, with a focus on the differences in the use of the words “effective” and “adequate”.

Scoping & Planning

The 2014 “Scoping and Planning” section begins on page 11 with “The BSA/AML examination is intended to assess the effectiveness of the bank’s BSA/AML compliance program and the bank’s compliance with the regulatory requirements pertaining to the BSA, including a review of risk management practices.”

The 2020 “Scoping and Planning” section begins on page 1 with: “Examiners assess whether the bank has developed and implemented adequate processes to identify, measure, monitor, and control those risks and comply with BSA regulatory requirements.”

So the regulators have shifted from effective to adequate.

The 2014 “Scoping and Planning” section then continues with a reference to risk assessment. At page 11: “risk assessment has been given its own section to emphasize its importance in the examination process and in the bank’s design of effective risk-based controls.”

The 2020 update provides, on page 4: “The BSA/AML Risk Assessment section provides information and procedures for examiners in determining whether the bank has developed a risk assessment process that adequately identifies the ML/TF and other illicit financial activity risks within its banking operations.”

So the regulators will determine whether the risk assessment adequately identifies risks: not whether it effectively identifies risks.

The 2014 edition does use the term “adequate in a few places. At page 12 is a reference to the Examination Plan: “At a minimum, examiners should conduct the examination procedures included in the following sections of this manual to ensure that the bank has an adequate BSA/AML compliance program commensurate with its risk profile.” And in a mixed message, under the heading “Transaction Testing” is: “Examiners perform transaction testing to evaluate the adequacy of the bank’s compliance with regulatory requirements, determine the effectiveness of its policies, procedures, and processes, and evaluate suspicious activity monitoring systems.”

There’s no mixed message in the 2020 update, though. Under the heading “Risk-Focused Testing” on page 6 is: “Examiners perform testing to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.” And at page 8 is the new objective for risk-focused BSA/AML supervision examination procedures: “Determine the examination activities necessary to assess the adequacy of the bank’s BSA/AML compliance program, relative to its risk profile, and the bank’s compliance with BSA regulatory requirements.”

So again, it’s fair to say (write) that the regulators have shifted from effective/effectiveness to adequate/adequacy.

Page 34 of the 2014 Manual sets out the objectives of the exam procedures: “Assess the adequacy of the bank’s BSA/AML compliance program. Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.”

Page 18 of the 2020 update sets out the objective when assessing the BSA/AML compliance program: “Assess whether the bank has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.” And at page 20: the objective of “assessing the BSA/AML compliance program examination procedures” is to “[d]etermine whether the bank has designed, implemented, and maintains an adequate BSA/AML compliance program that complies with BSA regulatory requirements.”

Internal Controls

There are some interesting differences in the main section on the system of internal controls – one of the four pillars of a BSA/AML compliance program.[4]

The 2014 Manual sets out the objectives for the overall BSA/AML compliance program: “Assess the adequacy of the bank’s BSA/AML compliance program.  Determine whether the bank has developed, administered, and maintained an effective program for compliance with the BSA and all of its implementing regulations.” (page 28). The 2014 Manual then goes through each of the four pillars, and does so in five pages, then includes examination procedures for the overall compliance program. The 2020 update takes a different approach: it breaks out each of the four pillars, and has objectives and examination procedures for each.

The 2020 update doesn’t use the terms effective or adequate in the Internal Controls section. Rather, it refers to “ongoing” compliance (“[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains a system of internal controls to assure ongoing compliance with BSA regulatory requirements.”).

Independent Testing

As to independent testing, the 2020 update includes an Objective: “Assess the adequacy of the bank’s independent testing program” (page 24). The objective of the exam procedures is to “[d]etermine whether the bank has designed, implemented, and maintains an adequate BSA/AML independent testing program for compliance with BSA regulatory requirements”. There isn’t similar language or detail in the 2014 Manual.

BSA Compliance Officer

The changes to the BSA Compliance Officer pillar are extensive. The 2020 update includes an objective: to “[c]onfirm that the bank’s board of directors has designated a qualified individual or individuals (BSA compliance officer) responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements. Assess whether the BSA compliance officer has the appropriate authority, independence, access to resources, and competence to effectively execute all duties.” (page 29). In this section is the following: ” The board of directors is responsible for ensuring that the BSA compliance officer has appropriate authority, independence, and access to resources to administer an adequate BSA/AML compliance program based on the bank’s ML/TF and other illicit financial activity risk profile.”

The objective of the exam procedures for this pillar is to “[c]onfirm that the bank’s board of directors has designated a qualified individual or individuals (BSA compliance officer) responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements.  Determine whether the BSA compliance officer has the appropriate authority, independence, access to resources, and competence to effectively execute all duties”.

The 2014 Manual provides that “[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.” (page 29). And at page 32: “[t]he board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.”

To summarize: the 2014 Manual provided that the board is responsible for ensuring the BSA Compliance Officer has sufficient authority and resources to administer an effective program. The 2020 updates provide that the board is now responsible for ensuring the BSA Compliance Officer has appropriate authority and resources to administer an adequate program. What has not changed, though, with the 2020 update is this: “the board of directors is ultimately responsible for the bank’s BSA/AML compliance.”

Training

The standards for BSA/AML training seem to have dropped, also. The 2014 Manual provided that “[t]he training program should reinforce the importance that the board and senior management place on the bank’s compliance with the BSA and ensure that all employees understand their role in maintaining an effective BSA/AML compliance program.” (page 33).

The 2020 update provides: “The training program may be used to reinforce the importance that the board of directors and senior management place on the bank’s compliance with the BSA and that all employees understand their role in maintaining an adequate BSA/AML compliance program.” (page 32).

Conclusion

The Wolfsberg Group’s December 2019 Statement on Effectiveness ended with this:

The Group believes that jurisdictions should adopt the FATF’s focus on effective outcomes and therefore, that an FI’s AML/CTF programme should have three key elements: (1) Comply with AML/CTF laws and regulations; (2) Provide highly useful information to relevant government agencies in defined priority areas; and (3) Establish a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity

The Group believes that supervisors and/or relevant government agencies should assess the effectiveness of an FI’s AML/CTF programme based on the above criteria, recognising that no two FIs are the same and each FI’s risk mitigation strategy must be tailored to meet its risk appetite.

Starting in 2005 with the first FFIEC BSA/AML Examination Manual, and continuing to the last full publication in 2014, the purpose of a BSA/AML regulatory exam was to determine whether banks had an effective BSA/AML compliance program, and the directors of those banks, who were ultimately responsible for their bank’s BSA/AML compliance, were to ensure the BSA Compliance Officer had sufficient authority and resources to administer an effective program. The 2020 update appears to have lowered those bars: going forward, the purpose of a BSA/AML regulatory exam is to determine whether banks have an adequate BSA/AML compliance program, and the directors of those banks, who remain ultimately responsible for their bank’s BSA/AML compliance, are now to ensure the BSA Compliance Officer has appropriate authority and resources to administer an adequate program.

It will be interesting to see what, if any, differences this new adequate standard will bring as regulatory examiners across America will be walking into banks and credit unions and announcing, “hello, we’re here to determine whether you have an adequate program.” That is a very different greeting, and a very different exam, and possibly a very different result, than if that examiner walked in and announced, “hello, we’re here to determine whether you have an effective BSA/AML compliance program.”

Post Script

In an article I wrote in August 2019 titled  “Lessons Learned as a BSA Officer – 1998 to 2018” one of the nine lessons was that words and punctuation matter. I wrote that one should use adjectives and adverbs sparingly, if at all:

Most modifiers are unnecessary. Whether necessary or not, as a risk professional you should be aware of both your use of adjectives and adverbs, and when reading others’ use of adjectives and adverbs. When confronted with any modifier, ask yourself (i) why is that modifier being used? (ii) is it being used correctly? (iii) does it change the meaning of the sentence in a way that is unintended? (iv) is it being used consistently with other modifiers? And (v) could it limit or prevent us in the future?

In this case the state and federal banking agencies changed the adjective “effective” to “adequate” to describe the quality of the BSA/AML program they will expect to see and will examine to. I hope that this was unintended, or else five to ten years from now, after a long-held standard of effectiveness is replaced by one of mere adequacy, we could be limited in our ability to fight financial crime.

Endnotes

[1] https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-55.html

[2] https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Effectiveness%201%20pager%20Wolfsberg%20Group%202019%20FINAL_Publication.pdf

[3] https://www.merriam-webster.com/

[4] The 2014 FFIEC Exam Manual “was a collaborative effort of the federal and state banking agencies” and FinCEN (2014 Manual, page 1). The Interagency Statement accompanying the 2020 update provided “The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee (Agencies) revised the sections in close collaboration with Treasury’s Financial Crimes Enforcement Network.” And FinCEN hasn’t (yet) issued a press release or otherwise publicly acknowledged the 2020 updates. Regardless, the agencies’ Title 12 BSA/AML compliance program includes four pillars, and FinCEN’s Title 31 BSA/AML compliance program includes five pillars.

5 + 4 = 6 … Treasury’s New PPP Math Is Creating Unnecessary Confusion, & Here’s a Proposed Solution

I’ve written two articles on the CARES Act’s Paycheck Protection Program (PPP) – the $350 billion, or $350,000,000,000, pot of federal money available for the lucky few hundred thousand or so of the roughly thirty million American small businesses that can navigate the labyrinth of regulatory requirements to apply for and be approved to get a loan that is intended to cover their payroll for 8 weeks or so. See The CARES Act and the PPP – We Know A Surge of Fraud is Coming

On April 13th the Treasury Department issued some guidance intended to clarify how the PPP lenders – mostly banks and credit unions – can satisfy some of their regulatory requirements around identifying the beneficial owners of the small businesses they’ll be lending to. In some of the more creative math I’ve seen in a while, they were somehow able to take the 5 things required under one set of regulations, combine them with the 4 things required under another set of regulations, and come up with 6 things. Instead of speeding up the delivery of the much-needed assistance to small businesses across America, their math may have the opposite effect.

Title 15 Small Business Administration (SBA) requirements

On April 2nd the SBA rolled out its requirements. Among other things, the two-page Borrower Form requires the “authorized representative” of the small business to certify a number of things, notably (for purposes of this labyrinth) five pieces of information – name, SSN/TIN, Address, Title, and Ownership Percentage – of up to five people that own 20 percent or more of the small business. And, according to the Interim Final Rule published on April 2nd, the lender (bank or credit union) can rely on that certification. And the authorized representative has to provide their name, title, and a signature.

So to summarize – for Title 15 SBA purposes, the borrower’s authorized representative needs to certify five pieces of information on as many as five legal owners of the borrower, and the bank lender can rely on that certification.

Title 31 Bank Secrecy Act (BSA) requirements

In May 2018 the federal anti-money laundering regulations were changed to add a requirement that financial institutions collect and verify “beneficial ownership” information of legal entity customers. Beneficial ownership was made up of what is called the “ownership prong” – a natural person owning twenty-five percent or more of the legal entity – and the “control prong” – one person who controlled the legal entity. The regulation also provided a Beneficial Ownership Certification form. The result was that the person opening the account had to certify a number of things, notably (for purposes of this labyrinth) four pieces of information – name, SSN/TIN, address, and Date of Birth (DOB) – of up to five people: up to four that own twenty-five percent or more of the legal entity and the single “control” person. According to the regulation, the bank can rely on that certification ““provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.” And the account opener has to provide their name, title, and a signature. And the bank is required to verify that beneficial ownership information: not that the persons are the beneficial owners, because that can’t reasonably be done, but that the persons are … persons. And that verification needs to be done within a reasonable time after the account is opened.

And there are some complications in the BSA rule around existing customers opening new accounts, and whether the bank can rely on existing beneficial ownership information or not. Essentially, a bank needs to document whether and when and how it will it can rely on existing information, and that documentation is part of what is known as its “risk-based BSA compliance program”.

So to summarize – for Title 31 BSA purposes, the legal entity’s account opener needs to certify four pieces of information on as many as four legal owners and one control person, and the bank can rely on that certification unless it knows of something that calls into question the reliability of the information, and the bank needs to verify that the persons are, in fact, persons.

Title 31 BSA requirements for Title 15 SBA PPP Loans

On April 13 Treasury and the SBA revised previously published FAQs to add a question and answer relating to how the Title 31 BSA requirements relating to collection (and verification) of beneficial ownership information would be applied to the Title 15 SBA PPP loans. And FinCEN issued, for the first time, the same question and answer. These are summarized below:

Treasury FAQ:  Does the information lenders are required to collect from PPP applicants regarding every owner who has a 20% or greater ownership stake in the applicant business (i.e., owner name, title, ownership %, TIN, and address) satisfy a lender’s obligation to collect beneficial ownership information (which has a 25% ownership threshold) under the BSA?

Existing customers:  if the PPP loan is being made to an existing customer and the lender previously verified the necessary information, the lender does not need to re-verify the information.  Furthermore, if federally insured banks and credit unions have not yet collected such beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.

New customers: the lender’s collection of SIX THINGS – owner name, title, ownership %, TIN, address, and date of birth – from as many as 5 natural persons with a 20% or greater ownership stake in the applicant business will be deemed to satisfy applicable BSA requirements and FinCEN regulations governing the collection of beneficial ownership information. Decisions regarding further verification of beneficial ownership information collected from new customers should be made pursuant to the lender’s risk-based approach to BSA compliance.

Leaving aside (for the moment) the vexing issue of what a bank’s risk-based BSA compliance program requires it to do for existing high risk customers applying for PPP loans, the most elaborate labyrinth the government has created is for new customers. For these new-to-the-lender customers, there appears to be a trade-off. Purely for SBA purposes, PPP lenders need to collect but perhaps not verify SIX things – the name, TIN, DOB, address, title, and ownership percentage – one of which (DOB) isn’t on the PPP Form, for up to 5 natural persons as legal owners. The April 13th guidance doesn’t say anything about the BSA “control” person – nor does it say whether the SBA Authorized Representative can be that control person. And because a lender’s risk-based BSA compliance program requires it to verify beneficial owners, the PPP lender still needs to verify that the Beneficial Owners are, in fact, human beings … not that they are, in fact, the Beneficial Owners of the Applicant Borrower. Also, for both the BSA’s “person opening the account” and the SBA’s “Authorized Representative”, the financial institution must collect the person’s name, title, and signature.

A Possible Solution to Treasury’s Math Problem

The likelihood of rampant money laundering through PPP loans is pretty slim. The likelihood of fraud, though, is 100%. How much fraud is dependent on a lot of factors, but banks are adept at lending money and keeping fraud rates down. In normal times. These are not normal times. But everyone involved in this effort wants to get the $350,000,000,000 into the hands of deserving American small businesses as soon as possible, knowing that there will be some abuses, frauds, mistakes, corruption, laziness, willful blindness, etc., etc. in the process.

But making the lenders collect six pieces of information on the owners of small businesses when neither of the applicable regulatory regimes require them to collect more than five seems to add a layer of unnecessary complexity and can only slow down the lending process.

Having to collect 5 pieces of information (but not DOB) from as many as five legal owners for SBA purposes, and to collect four pieces of information (including DOB) from as many as four legal owners AND one control person for BSA purposes, and now to have to collect SIX pieces of information (including DOB) from five persons for SBA/BSA purposes creates confusion. Treasury needs to take its own risk-based approach: satisfy SBA requirements today, BSA requirements before you forgive the loan.

So here’s my suggestion to Treasury (and the regulatory agencies): PPP lenders can rely on the certifications in the Form 2483 PPP Borrower form. Those lenders can satisfy their BSA-related beneficial ownership requirements by the earlier of (i) September 30, 2020, or (ii) before the PPP loan is forgiven. In other words, focus on the PPP borrowers and requirements today, and worry about the BSA requirements later this summer. Full stop.

The CARES Act of 2020: “Tall, Dark, or Handsome” and “Tall, Dark, and Handsome” in one bill

There is a big difference between someone who is tall, dark, and handsome – he is all three of those things – and a guy who is tall, dark, or handsome – he is one of those things. Unfortunately, the new Special Inspector General for Pandemic Recovery is the Congressional version of tall, dark, or handsome, and their peers – the Executive Director and Deputy Executive Director of the Pandemic Response Accountability Committee – are the Congressional versions of tall, dark, and handsome. Although Congress didn’t take my pre-passage advice to spruce up the SIGPR (there wasn’t time, apparently), we can still hope that they are as polished as their PRAC peers.

In an article I wrote in August 2019 titled  “Lessons Learned as a BSA Officer – 1998 to 2018” I covered nine topics:

  1. All the Cooks in the AML Kitchen aka Stakeholders
  2. All the Resources Available to You
  3. The 5 Dimensions of Risk – Up, Down, Across, Out, and Within
  4. FinTech versus Humans
  5. The 7 Cs – What Makes a Good Analyst/Investigator
  6. Tall, Dark and Handsome – Words and Punctuation Matter!
  7. SMEs v SMEs – Subject Matter Experts vs Subject Matter Enthusiasts
  8. Is Transaction Monitoring a Thing of the Past?
  9. The Importance of Courage

I thought of topic 6 – Tall, Dark and Handsome – the morning I read the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) bill that the Senate and House were then negotiating. Back in 2019 I wrote the following:

Tall, Dark, and Handsome – Words (especially adjectives and adverbs) and punctuation matter!

    1. Write simply and clearly

“We know all too well that drugs are killing record numbers of Americans – and almost all of them come from overseas.”  Former AG Jeff Sessions, August 2018 speech

This is a good example of a poorly written sentence that is begging for clarity. The phrase “almost all” means very little: at least 51% and less than 100%. Second, do “almost all” drugs come from overseas, or do almost all Americans come from overseas? And finally, Mexico is the source country for 90% – 94% of heroin entering the US, and the final transit country for 90% of the cocaine entering the US. Mexico isn’t actually overseas from the US.

    1. Use Adjectives and Adverbs Sparingly, if at all

Most modifiers are unnecessary. Whether necessary or not, as a risk professional you should be very aware of both your use of adjectives and adverbs, and when reading others’ use of adjectives and adverbs. When confronted with any modifier, ask yourself (i) why is that modifier being used? (ii) is it being used correctly? (iii) does it change the meaning of the sentence in a way that is unintended? (iv) is it being used consistently with other modifiers? And (v) could it limit or prevent us in the future?

    1. Watch out for Red Flag Words and Phrases

Intended, Primarily, Pilot, Agile Development, shall versus may, Artificial Intelligence, Machine Learning

Special Inspector General for Pandemic Recovery

Section 4018 of the CARES Act calls for the appointment of a new Special Inspector General for Pandemic Recovery. This appears to be a position similar to the TARP (Troubled Assets Relief Program) Inspector General position created after the 2007-2009 economic crisis to manage the TARP monies distributed to banks, the auto companies, and other businesses.

(I’ll point out that, just as the DMV’s vanity license department checks that proposed vanity license plates aren’t offensive, I’m sure someone in the Congressional Research Acronym Program Office checked the title for possible embarrassments. In this case, SIGPaR is much preferable to, say, Pandemic Inspector General.)

What is the federal government looking for in its new Special Inspector General for Pandemic Recovery? As seen from the screen shot of the section in the bill, “the nomination of the Special Inspector General  shall be made on the basis of integrity and demonstrated ability in accounting, auditing, financial analysis, law, management analysis, public administration, or investigations.”

To put it another way, the nomination shall be made on the basis of two things: (i) integrity, and (ii) demonstrated ability in either accounting or auditing or financial analysis or law or management analysis or public administration or investigations.

Prior to the passage of the Act, I suggested that Congress change “or” to “and” on line 8 of section 4018(b). As I wrote in my original article (published March 26th, the day vefore the bill was signed into law), “It would be great if we had a Special Inspector General for Pandemic Recovery who exhibited integrity and demonstrated ability in accounting, auditing, financial analysis, law, management analysis, public administration, and investigations. She’ll need all of those attributes to do her job, I expect.”

Unfortunately, Congress didn’t take up my suggestion.

And oddly enough, pursuant to section 15010(c)(3)(B)(ii) of the CARES Act, two other critical oversight positions created by the Act – the Executive Director and Deputy Executive Director of the Pandemic Response Accountability Committee – shall:

“(I) have demonstrated ability in accounting, auditing, and financial analysis;

(II) have experience managing oversight of large organizations and expenditures; and

(III) be full-time employees of the Committee.”

 There you have it: the legislative equivalent of “tall, dark, or handsome” (the Special Inspector General) and “tall, dark, and handsome” (the Executive Director and Deputy Executive Director of the Pandemic Response Accountability Committee) in one Bill. Yikes!

When it comes to BSA/AML compliance programs, success has a hundred fathers, but failure is, apparently, an orphan

“FinCEN Penalizes U.S. Bank Official for Corporate Anti-Money Laundering Failures”

In 1961 President John F. Kennedy commented on the failed Bay of Pigs invasion: “victory has a hundred fathers and defeat is an orphan”. This statement came to mind as I read the Treasury Department’s March 4, 2020 assessment of a $450,000 penalty against the former Chief Operational Risk Officer of US Bank for the bank’s failures to implement and maintain an effective anti-money laundering (AML) program. And although the bank itself, and its holding company US Bancorp, were sanctioned and paid hundreds of millions of dollars in penalties, it appears that no other officers or directors of US Bank were personally sanctioned.

I have previously written that running an AML program in an American financial institution is like Winston Churchill’s description of Russia in 1939: a riddle, wrapped in a mystery, inside an enigma. The riddle is how to meet your obligations to provide law enforcement with actionable, effective intelligence (the stated purpose of the US AML laws set out in Title 31 of the US Code). That riddle is wrapped in the mystery of how to satisfy the multiple regulatory agencies’ “safety and soundness” requirements set out in Title 12 of the US Code. And the enigma is the personal liability you face for failing to satisfy either or both of those things.

And that enigma of personal liability was recently brought front and center with the March 4, 2020, announcement from FinCEN that the former Chief Operational Risk Officer of US Bank, Michael LaFontaine, was hit with a $450,000 penalty for his failure to prevent BSA/AML violations during his seven to ten year tenure.

Before going further, keep this in mind: it is inconceivable that a single person could run an AML program in one of the largest banks in the United States. They would need hundreds if not thousands of others to help design, implement, modify, test, audit, oversee, and examine that program. Everyone from a first-year analyst to the Board of Directors. But it is equally inconceivable – with all the checks and balances built into the US financial sector regulatory regime, with the three lines of defense, and all the auditors, examiners, and directors – that a single person could single-handedly screw up that same AML program over a period of five years. Yet that is the conclusion that seems to have been made: no matter how many people were responsible for US Bank’s AML program over a five year period, only one was held accountable for it.

“FinCEN Penalizes U.S. Bank Official for Corporate Anti-Money Laundering Failures” – FinCEN Press Release

March 04, 2020

WASHINGTON—The Financial Crimes Enforcement Network (FinCEN) has assessed a $450,000 civil money penalty against Michael LaFontaine, former Chief Operational Risk Officer at U.S. Bank National Association (U.S. Bank), for his failure to prevent violations of the Bank Secrecy Act (BSA) during his tenure.  U.S. Bank used automated transaction monitoring software to spot potentially suspicious activity, but it improperly capped the number of alerts generated, limiting the ability of law enforcement to target criminal activity.  In addition, the bank failed to staff the BSA compliance function with enough people to review even the reduced number of alerts enabling criminals to escape detection.

“Mr. LaFontaine was warned by his subordinates and by regulators that capping the number of alerts was dangerous and ill-advised.  His actions prevented the proper filing of many, many SARs, which hindered law enforcement’s ability to fully combat crimes and protect people,” said FinCEN Director Kenneth A. Blanco.  “FinCEN encourages technological innovations to help fight money laundering, but technology must be used properly.”

In February 2018, FinCEN, in coordination with the Office of the Comptroller of the Currency (OCC) and the U.S. Department of Justice, issued a $185 million civil money penalty against U.S. Bank for, among other things, willfully violating the BSA’s requirements to implement and maintain an effective anti-money laundering (AML) program and to file Suspicious Activity Reports (SARs) in a timely manner.

Mr. LaFontaine was advised by two subordinates that they believed the existing automated system was inadequate because caps were set to limit the number of alerts.  The OCC warned U.S. Bank on several occasions that using numerical caps to limit the Bank’s monitoring programs based on the size of its staff and available resources could result in a potential enforcement action, and FinCEN had taken previous public actions against banks for the same activity.

Mr. LaFontaine received internal memos from staff claiming that significant increases in SAR volumes, law enforcement inquiries, and closure recommendations, created a situation where the AML staff “is stretched dangerously thin.”  Mr. LaFontaine failed to take sufficient action when presented with significant AML program deficiencies in the Bank’s SAR-monitoring system and the number of staff to fulfill the AML compliance role.  The Bank had maintained inappropriate alert caps for at least five years.

FinCEN has coordinated this action with the OCC and appreciates the assistance it provided.

FinCEN’s March 2020 action against Mr. LaFontaine was the third of a series of actions in the last five years against US Bank, its parent US Bancorp, and now, one of its former officers.

The US Bank Cases – 2015, 2018, and 2020

In October 2015 the OCC and US Bank entered into a Cease & Desist Order (on consent) for longstanding and extensive BSA/AML program failures and failures relating to suspicious activity monitoring and reporting. US Bank was compelled to perform a lengthy list of remedial actions, including a “look-back” of activity. Apparently, US Bank eventually satisfied the OCC, and in November 2018 that Order was lifted or terminated. But no individuals were singled out.

In February 2018 US Bank was hit with a series of orders and actions relating to (1) those aforementioned BSA/AML program and SAR failures, and (2) a multi-billion dollar, multi-year payday lending fraud that was effectuated, in part, through the fraudster’s accounts at US Bank (the so-called “Scott Tucker” fraud). Among other orders and penalties, US Bank and/or its parent US Bancorp paid a $75 million fine to the OCC, a $70 million fine to FinCEN, a $15 million fine to the Federal Reserve, and forfeited $453 million to the Department of Justice (and those forfeited funds were later distributed to the victims of the Scott Tucker fraud) in a federal civil case filed in the Southern District of New York (civil case no. 18CV01357). US Bank also consented to a one-count criminal charge and entered into a two-year Deferred Prosecution Agreement (DPA) with the US Attorney for the Southern District of New York. Finally, the Treasury Department brought a civil case against US Bank, also in the Southern District, to “reduce” the FinCEN $70 million penalty to a civil judgment: that was civil case no. 18CV01358. Again, no individuals were singled out.

The (former) Chief Operational Risk Officer was held personally accountable: but who is actually responsible for a bank’s BSA/AML compliance program?

US Bank – the 5th Largest Bank in the United States

Based on all the orders and civil and criminal complaints, it appears that the core period of time the government was concerned about were the years 2010 through 2014. Based on the Annual Reports of US Bank, during that period the bank had:

  • Between thirteen and fifteen directors each year. Eleven of those directors served from at least 2009 through 2014
  • A Managing Committee made up of:
    • 1 Chairman and CEO (the same person for the entire period);
    • Eight to ten Vice-Chairmen each year, one of which was the Chief Risk Officer in 2014; and
    • Four to six Executive Vice-Presidents each year, one of which was the Chief Risk Officer from 2005 through 2013, and one of which was Michael LaFontaine as Chief Operational Risk Officer in the 2012 and 2013 annual report

It’s fair to say that since US Bank listed these people – the Board of Directors and the Managing Committee – in its Annual Reports, these people were seen as being collectively responsible for overseeing and managing the affairs of US Bank.

OCC’s Regulations for BSA/AML Compliance – Title 12 of the Code of Federal Regulations

US Bank’s primary regulator is the OCC. The OCC’s regulations for a BSA/AML compliance program are set out at 12 CFR § 21.21. Subsection (a) describes the “purpose” for the section: “to assure that all national banks and savings associations establish and maintain procedures reasonably designed to assure and monitor their compliance with the requirements of subchapter II of chapter 53 of title 31, United States Code, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR Chapter X.” So the purpose of the OCC’s BSA/AML program requirement is to assure that banks meet their requirements under FinCEN’s legislation and regulations.

12 CFR § 21.21 continues. Subsection (c) goes beyond mere procedures and compels banks to “develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR Chapter X. The compliance program must be written, approved by the national bank’s or savings association’s board of directors, and reflected in the minutes of the national bank or savings association.”

And then subsection (d) sets out the minimum contents that the program shall have. It shall:

(1) Provide for a system of internal controls to assure ongoing compliance;

(2) Provide for independent testing for compliance to be conducted by national bank or savings association personnel or by an outside party;

(3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and

(4) Provide training for appropriate personnel.

So the OCC’s regulations tell us how a bank’s program is documented, who approves it (the board of directors), and what it must contain (at a minimum, the four “pillars” from subsection (d) – internal controls, independent testing, a BSA compliance officer, and training). Those OCC regulations don’t specifically set out who is responsible for the program. But they do refer to subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR Chapter X. What do those provide? Do those laws and regulations set out who is responsible for a bank’s BSA/AML program?

FinCEN’s Regulations for BSA/AML Compliance – Title 31 of the Code of Federal Regulations

31 CFR Part X, specifically § 1010.210, provides that “each financial institution (as defined in 31 U.S.C. 5312(a)(2) or (c)(1)) should refer to subpart B of its chapter X part for any additional anti-money laundering program requirements.” The subpart B for national banks, like US Bank, provides as follows:

31 CFR § 1020.210

Anti-money laundering program requirements for financial institutions regulated only by a Federal functional regulator, including banks, savings associations, and credit unions. A financial institution regulated by a Federal functional regulator that is not subject to the regulations of a self-regulatory organization shall be deemed to satisfy the requirements of 31 U.S.C. 5318(h)(1) if the financial institution implements and maintains an anti-money laundering program that:

(a) Complies with the requirements of §§1010.610 and 1010.620 of this chapter;

(b) Includes, at a minimum:

(1) A system of internal controls to assure ongoing compliance;

(2) Independent testing for compliance to be conducted by bank personnel or by an outside party;

(3) Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;

(4) Training for appropriate personnel; and

(5) Appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:

(i) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

(ii) Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. For purposes of this paragraph (b)(5)(ii), customer information shall include information regarding the beneficial owners of legal entity customers (as defined in §1010.230 of this chapter); and

(c) Complies with the regulation of its Federal functional regulator governing such programs.

So, other than the OCC regulation having only four pillars while the FinCEN regulation has five, neither the OCC nor the FinCEN BSA/AML program regulations specifically describe who, if anyone, in a bank, is actually responsible for the BSA/AML program. But we know from the Michael LaFontaine case that the Chief Operational Risk Officer was found personally accountable for the failures of the program.

Regulatory Guidance – the FFIEC BSA/AML Examination Manual

So if the answer isn’t in the regulation, perhaps it can be found in regulatory guidance. For BSA/AML purposes, the golden source for regulatory guidance is set out in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual. All five editions of the Manual (from 2005 through 2014) provide: “The board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.” (At page 29 of the most recent (2014) edition).

Hmmm … that appears to indicate that the board of directors is ultimately responsible, but the “acting through senior management” interjection is confusing. But the details that follow (again, the same language since 2005) provide clarity:

BSA Compliance Officer

The bank’s board of directors must designate a qualified individual to serve as the BSA compliance officer.[1] The BSA compliance officer is responsible for coordinating and monitoring day-to-day BSA/AML compliance. The BSA compliance officer is also charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations; however, the board of directors is ultimately responsible for the bank’s BSA/AML compliance.

While the title of the individual responsible for overall BSA/AML compliance is not important, his or her level of authority and responsibility within the bank is critical. The BSA compliance officer may delegate BSA/AML duties to other employees, but the officer should be responsible for overall BSA/AML compliance.  The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.

This seems pretty clear: the board of directors is ultimately responsible for the bank’s BSA/AML compliance program, and for ensuring that the BSA compliance officer has the tools to do their job.

In addition, the Manual makes it clear that the BSA Officer cannot be “layered”: the BSA Officer must directly report to and take direction from the Board. The Manual provides:

“The line of communication should allow the BSA compliance officer to regularly apprise the board of directors and senior management of ongoing compliance with the BSA.  Pertinent BSA-related information, including the reporting of SARs filed with FinCEN, should be reported to the board of directors or an appropriate board committee so that these individuals can make informed decisions about overall BSA/AML compliance.  The BSA compliance officer is responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes.”

Although banking and financial crimes regulations don’t specifically spell out who is responsible for a bank’s BSA/AML program, written guidance makes it clear that the Board of Directors is responsible for ensuring that a bank implements and maintains an effective BSA/AML program.

But that isn’t what has happened in this case. The former Chief Operational Risk Officer – not the Board of Directors, nor the BSA compliance officer(s) that should have reported directly to the Board, nor anyone on the Managing Committee of the bank – was held accountable. Why was that? The answer may lie in FinCEN’s assessment against Mr. LaFontaine.

The March 4, 2020 FinCEN Assessment of Civil Money Penalty

What were the allegations against Mr. LaFontaine?

Page 2 – “Mr. LaFontaine at various times had responsibility for overseeing U.S. Bank’s compliance program and therefore shares responsibility for the Bank’s violations of the requirements to implement and maintain an effective AML program and file SARs in a timely manner.”

So it appears from this that Mr. LaFontaine shared responsibility for the program violations. Who did he share that responsibility with? Some detail is provided on page 3:

Page 3 – “Beginning in or about January 2005, and continuing through his separation from U.S. Bank in or about June 2014, Mr. LaFontaine held senior positions within the Bank’s AML hierarchy, involving oversight of the Bank’s AML compliance functions, from approximately 2008 through April 2011, and then from October 2012 through June 2014. He was the Chief Compliance Officer (CCO) of the Bank from 2005 through 2010, at which time he was promoted to Senior Vice President and Deputy Risk Officer. Thereafter, in October 2012, Mr. LaFontaine was promoted again to Executive Vice President and Chief Operational Risk Officer. In this latter position, which Mr. LaFontaine held throughout the remainder of his employment at the Bank, he reported directly to the Bank’s Chief Executive Officer (CEO) [Footnote: From early 2014 to the end of his tenure, Mr. LaFontaine reported to the Bank’s new Chief Risk Officer and had direct communications with the Bank’s Board of Directors.] As Chief Operational Risk Officer, Mr. LaFontaine oversaw the Bank’s AML compliance department (which was referred to internally as Corporate AML), and he supervised the Bank’s CCO, AML Officer (AMLO), [Footnote: The AMLO did not report directly to Mr. LaFontaine following the hiring of new Chief AML and BSA officers in the spring and summer of 2012. After these hirings, the AMLO reported to the Bank’s CCO, who reported to Mr. LaFontaine] and AML staff.”

We don’t know why the Board of Directors, any one or more of the directors (and there were at least eleven of them that were directors during the entire period in question), or any other senior officers of US Bank (and there were about a dozen of them every year), weren’t held accountable. And in this case, in at least six (6) regulatory, civil, and criminal orders running to hundreds of pages filed over a five (5) year period, we didn’t find out who the government felt was responsible for this bank’s BSA/AML compliance program. Other than Mr. LaFontaine, who was held accountable.

But one of those documents had an interesting take on responsibility. Paragraph 18 of the Treasury Department’s civil complaint against US Bank (Case No 18CV01357, filed February 15, 2018) referenced the FFIEC BSA/AML Manual. The paragraph provided:

“18. Under the BSA/AML Manual, a bank’s risk profile informs the steps it must take to comply with each of the BSA’s requirements. To develop appropriate policies and controls, banks must identify “banking operations . . . more vulnerable to abuse by money launderers and criminals . . . and provide for a BSA/AML compliance program tailored to manage risks. Similarly, while banks must designate an individual officer responsible for ensuring compliance with the BSA, such designation is not alone sufficient. Instead, the BSA/AML Manual notes that banks are responsible for ensuring that their compliance functions have ‘resources (monetary, physical, and personnel) [necessary] to administer an effective BSA/AML compliance program based on the bank’s risk profile.’”

In fact, as set out above, that is not what the Manual provides: according to the Manual, published by the OCC and FinCEN, among many other FFIEC agencies, the board of directors is responsible for ensuring that the bank implements and maintains an effective AML program. Not the “bank”, nor, in this case, the Chief Operational Risk Officer.

Paragraph 31 of the February 15, 2018 civil complaint provided that “US Bank delegated the responsibility for ensuring that it met its obligations under the BSA to its AML compliance department, which it referred to internally as Corporate AML.”

It would have been more accurate to write “US Bank attempted to delegate the responsibility for ensuring that it met its obligations under the BSA to its AML compliance department, which it referred to internally as Corporate AML; but the Board of Directors retained ultimate responsibility.” As the Manual provides, the board of directors maintains ultimate responsibility for the bank’s BSA/AML compliance, with their board-appointed BSA compliance officer “charged with managing all aspects of the BSA/AML compliance program and with managing the bank’s adherence to the BSA and its implementing regulations.”

Based on everything that is in the various pleadings, orders, and press releases, it appears that Mr. LaFontaine didn’t do that part of his job that involved managing Corporate AML. As one of the senior officers in the chain of command of US Bank’s risk organization, and as a member of the Managing Committee in 2012 and 2013, he had some responsibility and accountability: he appears to have organizationally been positioned somewhere between the BSA officers and the Board, and apparently thwarted or ignored the warnings of the AML Officer and/or BSA Officer(s) – who should have been reporting to the Board.

There is much we don’t know about this case. No one person – not even a CEO or Chairman of the Board – has the ability to run an AML program, let alone screw up that program. But apparently the Government has concluded that one person alone can be found accountable for the failures of a mega-bank’s AML program. Which begs a few questions …

Question 1 – Did the OCC inform the Board of Directors that BSA/AML risks weren’t being managed?

Paragraph 58 of the February 2018 civil complaint provided that “… despite recommendations and warnings from the OCC dating back to 2008, the Bank failed to have [the transaction monitoring system] independently validated.”

The phrase “warnings from the OCC dating back to 2008” could be explored. In the section in the Manual titled “Examiner Determination of the Bank’s BSA/AML Aggregate Risk Profile” is the following: “when the risks are not appropriately controlled, examiners must communicate to management and the board of directors the need to mitigate BSA/AML risk.” At this point, we don’t know what the OCC told the board, or when. We do know that the OCC issued a public Cease & Desist Order (on consent) in 2015.

Question 2 – Where was Internal Audit?

Independent testing, or internal audit, is one of the four (Title 12) or five (Title 31) required (minimum) pillars of a BSA/AML compliance program. And the Exam Manual provides that “the persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.” (see page 30 of the 2006 Manual, page 12 of the 2014 Manual). Which begs the question: where was US Bank’s audit team during the six+ years that there was capping of alerts and staffing issues? Shouldn’t the audit function have reported to the Board that there were long-standing issues with the transaction monitoring system and AML staffing, and that the OCC had made recommendations and warnings that went unheeded?

Question 3 – Where were the BSA Officers?

As a former BSA Officer, this was the question that was most on my mind as I read the March 4, 2020 FinCEN Assessment, and re-read the 2015 OCC order and the orders and complaints from February 2018. Indeed, I was relieved when the March Assessment came out and it was not against any of the former BSA Officers. The 2015 and 2018 documents showed an organization that appeared to organizationally bury its BSA officers, didn’t empower them, didn’t give them the required access to the Board, and certainly didn’t provide sufficient resources to allow for an effective program (all of which has been corrected with US Bank’s current BSA Officer and organization). And the March 2020 FinCEN Assessment describes two AML Officers and one Chief Compliance Officer, all reporting directly or indirectly into Mr. LaFontaine, who raised serious concerns over a number of years. At page 10 of the Assessment is this:

“In or about November 2013, a meeting was scheduled, at the request of the Bank’s CEO, so that the AMLO and CCO could update the CEO on the Bank’s AML program. In advance of that meeting, the AMLO and CCO prepared a PowerPoint presentation that began with an “Overview of Significant AML Issues,” the first of which was “Alert volumes capped for both [Security Blanket] and [Q]uery detection methods.” The AMLO and CCO put the alert caps issue first because, from their perspective, it was the most pressing of the Bank’s AML issues.  The PowerPoint identified the alert caps as a “[c]overage gap” that “could potentially result in missed Suspicious Activity Reports.” It also said that the “[s]ystem configuration and use could be deemed a program weakness, with potential formal actions including fines, orders, and historical review of transactions.” Prior to the meeting with the CEO, Mr. LaFontaine reviewed the PowerPoint, yet failed to raise the issue of the alert caps with the CEO during the meeting, choosing instead to prioritize other compliance-related issues.”

This suggests that the CEO wanted to meet with the AMLO and CCO, yet eventually met only with their boss, Mr. LaFontaine. Who took the opportunity to bury the primary message that his BSA Officer wanted the CEO to hear: that they were capping the number of alerts coming from the transaction monitoring system.

A financial institution must not organizationally “bury” its BSA Officer (AML officer): their organizational reporting line must be no more than “two-down” from the CEO and within an independent risk organization (e.g., the BSA Officer reports to the Chief Risk Officer, who reports to the CEO) and – critically – the BSA Officer must personally and directly report to the Board.[2]

It appears from the US Bank documents that neither the organizational structure nor the lines of communication allowed the BSA Officer(s) to “apprise the board of directors and senior management of ongoing compliance with the BSA … so that these individuals can make informed decisions about overall BSA/AML compliance”, as the Exam Manual requires. And it wasn’t the Chief Operational Risk Officer that was “responsible for carrying out the direction of the board and ensuring that employees adhere to the bank’s BSA/AML policies, procedures, and processes” … it was the BSA Officer(s). But it appears those BSA Officer(s) were organizationally and/or culturally stymied from directly communicating to the Board. In fact, the paragraph immediately after the description of the CEO meeting provides that “[t]he above-described conduct by Mr. LaFontaine continued until May 2014 when the AMLO bypassed Mr. LaFontaine and sent an email to the Bank’s then-Chief Risk Officer referencing the alert caps issue.”] A BSA officer must not be forced to bypass or do end-runs around a blocking boss in order to raise issues.

But whose responsibility is it to ensure that the BSA officer has the organizational stature and resources to do their job, and to ensure that the BSA officer has direct access to senior management and the board? It is the responsibility of the Board of Directors. The Manual is clear: “The board of directors is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program based on the bank’s risk profile.” It shouldn’t take the regulators and, perhaps, a whistle blower to get the bank to act (page 11 of the 2020 Assessment includes: “The Bank did not begin to address its deficient policies and procedures for monitoring transactions and generating alerts until June 2014, when questions from the OCC and reports from an internal complainant caused the Bank’s Chief Risk Officer to retain outside counsel to investigate the Bank’s practices.”).

But maybe the directors weren’t aware that they were responsible for ensuring that the bank implemented and maintained an effective AML program. Which then begs the question …

Question 4 – Where was the Law Department?

Boards rely heavily on in-house counsel. Among other duties, in-house counsel must ensure that the directors understand their legal and regulatory obligations. In the case of BSA/AML, as the Exam Manual clearly sets out, the BSA program must be in writing and approved by the Board. The Board must designate a qualified individual to serve as the BSA compliance officer. The Board is responsible for ensuring that the BSA compliance officer has sufficient authority and resources (monetary, physical, and personnel) to administer an effective BSA/AML compliance program.

The first and last thing in-house counsel should leave the Board with when they are conducting their annual board training and awareness is this: “folks, if you remember one thing, remember this: as directors, you are ultimately responsible for the bank’s BSA/AML compliance.”

Question 5 – Where were the other senior managers of the bank?

The most vexing thing about this is not what is written in the FinCEN assessment or accompanying press release, but what is not written. Anyone who has spent any time in AML compliance in a mid-size to large financial institution knows that there are hundreds to thousands of people involved in designing, implementing, testing, maintaining, auditing, overseeing, and examining an AML program. Nothing happens – or doesn’t happen – without the involvement of modelers, testers, auditors, examiners, and committees; without endless finance meetings, HR meetings, “credible challenge” meetings; without senior management buy-in and support; and without the monthly or quarterly meetings with the board of directors (or a committee of the board) and the annual review and approval of the program and appointment, or re-appointment, of the BSA compliance officer.

The Government has singled out one senior manager in the 5th largest bank in the country for failures in a critical risk program that occurred over a five or six year period: where were the other senior managers?

Which takes us back full circle to the Board of Directors …

Question 6 – If the Board of Directors is responsible for a BSA compliance program, how come the Directors were not held accountable for its failures?

We simply don’t know what the US Bank board of directors knew or didn’t know when it came to the five or six years that the bank’s AML program was, apparently, not meeting regulatory requirements. We don’t know what they approved (or didn’t approve) annually. We don’t know what management, or audit, was reporting (or not reporting) to them. We don’t know whether they understood their responsibilities under the BSA regulations and regulatory guidance. We don’t know whether their annual approval of the AML program and appointment of the BSA Officer was a rubber-stamp or a fair and credible challenge of the program, the BSA Officer, and whether the BSA Officer had the monetary, physical, and personnel resources necessary to administer an effective BSA/AML compliance program based on the bank’s risk profile (paraphrasing the Manual). But it’s fair to assume that the Government found it difficult to find anyone liable where they simply failed to do their appointed task well. “We didn’t know the AML transaction monitoring system had been capped”, or “no one told us that the AML investigations team was grossly under-staffed”, or “none of the audit reports that came to the board indicated there were any problems with the AML program” become reasonably solid defenses when someone is looking to assign blame. It is much easier to find someone liable when they were presented with a problem and failed to address it, or even worse, took actions to hide it.  That said, it may simply go back to this:

“Success has many fathers; failure is an orphan”

Michael LaFontaine was considered a rising star in the banking world. The Minneapolis/St. Paul Business Journal included him in its “40 under 40 – 2014” class. In a March 21 2014 Video Clip for the “40 Under 40” program he said “success doesn’t happen alone”. Unfortunately, it appears that the opposite is true: he appears to have been singled out and left alone when it comes to finding one person responsible for something that many were accountable for. As President Kennedy said, “victory has a hundred fathers and defeat is an orphan”. More than a dozen directors had responsibility for US Bank’s AML program; eleven served from 2009-2014; and four of those are still directors. But none were held accountable.

Conclusion

The point of this article is not to encourage the Government to impose fines on all the directors, senior management, auditors, and BSA Officers involved in a program that has failures and regulatory violations. Rather, it is to point out to all the Boards of Directors out there that they are responsible for their bank’s AML program, and with that responsibility comes accountability. Knowing that, those Boards will push the management of those banks to implement and maintain effective AML programs … and hopefully prevent another individual from the horrors of personal liability.

[1] Footnote 34 in 2014 Manual: “The bank must designate one or more persons to coordinate and monitor day-to-day compliance.  This requirement is detailed in the federal banking agencies’ BSA compliance program regulations: 12 CFR 208.63, 12 CFR 211.5(m), and 12 CFR 211.24(j) (Federal Reserve); 12 CFR 326.8 (FDIC); 12 CFR 748.2 (NCUA); 12 CFR 21.21 (OCC).”

[2] There is a third question. It doesn’t involve responsibility and accountability for a BSA program, but is important nonetheless. And that is … how do you get SAR filing rates of 30% to 80% from below-the-Line testing? Both the 2018 civil complaint and March 2020 FinCEN Assessment describe the results of a look-back conducted in 2011. Paragraph 41 of the February 2018 civil complaint provides, in part: “… in November 2011, the Bank’s AML staff concluded that, during the past year, the SAR filing rates for below threshold testing averaged between 30% and 80%. In other words, between 30% and 80% of the transactions that were reviewed during the below-threshold testing resulted in the filing of a SAR.” The most efficient transaction monitoring systems have alert-to-SAR rates of 20% – 30%. In fact, the industry laments that the “false positive” rate for most transaction monitoring systems is 95% or more, for a true positive rate of 5% or less. So having a false negative rate (which is a below-the-line testing rate) of 30% to 80% makes no sense at all. Particularly since paragraph 64 of the complaint provides that 2,121 SARs were filed as a result of a six-month look back of 24,179 alerts: an alert-to-SAR rate of about 9%. [NOTE: the average value of these “look-back” SARs was over $339,000].

Chinese Money Brokers – The First US Case Involving An Identified Threat to the US Financial System?

February 6, 2020 – US Warns of Chinese Money Brokers Integrating Illicit Cash Proceeds through Trade Based Money Laundering, or TBML

On February 6, 2020, the Treasury Department released its 2020 National Strategy for Combating Terrorist and Other Illicit Financing. 2020 National Strategy. Among other threats to the US financial system were Chinese money laundering networks, or money brokers, described at pages 24 and 25 of the Strategy …

U.S. law enforcement has seen an increase in complex schemes to launder proceeds from the sale of illegal narcotics in the United States by facilitating the exchange of cash proceeds from Mexican drug trafficking organizations to Chinese citizens residing in the United States. These money laundering schemes, run by Professional Money Laundering Networks, or PMLNs, are designed to sidestep two separate obstacles: Drug Trafficking Organizations’ (DTOs’) inability to repatriate drug proceeds into the Mexican banking system due to dollar deposit restrictions imposed by Mexico in 2010 [of $4,000 a month per individual and $1,500 a month for U.S. currency exchanges by non-accountholders] and Chinese capital flight law restrictions on Chinese citizens located in the United States that prevent them from transferring the equivalent of US$50,000 held in Chinese bank accounts for use abroad. Chinese money laundering networks facilitate the transfer of cash between these two groups.

As described in the graphic from the Strategy [below], a variety of Chinese money brokers, processors and money couriers facilitate these PMLNs. Brokers in Mexico coordinate with DTOs in order for the DTOs to receive pesos in exchange for drug profits earned in the United States. The DTO instructs a courier in the United States to provide U.S. currency to the broker’s U.S. processor. The processor then launders the cash and identifies U.S.-based buyers. In exchange for U.S. currency, the buyer will transfer renminbi (RMB) through their Chinese bank account to a Chinese account controlled by the money broker. The broker then uses the RMB to buy commodities from a Chinese manufacturer for export to Mexico. Once the goods arrive in Mexico, the broker or the DTO completes the cycle by selling the goods locally for pesos.”

 

February 3, 2020 – Owners of Underground, International Financial Institutions Plead Guilty to Operating Unlicensed Money Transmitting Business

The First Chinese Money Broker Prosecution? On February 3, 2020 – three days before the 2020 National Strategy was released, the US Attorney for the Southern District of California issued a press release that announced that Bing Han and Lei Zhang pleaded guilty in federal court for operating unlicensed money transmitting businesses. The US Attorney noted that the guilty pleas “are believed to be the first in the United States for a developing form of unlawful underground financial institution that transfers money between the United States and China, thereby circumventing domestic and foreign laws regarding monetary transfers and reporting, including United States anti-money laundering scrutiny and Chinese capital flight controls.”

The press release described the scheme as admitted in the plea agreements (which are not available online) as follows:

“Han and Zhang would collect U.S. dollars (in cash) from various third-parties in the United States and deliver that cash to a customer, typically a gambler from China who could not readily access cash in the United States due to capital controls that limit the amount of Chinese yuan an individual can convert to foreign currency at $50,000 per year. Upon receipt of the U.S. dollars, the customer (i.e., the gambler) would transfer the equivalent value of yuan (using banking apps on their cell phones in the United States) from the customer’s Chinese bank account to a Chinese bank account designated by defendant Han or Zhang. For facilitating these transactions, Zhang and Han were paid a commission based on the monetary value illegally transferred … Han and Zhang further admitted that they were regularly introduced to customers by casino hosts, who sought to increase the gambling play of the casino’s customers. By connecting cash-starved gamblers in the United States with illicit money transmitting businesses, like those operated by Han and Zhang, the casinos increased the domestic cash play of their China-based customers. All a gambler needed was a mobile device that had remote access a China-based bank account. As a result, Han and Zhang managed to transmit and convert electronic funds in China into hard currency in the United States; all while circumventing the obstacles imposed both by China’s capital controls, and the anti-money laundering scrutiny imposed on all United States financial institutions. For their efforts, the casino hosts often received a cut of Han’s or Zhang’s commission.”

This sounds very similar to what was described in the 2020 National Strategy document. AML professionals should put a reminder in their calendars for the sentencing hearings of Han and Zhang in order to learn more about these “Chinese Money Broker” crimes that pose a threat to the US financial system.

US v. Bing Han, SD CA Case 20CR00369 is scheduled for sentencing on May 1, 2020.

US v. Lei Zhang, SD CA Case 20CR00370 is scheduled for sentencing on May 4, 2020.

A Bank’s Bid for Innovative AML Solutions: Innovation Remains A Perilous Endeavor

One Bank Asked the OCC to Have an “Agile Approach to Supervisory Oversight”

On September 27, 2019 the OCC published an Interpretive Letter answering an unknown bank’s request to make some innovative changes to how it files cash structuring SARs. Tacked onto its three technical questions was a request by the bank to do this innovation along with the OCC itself through something the bank called an “agile approach to supervisory oversight.” After qualified “yes” answers to the three technical questions, the OCC’s Senior Deputy Comptroller and Chief Counsel indicated that the OCC was open to “an agile and transparent supervisory approach while the Bank is building this automated solution” but he didn’t actually write that the OCC would, in fact, adopt an agile approach. This decision provides some insight, and perhaps the first public test, of (i) the regulators’ December 2018 statement on using innovative efforts to fight money laundering, and (ii) the OCC’s April 2019 proposal around innovation pilot programs. Whether the OCC passed the test is open to discussion: what appears settled, though, is that AML innovation in the regulated financial sector remains a perilous endeavor.

Regulators’ December 2018 Joint Statement on Innovative AML Efforts

On December 3, 2018 the five main US Bank Secrecy Act (BSA) regulators issued a joint statement titled “Innovative Efforts to Combat Money Laundering and Terrorist Financing”.[1] The intent of the statement was to encourage banks to use modern-era technologies to bolster their BSA/AML compliance programs. The agencies asked banks “to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their Bank Secrecy Act/anti-money laundering (BSA/AML) compliance obligations, in order to further strengthen the financial system against illicit financial activity” and “[t]he Agencies recognize[d] that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks” to do so.

The statement was a very positive step to encourage private sector innovation in fighting financial crime by testing new ways of using existing tools as well as adopting new technologies.

But it wasn’t the “green light to innovate” that some people have said it is. There was some language in the statement that made it, at best, a cautionary yellow light. And the September 27th OCC letter seems to clarify that banks can innovate, but the usual regulatory oversight and potential sanctions still apply.

The Agencies’ December 2018 statement included five things that bear repeating:

  1. “The Agencies recognize that private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks identify and report money laundering, terrorist financing, and other illicit financial activity by enhancing the effectiveness and efficiency of banks’ BSA/AML compliance programs. To assist banks in this effort, the Agencies are committed to continued engagement with the private sector and other interested parties.”
  2. “The Agencies will not penalize or criticize banks that maintain effective BSA/AML compliance programs commensurate with their risk profiles but choose not to pursue innovative approaches.”
  3. “While banks are expected to maintain effective BSA/AML compliance programs, the Agencies will not advocate a particular method or technology for banks to comply with BSA/AML requirements.”
  4. Where test or implemented “artificial intelligence-based transaction monitoring systems … identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program”
  5. “… the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

Note the strong, unqualified language: “the Agencies are committed to continued engagement”, “the Agencies will not penalize or criticize”, “the Agencies will not advocate …”, “the Agencies will assess”, and “the implementation of innovative approaches will not result in additional regulatory expectations”.

The qualified “assurances” come in the paragraph about pilot programs (with emphasis added):

“Pilot programs undertaken by banks, in conjunction with existing BSA/AML processes, are an important means of testing and validating the effectiveness of innovative approaches.  While the Agencies may provide feedback, pilot programs in and of themselves should not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not necessarily result in supervisory action with respect to that program.  For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not automatically assume that the banks’ existing processes are deficient.  In these instances, the Agencies will assess the adequacy of banks’ existing suspicious activity monitoring processes independent of the results of the pilot program.  Further, the implementation of innovative approaches in banks’ BSA/AML compliance programs will not result in additional regulatory expectations.”

Here there are the qualified assurances (a qualified assurance is not an assurance, by the way): “should not” is different than “will not”; “will not necessarily” is very different than “will not”; and “not automatically assume” isn’t the same as “not assume”.  These are important distinctions. The agencies could have written something very different:

“… pilot programs in and of themselves will not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in a BSA/AML compliance program will not result in supervisory action with respect to that program.  For example, when banks test or implement artificial intelligence-based transaction monitoring systems and identify suspicious activity that would not otherwise have been identified under existing processes, the Agencies will not assume that the banks’ existing processes are deficient …”

The OCC’s April 2019 Innovation Pilot Program

On April 30, 2019 the OCC sought public comment on its proposed Innovation Pilot Program, a voluntary program designed to provide fintech providers and financial institutions “with regulatory input early in the testing of innovative activities that could present significant opportunities or benefits to consumers, businesses, financial institutions, and communities.” See OCC Innovation Pilot Program. As the OCC has written, the Innovation Pilot Program clearly notes that the agency would not provide “statutory or regulatory waivers and does not absolve entities participating in the program from complying with applicable laws and regulations.”

Twenty comments were posted to the OCC’s website. A number of them included comments that innovators needed some formalized regulatory forbearance in order to be able encourage them to innovate. The Bank Policy Institute’s letter (BPI Comment), submitted by Greg Baer (a long-standing and articulate proponent of reasonable and responsible regulation), provided that:

“… the OCC should clarify publicly that a bank is not required to seek the review and approval of its examination team prior to developing or implementing a new product, process, or service; that unsuccessful pilots will not warrant an MRA or other sanction unless they constitute and unsafe and unsound practice or a violation of law; and that innovations undertaken without seeking prior OCC approval will not be subject to stricter scrutiny or a ‘strict liability’ regime. We also recommend that the OCC revisit and clarify all existing guidance on innovation to reduce the current uncertainty regarding the development of products, processes and services; outdated or unnecessary supervisory expectations should be rescinded.”

The American Bankers Association comment ABA Comment also asks for similar guidance:

“For institutions to participate confidently in a pilot, there must be internal agreement that OCC supervision and enforcement will not pursue punitive actions. In other words, the program should produce decisions that have the full support of the OCC and bind the agency to those conclusions going forward … One way for the OCC to accomplish this is to clarify that a participating bank will not be assigned Matters Requiring Attention (MRAs) if it acts in good faith as part of a Pilot Program. The nature of technological innovation means that banks must try new things, experiment, and sometimes make mistakes. The Pilot Program has been designed as a short-term limited-scale test to ensure that any mistakes made are unlikely to have an impact on the safety and soundness of an institution. Clarifying that MRAs will not be issued for mistakes made in good faith may help give banks the certainty they need to participate in a Pilot Program.”

And the Securities Industry and Financial Markets Association (SIFMA) comment letter SIFMA Comment Letter included the following:

“Relief from strict regulatory compliance is a vital prerequisite to draw firms into the test environment, precisely so that those areas of noncompliance may be identified and remediated and avoid harm to the consumers. Without offering this regulatory relief, the regulatory uncertainty associated with participating in the Pilot Program could, by itself, deter banks from participating. Similarly, the lack of meaningful regulatory relief could limit the opportunity the program provides for firms to experiment and innovate.”

So where did that leave banks that were thinking of innovative approaches to AML?  For those that choose not to pursue innovative pilot programs, it is clear that they will not be penalized or criticized, but for those that try innovative pilot programs that ultimately expose gaps in their BSA/AML compliance program, the agencies will not automatically assume that the banks’ existing processes are deficient. In response to this choice – do not innovate and not be penalized, or innovate and risk being penalized – many banks have chosen the former. As a result, advocates for those banks – the BPI and ABA, for example – have asked the OCC to clarify that it will not pursue punitive actions against banks that unsuccessfully innovate.

How has the OCC replied? It hasn’t yet finalized its Innovation Program, but it has responded to a bank’s request for guidance on some innovative approaches to monitoring for, alerting on, and filing suspicious activity reports on activity and customers that are structuring cash transactions.

A Bank’s Request to Have the OCC Help It Innovate

The OCC published an Interpretive Letter on September 27, 2019 that sheds some light on how it looks at its commitments under the December 2018 innovation statement.[2]  According to the Interpretive Letter, on February 22, 2019 an OCC-regulated bank submitted a request to streamline SARs for potential structuring activity (the Bank also sought the same or a similar ruling from FinCEN: as of this writing, FinCEN has not published a ruling). The bank asked three questions (and the OCC responded):

  1. Whether the Bank could file a structuring SAR based solely on an alert, without performing a manual investigation, and if so, under what circumstances (yes, but with some significant limitations);
  2. Whether the proposed automated generation of SAR narratives for structuring SARs was consistent with the OCC’s SAR regulations (yes, but with some significant limitations);
  3. Whether the proposed automation of SAR filings was consistent with the OCC’s BSA program regulations (yes, but with some significant limitations).

The most interesting request by the Bank, though, was its request that the OCC take an “agile approach to supervisory oversight” for the bank’s “regulatory sandbox” initiative. Pages 6 and 7 of the OCC letter provide the particulars of this request. There, the OCC writes:

“Your letter also requested regulatory relief to conduct this initiative within a “regulatory sandbox.” Your regulatory sandbox request states ‘This relief would be in the form of an agile approach to supervisory oversight, which would include the OCC’s full access, evaluation, and participation in the initiative development, but would not include regulatory outcomes such as matters requiring attention, violations of law or financial penalties. [The Bank] welcomes the OCC to consider ways to participate in reviewing the initiative outcomes outside of its standard examination processes to ensure effectiveness and provide feedback about the initiative development.’”

NOTE: I had to read the key sentence a few times to settle on its intent and meaning. That sentence is “This relief would be in the form of an agile approach to supervisory oversight, which would include the OCC’s full access, evaluation, and participation in the initiative development, but would not include regulatory outcomes such as matters requiring attention, violations of law or financial penalties.”

Was the bank saying the relief sought was an agile approach to supervisory oversight that included the OCC’s full participation in the process and no adverse regulatory outcomes? Or was the bank saying the relief sought was an agile approach to supervisory oversight that included the OCC’s full participation in the process, but did not include anything to do with adverse regulatory outcomes?

I settled on the latter meaning: that the bank was seeking the OCC’s full participation, but did not expect any regulatory forbearance.

The OCC first reiterated its position from the December 2018 joint statement by writing that it “supports responsible innovation in the national banking system that enhances the safety and soundness of the federal banking system, including responsibly implemented innovative approaches to meeting the compliance obligations under the Bank Secrecy Act.” It then wrote that it “is also open to an agile and transparent supervisory approach while the Bank is building this automated solution for filing Structuring SARs and conducting user acceptance testing.” This language is a bit different than what the OCC wrote at the top of page 2 of the letter: “the OCC is open to engaging in regular discussions between the Bank and appropriate OCC personnel, including providing proactive and
timely feedback relating to this automation proposal.”

Notably, the OCC wrote that it is “open to an agile and transparent supervisory approach”, and “open to engaging in regular discussions between the Bank and appropriate OCC personnel”, but being open to something doesn’t mean you approve of it or agree to it. In fact, the OCC didn’t appear to grant the bank’s request. In the penultimate sentence the OCC wrote: “The OCC will monitor any such changes through its ordinary supervisory processes.”

How About Forbearance to Innovate Without Fear of Regulatory Sanctions?

As set out above, in June 2019 the BPI and ABA (and eighteen others) commented on the OCC’s proposal for an innovation pilot program. The BPI commented that “the OCC should clarify publicly that … unsuccessful pilots will not warrant an MRA or other sanction unless they constitute and unsafe and unsound practice or a violation of law”, and the ABA commented that the OCC should “clarify that a participating bank will not be assigned Matters Requiring Attention (MRAs) if it acts in good faith as part of a Pilot Program”.

The OCC seems to have obliquely responded to both of those comments. In its September 2019 Interpretative Letter, the OCC took the time to write that it “will not approve a regulatory sandbox that includes forbearance on regulatory issues for the Bank’s initiative for the automation of Structuring SAR filings.” Note that the OCC made this statement even though the bank appears to have specifically indicated that the requested relief did not include forbearance from “regulatory outcomes such as matters requiring attention, violations of law or financial penalties”. And the OCC letter includes a reference to both the Interagency statement on responsible innovation and the OCC’s April 2019 Innovation Pilot Program (see footnote 25 on page 7): “banks must continue to meet their BSA/AML compliance obligations, as well as ensure the ongoing safety and soundness of the bank, when developing pilot programs and other innovative approaches.”

So although the OCC hasn’t formally responded to the comments to its June 2019 innovation program to allow banks to innovate without fear of regulatory sanction if that innovation doesn’t go well, it has made it clearer that a bank still has the choice to not innovate and not be penalized, or to innovate and risk being penalized.

(In fairness, in its Spring 2019 Semiannual Risk Perspective Report, the OCC noted that a bank’s inability to innovate is “a source of significant strategic risk.” See OCC Semiannual Risk Perspective, 2019-49 (May 20, 2019)).

Timely Feedback – Is Seven Months Timely?

As set out above, the OCC wrote that it “is open to engaging in regular discussions between the Bank and appropriate OCC personnel, including providing proactive and timely feedback …”.  The bank’s request was submitted on February 22, 2019. The OCC’s feedback was sent on September 27, 2019. So it took the OCC seven months to respond to the bank’s request for an interpretive letter. In this age of high-speed fintech disruption, seven months should not be considered “timely.” What would be timely? I would aim for 90 days.

Conclusion

This unnamed OCC-regulated bank appears to have a flashing green or cautionary yellow light from the OCC to deploy some technology and process enhancements to streamline a small percentage if its SAR monitoring, alerting, and filing.  The OCC will remain vigilant, however, warning the bank that it “must ensure that it has developed and deployed appropriate risk governance to enable the bank to identify, measure, monitor, and control for the risks associated with the automated process. The bank also has a continuing obligation to employ appropriate oversight of the automated process.”

So the message to the 1,700 or so OCC banks appears to be this: there’s no peril in not innovating, but if you decide to innovate, do so at your peril.

[1] The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the Financial Crimes Enforcement Network (FinCEN), the National Credit Union Administration, and the Office of the Comptroller of the Currency. The statement is available at https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-130a.pdf

[2] https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2019/int1166.pdf

The Current BSA/AML Regime is a Classic Fixer-Upper … and Here’s Seven Things to Fix

A 1970 Holden “Belmont” … built the same year as the first BSA-related Act was passed in the United States: the Currency and Foreign Transactions Reporting Act, PL 91-508

There is a lot of media attention around the need for a new way to tackle financial crimes risk management. Apparently the current regime is “broken” (I disagree) or in desperate need of repair (what government-run programs are not in some sort of state of disrepair?), or, at the very least, not particularly effective nor efficient. And there are a lot of suggestions from the private and public sectors on how to make the regime more effective and more efficient.  I’ll offer seven things to consider as we all work towards renovating our BSA/AML regime, to take it from its tired, dated (the last legislative change to the three statutes we call the Bank Secrecy Act was made in 2004) state to something that provides a more balanced, effective, and efficient regime.

I. Transaction Monitoring Systems

Apparently, current customer- and account-based transaction monitoring systems are highly inefficient, because for every 100 alerts they produce, five or fewer actually end up being reported to the government in a Suspicious Activity Report. The transaction monitoring software is often blamed (although bad data is the more likely culprit), and machine learning and artificial intelligence are often touted (by providers of machine learning and artificial intelligence) as the solutions. Consider the following when it comes to transaction monitoring and false positives:

  1. If a 95% false positive rate is bad … what is good? Human-generated referrals will result in SARs about 50% of the time: that might be a good standard.
  2. We have to stop tuning our transaction monitoring systems against SARs filed with law enforcement, and start tuning them against SARs used by law enforcement. I’ve written about this on many occasions, and have offered up something called the “TSV” SAR – a SAR that law enforcement indicates has Tactical or Strategic Value.
  3. High false positives rates may not be caused by bad data or poor technology at all, but by regulatory expectations – real or imagined – that financial institutions can’t afford the audit, regulatory, legal, and reputational costs of failing to identify (alert on) something unusual or anomalous that could eventually be found to have been suspicious.

(I’ve written about this on a few occasions: see, for example, RegTech Consulting Article).

It may be that transaction monitoring itself is the culprit (and not bad data, outmoded technology, or unreasonable regulatory expectations). My experience is that customer- and account-based transaction monitoring is not nearly as effective as relationship-based interaction surveillance. Let’s parse this out:

  • Customer versus relationship – focusing on a single customer is less efficient than looking at the entire relationship that customer is or could be part of. Bank’s marketing departments think in terms of households as the key relationship: credit department’s think in terms of parent and subsidiary entities and guarantors as the needed relationship in determining credit worthiness. Financial crimes departments need to also think in the same terms. It is simply more encompassing and more efficient.
  • Transaction versus interaction – customers may interact with a bank many times, through a phone call, an online session, a balance inquiry, or a mobile look-up, before they will perform an actual transaction or movement of value. Ignoring those interactions, and only focusing on transactions, doesn’t provide the full picture of that customer’s relationship with the bank.
  • Monitoring versus surveillance – monitoring is not contextual: it is simply looking at specific transaction types, in certain amounts or ranges, performed by certain customers or customer classes. Surveillance, on the other hand, is contextual: it looks at the context of certain activity compared against all activity of that customer over time, and/or of certain activity of that customer compared to other customers within its class (Whatever that class may be).

So the public sector needs to encourage the private sector to shift from a customer-based transaction monitoring regime to a relationship-based interaction surveillance regime.

II. Information Sharing

Crime and criminal organizations don’t operate in a single financial institution or even in a single jurisdiction. Yet our BSA/AML regime still encourages single entity SAR filers and doesn’t promote cross-jurisdictional information sharing.  The tools are available to better share information across a financial institution, and between financial institutions. Laws, regulations, and regulatory guidance all need to change to specifically and easily allow a single financial institution operating in multiple jurisdictions to (safely) share more information with itself, to allow multiple institutions in a single and multiple jurisdictions to (safely) share more information between them, and to allow those institutions to jointly investigate and report together. Greater encouragement and use of Section 314(b) associations and joint SAR filings are critical.

III. Classical Music, or Jazz?

Auditors, regulators, and even a lot of FinTech companies, would prefer that AML continue to be like classical music, where every note (risk assessments and policies) is carefully written, the music is perfectly orchestrated (transaction monitoring models are static and documented), and the resulting music (SAR filings) sounds the same time and time again regardless of who plays it. This allows the auditors and regulators to have perfectly-written test scripts to audit and examine the programs, and allows the FinTech companies to produce a “solution” to a defined problem. This approach may work for fraud, where an objective event (a theft or compromise) produces a defined result (a monetary loss). But from a financial institution’s perspective, AML is neither an objective event nor a defined result, but is a subjective feeling that it is more likely than not that something anomalous or different has occurred and needs to be reported. So AML is less like classical music and more like jazz: defining, designing, tuning, and running effective anti-money laundering interaction monitoring and customer surveillance systems is like writing jazz music … the composer/arranger (FinTech) provides the artist (analyst) a foundation to freely improvise (investigate) within established and consistent frameworks, and no two investigations are ever the same, and similar facts can be interpreted a different way by different people … and a SAR may or may not be filed. AML drives auditors and examiners mad, and vexes all but a few FinTechs. So be it. Let’s acknowledge it, and encourage it.

IV. Before Creating New Tools, Let’s Use the Ones We Have

The federal government has lots of AML tools in its arsenal: it simply needs to use them in more courageous and imaginative ways. Tools such as section 311 Special Measures and 314 Information Sharing are grossly under-utilized. Information sharing is discussed above: section 311 Special Measures are reserved for the most egregious bad actors in the system, and are rarely invoked. But the reality is that financial institutions will kick out a customer or not (knowingly) provide services to entire classes of customers or in certain jurisdictions for fear of not being able to economically manage the perceived risk/reward equation of that customer or class of customer or jurisdiction. But that customer or class or jurisdiction simply goes to another financial institution in the regulated sector, or to an institution in an un- or under-regulated sector (the notion of “de-risking”). The entire financial system would be better off if, instead of de-risking a suspected bad customer or class of customer or jurisdiction, financial institutions were not encouraged to exit at all, but encouraged to keep that customer or class, and monitor for and report any suspicious activity. Then, if the government determined that the customer or class of customers was too systemically risky to be banked at all, it could use section 314 to effectively blacklist that customer or class of customers. Imposing “special measures” shouldn’t be a responsibility of private sector financial institutions guessing at whether a customer or class of customers is a bad actor: it is and should be the responsibility of the federal government using the tool it currently has available to it: Section 311.

V. … and Let’s Restore The Tool We Started With

The reporting of large cash transactions was the first AML tool the US government came up with (in 1970 as part of the Currency & Foreign Transactions Reporting Act).  Those reports, called Currency Transaction Reports, or CTRs, started out as single cash transactions on behalf of an accountholder, for more than $10,000.  They have since morphed to one or more cash transactions aggregating to more than $10,000 in a 24-hour period, by or on behalf of one or more beneficiaries.  There will be more than 18 million CTRs filed this year, and apparently law enforcement finds them an effective tool. But there is nothing more inefficient: simply put, CTRs are now the biggest resource drain in BSA/AML. Because of regulatory drift, CTRs are de facto SAR-lites … we need to get back to basic CTRs and redeploy the resources used to wrestle with the ever-expanding aggregation and “by or on behalf of” requirements, and deploy them against potential suspicious activity. And forget about increasing the threshold amount from the current “more than $10,000” standard: $10,000 is almost 5,000 times the amount of the average cash transaction in the United States today (which is $22, according to multiple reports from the Federal Reserve), and no one can argue that having a requirement to report a transaction or transactions that are 5,000 times the average is unreasonable. And it isn’t the amount that causes inefficiencies, it is the requirements to (i) aggregate multiple transactions totaling more than $10,000 in a 24-hour period, (ii) to identify and aggregate transactions “by or on behalf of” multiple parties and accountholders, and (iii) exempt, on a bank-by-bank basis, certain entities that can be exempted (but rarely are) from the CTR filing regime. If anything, we could save and redploy resources if the CTR threshold was the same as the SAR threshold – $5,000.

VI. The Clash of the Titles

And remember the “Clash of the Titles” … the protect-the-financial-system (filing great SARs) requirements of Title 31 (Money & Finance … the BSA) are trumped by the safety and soundness (program hygiene) requirements of Title 12 (Banks & Banking), and financial institutions act defensively because of the punitive measures in Title 18 (Crimes & Criminal Procedure) and Title 50 (War … OFAC’s statutes and regulations). There is a need to harmonize the Four Titles – or at least Titles 12 and 31 – and how financial institutions are examined against them. BSA/AML people are judged on whether they avoid bad TARP results (from being Tested, Audited, Regulated, and Prosecuted) rather than  on whether they provide actionable, timely intelligence to law enforcement. Today, most BSA Officers live in fear of not being able to balance all their commitments under the four titles: the great Hugh MacLeod was probably thinking of BSA Officers when he wrote: “I do the work for free. I get paid to be afraid …”

VII. A Central Registry for Beneficial Ownership Information

At the root of almost all large money laundering cases are legal entities with opaque ownership, or shell companies, where kleptocrats, fraudsters, tax evaders, and other miscreants can hide, move, and use their assets with near impunity.  Greater corporate transparency has long been seen as one of the keys to fighting financial crime (the FATF’s Recommendation 24 on corporate transparency was first published in 1993), and accessible central registries of beneficial ownership information have been proven to be the key to that greater transparency. Yet the United States is one of the few major financial centers that does not have a centralized registry of beneficial ownership information. I’ve written that without such a centralized registry, the current beneficial ownership requirements are ineffective.  See Beneficial Ownership Registry Article. Two bills currently before Congress – the Senate’s ILLICIT Cash Act (S2563) and the House’s Corporate Transparency Act (HR2513) both contemplate a centralized registry of beneficial ownership maintained by FinCEN. But both of those bills – and FATF recommendations and guidance on the same issue – fall short in that they only allow law enforcement (or “competent authorities” using the FATF term) to freely access that database. The bills before Congress allow financial institutions to access the database but only with the consent of the customer they’re asking about and only for the purposes of performing due diligence on that customer. I have proposed that those bills be changed to also allow financial institutions to query the database without the consent of the entity they’re asking about for the purposes of satisfying their suspicious activity reporting requirements.

Conclusion – Seven Fixer-Upper Projects for the BSA/AML Regime

  1. Shift from customer-centric transaction monitoring systems to relationship-based interaction surveillance systems
  2. Encourage cross-institutional and cross-jurisdictional information sharing
  3. Encourage the private sector to be more creative and innovative in its approach to AML – AML is like jazz music, not classical music
  4. Address de-risking through aggressive use of Section 311 Special Measures
  5. Simplify the CTR regime. Please. And forget about increasing the $10,000 threshold – in fact, reduce it to $5,000
  6. As long as financial institutions are judged on US Code Titles 12, 18, 31, and 50, expect them to be both ineffective and inefficient. Can Titles 12 and 31 try to get along?
  7. A central registry of beneficial ownership information that is freely accessible to financial institutions is a must have

FinCEN’s FY2020 Report to Congress Reveals its Priorities and Performance

FinCEN Needs More Resources – and a TSV SAR Feedback Loop – To Really Make a Difference in the Fight Against Crime & Corruption

Every year each US federal government department and agency submits its Congressional budget justification and annual performance report and plan: essentially a document that says to Congress “here’s our mission, here’s how we did last year, here’s what we need for next year.” FinCEN’s fiscal year 2020 (October 1, 2019 through September 30, 2020) Congressional Budget Justification and Annual Performance Report and Plan is available at

https://home.treasury.gov/system/files/266/12.-FINCEN-FY-2020-CJ.pdf

My notes on the 14-page document summarize some of the key aspects of the report.

First is a summary of what FinCEN does: its areas of responsibility. Of note is the seventh area – “bringing together the disparate interests of law enforcement, [158 foreign] FIUs, regulatory partners, and industry”. This is also an admission that the interests of the various public and private sector participants are, in fact, disparate. Which begs the questions “should there be disparate interests?” and “what can we do to bring all these participants together and forge a single, unified interest of safeguarding the financial system from illicit use, combating money laundering, and promoting national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence?” (quoting FinCEN’s mission statement).  When it comes to fighting human trafficking, drug trafficking, etc., different perspectives are healthy and expected … competing or disparate interests are counterproductive.

Second, many people will be surprised at just how small FinCEN is – from the number of people to its overall budget – given the importance of its mission. The FY2019 budget called for 332 people and a budget of $115 million. The FY2020 budget proposes an increase to 359 people and a budget of $124.7 million, with the increase in people split between two priority programs: 13 for cybercrime, and 14 for “special measures”, which includes the actual special measures section (section 311) of the Patriot Act, requests to financial institutions for data on foreign financial institution wire transfers, and Geographic Targeting Orders.  As a “participant” for 20+ years, I would like to see what FinCEN could do if it had 659 people and a budget of $224.7 million: perhaps the $100 million to fund FinCEN’s efforts to combat human trafficking, narcotics trafficking, and foreign corruption could come from a 2.8% reduction in the “new drone procurement” budget request of the Department of Defense …

Third, the data on SARs filed, total BSA reports filed, and BSA Database Users is interesting. From FY2014 through FY2018 (actuals) and through FY2020 (estimates), the number of SARs filed has gone from 1.9 million to 2.7 million, an increase of 41.5%. But in the same period, the total number of BSA reports filed – including SARs – has gone from 19.2 million to 20.9 million, an increase of only 9.2%. That tells us two things: SARs are estimated to make up about 1 out of every 8 BSA reports filed in FY2020 compared to 1 out of every 10 BSA reports filed in FY2014 (a positive trend); and the total number of non-SAR BSA filings has essentially been the same for the last 7 years. In other words, the number of CTRs, CMIRs, and FBARs is not going up.

Fourth, there is the axiomatic, reflexive gripe that the SAR database is a black-hole: that financial institutions file SARs then never hear anything back from FinCEN or law enforcement as to whether those SARs are meaningful, effective, useful.  But look at the following from page 12:

FinCEN monitors the percentage of domestic law enforcement and regulators who assert queried BSA data led to detection and deterrence of illicit activity. This performance measure looks at the value of BSA data, such as whether the data provided unknown information, supplemented or expanded known information, verified information, helped identify new leads, opened a new investigation or examination, supported an existing investigation or examination, or provided information for an investigative or examination report. In FY 2018, FinCEN narrowly missed its target of 86 percent with 85 percent of users finding value from the data. FinCEN will work toward increasing its FinCEN Portal/FinCEN Query training efforts to provide more users with the knowledge needed in order to better utilize both FinCEN Portal and FinCEN Query. In FY 2019, the target is set at 86 percent and 87 percent in FY 2020.

Looking at this in a positive light, there appears to be a feedback loop between the users of BSA data – law enforcement and the regulators – and FinCEN, where law enforcement and regulators can assert – therefore they can determine – whether BSA data (mostly SARs and CTRs) led to detection and deterrence of illicit activity: whether the data provided unknown information, supplemented or expanded known information, verified information, helped identify new leads, opened a new investigation or examination, supported an existing investigation or examination, or provided information for an investigative or examination report.

The feedback loop between the users of BSA data (law enforcement, regulators, and FinCEN) must be expanded to include the producers (financial institutions) of BSA data

I have written previously about the need to provide financial institutions with more feedback on the 20 million+ BSA reports they produce every year. See, for example: https://regtechconsulting.net/uncategorized/rules-based-monitoring-alert-to-sar-ratios-and-false-positive-rates-are-we-having-the-right-conversations/

In that article, I introduced something I call the “TSV” SAR, or “Tactical or Strategic Value” SAR. I wrote:

How do you determine whether a SAR provides value to Law Enforcement? One way would be to ask Law Enforcement, and hope you get an answer. That could prove to be difficult.  Can you somehow measure Law Enforcement interest in a SAR?  Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, Law Enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.  What is a “TSV SAR”? A SAR that has Tactical or Strategic Value to Law Enforcement, where the value is determined by Law Enforcement providing a response or feedback to the filing financial institution within five years of the filing of the SAR that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value. If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within five years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement, and when that information is shared across the industry, others could also reduce their false positive rates.

Tactical or Strategic Value (TSV) SAR Feedback Loop

It appears that there are already mechanisms in place for law enforcement and the regulators to determine whether the 20 million CTRs and SARs that are being filed every year provide unknown information, supplement or expand known information, verify information, help identify new leads, open a new investigation or examination, support an existing investigation or examination, or provide information for an investigative or examination report. There is a way – there is always a way if there is the will – to provide that information to the private sector filers of the CTRs and SARs. Perhaps there is a member of Congress out there that could tweak FinCEN’s Fiscal Year 2020 budget request a little bit to give it the people power and monetary resources to begin developing a TSV SAR Feedback loop. We’d all benefit.