In cryptic statement, FinCEN warns of leak, theft tied to SAR database, but whether a drip or a deluge, answer coming soon

The Skinny:

  • The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), the country’s financial intelligence unit (FIU), has issued a statement about several impending news reports about a breach related to its anti-money laundering (AML) filing database.
  • The arbiter of financial crime compliance defenses in the United States has warned that a number of unnamed news agencies are on the cusp of publishing a series of stories about a leak or theft tied to the financial sector’s most sensitive and sacrosanct filings: suspicious activity reports (SARs).
  • FinCEN holds millions upon millions of filings from banks tied to AML reporting rules tied to what banks consider potential indicators of illicit activity, typically more than $5,000, and direct or aggregated deposits of more than $10,000, called customer transaction reports (CTRs).
  • The unauthorized disclosure of SARs is a “crime that can impact the national security of the United States, compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports,” FinCEN said in the statement. 
  • The vague statement has become water cooler talk for the range of stakeholders in the fight against financial crime – current and former compliance officers, regulators and investigators – with many fearing the worst.
  • The biggest fear for banks, and FinCEN, is that this is a large-scale hack by organized crime or a foreign nation state or terabytes of data pilfered by an insider, similar to the Panama and Paradise Papers-related data dumps.
  • But banks, regulators and investigators all could be harmed by such a leak. 

By Brian Monroe
bmonroe@acfcs.org
September 4, 2020

The arbiter of financial crime compliance defenses in the United States has warned that a number of unnamed news agencies are on the cusp of publishing a series of stories about a leak or theft tied to the financial sector’s most sensitive and sacrosanct filings tied to potential fraud, money laundering and other crimes.

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), the country’s financial intelligence unit (FIU), has issued a statement this week about several impending news reports about a breach related to its anti-money laundering (AML) filing database.

While FinCEN did not confirm the leak, the agency did say the news reports will cover unlawful disclosure of suspicious activity reports (SARs).

FinCEN holds millions upon millions of filings from banks tied to AML reporting rules tied to what banks consider potential indicators of illicit activity, typically more than $5,000, and direct or aggregated deposits of more than $10,000, called currency transaction reports (CTRs).

FinCEN stated it “is aware that various media outlets intend to publish a series of articles based on unlawfully disclosed” SARs, as well as “other sensitive government documents, from several years ago.” 

While no one knows the how of the disclosure, the who could be in serious trouble.

The unauthorized disclosure of SARs is a “crime that can impact the national security of the United States, compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports,” FinCEN said in the statement. 

FinCEN has already referred matter to federal investigative agencies, including the U.S. Department of Justice and the U.S. Department of the Treasury’s Office of Inspector General.

To read the full statement, please click here

A large-scale SAR breach, and sense that confidentiality is broken, could bring it all crashing down

The vague statement has become water cooler talk for the range of stakeholders in the fight against financial crime – current and former compliance officers, regulators and investigators – with many fearing the worst.

The biggest fear for banks, and FinCEN, is that this is a large-scale hack by organized crime or a foreign nation state or terabytes of data pilfered by an insider, similar to the Panama and Paradise Papers-related data dumps.

But banks, regulators and investigators all could be harmed by such a leak.

“Highly classified data leakage means loss in revenue because now not only customers of SARs are knowing it, but customers friends, colleagues, and other third party [groups] knowing it,” said one commenter on social media.

“Being a regulator, this is highest level of compromise which will result in untrust of banks and hence filing of SARs would be impacted,” said the person, adding that for investigators, a breach by an insider or outside hacking group has the “potential to disrupt the legal framework, especially data confidentiality and customer trust!”

If banks don’t feel the filings will stay confidential, it could cause irreparable harm to the entire AML filing regime.

The “reliability of the whole system to protect [SAR] confidentiality…Now questionable…with a host of banking information on customers not proven yet in law as to any money laundering offences only deemed *suspicious*” could open “the doors to lawsuits by customers,” said a second fincrime compliance professional.

What is currently unknown is the context and size of the disclosure.

“Are they the ones that Deutsche Bank decided to actually file about the president and his failson-in-law? The ones Cy Vance’s grand jury is digging through while it waits—and waits and waits and waits—for Trump’s tax returns?” asked Dealbreaker.

FinCEN in the last two years has already had a high-profile case of SARs being leaked to the media.

In January, a senior Treasury Department official pleaded guilty to leaking confidential financial reports, after being charged with disclosing information related to Russia and the President’s associates.

Natalie Mayflower Sours Edwards, a senior adviser at FinCEN, entered a guilty plea to one count of conspiracy. She faces between zero and six months in prison as part of the deal.

In an 18-page criminal complaint, authorities detailed nearly a dozen stories published by news site, BuzzFeed, over the course of a year where Edwards served as a secret source.

She allegedly handed over specific details on individuals and related financial transactions, which potentially revealed monetary support for Russian meddling during the 2016 presidential campaign.

The apparent goal was to uncover concrete financial linkages between these Russian activities and associates of President Donald Trump, including now convicted felon Paul Manafort, his former campaign manager, Paul Gates, the Russian embassy, and others.

The FinCEN database: a tempting treat for jaded insiders, external hackers

It was no surprise someone — in this case Edwards — made the connection that if there were illicit details to be had in the Russia probe, they could be buried somewhere in the terabytes of data housed in FinCEN’s AML database. 

FinCEN is the main repository for this information.

Having so many filings in one place allows bureau analysts to engage in proactive investigations to uncover large-scale criminal trends.

FinCEN then shares those details with banks and other government agencies with purview over investigating and taking down criminal and terror networks and defending the nation against foreign and domestic threats.

The database is also a trusted resource for virtually every major federal investigative agency – and many state and local law enforcement offices.

Beyond FinCEN sharing the results of its own database analyses, federal and state investigators have remote access to the FinCEN database directly to query for details to form the foundation of a case or attempt to break new ground in current investigations related to companies, individuals, regions and more.

Moreover, while several government agents in recent years – typically those involved in national security – have been arrested and sentenced for improperly handling classified information, the FinCEN case is an anomaly.

For a FinCEN analyst to be sanctioned for mining the database to allegedly get dirt on political foes, then steal the data itself, possibly targeting even the current U.S. president, is exceedingly rare.

But for those in AML compliance and investigative circles, this situation – along with a few others – was always a “worst case scenario” waiting to happen.

The question: how secure is the AML database?

In conferences and conversations, whenever the subject of FinCEN, SARs and CTRs came up, one professional would invariably turn to another and say, “Wow, I wonder what would happen if some analyst or investigator had an agenda or axe to grind, and just decided to ping the database for themselves to find skeletons in the closet of a cross-party adversary, ex-boss or ex-wife.”

The response was always the same: whoever ever did something like that could, and likely would, find confidential information that could seriously tarnish the reputation of a captain of industry or political powerbroker.

The information in the FinCEN database is that powerful.

Beyond that, while a terrible breach of trust, the law and shaking of the confidential foundations the whole of the AML compliance world is built upon, illicit use of the data by a jaded employee is actually one of the milder of the nightmare scenarios that could befall FinCEN and its coveted database.

There is much, much worse.

Darknet market SARs or data destruction: You pick the nightmare

Here are two other situations FinCEN is doing its best to guard against: what would happen if a criminal hacker, through stealing the login credentials of a database user or abusing a software vulnerability, gained access to the database and downloaded all or some of the information?

They could then sell those details to the highest bidder among a cabal of illicit groups so that criminal groups could know what every bank has on them, and potentially every past or current government investigation – crippling who knows how many ongoing cases.

But even as bad as that could be, there is one involving FinCEN that would likely be considered the most feared of all: what if a hacker gained access to the database itself and rather than trying to steal or download it, introduced a virus or other insidious piece of malware that destroyed some or all of the data altogether. 

Such move would broadly hamstring many domestic and international, complex financial crime cases.

That’s because there are so many agencies around that world that rely on details in the FinCEN database to initiate and strengthen cases and pull together seemingly disparate sources of information to crack the diffuse, hidden trails of savvy organized criminal groups who are actively trying to mask their touchpoints with the formal financial system. 

*This post has been updated.