Leak of thousands of FinCEN SARs reveals large international banks still struggling on AML, serving illicit gatekeepers, corrupt powerbrokers, terror groups: ICIJ report

ICIJ FinCEN AML SAR Leak

The Skinny:

  • The highly-anticipated leak of sensitive, suspicious filings by the U.S. Treasury’s top counter-crime compliance body has turned into a deluge, a watershed moment for investigative journalism, but a dark damnation of the banking sector’s cumulative efforts to stop the illicit, the corrupt and the chaos bringers.
  • The International Consortium of Investigative Journalists (ICIJ) – the same group behind the Panama Papers, Paradise Papers and other seminal reports – Sunday broke its latest piece, reportedly revealing that the biggest banks in the United States, United Kingdom, Europe and other regions moved trillions of dollars for a criminal cabal of all stripes.
  • The media reports were based on thousands of leaked suspicious activity reports (SARs) filed by banks and other financial firms as part of their AML compliance program requirements with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN).
  • The stories by the ICIJ, Buzzfeed and other partner media groups also represent their most direct condemnation against the cumulative efforts of the current frontline vanguard of the fight against financial crime: the anti-money laundering (AML) compliance teams working at large global banks.
  • In all, ICIJ stated the cache of “documents identify more than $2 trillion in transactions between 1999 and 2017 that were flagged by financial institutions’ internal compliance officers as possible money laundering or other criminal activity — including $514 billion at JPMorgan and $1.3 trillion at Deutsche Bank.”
  • The records “show that five global banks — JPMorgan, HSBC, Standard Chartered Bank, Deutsche Bank and Bank of New York Mellon — kept profiting from powerful and dangerous players.”
  • Moreover, these high-risk engagements seemingly continued even after many of these banks paid hundreds of millions – and even billions of dollars – in fines for broad and longstanding AML and sanctions failures and continued as internal compliance teams raised a litany of concerns about loudly waving red flags, the ICIJ wrote. 

By Brian Monroe
bmonroe@acfcs.org
September 20, 2020

The dam has broken.

The highly-anticipated leak of sensitive, suspicious filings by the U.S. Treasury’s top counter-crime compliance body has turned into a deluge, a watershed moment for investigative journalism, but a dark damnation of the banking sector’s cumulative efforts to stop the illicit, the corrupt and the chaos bringers.

The International Consortium of Investigative Journalists (ICIJ) – the same group behind the Panama Papers, Paradise Papers and other seminal reports – Sunday broke its latest piece, reportedly revealing that the biggest banks in the United States, United Kingdom, Europe and other regions moved trillions of dollars for a criminal cabal of all stripes.

The stories by the ICIJ, Buzzfeed and other partner media groups also represent their most direct condemnation against the cumulative efforts of the current frontline vanguard of the fight against financial crime: the anti-money laundering (AML) compliance teams working at large global banks.

To read the full series, click here.  

To get a snapshot of the stories published by the ICIJ and other news agencies aggregated by AML fincrime professional Dev Odedra at The Laundry News, click here.

In all, an ICIJ analysis found, the “documents identify more than $2 trillion in transactions between 1999 and 2017 that were flagged by financial institutions’ internal compliance officers as possible money laundering or other criminal activity — including $514 billion at JPMorgan and $1.3 trillion at Deutsche Bank.”

The records “show that five global banks — JPMorgan, HSBC, Standard Chartered Bank, Deutsche Bank and Bank of New York Mellon — kept profiting from powerful and dangerous players.”

Moreover, these high-risk engagements seemingly continued even after many of these banks paid hundreds of millions – and even billions of dollars – in fines for broad and longstanding AML and sanctions failures and continued as internal compliance teams raised a litany of concerns about loudly waving red flags, the ICIJ wrote.

The media reports were based on thousands of leaked suspicious activity reports (SARs) filed by banks and other financial firms as part of their AML compliance program requirements with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN).

Under-resourced, overwhelmed and late to the party

Even with banks working in recent years to bolster “efficiency and effectiveness” and improve a “tone at the top” while fostering a “culture of compliance,” the ICIJ reports detail an AML system at many banks with woefully inadequate resources and simply overwhelmed by the sheer sums of potentially suspicious funds flowing through their institutions.

In essence, there are simply too many alerts from transaction monitoring systems – even as institutions embrace new technologies like artificial intelligence, machine learning and automation – to give these potential pings of impropriety proper depth of investigative focus.

The ratio of alerts to analysts is untenable – a common theme and familiar refrain in recent years in federal regulatory AML enforcement actions and monetary penalties.

This was borne out in the ICIJ reporting with examples of SARs that had taken months or years to get filed – even though these filings have 30-day and 60-day deadlines.

“The SARs also showed that banks often moved funds for companies that were registered in offshore havens, such as the British Virgin Islands, and did not know the ultimate owner of the account,” the report said, according to Reuters.

Investigative teams often used Google to determine risk and beneficial ownership details tied to large, risky transactions, according to the report.

What types of risky transactions, later linked to illicit entities?

“Funds processed by JPMorgan for potentially corrupt individuals and companies in Venezuela, Ukraine and Malaysia; money from a Ponzi scheme moving through HSBC; and money linked to a Ukrainian billionaire processed by Deutsche Bank,” Reuters noted.

In statements to ICIJ and on their websites, many of the banks mentioned by name in the leak have countered that the SARs and alleged activity are tied to historical gaps that have since been addressed and improved and that while the reports may paint these institutions as compliance pariahs, they are in fact, staunch and steadfast law enforcement allies.

The leaked documents, referred to as the FinCEN Files, include more than 2,100 SARs filed by banks and other financial firms with the U.S. Department of Treasury’s Financial Crimes Enforcement Network.

BuzzFeed News obtained the records and shared them with the International Consortium of Investigative Journalists. ICIJ organized a team of more than 400 journalists from 110 news organizations in 88 countries to investigate the world of banks and money laundering.

FinCEN frontran leak with pledge to retool U.S. AML regime

While the leak is dominating headlines, FinCEN just last week had stated that the U.S. AML regime will be changing – radically, with an eye toward better balancing risks, resources and results.

FinCEN stated it is engaging in a broad overhaul of the country’s financial crime compliance defenses, shifting more toward creating “effective and reasonably designed” programs that produce filings with a “high degree of usefulness” to law enforcement – even though the term “effectiveness” has no “consistent definition” in current rules.

In tandem, FinCEN also querying sectors subject to AML rules to determine if they could better manage risks, resources and threat actors if the bureau created national AML priorities.

Creating nation-wide financial crime and compliance priorities would be a herculean effort, but would be underpinned and informed by other national illicit finance, proliferation and terror risk assessments already being created as part of international oversite body recommendations.

Part and parcel of the proposal would also be to more concretely graft a longstanding compliance best practice and federal regulatory exam flashpoint into formal rules: the AML risk assessment, according to an advanced notice of proposed rulemaking (ANPR).

To read the full notice in the Federal Register published Wednesday, click here.

To read ACFCS coverage of the announcement, click here.

New ‘priorities’ to better manage evolving AML risks

Under the update, FinCEN’s bi-annual “Strategic Anti-Money Laundering Priorities” would inform bank AML risk assessments.

The tacit logic: banks would better be able to marshal technology and investigator capabilities and limited capacities to address rising risks, evolving criminal threat tactics and address more immediate law enforcement intelligence needs.

The FinCEN updates to AML objectives and effectiveness are not occurring in a vacuum.

The moves are informed by overarching efforts by global watchdog and private sector groups to prioritize “effectiveness” over technical compliance, at both the country, law enforcement and financial institutions levels, including the Paris-based Financial Action Task Force (FATF), the Wolfsberg Group, the Egmont Group of Financial Intelligence Units (FIUs) and others.

In all, the updates cover “developing and focusing on AML priorities, reallocation of compliance resources, modernizing monitoring and reporting, information sharing, regulatory innovations, and for the first time ever, issuing national AML priorities and defining an effective AML program,” said a top fincrime compliance professional at a large U.S. bank.

“If these become regulations, they would make our AML regime more efficient and effective, produce more useful information for law enforcement, and better protect our financial system from criminals.”

In FinCEN leak aftershocks, fear to file in breach of confidentiality

In an ignoble irony, while FinCEN publicly touts what could be powerful changes to AML to truly help banks, ameliorate regulators and arm law enforcement to truly target and cripple the mega launderers, narco kingpins, graft-gilt political powermongers and terror cells, the leak could cause institutions to be gun-shy when filing SARs.

FinCEN noted the seriousness of the leak in a statement earlier this month tied to impending ICIJ report.

FinCEN holds millions upon millions of filings from banks tied to AML reporting rules tied to what banks consider potential indicators of illicit activity, typically more than $5,000, and direct or aggregated deposits of more than $10,000, called currency transaction reports (CTRs).

FinCEN stated it “is aware that various media outlets intend to publish a series of articles based on unlawfully disclosed” SARs, as well as “other sensitive government documents, from several years ago.” 

The unauthorized disclosure of SARs is a “crime that can impact the national security of the United States, compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports,” FinCEN said in the statement. 

FinCEN has already referred matter to federal investigative agencies, including the U.S. Department of Justice and the U.S. Department of the Treasury’s Office of Inspector General.

To read the full statement, please click here

To read ACFCS coverage and a preview of the leak, click here.

In insider ‘whistleblower’ breach, a preview of larger leak to come

FinCEN in the last two years has already had a high-profile case of SARs being leaked to the media.

In January, a senior Treasury Department official pleaded guilty to leaking confidential financial reports, after being charged with disclosing information related to Russia and the President’s associates.

Natalie Mayflower Sours Edwards, a senior adviser at FinCEN, entered a guilty plea to one count of conspiracy. She faces between zero and six months in prison as part of the deal.

In an 18-page criminal complaint, authorities detailed nearly a dozen stories published by news site, BuzzFeed, over the course of a year where Edwards served as a secret source.

She allegedly handed over specific details on individuals and related financial transactions, which potentially revealed monetary support for Russian meddling during the 2016 presidential campaign.

She originally stated she viewed herself as a whistleblower and even believed her actions would be protected.

The apparent goal was to uncover concrete financial linkages between these Russian activities and associates of President Donald Trump, including now convicted felon Paul Manafort, his former campaign manager, Paul Gates, the Russian embassy, and others.

It was no surprise someone — in this case Edwards — made the connection that if there were illicit details to be had in the Russia probe, they could be buried somewhere in the terabytes of data housed in FinCEN’s AML database. 

FinCEN is the main repository for this information.

Could law enforcement investigations take a hit after FinCEN files leak?

Having so many filings in one place allows bureau analysts to engage in proactive investigations to uncover large-scale criminal trends.

FinCEN then shares those details with banks and other government agencies with purview over investigating and taking down criminal and terror networks and defending the nation against foreign and domestic threats.

The database is also a trusted resource for virtually every major federal investigative agency – and many state and local law enforcement offices.

Beyond FinCEN sharing the results of its own database analyses, federal and state investigators have remote access to the FinCEN database directly to query for details to form the foundation of a case or attempt to break new ground in current investigations related to companies, individuals, regions and more.

Moreover, while several government agents in recent years – typically those involved in national security – have been arrested and sentenced for improperly handling classified information, the FinCEN case is an anomaly.

For a FinCEN analyst to be sanctioned for mining the database to allegedly get dirt on political foes, then steal the data itself, possibly targeting even the current U.S. president, is exceedingly rare.

But for those in AML compliance and investigative circles, this situation – along with a few others – was always a “worst case scenario” waiting to happen.

An insider SAR leak is bad. An external breach worse. Data destruction, the worst.  

Here are two other situations FinCEN is doing its best to guard against: what would happen if a criminal hacker, through stealing the login credentials of a database user or abusing a software vulnerability, gained access to the database and downloaded all or some of the information?

They could then sell those details to the highest bidder among a cabal of illicit groups so that criminal groups could know what every bank has on them, and potentially every past or current government investigation – crippling who knows how many ongoing cases.

But even as bad as that could be, there is one involving FinCEN that would likely be considered the most feared of all: full or partial data destruction.

How?

What if a hacker gained access to the database itself and rather than trying to steal or download it, introduced a virus or other insidious piece of malware that destroyed some or all of the data altogether? 

Such move would broadly hamstring many domestic and international, complex financial crime cases.

That’s because there are so many agencies around that world that rely on details in the FinCEN database to initiate and strengthen cases and pull together seemingly disparate sources of information to crack the diffuse, hidden trails of savvy organized criminal groups who are actively trying to mask their touchpoints with the formal financial system. 

Are SAR safe harbors, sharing protections also irrevocably broken?

What is also unclear now is if FinCEN is still protected by civil and other lawsuits tied to SARs now that they are out in the open.

Jilted businesses that feel they are put in a bad light, jaded investors upset how a SAR made them look and others could start suing banks named in the ICIJ investigation.

Typically, SARs filed through proper channels have broad protections and sharing safe harbors under Patriot Act Sections 314(a) – law enforcement querying and sharing information on individuals suspected of money laundering – and 314(b), which allows banks to share information with each other on entities potentially tied to financial crime.

If somehow a person finds out about a SAR filed on them and tries to sue in court, these protections prevent defense attorneys getting access to these filings.

But now that the SARs were not shared from law enforcement or between banks, it could open the door to legal fusillades without institutions able to wield the safe harbor shield that had kept them safe for nearly two decades – a further erosion of the formerly confidential and sacrosanct SAR filing regime.