The FinCEN Files: Were Banks Complacent or Doing Their Job?

In September, Buzzfeed News and the International Consortium of Investigative Journalists (“ICIJ”) reported on documents leaked from the Financial Crimes Enforcement Network (“FinCEN”), which is the Department of the Treasury's bureau tasked to: “safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.”[1] This reporting, known as the “FinCEN Files” sent shockwaves across the financial services industry, and it portrayed both FinCEN and financial institutions (“FI”) as complacent in monitoring suspicious activity.

While some FIs may have been complacent, largely FIs have fulfilled their compliance duties in regard to FinCEN, but FinCEN and law enforcement agencies have historically lacked sufficient funding, resources and information-sharing capabilities to effectively pursue and root out illicit use of the financial system. According to their own records, FinCEN receives an average of 2 million Suspicious Activity Reports (“SAR”) a year and yet employs only about 300 employees. How can one government agency so small possibly review and analyze 2 million SARs a year looking for bad actors?

Coincidentally, in September, FinCEN published an advanced notice of proposed rulemaking requesting public comment on potential regulatory amendments that would “explicitly define an effective and reasonably designed anti-money laundering (“AML”) program”. If implemented these changes could place an additional burden on FIs and their AML programs.


What the Current Rules State

The preparation and filing of a SAR with FinCEN is not optional, and FIs are held accountable for failing to file SARs and not meeting the filing deadlines. The law states that a FI is required to file a SAR no later than 30 calendar days after the date of the initial detection of facts that may constitute a basis for filing a SAR. If no suspect was identified on the date of detection of the incident requiring the filing, the bank may delay filing for an additional 30 days to identify a suspect. In no case shall reporting be delayed more than 60 calendar days after the date of initial detection of a reportable transaction.[2] 

The Currency and Foreign Transactions Reporting Act of 1970, commonly referred to as the Bank Secrecy Act (“BSA”), goes even further by requiring U.S. FIs to assist U.S. government agencies to detect and prevent money laundering. Specifically, one area of the act requires FIs to report suspicious activity that might signify money laundering, tax evasion or other criminal activities. FinCEN has instructed FIs that they must file SARs when certain circumstances occur. 

The USA Patriot Act has also expanded SAR requirements to help combat domestic and global terrorism. The act expanded the immunity from liability for reporting suspicious activities and expands prohibition against notification by the FI to any individual involved in the transaction, that the transaction was reported.  

Due to the information contained in a SAR, confidentiality of the SAR and any information that would reveal the existence of a SAR is required. As such, there are criminal penalties for disclosure of a SAR. Under the BSA, willful disclosure of a SAR or its contents by government employees or agents is a felony unless necessary to fulfill official duties.


The Role of FIs in Monitoring Suspicious Activity

The ICIJ reports have painted banks as complacent, suggesting they turned a blind eye to the suspicious activity and, instead, were more focused on the fees they could collect on the accounts. While this may be true in some instances, many of the banks were doing precisely what was required of them by filing SARs when they detected suspicious activity. FIs are required by law to maintain an effective compliance program which must include at a minimum the designation of a compliance officer, development of internal policies, procedures and controls, ongoing employee training and an independent audit function to test the program. In an adequately designed compliance program FIs would be alerted to unusual activity to review and investigate. If the activity was deemed suspicious and meeting the criteria for reporting, a SAR would be filed. There are also instances where historical reviews are conducted on transactions due to a FIs own review or at the request of a regulator. If suspicious activity is revealed during this “lookback” a SAR will be filed. This type of delayed reporting was also highlighted by the ICIJ as a FI failure, although it is actually the FI remediating any prior lapse in their identification and reporting of suspicious activity.

FIs must have a strong defense system in place to identify and report suspicious activity. If your compliance department needs to be enhanced, now is the perfect time to request additional funding. 



How FIs Can Prepare for Changes Ahead Themselves

It’s important that FIs prepare and stay up to date with changes to the AML regulatory framework. They should outline steps to take now to enhance their AML programs.
In BDO’s work as the third line of defense, the independent reviewer, here are some best practices we have seen in the industry:  

  • Building a culture of compliance from the top down, along with strengthened BSA/AML training 

  • Installing robust internal controls, quality review processes and effective policies in line with updated regulatory guidance and best practices

  • Ensuring sufficient funding and expertise for the compliance department and BSA Officer

  • Having clear communication to the Board of Directors about BSA reporting

  • Creating an open system for employees to make referrals without fear of reprisal (i.e., anonymous hotline)

  • Outlining an exit strategy to close accounts when activity in the accounts poses a risk

  • Clarifying the process to deal with law enforcement requests for additional information on SARs, tracking subpoenas and National Security Letters

Learn more about how BDO can help address your organization’s questions and concerns about AML and compliance programs.




[2] 12 CFR Ch. 1. 21.11