What the FinCEN files leak means for banks

Simon Taylor Co-founder 11:FS & CPO 11:FS Foundry

There’s been a huge leak of files from FinCEN, the US-based Financial Crimes Enforcement Network. Over 2000 Suspicious Activity Reports (SARs) and hundreds of other documents appear to show how banks have been unable to prevent trillions in money laundering, tax avoidance and criminality over the past decade.

But there's a more in-depth story to uncover here.

The problem: mainstream media is reporting large headline figures and missing much of the point. As it stands, banks can’t prevent transactions because of the so-called “tipping-off rules.” This means they have to raise a SAR and follow up later.

The real story here is how ineffective the SAR process is in dealing with the sheer volume of criminality in the global financial system, and how banks so often throw people and process at the problem rather than rethinking it to make it more effective.

What happened?

The BBC reported that "leaked documents involving $2trn of transactions reveal how criminals move dirty money around the world". But remember that banks use SARs to report suspicious behavior; a SAR is not proof of wrongdoing.

The documents were leaked to Buzzfeed News and shared with a group of investigative journalists from around the world. More than 108 news organisations in 88 countries have now taken part in the investigation.

These are just some of the failings the documents have revealed:

  • "HSBC allowed fraudsters to move millions" after learning that the fraudsters were involved in a scam.
  • JP Morgan "allow[ed] a company to move more than $1bn" through a London bank account without knowing who owned it.
  • The UK has been labeled a ‘high-risk jurisdiction’ because of the sheer number of UK-registered companies appearing in the FinCEN files.

Unlike previous leaks on dirty money, this financial crime agency data comes from several banks directly. The FinCEN agency has warned that these leaks could put active investigations and prosecutions at risk.

Understanding KYC and AML

KYC (Know Your Customer) and AML (Anti Money Laundering) are complex terms. They’re essentially catch-all procedures designed to prevent all kinds of horrors - from global arms dealing and terrorism to human trafficking and modern slavery.

The same processes are used for sanctions. When, for example, the EU and USA place economic sanctions on a country, it's the banks that have to enforce this through their KYC and AML processes.

KYC and AML procedures have evolved over the decades as international payment volumes boomed through the 70s and 80s. After 9/11, the prevention of terrorist financing brought these processes into sharper view, and post-financial crisis, banks were found to have several failings which led to hefty fines.

KYC requires each bank to formally identify who their customer is. So if the customer is a company, the bank needs to know who each Ultimate Beneficial Owner (UBO) is. It’s surprisingly tricky, partly because criminals often build shell companies in offshore jurisdictions which are owned by companies in another country, and so on. These shell companies are handy for hiding who the real owners are.

The bank must then follow a series of Customer Due Diligence (CDD) - and sometimes Enhanced Due Diligence - checks. The customer must be able to provide a proof of identity (e.g., passport) to confirm whether they are a Politically Exposed Person (PEP), which might mean they could be subject to bribes. The bank must also check that the person isn't on a sanctions list (e.g. they're not considered a danger by the USA or EU).

When all of that is taken care of, the banks may well "know" their customer. But the reality is that most transactions happen between their client’s customers and other bank customers.

A bank relies on their correspondent banks to be performing the same level of checks. But how can you trust that the other bank is doing a good job? The best they can do is to sit their compliance teams down together every few years and audit each other's processes.

What about the regulators?

The global regulators coordinate through a body called the Financial Action Task Force (FATF). It issued its first report in 1990 as recommendations, which were revised in 2001 and again in 2012. These recommendations are then interpreted by local and regional regulators and translated into law where necessary.

What’s key to remember here is that banks are responsible for preventing, detecting, and reporting crime. Banks are, in effect, the “money police.”

Where does that leave us now?

So, to recap: the banks have a process, auditors audit those processes, and regulators fine the banks if major failures happen.

But almost nobody measures how effective these processes are. As a result, the recent headlines miss some pretty important points!

  1. Raising a suspicious activity report doesn't mean a bank has any evidence of wrongdoing.
  2. Due to tipping-off rules, banks can’t tell a customer why a payment was blocked (or allowed to proceed), or even that they're being investigated.
  3. Banks have reacted to previous failings with more people and processes, but not better processes or data.
  4. Most financial crime happens either via complex shell companies or physical notes and cash.
  5. Regulators focus on whether the process exists, rather than how effective the process is.
  6. Yet in the past decade, we've seen the emergence of regulatory technology ("regtech") and some exciting initiatives.
  7. There's a real opportunity off the back of these papers to make a huge difference.

A SAR isn’t always evidence of wrongdoing

It’s important to note that banks and law enforcement regularly monitor transactions, and they will prevent them where they have significant reason to do so.

A SAR doesn’t always mean that’s the case, however. A bank only “knows” its own customer; they don’t know the other bank’s customer. So they may not have all the facts.

A SAR could simply mean, “Hey, we’re not sure about this - we want to work with law enforcement and our correspondent bank to look into it.”

Banks can’t block everything that looks suspicious

Under recommendation 21b of FATF, banks are “prohibited by law from disclosing (“tipping-off”) the fact that a suspicious transaction report (STR) or related information is being filed with the FIU”.

While the media might claim that “banks saw transactions and did nothing to prevent it,” it may be the case they did exactly as they were told to.

Banks are known to throw people at a data problem

Banks have consistently hired more AML specialists in the past two decades in response to problems from regulators.

While there have been real efforts to introduce regtech, overwhelmingly the banks are still following similar - if not the same - outdated processes from a decade ago.

This is despite the creation of new, more effective regtech solutions. These are capable of performing automated transaction monitoring, automating KYC and AML, and outperforming human agents (thanks to the introduction of machine learning).

For example, “digital onboarding” has been seen by banks as a customer experience benefit rather than a compliance necessity.

Criminality isn’t something banks alone can prevent

Cash is still a big issue and one that central banks have grappled with for decades.

While physical notes can be useful for the vulnerable, elderly and financially excluded, high denomination notes like the $100 bill and the £50 note are consistently linked with criminal acts.

This is not something the banks alone can manage.

Plus, complex corporate hierarchies are something lawmakers need to consider. These corporate structures are consistently used by criminals, including the infamous Dr Ruja, who scammed the world into investing billions in her bitcoin alternative.

Regulators have focused on auditing when they should be considering effectiveness

According to defense think tank RUSI, there is very little evidence that requiring banks to implement the SAR process effectively prevents criminality.

RUSI calls for less emphasis on pure “private sector leadership” and more information sharing between the public and private sectors. In other words, the existing process doesn’t work, and it’s a problem the banks can’t be responsible for solving.

We’ve seen some exciting initiatives emerge over the last 10 years

As a self-confessed fintech and regtech nerd, I get excited because, actually, we already have the technology for data-driven AML prevention and control.

In the last few years, a couple of momentous things have happened:

  1. SWIFT launched GPI, a system that allows banks to see the status of any transaction.
  2. JP Morgan launched the Interbank Information Network (IIN), which allows banks to share information about active clients and concerns without tipping-off. (This uses a blockchain and complex privacy-preserving cryptography.)

On top of this, we’ve witnessed the birth of hundreds of interesting regtech and fintech startups. There’s so much more to be gained from implementing some creativity and digitisation when it comes to solving money laundering.

The criminals involved certainly don’t lack creativity, so why should we?

Where do we go from here?

Clearly, public and private sector partnerships should be playing a much more significant role. We need to recognise that the banks aren’t the only issue - the whole global system’s approach needs to change.

What if forming a company involved just a little more due diligence in most countries? Could we improve the processes by giving banks better ways to share information with law enforcement?

Ultimately, AML is essential.

If you care about preventing criminality - including human trafficking, terrorism and tax avoidance - this is an issue not just for the regulatory nerds to resolve. The responsibility lies with all of us.


Thanks to Rex Salisbury at a16z and Matt from privacy.com for providing inspiration for some of the concepts discussed in this blog.