As most readers of this blog are likely well aware, last week BuzzFeed News and the International Consortium of Investigative Journalists (ICIJ) released a bombshell story about international money laundering through major financial institutions. The collection of stories—more of which are likely in the works—is based on an analysis of a large trove of leaked documents from the U.S Treasury Department’s Financial Crimes Enforcement Network (FinCEN), which the journalists reporting on the case have dubbed the “FinCEN Files.” These files consist of so-called Suspicious Activity Reports (SARs), which are documents that, pursuant to a U.S. statute called the Bank Secrecy Act (BSA), banks and certain other institutions are legally required to file with FinCEN whenever the bank has reason to suspect that a transaction it’s handling involves money laundering or some other criminal activity, or simply lacks an apparent lawful purpose. The bank does not inform its customer that it’s filing a SAR—indeed, the BSA prohibits banks from doing so. FinCEN can use SARs to detect and investigate financial crime, and may share SARs with other law enforcement agencies in the context of an investigation, but otherwise SARs are supposed to remain strictly confidential. However, in October 2018 a FinCen employee leaked over 2,100 SARs to a BuzzFeed reporter. (While BuzzFeed and ICIJ do not identify their source, it is almost certain that this former employee, who pled guilty last January to illegally leaking the documents, is the source.) Journalists with BuzzFeed and the ICIJ analyzed these documents and have published multiple stories (see, for example, here and here) about what these documents reveal regarding the global anti-money laundering (AML) regime, together with a subset of the actual SARs. (The journalists released only those SARs that support reporting in specific stories, principally SARs that pertain to known criminal figures. They are not publishing a database of all the SARs in their possession due to concerns about privacy of the individuals involved, many of whom are not currently accused of any wrongdoing.)

The picture that these stories paint of the global AML regime is not a pretty one. While the stories are lengthy and detailed, and discuss many different aspects of the overall issue, if I had to try to distill all this reporting into a simple punchline, it would go something like this: The leaked SARs reveal that the major banks repeatedly handled huge and highly suspicious transactions for corrupt kleptocrats, organized crime groups, terrorists, fraudsters, sanctions evaders, and others, and relatively little was done, by the government or the banks, to stop it. As the ICIJ puts it, “The FinCEN Files show trillions in tainted dollars flow freely through major banks, swamping a broken enforcement system.” Or as BuzzFeed puts it, the FinCEN files reveal “how the giants of Western banking move trillions of dollars in suspicious transactions,” while “the US government, despite its vast powers, fails to stop it.”

I’m still working my way through all the FinCEN Files stories, and I’m certainly no expert on money laundering or banking regulation. (I come to this issue sideways, from an interest in anticorruption, rather than any professional expertise in AML as such.) But, in the interest of getting some ideas down in writing and perhaps stimulating some further conversation on what we can learn from the FinCEN Files reporting, let me share a few scattered, somewhat disconnected preliminary observations.

• First, I’ve gathered (mainly as a passive observer of some spirited exchanges on various online anticorruption discussion groups) that there’s something of a division of opinion within the anticorruption/AML community about whether the leak of the SARs, and the reporting based on them, are a helpful or counterproductive development for the larger struggle against money laundering and other forms of financial crime. As one might expect, most of the people in advocacy NGOs (and, of course, other investigative journalists) have celebrated these revelations as shining some much-needed light on a broken system, and those taking this view have criticized the efforts of the banks and the U.S. government to keep information like this hidden from public view as self-serving. I confess that my general sympathies tend in that direction as well. But my initial instincts have been tempered somewhat by the fact that many anticorruption/AML professionals—several of whom I know and respect—have expressed substantial concerns about both the leak itself and the journalists’ decision to publish many of the SARs. These critics, who tend to be former law enforcement officials, raise a few concerns that are at least worth taking seriously. First, they argue that leaks of SARs may make banks less likely to submit SARs in the first place, because they’re worried about jeopardizing clients’ confidentiality and thus losing clients. To be honest, I don’t find this argument terribly convincing. Banks, if anything, have incentives to over-report suspicious activity, and it’s hard to imagine that a leak like this, even a big one, would discourage banks from reporting as a general matter. But the critics make another, in my view more serious, argument as to why it may be a mistake to publish a big trove of SARs: If criminals have a better sense of what sorts of transactions are likely to trigger a SAR, or which banks have more or less stringent standards for filing SARs, this may make it easier for them to figure out how to arrange transactions that will avoid triggering a SAR in the first place. Additionally, if the crooks have a better sense of which entities (say, which shell companies) the banks and the government have already flagged as suspicious, and which ones they apparently haven’t, the crooks can use this information to evade detection more effectively. As an outsider, it’s hard for me to assess how big of a risk this actually is. My intuition is that it’s not all that large in this case, partly because the SARs in question are at least two years old, partly because the 2,100 leaked SARs only represent a small fraction of the millions of SARs filed during the relevant period, and partly because the journalists are only publishing a relatively modest proportion of those 2,100. Still, it’s worth keeping in mind that SARs are generally supposed to be confidential for a reason—a reason that’s not about protecting the banks or the clients (indeed, banks and others are punished for “tipping off” a client that a SAR has been filed). The confidentiality is supposed to aid law enforcement, so the bad guys don’t necessarily know what the government is looking at, or what factors tend to trigger more scrutiny.
• Second, I think it’s useful, when discussing AML law in the United States, to keep in mind the distinction between two different bodies of law, both of which pertain to money laundering and proceeds of crime, but that are different in terms of scope and application. First, the general federal criminal law (codified at Title 18 of the U.S. Code) establishes a crime of money laundering, as well as a related crime of engaging in monetary transactions in the proceeds of specified unlawful activities. Conviction for these crimes, which are codified at 18 U.S.C. §§ 1956 and 1957, requires that the government prove, beyond a reasonable doubt, that the defendant knows that the property involved in the transaction is the product of unlawful activity. These laws apply to bankers (and to banks), but in practice it can be very hard to prove that the intermediaries handling financial transactions had the requisite level of knowledge, particularly because sophisticated parties may take steps to avoid creating such (provable) knowledge. This observation naturally implicates broader philosophical questions about how to balance the interest in protecting the rights of defendants against the social interest in deterring and punishing crime. But the fact that very few banks (or bankers) are prosecuted under §§ 1956 and 1957 may have less to do with prosecutorial fecklessness or the “capture” of the justice system than with the fact that these crimes are very hard to prove in this context. Separate from the provisions of the federal criminal code on money laundering and proceeds of crime, though, the BSA, codified at Title 31 of the U.S. Code, creates a separate regulatory regime for financial institutions, and this regime includes certain AML requirements. Most of these requirements aren’t specified in the statute itself, but rather are promulgated by the Treasury Department as regulations implementing various sections of the BSA. The requirement that banks file SARs comes from the BSA (31 U.S.C. § 5318(g).) The BSA and its implementing regulations also require banks and other covered institutions to maintain adequate AML programs (31 U.S.C. § 5318(h)), among other obligations. Failure to comply with the BSA or its implementing regulations can result in substantial financial penalties, but criminal penalties (including incarceration) are only available if the violation is willful (31 U.S.C. § 5322). To the best of my knowledge, most of the AML-related sanctions against big banks in the last decade or so have involved violations of the BSA—for example, failure to file SARs, or failure to maintain adequate AML control systems. So while I’m totally on board with the various experts quoted in the BuzzFeed and ICIJ stories who say something like, “The bankers should go to jail!”, I think it’s important to recognize the structural obstacles to those prosecutions. The difficulty of directly prosecuting financial intermediaries for money laundering is, I suspect, one of the reasons the BSA created what’s supposed to be a preventative framework. Of course, one of the big takeaways from the FinCEN Files reporting is that this framework doesn’t seem to be working very well.
• Third, one of the reasons that framework doesn’t seem to be working well, which emerges pretty clearly from the BuzzFeed/ICIJ reporting, is that FinCEN and its counterpart agencies in other countries simply do not have sufficient resources to do what the current system expects of them. Think about it this way: FinCEN has a staff of about 300 people, and its annual budget is under $120 million. It receives over 2 million SARs each year. If every FinCEN employee did nothing but review SARs, and worked 18 hours a day 365 days a year, and if each SAR took an hour to review, FinCEN would still not quite manage to review all the SARs that come in each year. It’s worth keeping in mind, too, that banks have an incentive to over-report rather than under-report. Filing a SAR does not mean a bank can’t proceed with a transaction. The worst-case scenario is that filing the SAR might lead to an investigation, which could implicate the bank, or at least cost the bank money and hassle as it responds to government inquiries. That’s exceedingly unlikely, though. On the other hand, if the bank fails to file a SAR when it should have, it can get itself into trouble. So, when in doubt, it makes sense to file. But that makes it extraordinarily difficult for FinCEN to scrutinize SARs and use them as leads for opening investigations. (Another way to appreciate the difficulty is to consider the fact that it took the BuzzFeed and ICIJ teams, which consisted of scores of journalists, roughly two years to analyze 2,100 SARs and piece together the evidence that these documents revealed about global money laundering operations.) I gather that SARs are still very useful to FinCEN and other law enforcement agencies, but mainly as a resource to employ when they’ve already opened an investigation into a particular individual or company for other reasons. The question that this naturally raises, which I may try to explore more in future blog posts (and which I hope some of our readers might explore in the comment section below), is how we can reform our AML system to address this problem. A regulatory system based primarily on reporting suspicious transactions seems utterly insufficient in light of the scale and scope of the problem. So what can be done? Are there ways to use more sophisticated technology (such as AI systems) to analyze SARs? Should more burden be placed on banks not only to report, but to more rigorously scrutinize and sometimes decline overly suspicious transactions or clients? Is it feasible to drastically scale up enforcement resources? (I’ve heard a couple of advocates observe that money laundering is a national security threat, and if so framed perhaps the Defense Department, with its enormous budget, could take a greater role in addressing this issue.) Are there other ways to alter the incentives—of banks, regulators, or both—to promote more efficient and effective regulation? These are some of the key questions that the FinCEN Files reports have brought to the fore, and if the debate over those questions produces meaningful reform, then by my lights the leaks, whatever their costs, will have proved worthwhile.