Last week, I did a post with some preliminary (and under-baked) reflections on the so-called “FinCEN Files” reports by BuzzFeed News and the Independent Consortium of Investigative Journalists (ICIJ). These stories relied in substantial part on a couple thousand Suspicious Activity Reports (SARs) that had been filed with the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), and leaked to a BuzzFeed journalist in 2018. The documents, and the reporting based on them, highlight the extent to which major Western banks assist suspected kleptocrats, terrorists, and other criminal actors move (and launder) staggering amounts of money all over the world, and highlight the deficiencies of the existing anti-money laundering (AML) system.
What can we do to rectify this depressing state of affairs? Much of the commentary I’ve seen so far (both in the FinCEN Files stories themselves, and commentary on the reporting from other sources) emphasizes the need for more individual criminal liability—putting bankers in jail, not just fining banks. Even when banks are threatened or hit with penalties, the argument goes, this doesn’t really have much of a deterrent effect, partly because even what seem like very large monetary sanctions are dwarfed by the profits banks stand to make from assisting shady clients with shady transactions, and partly because the costs of monetary sanctions are mostly passed on to the bank’s shareholders, and don’t really hurt the individuals responsible (or the managers who tolerate, or turn a blind eye to, misconduct).
I’m quite sympathetic to both of these arguments, though with a couple of important caveats. Caveat number one: The absence of individual prosecutions of bankers is sometimes attributed to the fecklessness—or, worse, the “soft” corruption—of federal prosecutors, but as I noted in my last post, I tend to think that the more significant obstacle is the fact that it is very difficult in most cases to prove beyond a reasonable doubt that the that bankers or other intermediaries had the requisite level of knowledge to support a criminal money laundering conviction. Caveat number two: I don’t think we should be too quick to dismiss the idea that levying significant monetary penalties on banks can affect their behavior. After all, these institutions are motivated overwhelmingly by money, so hitting them in the pocketbook is hitting them where it hurts. The problem may be less that monetary sanctions are inherently ineffectual in this context, but rather that they are too low and too uncertain to have a sufficient impact on incentives and behavior.
In that vein, I want to suggest a few legal reforms that might make the U.S. AML system function more effectively. I acknowledge that these are “inside the box” ideas, insofar as they seek to make the existing framework more effective rather than to drastically transform that system. That may make these proposals feel unsatisfying to some, though I suspect the proposals will seem radical, even outlandish, to others. I should also acknowledge that I am not at all an AML expert, so it’s quite possible that the discussion below will contain errors or misunderstandings of the law or the system. But, in the spirit of trying to stimulate further discussion by those who really understand this field, let me throw out a few ideas.
- First, the U.S. Code could be amended to create a new strict liability civil offense, applicable to financial institutions covered by the Bank Secrecy Act (BSA), of “failure to prevent transactions in the proceeds of criminal activity.” That “failure to prevent” language is inspired by the UK Bribery Act’s “failure to prevent” bribery offense, but, crucially, I would not create an affirmative defense of “adequate compliance procedures,” as the UK Bribery Act does. Instead, I would make this a strict liability offense, meaning that if it turns out that a bank arranged, processed or otherwise facilitated a transaction that involved the proceeds of specified criminal activity, as defined in 18 U.SC. § 1957 of the U.S. Criminal Code, the bank would automatically be civilly liable. (I suggest further that the civil penalty should be equal in size to the transaction amount, though that’s admittedly just an intuition.) The rationale for this proposal is similar to the rationale for imposing strict liability in tort law: The bank is the institution best positioned to assess and manage the risk that a proposed transaction involves the proceeds of crime, and the specter of monetary liability forces the bank to internalize more of the costs and choose more socially appropriate precautions (or, if the risks are too high, to decline to assist with the proposed transaction). Right now, banks know that they are extremely unlikely to be prosecuted for money laundering or for facilitating transactions in criminal proceeds because, as noted above, it’s very hard to prove the bankers involved had sufficient knowledge. And indeed in many cases the bankers might actually not know that a client is a criminal, even if a deal smells fishy. As long as the bank files a SAR with FinCEN, and applies a sufficient level of due diligence to satisfy regulators in the (unlikely) event that the transaction later attracts scrutiny, the bank is probably in the clear. But if the banks know that the profits from a deal will disappear—in fact, the bank will take a big financial hit—if it turns out that a transaction it processed involved criminal proceeds, the bank has a stronger incentive to look long and hard to make sure the transaction is worth the risk. (Just to illustrate how this would work in the context of the FinCEN Files reports: Many of the examples in the FinCEN files involve SARs that banks filed on clients or transactions that were later shown to be crooked. Under existing law, so long as the bank can show it filed the SAR, had an AML program, and exercised due diligence, it’s off the hook for these cases. Under the proposal sketched here, every one of these transactions would result in the bank having to pay a substantial penalty.) One tricky question about this sort of proposal is whether, in order to trigger the strict civil liability, there needs to be a criminal conviction of the direct parties to the transaction (e.g., the client), or whether the government should be able to establish civil liability by showing that the assets involved in a transaction were, more likely than not, the proceeds of unlawful activity. I confess I’m not sure what I think, but a variety of approaches to this question are compatible with the overall spirit of the proposal.
- Second, while the previous proposal targets banks, it might also be advisable to amend the U.S. code to impose (strict) civil liability on bankers who sign off on transactions that turn out to have involved the proceeds of crime (again, as defined in § 1957). The rationale is essentially the same. The main difference is that the magnitude of the penalty should be proportionally smaller—ideally set in a way that offsets or outweighs (but doesn’t swamp by orders of magnitude) the amount of income the individual banker would receive from the transaction in question. A tricky issue here is whether this rule should apply to lower-level bankers or only more senior managers. My inclination runs in the latter direction. One could imagine a rule which requires that, for every transaction that triggers the filing of a SAR with FinCEN, a sufficiently senior manager must personally sign off on the transaction, and in the event that the transaction later turns out to have involved the proceeds of criminal activity, that responsible individual must pay a civil penalty. This may not be as satisfying as throwing criminal bankers in jail (and again, I wholeheartedly support throwing criminal bankers in jail when possible!), but it would cast a much wider net, and would not impose nearly as substantial a resource burden on the enforcement agencies, since the monetary liability would be automatic once the fact that the assets in question were the proceeds of crime.
- Third, I propose that whenever a financial institution files a SAR with FinCEN, the institution is required to pay—as a kind of fee or tax—a percentage of the transaction amount directly to FinCEN. That fee should be set to be a fraction (not too large but not too small) of the fees or other profits that the bank would collect on the transaction. (The bank would be prohibited from passing that charge along to the client, as doing so would amount to unlawful “tipping off” that a SAR had been filed.) There are a few rationales for imposing this “SAR tax”: First, every time a bank files a SAR with FinCEN, it imposes a burden on that already overburdened agency, and so imposing a per-SAR tax on banks, with the money going directly to FinCEN’s operating budget, is a way to ensure that the regulated entities bear a fair share of the costs of running the regulatory system. Second, and relatedly, this reform would help address FinCEN’s persistent resource shortage. (Think about it: With over two million SARs filed per year, even if each bank paid a fee of only $60 per SAR, this would more than double FinCEN’s current annual operating budget. And the actual fee, if set as a modest but not trivial percentage of the profits banks make from handling suspicious transactions, would likely be much, much higher.) Third, and perhaps most importantly, such a system would make processing suspicious transactions less profitable for the banks, though the fee should be set so that handling such transactions is still economically rational for the bank, so long as nothing goes wrong later on. The idea is not to block all transactions that trigger a SAR–many of these transactions do not in fact involve any illegality. But, by reducing the profitability of this class of transactions, the banks’ cost-benefit analysis would shift in a socially beneficial way: A suspicious transaction that might, under current law, seem worth the risk, might no longer seem worth it, given the bank’s assessments of the red flags. Now, one might immediately wonder (and worry) whether a rule like this might give banks a disincentive to file SARs, at least in borderline cases. The answer is yes. But that may be a feature rather than a bug, at least if the system is designed carefully. Right now, banks have strong incentives to over-report suspicious transactions. This helps insulate the banks from liability, but it makes FinCEN’s job substantially harder. Banks should think harder about whether a particular transaction is sufficiently questionable to add to FinCEN’s pile. Of course, we don’t want this incentive not to report to be too strong. That concern could be addressed in a couple of ways. For one thing, the penalties for failing to file a SAR when it should have been filed could be increased. For another, regulations could mandate that the decision whether to file a SAR be made by a compliance officer who operates with a sufficient degree of autonomy (much like HR departments and audit committees).
The proposals above share a common feature: They seek to induce banks to internalize more of the risks and social costs of money laundering by requiring the banks (or, in some cases, the bankers) to automatically pay an extra cost for facilitating transactions that are suspicious (as in the case of the third proposal) or that turn out to have involved criminal activity (as in the case of the first and second proposals). By raising the costs (and thus reducing the profits of) suspicious transactions, the banks and bankers have a substantially stronger incentive to invest in more effective compliance systems, to improve their internal controls, and to decline to take on certain clients, or process certain transactions, that look too suspicious.
Is any of this practically feasible? I have no idea. But if the FinCEN Files reporting does succeed in stimulating a more serious conversation about meaningful reforms to the U.S. AML system, perhaps proposals along the lines sketched above could and should be part of the conversation.
Are there examples of countries (you mention the UK) that internalize the costs/risks to banks? I’m not sure about the feasibility either, but I do support unloading some of the burden from the public to the private sector. Overall, great post!
Not to my knowledge. (The UK example I mentioned in the post is actually a law on a different issue — bribery. I mentioned it because the UK Bribery Act makes it a strict liability offense for a firm covered by the act to “fail to prevent” bribery by its employees or agents, though there’s an affirmative defense available if the firm can show it had in place an adequate anti-bribery compliance program.) But like you, my instinct is that more of the risk/burden should be shifted to the banks, not so much out of any retributive instinct but because the banks are in the best position to identify and adopt socially efficient risk mitigation measures.
Very intriguing proposals! The current AML framework could certainly use improvement. As an aside, in 2019 the Supreme Court denied cert for AER Advisors v. Fidelity, which challenged the absolute immunity for banks filing SARs—it seems like legislative reform is the only way the system could change, at least in the short term.
I’m curious how a strict liability regime would work in the AML context as compared to OFAC, which already has strict liability. Banks screen transactions prior to processing to identify sanctioned individuals, entities and/or countries (but as we saw with OFAC’s record-breaking civil penalties last year, even that model is not totally foolproof). I can imagine some scenarios where illegal money laundering transactions may be detected at the outset, but it seems that a great deal more only present themselves after more than one transaction. Requiring a bank to make the “suspiciousness” determination ex ante seems to be a high bar to achieve, one which would slow down transaction speed without clearly reducing the incidence of money laundering.
Regarding your second suggestion, the current BSA regime already requires banks to report all SARs filed to their board of directors. To avoid some of the potential pitfalls you mentioned of holding individual bankers liable, perhaps a reform could impose more liability on the board? This would also allow for the inclusion of transactions that do not require an individual banker sign-off (e.g. certain wire transfers, peer-to-peer exchange, etc.).
Finally, would a per-transaction penalty provision just encourage banks to carry out a variety of smaller transactions rather than large ones, making detection of illicit activity even more difficult?
Great comments/questions! Some quick reactions:
1) Yes, I hadn’t thought of the OFAC strict liability system when I wrote this post, but you’re right that this is a good (though perhaps not perfect) parallel. I’ll need to do some more research to get a sense of how well the strict liability system works in that context. If it works well, it may function as a (partial) “proof of concept.” If not, that might be a reason for second thoughts about the proposal sketched here. Do you have a sense of whether the strict liability system for OFAC sanctions violations is considered effective?
2) Agreed that it’s tricky to think about how to deal with situations where the suspiciousness only becomes clear after the transactions have taken place. But of course, with a strict liability system, it doesn’t really matter. The idea is that if you handle dirty money, you have to pay something. But of course that has costs.
3) Greater liability for the board, or other senior execs (in the style of Sarbanes-Oxley) might well be the right way to deal with this issue. It might also be possible for the regulators or examiners to identify the people most responsible for pushing potentially problematic transactions (such as the folks running the private banking and correspondent banking divisions) and place the liability there.
4) On breaking up transactions to avoid penalties, I can think of two ways to address this. First, the anti-structuring rules that already exist could be adapted or extended to this context. Second, one could make the penalties proportional to the size of the aggregate amount transacted, not the number of discrete transactions. Also, if there’s a per-SAR fee, the incentive would presumably be the opposite: To file a single report documenting a set of related suspicious transactions, rather than filing a separate SAR for each one.