Over 2,100 Suspicious Activity Reports (‘SARs’) that were filed with the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) between 2011 and 2017, have been leaked to BuzzFeed News and investigated by a team of reporters from the International Consortium of Investigative Journalists (‘ICIJ’). There has been no question regarding the authenticity of the documents. The ICIJ is drip-feeding the results of its investigations, which have involved many major global banks, so we can expect more revelations over the coming weeks and maybe even months. The documents in the FinCEN files cover about $2tn of transactions and they are only a tiny proportion of the SARs submitted over the period.
In this blog we do not propose to look into the rights and wrongs of the leak itself and the daily news stories that have followed. We recognise that many banks have made huge investments in the prevention of financial crime and we clearly observe the commitment, even passion, of many financial crime practitioners to identify and root out the bad actors. Rather, we would like to focus attention upon the practical response banks should be considering now.
Whilst some commentators have dismissed the recent revelations in the so-called ‘FinCEN Files’, as old news, and some of the subsequent reporting has undoubtedly been somewhat sensational, many of the banks involved saw a sudden and direct impact on their share price immediately after publication, mostly attributed directly to the leaks. In addition, a number of prominent politicians and watchdogs in many jurisdictions are apparently using the FinCEN Files to support calls for regulatory reform.
In the UK, the Chairman of the Treasury Committee has asked Chris Woolard (interim CEO of the FCA) what action the FCA will be taking following the publication of the FinCEN Files.
The FinCEN Files question was raised at the FCA Annual Public Meeting on 24th September, and Mark Steward confirmed that the FCA are taking the leaks in the FinCEN Files very seriously. The FCA will be expecting all banks to take some action in response to the FinCEN Files, regardless of whether they are directly implicated.
Our view is that the FinCEN Files should serve as a timely reminder to banks, if one was needed, of some basic challenges and that there is always room for improvement.
KYC standards can always be improved
The fact that suspicions were identified by the banks, and reported to FinCEN, should be a big tick for the banks involved. However, in doing so, the banks have had to acknowledge that, in many cases, they didn’t really know who their clients were. The ICJI found that:
“In half of the FinCEN Files reports, banks didn’t have information about one or more entities behind the transaction”.
The reports suggest that, in many cases, the banks had failed to identify the ultimate beneficial owners of the entities in question at the start of the relationship or through their ongoing due diligence, periodic reviews or batch screening. This should be a concern as many of the subjects will have been listed as Politically Exposed Persons (PEPs), Specially Designated Nationals (SDNs) or subject to adverse media, that should have triggered an investigation.
Suspicious Activity Reports (SARs) need to be better
FinCEN received more than 2 million SARs last year (a twofold increase over the last decade) and the UK equivalent body, the National Crime Agency (NCA), received nearly 480,000 in their last reporting year. Of course, these numbers represent only a small percentage of internal reports that are made and investigated by banks. Suspicious activity reporting is a massive effort on the part of banks.
The SARs that were leaked from FinCEN were variously described as being:
- Lacking in details of ownership.
- Vague – lacking reasons for suspicion.
One of the most harmful observations for the banks is that in many cases they apparently continued the relationships long after the submission of the SAR – “Years after concerns first emerged banks continued to move money for fraudsters, drug dealers and allegedly corrupt officials…”
Whilst there is ongoing debate about the true value of SARs under the current regimes globally, and extensive pressure for reform of the whole system globally, banks do need to satisfy themselves that the quality of SARs is kept under constant review. Further, they need to ensure that they have systems and controls in place to track closely activity on accounts where a SAR has been submitted.
What do banks need to do now?
We would expect that senior management in banks are already asking the following questions of their Financial Crime and MLRO teams:
- Are we named or implicated in the FinCEN Files (or likely to be in subsequent drip-feed releases)?
- Do we have relationships with any of the individuals or entities featured in the reporting?
- How confident are we that our SARs are up to scratch?
- What processes and controls do we have in place to review clients and transactions after the submission of SARs?
- Do we apply additional scrutiny to clients after a SAR has been submitted?
- How many clients have we exited following submission of SARs?
- Does senior management have the right level of information about SARs in both governance forums and management information?
- How confident are we that we have robust KYC on all relevant parties to transactions?
- Would our screening solution pick up these names before or during the client relationship?
- Do we measure the quality of our enhanced due diligence investigations?
The FCA, and indeed other regulators, will expect banks to take decisive action upon the ‘revelations’ in the FinCEN Files (even if the bank itself has not been directly impacted by the reporting). We are advising our clients (as many were required to do following the previous revelations in the 2016 ‘Panama Papers’ and the 2017 ‘Paradise Papers’) to initiate a formal project to review the findings in the reports on the FinCEN Files (together with the questions above). Banks should also advise their regulators that a formal FinCEN File review has been initiated.
The review should include, but not be limited to:
- Making sure your organisation is not implicated – either directly or indirectly.
- Identifying every individual and entity named in the FinCEN File reports.
- Conducting checks to ensure none of their clients appear in the FinCEN Files.
- Reviewing KYC files for any possible matches.
- Conducting deep-dive Enhanced Due Diligence (‘EDD’) where potential concerns are identified through KYC Reviews.
- Reviewing a sample of SARs to ensure that they cannot be criticised for the short-comings identified above.
- Reviewing KYC policies and procedures.
How can New Link Consulting help?
New Link Consulting’s Regulatory and Anti-Financial Crime Practice is run by experienced practitioners. The Head of the Practice has undertaken Skilled Person AML Reviews on behalf the FCA and PRA and the team has worked on numerous regulatory-driven financial crime remediation programmes. Our team has extensive experience and AFC domain expertise and can provide expert independent advice as to whether you have any vulnerabilities in your anti-financial crime systems and controls.
We can help you set up and complete a review and support any remedial actions identified, embedding solutions within a cohesive framework of best practice Client Due Diligence.
If you do identify specific clients or transactions of potential concern, we can also undertake comprehensive Enhanced Due Diligence (EDD) investigations through a global network of primary sources and calling upon unparalleled insights from leaders in government, business, the media and hard-to-access parts of the dark web.
Please feel free to contact us for an initial discussion on your specific requirements.
Peter Brooke – Practice Lead – AFC and Regulatory Practice
M: +44 (0)7590 105185
T: +44 (0)203 826 9700
Walter Hogg – Director – AFC and Regulatory Practice
M: +44 (0)7758 690 261
T: +44 (0)203 826 9700
Andrew Hovell – Director – AFC and Regulatory Practice
M: +44 (0)7493 071 823
T: +44 (0)203 826 970