FinCEN Files: Legacy technology “not up to the challenge” to tackle AML
Legacy technology is just “not up to the challenge” when it comes to dealing with anti-money laundering (AML) requirements, and overreporting from banks playing it safe is putting regulators under undue pressure, say market participants.
A major leak this week showed major banks allowing oligarchs, mobsters, and criminals to launder more than $2 trillion.
BuzzFeed News obtained more than 2,100 suspicious activity reports (SARs) filed by banks and financial institutions. These were originally submitted to the US Treasury’s Financial Crimes Enforcement Network (FinCEN).
Analysis by the International Consortium of Investigative Journalists (ICIJ) found that between 1999 and 2017 banks flagged transactions worth trillions in SARs submitted to FinCEN.
SARs in their eyes
“Whilst a large number of SAR filings may indicate effective controls in the financial institutions, it may also suggest they are overreporting so as to avoid future regulatory issues as a ‘just in case measure’,” says Rachel Woolley, global director of financial crime at Fenergo.
“This results in increased numbers of reports that [financial intelligence units], which are under-resourced, need to investigate. This inevitably leads to inefficiencies and further compounds the resourcing issues.
“Currently the process is hugely manual in many countries. It’s also important to note that when FIs report a suspicion, it often relates to a transaction or series of transactions that have already taken place.”
David McLaughlin, CEO of QuantaVerse, says that finding financial crime among the millions of SAR reports is like “finding a needle in a stack of needles”. He says that legacy technology relied upon by incumbents is “not up to the challenge”.
“Although two million SARs are filed annually, it’s estimated that financial institutions never even identify between 50% and 70% of the money laundered through global systems. Those are transactions that are never alerted and never investigated with no chance of SARs being filed.
“It’s clear that improved systems need to be deployed throughout the entire chain of financial crime identification and investigation.”
For James Heinzman, executive vice president for financial services at ThetaRay, the leak itself is of greater importance.
“The bigger problem at hand that needs to be addressed immediately is the fact that there was a breach in security that led to these leaks, and that leak needs to be identified.
“The privacy of the people involved — the investigators that determine whether there is something that can be considered criminal or suspicious activity — is paramount to preserve the integrity of the program, and this breach really compromises that.”
Support for regulators
FinCEN’s SAR database is available to more than 450 law enforcement and regulatory agencies in the US. More than 13,000 users use the system millions of times every year. According to US Treasury figures, the number of people working at FinCEN has shrunk by more than 10% since 2010.
Jamal El-Hindi, acting director of FinCEN in 2017, testified that year to Congress that the department faced hiring issues.
Heinzman says regulators are always going to receive an unfair share of the blame when stories like these break. “In reality, the blame should be placed on the funding of these agencies.”
He adds: “Regulators are doing good work with what little funding they have, and they’re working well with banks and the industry as a whole to identify issues.”
Jane Jee, CEO of Kompli-Global, says that there are “disparate rules which are not applied consistently”, especially among the 25 AML supervisors in the UK.
“The files show failures by banks and by implication law firms and accountants. Therefore, the regulators need more expertise and need to create a panel of experts to assess where technology can help reduce abuse.”
Fenergo’s Woolley says that issues arise as the SAR process is looked at in silos. “Many of the issues discussed in recent days refer to the inconsistencies in the SAR reports themselves. These require manual review to make sense of what is being reported.
“Stretched resources are now having to first identify relevant information, extract it, assess it and then make a decision. This increases the time to determine if a SAR was warranted in the first place.”
The 4AMLD/5AMLD solution
The FinCEN leaks concern suspicious transactions flagged between 1999 and 2017. The European Union’s fourth and fifth anti-money laundering directives (4AMLD & 5AMLD) have come into force since. Have these historical issues been plugged by newer legislation?
“I think knowing your customers better is a part of the equation, but it’s not the complete answer,” says Heinzman.
“In order to get a full picture of what’s suspicious, of course you need to know who your customers are and who they’re transacting with, but even more importantly banks need to know what their activities are as well.
“This includes both what they’re actually doing, and what their business is in the context of their relationships. [Regulation is] never going to completely solve this issue as it’s only one piece of the puzzle.”
Kompli-Global’s Jee says there is “no doubt” that some issues have been resolved. She believes that company registers remain a point of contention.
“Companies House [in the UK] is still the weak link as there are practically no checks carried out on the information filed. Now, there are proposals to reform but when will they come into force?”
Woolley believes that the leaks are going to trigger some definite activity among regulators and banks. “Ticking boxes to show you met the minimum standard isn’t working. We need a more joined-up approach that focuses on effective outcomes.”
Jee says the current controls on AML “are not working well enough” but there are steps being taken to combat it.
“These cases should not be dismissed as old cases because many can still occur today. More should be done to stop dirty money getting into the financial system and moving round the world.”
Heinzman says that it remains important to keep in mind that the leaked SARs were banks investigating and reporting.
“What happened after they reported it to FinCEN? We don’t know. Also, bear in mind that these aren’t definitively criminal findings; they’re just reports of suspicion. They should certainly be investigated, but whether or not they have been is another story.
“The biggest ramification isn’t the SAR itself. It’s the fact that a lot of information about sources and the means to identify this suspicious activity will give the bad guys insight into how things work at the banks.
“There’s going to be scrutiny around the security of these reports, and how information like this could be leaked. This breach has jeopardised the integrity of the whole financial crime investigation and reporting system.”