Department of Justice: Will the Third Time Be a Charm?
January 3, 2024
2024 will be the third year that the DOJ was to release a detailed report on the use of BSA reports. The first two annual reports were not detailed. Hopefully, their third report will be better.
The Anti-Money Laundering Act of 2020 (AML Act) was passed by Congress and became law over the veto of then-President Trump on January 1, 2021. Section 6201 of the AML Act requires the Department of Justice (“DOJ”) to submit an annual report to the Department of Treasury (Treasury) on the usefulness of Bank Secrecy Act (“BSA”) data.
More specifically, section 6201 requires the DOJ to report “statistics, metrics, and other information on the use of BSA reports”, including:
- the frequency with which the reported data contains actionable information that leads to further proceedings by law enforcement or actions by intelligence or national security agencies;
- the time between the reporting of the information and its use;
- an analysis of the transactions, including legal entities and persons, and any patterns or trends in cross-border transactions;
- the number of legal entities and individuals reported;
- information the on extent to which arrests, indictments, convictions, and forfeitures were related to the reports; and
- data on investigations resulting from the reported data.
Apparently, the Justice Department has submitted two such annual reports. How did they do?
Not so good. In fact, pretty bad.
The private sector producers of BSA reports must get feedback from the public sector consumers of BSA reports.
One of the stated uses of the reports was “to enhance feedback and communications with financial institutions … including by providing more detail in the reports published and distributed under section 314(d) of the USA PATRIOT Act.” (that section requires FinCEN to publish periodic reports on the use and utility of BSA reports).
I’ll point out that FinCEN has always been the agency that was expected to, and in a limited way did, provide feedback on BSA reports. But those efforts were not seen as sufficient; thus, Congress turned to the DOJ to provide feedback.
The DOJ’s Money Laundering and Asset Recovery Section (MLARS) submitted the first report to Treasury in January 2022. This was confirmed by (then) FinCEN Acting Director Him Das in testimony before the House Financial Services Committee on April 28, 2022. As best I know, that report has not been made public: I sent a FOIA request to FinCEN. FinCEN responded with ” don’t ask us, ask Justice”. I asked Justice: they didn’t respond.
But apparently that report didn’t provide much in the way of detail, let alone statistics, metrics, and other information on the use of BSA reports.
An August 2022 Government Accountability Office (GAO) report on BSA report feedback generally, and on DOJ’s compliance with Section 6201, looked at both what FinCEN had been doing to provide feedback, and on what the DOJ had done to satisfy section 6201. The findings weren’t pretty. The GAO found that “FinCEN receives limited data from law enforcement agencies on their use of BSA reports or their impact on case outcomes because agencies largely do not collect such data. As a result, FinCEN cannot provide comprehensive feedback to financial institutions on the usefulness of the BSA reports they file.” The GAO also found that “DOJ’s first annual report focused on qualitative information and statistics already available to FinCEN. DOJ stated that agencies faced challenges collecting data that connect their use of BSA reports to case outcomes using current data systems.”
The GAO found more:
- The DOJ report “did not include new statistics on the use and impact of BSA reports, including the summary statistics required under the act. For example, it did not include the frequency with which BSA reports contained actionable information; the extent to which arrests, indictments, convictions, or other actions were related to the use of the reports; and the length of time between when reports were filed and when they were used. Instead, the report primarily included qualitative descriptions from 12 agencies on how they used BSA reports and the value of those reports to their investigations and other activities.” Page 14
- “DOJ’s report did not include the statistics required by section 6201 because the agencies that provided information to MLARS face challenges tracking their use of BSA reports in ways that would allow them to generate those statistics.” Page 15
In response, the MLARS staff at the DOJ offered a number of reasons or excuses why they couldn’t satisfy the requirements of section 6201. Those included “difficulty linking BSA reports to outcomes”, an “unclear definition of ‘use'”, and legal and regulatory limitations on SAR confidentiality, grand jury confidentiality, etc.
But it really came down to two things: the agencies have never had to provide feedback, and doing so would be expensive to implement. The GAO noted: “DOJ officials told us the cost of tracking their use of BSA reports and connecting specific reports with case outcomes would be prohibitive with their current data systems … agencies would need to dedicate substantial resources to reviewing documentation at the end of a case to identify the BSA reports investigators used” and, even if that was possible, “using limited resources for this purpose might affect an agency’s ability to fulfill its core mission.”
But two federal law enforcement agencies currently track their use of BSA reports. According to the GAO, IRS-CI tracks cases it initiated based on information in BSA reports (13 percent of all its investigations in fiscal years 2020 and 2021), and the Secret Service tracks the number of their investigations that used BSA reports (313 and 275 in 2020 and 2021, respectively).
Interesting side note: apparently the MLARs folks sought information from eighteen (18) federal law enforcement agencies, including the IRS-CI and Secret Service, and did so by email. The GAO noted that “IRS-CI officials told us they did not respond because a liaison responsible for handling the request left the agency” and “Secret Service officials told us they were not aware of any request for information from DOJ for its report.”
“I never got an email” or “if you sent an email it must have ended up in my junk folder” shouldn’t be acceptable excuses. Not getting a response from federal agencies to questions mandated by statute should have prompted MLARs to reach out to those agencies by other means.
Another interesting side note: this isn’t the first time the GAO has looked at this issue. In a report issued on June 11, 1986 (yes, 1986), the GAO recommended that Treasury should “obtain information from law enforcement agencies which would identify cases when the BSA and/or its data is used in criminal investigations and prosecutions.”
Thirty-eight years later, and the private sector is still looking to obtain information from law enforcement agencies.
The DOJ is responsible for the reporting requirements in section 6201. Is it stepping up to get the needed information from the law enforcement agencies?
Apparently not. It seems that the DOJ doesn’t think it is their responsibility to provide the information they are responsible for reporting. As the GAO found: “MLARS officials stated they do not plan to coordinate with individual agencies to improve or expand the data available for future annual reports because they do not see this as the office’s role. Officials added that the office did not have the resources or expertise for such coordination or to develop new data infrastructure such as case tracking systems. Officials noted that they do not plan to make recommendations to other agencies on the tracking of BSA-related information because, in their view, doing so is not part of DOJ’s responsibilities generally or as provided in section 6201. They stated that in MLARS’s view, how an agency tracks or analyzes its use of BSA reports is the prerogative of that agency and subject to that agency’s operational needs.”
But the DOJ has a plan!
Something called the Foundations for Evidence-Based Policymaking Act of 2018 requires federal agencies to develop data strategies to improve their data systems and collect additional information that can be used as evidence by policy makers.
In response to that Act, since 2019 (before the AML Act), and according to the GAO report, “DOJ has been implementing a comprehensive Data Strategy to improve its data collection, data infrastructure, and evidence-based policy making” with a goal “to optimize the impact of information and related IT investments on its mission and promote transparency and accountability” by building “capabilities for data management [and] information sharing”, among other things.
That sounds promising, and seems like the best way to obtain the required BSA-related data. But – and this is a big but – “DOJ has not included data on the use of BSA reports in its ongoing efforts to improve data collection”. The GAO noted that “DOJ officials cited three primary reasons that they excluded data on the use of BSA reports from their efforts to improve data collection”. The GAO debunked all three reasons, even noting “MLARS did not use a rigorous methodology to develop the DOJ report … they did not prepare evaluation design, planning, or methodological documents detailing an approach for report development … [and] … did not plan for following up with agencies that did not respond to initial email requests … [and] … they did not identify steps for getting additional information from those agencies in the future.” The GAO ended with a reminder for, if not a scolding of, the DOJ:
“Incorporating data on the use of BSA reports into its ongoing efforts to improve data collection would give DOJ an opportunity to examine how component agencies’ data systems might allow users of BSA reports to track their use. This would help DOJ comply with the NDAA requirement to provide summary statistics on use of BSA reporting, which in turn would enhance FinCEN’s ability to provide feedback to financial institutions on their reports’ usefulness.” (page 19).
All in all, if the GAO was a regulator, and the DOJ a financial institution, it’s not a stretch to conclude that the result of the report would not simply have been a couple of recommendations, but a Cease & Desist Order and appointment of a monitor.
Congress – or at least a Congressman – isn’t pleased with the DOJ’s efforts to satisfy its AML Act reporting obligations
On February 1, 2023 Representative Blaine Luetkemeyer (R. MO), Chair of the National Security, Illicit Finance, and International Financial Institutions Subcommittee of the House Financial Services Committee, wrote a letter to Attorney General Merrick Garland regarding section 6201 and the required report from the DOJ to Treasury on the usefulness of BSA data. Rep Luetkemeyer wrote, “Congress included Section 6201 to provide greater transparency regarding the usefulness of BSA data filed with the Financial Crimes Enforcement Network (“FinCEN”) from financial institutions.”
Representative Luetkemeyer went directly to the point. He wrote:
“The DOJ’s disregard for section 6201 has cemented a lack of transparency into the usefulness of the reported data. If DOJ is unable to state the usefulness of BSA reported date, it begs the question if the burdensome reporting is worthwhile. This inaction plays into the hands of criminals using our financial system by preventing FinCEN and Congress from determining the effectiveness of the U.S. anti-money laundering regime.”
Representative Luetkemeyer ended his letter by asking the Attorney General for answers to six questions, including:
“Why did you fail to provide the information outlined in Section 6201 to FinCEN?”
“Does the DOJ currently plan on completing the requirements of section 6021? If not, why not?”
“Who is the highest-level staffer within the DOJ involved in the preparation of the report to Treasury regarding BSA use data?”
I haven’t been able to confirm whether the DOJ responded to the Congressman’s requests.
But why was Congress compelled to impose reporting obligations on the Department of Justice?
For years financial institutions have been clamoring for more feedback on which of its BSA reports – primarily Suspicious Activity Reports – provide actionable information for law enforcement and, as important, why. Law enforcement agencies and FinCEN have responded with some vague statistics or general statements, but there has never been a concerted effort to get specific feedback. As the letter noted: “Determining the effectiveness of this data is critical to ensure financial institutions are providing FinCEN with the most relevant data to certify bad actors are not using our financial services industry to fund illicit activities.”
I have been writing about this issue, and offering solutions, for years. For example, in an article I published on November 21, 2019 titled “Like Sam Loves Free Fried Chicken, Law Enforcement Loves “Free” Suspicious Activity Reports“ I wrote about a young boy from Buffalo, New York who stood in line in the snow and cold to get a year’s worth of free fried chicken.
He did it because he loved fried chicken, particularly free fried chicken (you’ve got to watch the YouTube video of young Sam and his explanation). I compared that young boy and his love of free fried chicken to law enforcement’s love of free Suspicious Activity Reports, or SARs.
In the United States, over 30,000 private sector financial institutions – from banks to credit unions, to money transmitters and check cashers, to casinos and insurance companies, to broker dealers and investment advisers – file more than 3,600,000 SARs every year. And it costs those financial institutions billions of dollars to have the programs, policies, procedures, processes, technology, and people to onboard and risk-rate customers, to monitor for and identify unusual activity, to investigate that unusual activity to determine if it is suspicious, and, if it is, to file a SAR with FinCEN. From there, about 13,000 of the roughly 18,000 federal, state, tribal, and local law enforcement agencies across the country can access those SARs and use them in their investigations into possible tax, criminal, or other investigations or proceedings. To law enforcement, those SARs are, essentially, free. And like Sam loves free fried chicken, law enforcement loves free SARs. Who wouldn’t?
My article continued —
But should those private sector SARs, that cost billions of dollars to produce, be “free” to public sector law enforcement agencies? Put another way, should the public sector law enforcement agency consumers of SARs need to provide something in return to the private sector producers of SARs?
I say they should. And here’s what I propose: that in return for the privilege of accessing and using private sector SARs, law enforcement shouldn’t have to pay for that privilege with money, but with effort. The public sector consumers of SARs should let the private sector producers know which of those SARs provide tactical or strategic value.
A 2022 Mid-Size Bank Coalition of America (MBCA) survey found the average MBCA bank (and there are about 50 of them in the Coalition) had about 9.6 million transactions/month being monitored, resulting in about 4,000 alerts/month (0.04% of transactions alerted), resulting in 350 cases being opened (9% of alerts became a case), resulting in just over 100 SARs being filed (30% of cases or 3% of alerts). The survey included narratives on the alert-to-SAR ratio and the case-to-SAR ratio, and on what the industry refers to as the “false positive rate” – in this case a rate of 97 percent because only 3 percent of alerts end up being reporting in a filed SAR. And financial institutions are focused on improving their false positive rate to be more efficient and, somehow, more effective.
But the survey ended with SARs filed. The survey didn’t ask whether any of those SARs were of interest or useful to law enforcement.
I argue that the Alert/SAR and even Case/SAR ratios are all of interest, but tracking anything to SARs filed in the financial industry is like a car manufacturer tracking how many cars it builds but not how many cars it sells, and which cars, and who they’re selling them to, why those buyers like those cars or how well those cars perform, how long they last, and how popular they are. And it’s only that end-consumer data and performance data that allows the manufacturers to tune their assembly lines, streamline their supply chains, and become more efficient and more profitable.
Yet financial institutions don’t know which of their products is being purchased, or which of their SARs are being used, by which law enforcement agencies, and why. Just like the automobile industry measuring how many cars are purchased, by which consumers, and why, the better measure for AML programs is “SARs purchased”, or SARs that provide value to law enforcement.
Without that information, most of the time and treasure expended on machine learning and artificial intelligence to transform anti-money laundering programs is being thrown away. That’s not stopping the machine learning and artificial intelligence proponents from convincing banks that they can disrupt and revolutionize the current “broken” AML regime’s AML alert generation and disposition and reduce the false positive rate. The result, if we believe the ML/AI community, is a massive reduction in the number of AML analysts that are churning through the hundreds and thousands of alerts, looking for the very few that are “true positives” worthy of being labelled “suspicious” and reported to the government. But the fundamental problem that every one of those ML/AI systems has is that they are using the wrong data to train their algorithms and “teach” their machines: they are looking at the SARs that are filed, not the SARs that have tactical or strategic value to law enforcement.
The feedback solution: Tactical or Strategic Value Suspicious Activity Reports, or TSV SARs
The best measure of an effective and efficient financial crimes program is how well it is providing timely, effective intelligence to law enforcement. And the best measure of that is whether the SARs that are being filed are providing tactical or strategic value to law enforcement. How do you determine whether a SAR provides value to law enforcement? One way would be to ask law enforcement, and hope you get an answer. That could prove to be difficult. Can you somehow measure law enforcement interest in a SAR? Many banks do that by tracking grand jury subpoenas received to prior SAR suspects, law enforcement requests for supporting documentation, and other formal and informal requests for SARs and SAR-related information. As I write above, an Alert-to-SAR rate may not be a good measure of whether an alert is, in fact, “positive”. What may be relevant is an Alert-to-TSV SAR rate.
A TSV SAR is one that has either tactical value – it was used in a particular case – or strategic value – it contributed to understanding a typology or trend. And some SARs can have both tactical and strategic value. That value is determined by law enforcement indicating, within seven years of the filing of the SAR (more on that later), that the SAR provided tactical (it led to or supported a particular case) or strategic (it contributed to or confirmed a typology) value. That law enforcement response or feedback is provided to FinCEN through the same BSA Database interfaces that exist today – obviously, some coding and training will need to be done (for how FinCEN does it, see below). If the filing financial institution does not receive a TSV SAR response or feedback from law enforcement or FinCEN within seven years of filing a SAR, it can conclude that the SAR had no tactical or strategic value to law enforcement or FinCEN, and may factor that into decisions whether to change or maintain the underlying alerting methodology. Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement. And when FinCEN shares that information across the industry, others could also reduce their false positive rates.
FinCEN’s attempts at SAR-related feedback
FinCEN is working to provide more feedback to the private sector producers of BSA reports. As former FinCEN Director Ken Blanco stated at a November 2019 conference:
“Earlier this year, FinCEN began the BSA Value Project, a study and analysis of the value of the BSA information we receive. We are working to provide comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information in order to make it more effective and its collection more efficient. We already know that BSA data plays a critical role in keeping our country strong, our financial system secure, and our families safe from harm — that is clear. But FinCEN is using the BSA Value Project to improve how we communicate the way BSA information is valued and used, and to develop metrics to track and measure the value of its use on an ongoing basis.”
FinCEN receives every SAR. Indeed, FinCEN receives a number of different BSA-related reporting: SARs, CTRs, CMIRs, and Form 8300s. It’s a daunting amount of information. As FinCEN Director Ken Blanco noted in the same speech:
FinCEN’s BSA database includes nearly 300 million records — 55,000 new documents are added each day. The reporting contributes critical information that is routinely analyzed, resulting in the identification of suspected criminal and terrorist activity and the initiation of investigations.
Former Director Blanco continued:
“FinCEN grants more than 12,000 agents, analysts, and investigative personnel from over 350 unique federal, state, and local agencies across the United States with direct access to this critical reporting by financial institutions. There are approximately 30,000 searches of the BSA data taking place each day. Further, there are more than 100 Suspicious Activity Report (SAR) review teams and financial crimes task forces across the country, which bring together prosecutors and investigators from different agencies to review BSA reports. Collectively, these teams reviewed approximately 60% of all SARs filed.”
“Each day, law enforcement, FinCEN, regulators, and others are querying this data: 7.4 million queries per year on average. Those queries identify an average of 18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities, among many, many other uses that protect our nation from harm, help deter crime, and save lives.”
This doesn’t tell us how many of those 55,000 daily reports are SARs, but we do know that in 2022 (the last full year of available SAR data) there were just over 3.6 million SARs filed, or about 10,00 per day. And it appears that FinCEN knows which law enforcement agencies access which SARs, and when. And we now know that there are “18.2 million filings that are responsive or useful to ongoing investigations, examinations, victim identification, analysis and network development, sanctions development, and U.S. national security activities” every year. But which filings?
The law enforcement agencies should know which SARs provide tactical or strategic value, or both. If law enforcement finds value in a SAR, it should acknowledge that, and provide that information back to FinCEN. FinCEN, in turn, could provide an annual report to every financial institution that filed, say, more than 250 SARs a year (that’s one every business day, and is more than three times the number filed by the average bank or credit union). That report would be a simple relational database indicating which SARs had either or both tactical or strategic value. SAR filers would then be able to use that information to actually train or tune their monitoring and surveillance systems, and even eliminate those alert types that weren’t providing any value to law enforcement.
Why give law enforcement seven years to respond? Criminal cases take years to develop. And sometimes a case may not even be opened for years, and a SAR filing may trigger an investigation. And sometimes a case is developed and the law enforcement agency searches the SAR database and finds SARs that were filed five, six, seven or more years earlier. Between record retention rules and practical value, seven years seems reasonable.
Sed quis custodiet ipsos custodes – But who will guard the guards themselves?
Nothing lands a financial institution into regulatory and legal hot water faster than failing to meet its reporting obligations under anti-money laundering (AML) laws and regulations. Cease & Desist orders, independent monitors, look-backs, and massive fines are the rule when a bank fails to satisfy its reporting obligations.
But what happens if a federal agency fails to meet its reporting obligations under AML laws? Not much, it seems. The Department of Justice gives us a good example: if the DOJ was a financial institution, its years-long unwillingness or inability to meet its statutory obligations would likely result in a Cease & Desist Order and make it subject to a monitor’s supervision.
Law enforcement agencies have tremendous responsibilities and obligations, and their resources and budgets are stretched to the breaking point. Adding another obligation – to provide feedback to the banks, credit unions, and other private sector institutions that provide them with reports of suspicious activity – may not be feasible. But the upside of that feedback – that law enforcement may get fewer, but better, reports, and the private sector institutions can focus more on human trafficking, human smuggling, and terrorist financing and less on identifying and reporting activity that isn’t of interest to law enforcement – may far exceed the downside.
Besides, Congress has said that the public sector consumers of BSA reports owe the private sector producers of BSA reports more actionable statistics, metrics, and other information on the use and utility of those reports. It’s the law. Congress has tools available to compel executive branch agencies to do their jobs (and obey the law): those tools are summarized nicely in a Congressional Research Service report. As Juvenal suggested, circa 100 AD, we need someone to guard the guards themselves … and that someone is Congress.
Post Script: The three people who read my February 21, 2023 blog post “The Justice Department Isn’t Obeying the New AML Law – Now What?“ might recognize much of that blog post in this January 2024 post. Stay tuned for 2025: I don’t have much hope that anything will change between now and then.