FinCEN files leak: a look at what's to come

With the leak of thousands of suspicious activity reports (SARs) filed by financial institutions with the US Treasury’s Financial Crime Enforcement Network (FinCEN) causing shockwaves across markets, we take a look at some of the issues financial institutions and regulators will be considering going forward.

The FinCEN files are a cache of about 2,100 SARs (and other US Treasury documents) filed by nearly 90 different financial institutions reporting suspicions involving transactions which took place between 1999 and 2017. The majority of those leaked (85%) were filed by some of the world’s largest financial institutions.

While SARs are not evidence of any criminal wrongdoing, they are crucial to law enforcement for pursuing lines of inquiry or investigation. Although emanating from the US, the leak is likely to have global repercussions, including in the UK.

Confidentiality and trust

A crucial element for any SARs regime is confidentiality. In the UK, those making a SAR are prohibited from disclosing the content or even the fact of a SAR to its subject by laws against ‘tipping off’ and ‘prejudicing an investigation’ under the Proceeds of Crime Act 2002. Similarly, it is a federal crime in the US to make an unauthorised disclosure of a SAR, with FinCEN asserting that to do so “undermines the very purpose for which the suspicious activity reporting system was created - the protection of our financial system through the prevention, detection, and prosecution of financial crimes and terrorist financing”.

The UK’s National Crime Agency has echoed this sentiment in a statement following the FinCEN files leak:

“Money laundering fuels and enables crime, and the SARs system is a key tool in the fight against it, in the UK, in the US and worldwide. The unauthorised disclosure of such information risks undermining that system and compromising law enforcement investigations, and is deeply irresponsible. We will not be commenting on individual investigations.”

Confidentiality is fundamental to the trust placed in global AML systems and agencies by those who submit SARs. It is important that those making reports are confident that their identities will not be revealed and that the subjects of SARs are not tipped off and do not have their reputations unduly tarnished before adequate investigation.

While it should be noted that the SARs leaked only represent 0.02% of all SARs filed with FinCEN in the period they cover, a system founded on trust and confidentiality, and which relies on cooperation between regulators and financial institutions, may well be negatively affected, at least in the short term, particularly where increased intelligence sharing is an area for development. Although the leak affected a US regulator, this may raise concerns about the security of disclosures to other regulators worldwide. In the UK, with intelligence sharing being a key focus of the UK Government’s Economic Crime Plan 2019 – 2022, the plan’s express aim to maintain the confidentiality of the SARs regime will be central to achieving the “ambitious programme to transform the UK’s SARs regime”.

Conversely, the position taken by the International Consortium of Investigative Journalists (ICIJ) contends that while combating financial crime is indeed the aim of the US SARs regime, and that FinCEN forwards SARs onto the FBI and other agencies for fuller investigation, there is a gap between the aim and the outcome – and there is a strong public interest in identifying this.

For financial institutions, the leak raises reputational concerns, questions over the effectiveness of their policies and procedures (notwithstanding that at first blush the leak shows the banks doing what is required and making SARs) and may result in them having to navigate a potentially more zealous regulatory/enforcement environment in response to public pressure going forward.

There is also the very real risk that the leak may prompt investigations outside the US by authorities in jurisdictions where no SAR may have been filed by the relevant financial institution. The UK Serious Fraud Office has confirmed that it is monitoring the leak’s fall out and working with the National Economic Crime Centre (NECC) to determine if any action is required. This may yet become a significant consequence given that banks, whether represented in the FinCEN files or not, will be considering whether they should submit retrospective SARs in the US, UK or other jurisdictions, upon revisiting prior transactions or client relationships mentioned in the leak.

The ICIJ points to transactions executed after suspicions were raised, others carried out without knowing the identities of the natural persons with significant control of the client company (ultimate beneficial owners (UBOs)) and also the time taken by banks to file SARs after transactions. The reputational and, possibly, legal challenge for financial institutions is that, taken together, these factors undermine their intended role as the first line of defence against money laundering and other financial crimes.

David Lewis, the Executive Secretary of the Financial Action Task Force, noted in an interview in May 2020 regarding the quality of national AML regimes that “everyone is doing badly, but some are doing less badly than others”. Therefore, the solution, according to the ICIJ, lies with both authorities and financial institutions.

Looking forward

The leak must be placed in the context of countries seeking to tighten AML regulations. In the US, shortly after the Panama Papers leak in 2016, FinCEN issued its Customer Due Diligence Final Rule which required financial institutions to identify and verify UBOs. In October 2019, the US House of Representatives approved the Corporate Transparency Bill, which would require relevant entities to provide their UBO information to FinCEN. While the President’s administration has expressed support for the bill, it has also said that further steps must be taken to improve it such as “aligning the definition of “beneficial owner” to [FinCEN’s] Customer Due Diligence Final Rule, protecting small businesses from unduly burdensome disclosure requirements, and providing for adequate access controls [to the information gathered]”. While this bill seems to have stalled, particularly due to the pandemic, FinCEN appears to have acted in a bid to pre-emptively address some of the issues that it anticipated would be brought to light by the FinCEN files. On 15 September 2020, FinCEN released a Final Rule tightening and expanding requirements on AML, customer identification and UBO identification programs.

In recent years, the EU has mandated the creation/expansion of UBO registers under the Fourth Money Laundering Directive. Again, following the Panama Papers leak, there has been a renewed focus on transparency, with the EU’s subsequent Fifth Money Laundering Directive further extending the public’s access to such registers. The UK’s own register, the ‘Persons with Significant Control’ regime, has undergone similar changes to its scope and accessibility. Moreover, the UK Government has sought to implement similar registers in its Overseas Territories under the Sanctions and Money Laundering Act 2018 over the coming years. The Law Commission has reviewed and made recommendations to improve the UK’s SARs regime including the quality of SARs so that they are of greater use to law enforcement. The UK Government has committed to making a number of improvements in its Economic Crime Plan 2019 – 2022. British companies appear in the FinCEN files more than those from any other country. With one of the leaked US Treasury documents referring to the UK as a “higher-risk jurisdiction”, the UK Government, as well as UK-based financial institutions, will be keen to ensure that this perception does not persist.