SARS Epidemic

No, Gonzo followers, this is not another boring narrative about that respiratory illness outbreak in China back in 2003.  When bankers see S-A-R-s, only one thing comes to mind…those Bank Secrecy Act filings we all love so much, Suspicious Activity Reports.  You know those detailed reports that you’re required to file with the Financial Crimes Enforcement Network (FinCEN) and never hear about again. 

A consistent message I’m hearing from BSA officers and bank executives across the country is that BSA compliance is taking a much larger pool of resources than in the past.  The culprit:  increased regulatory requirements, including the push for more sophisticated risk-based analysis and a rise in SAR filings.  In three words: USA PATRIOT Act. 

Let’s face it, the pre-Patriot Act days of simply tracking single suspicious transactions are over as more sophisticated risk-based analysis in the back-office is required.  Yeah, the branches complained about the extra paperwork but reluctantly completed required currency transaction reports and a limited number of SARs to satisfy audit.  Now, the world is much different and branches aren’t the only ones complaining.

The Law

Before the Patriot Act

• BSA of 1970 – required banks to file CTRs on single cash transactions in excess of $10,000
• April 1996 – required banks to file SARs to FinCEN reporting known or suspected criminal offenses or a transaction that a bank suspects involves money laundering or violates the BSA
• Focus on drug trafficking

After the Patriot Act

• Title III expanded the scope of BSA to focus on terrorist financing
• Section 313/319 restricts business dealings with foreign banks
• Section 314 requires banks to share confidential information with federal agencies investigating terrorist activity or money laundering
• Effective Oct. 1, 2003, Section 326 requires financial institutions to develop a customer identification program.   This includes the verification of the identity of the customer (name, DOB, address, SSN) as well as determining whether the customer appears on the Office of Foreign Assets Control (OFAC) list.
• Section 327 establishes a review of an institution’s Anti-Money Laundering record in approving mergers, acquisitions or other activity under the Bank Holding Company Act or Federal Deposit Insurance Act
• Sections 365 requires businesses to file CTRs for large cash transactions
• Added requirements for casinos, money services businesses and registered broker/dealers to file SARs and CTRs 
• Establishment of internal controls including an appointed BSA officer and board responsibility

There’s no doubt the Patriot Act has become a catalyst for more stringent BSA/AML compliance.  The latest rules involving tighter audit control requiring transaction testing and risk assessments of customers, products, geographic locations and services are weighing on banks nationwide.  Most banks now have a significant portion of their risk management staff focused entirely on BSA compliance.  SARs filings are at record numbers, and the regulators don’t seem to be keeping up. 

Take a look at the correlation between the number of SAR filings and the dollar amount of fines handed out over the past few years.  Banks are so intimidated by the regulators that they are filing an unprecedented number of SARs just to play it safe.   According to a 2005 report issued by the U.S. Treasury Department’s Office of Inspector General, 62% of all SARs sampled had data quality problems, citing the narrative sections of the SAR as “inadequate to convey necessary information.”

Source:  FinCEN: The SAR Activity Review, May 2006

The growth in filings is staggering: up 37% from 2004 to 2005.  Think about it, in 10 years filings have skyrocketed by over 700%!  One of the reasons we’re seeing the steady increase in filings is related to the flat dollar thresholds that were set over 10 years ago, which remain unadjusted.  More importantly, a crackdown on compliance is generating a record number of SARs as banks adopt a defensive strategy with the regulators. 

These reports are filed with FinCEN, which collects, analyzes and shares the data with other governmental agencies to catch the bad guys.  This is how it’s supposed to work, anyway.  The challenge is that the crackdown on BSA compliance has created a large flow of data that has overloaded FinCEN.  The latest push requiring reporting of international transactions will create even more data.  Unfortunately, it doesn’t look like FinCEN is ready the deal with it. 

If you have a few hours of time to kill and a fifth of Jack Daniels, give the following  article from the OIG a read: Terrorist Financing/Money Laundering: FinCEN Has Taken Steps to Better Analyze Bank Secrecy Act Data But Challenges Remain. In summary, the OIG states that the FinCEN database needs to be replaced due to inaccurate and incomplete data. Oh yeah… and the latest coming out of Washington is that the data is not secure.  That’s just what you wanted to hear after spending hundreds of thousands of dollars securing your customers’ identities over the last few years, eh? 

Given all these uncertainties, I thought a look at FinCEN’s strategic plan would shed some light.  One of the initiatives is designed to shift efforts from routine data retrieval (reactive) into complex data mining (proactive) to meet the requirements of the Patriot Act.  I’ve gotta say, the results out of FinCEN on these efforts are a little disheartening.  According to the OIG report, FinCEN’s proactive cases grew from 6% to a whopping 10% from 2003 to 2005.  A closer look at the footnotes revealed that the validity of this data cannot be trusted due to unreliable information in the FinCEN database. 

It’s not all bad, though.  FinCEN is working on initiatives like “BSA Direct” to ease the burden of the paperwork on both sides of the street, allowing for electronic filing of SARs and CTRs.  Great!  But wait…due to existing database and security issues and pressure from OIG, BSA Direct initiatives have been put on hold.  As a side note, this project is being headed by our old friends at EDS, who seem to be failing to meet major milestones. 

Other initiatives including exemption list legislation have also been reviewed to ease some of this pain.  As a result of Hurricane Katrina, the House passed the Seasoned Customer CTR Exemption Act of 2006 through committee to help banks in affected areas.  This unfortunately is only a temporary fix, and opposition by law enforcement (namely the FBI) will in all likelihood put the kibosh on any of these temporary measures.

Regulators want banks to follow these stringent requirements but aren’t themselves held accountable.  This April, the U.S. Government Accountability Office published a report to the Senate Committee on Banking, Housing and Urban Affairs that specifically deals with Congressional concerns over regulators’ oversight of BSA compliance, specifically FinCEN.  These hundred page reports prove one thing: something’s wrong with the system.  Call me a cynic, but why weren’t these regulatory issues resolved before requiring banks to spend millions of dollars on compliance? 

Protecting the public from terrorism and other hazards should be a top priority, and I’m sure the intent of tighter compliance was not to put banks out of business by overloading them with hundreds of emails and thousands of pages of manuals to review. The concern I hear in banks today is that the extra compliance is not producing any meaningful results.

One thing is for sure… this stuff isn’t going away.  In the near future, tighter compliance will exist on the content of SAR filings and details related to the narrative section.  Also, policies will be put into place to discourage defensive over-filing that has created data overload for FinCEN.  There will be a complete revamping of the FinCEN database including new ways to store, mine and communicate data.  The good news is that regulators understand and admit there are problems and are working to resolve them. 

When? No one knows!   
-ew