The Suspicious Activity Reports (SARs) that banks submit to overseers such as FinCEN, as part of their AML requirements, often contain information and financial intelligence that can jeopardize the safety and well-being of an organization or individual. If a SAR falls into the wrong hands, as with the recent FinCEN Files leak, the ramifications can be dangerous.
FinCEN’s recent loss of data could have catastrophic consequences, yet very few people are focusing on the mechanics of the breach – rather, instead, the resultant leaks. If this data breach had been derived from the private sector, government reprisals would have been swift and severe. Those disclosing SARs need to be confident that, when filing them, their data will remain confidential. If not, then they need to have the right to a remedy against FinCEN.
The FinCEN Files contain the names of fraudsters, terrorists, and those suspected of organized crime links. But not all of the information passed to FinCEN outlines criminality, merely that the source has considered it to be suspicious. Many SARs are defensive reports, and as such, this overly cautious approach will often see ordinary people and their businesses feature in disclosures.
Banks are required to file SARs with the U.S. government within 30 or 60 days of learning of a questionable transaction. A reporting bank is effectively permitted by law to breach client confidentiality when passing on information to an AML regulator, so what of the poor customers who inadvertently find themselves contained within a government data breach? Could they consider this to be a case of defamation?
The FinCEN leak appears to be focused on correspondent banking. One of the questions we need to be asking is why the perpetrators targeted this particular element of the SARs system. Is there an underlying rationale? Correspondent banks can pose a hot zone of risk for money center banks, but there again, so do many other areas. There are around 500,000 SARs reported to FinCEN every year. The leak relates to just over 2,000 SARs going back over some time. Why has the “leak” been so selective?
The mainstream media appears to be obsessed with bad news regarding financial institutions and blinkered when it comes to the criminality giving rise to a leak. If this were a whistleblower leak, then our attitude would possibly change. I place great store in whistleblowing as the ultimate deterrent to those who would take advantage of our financial systems. But the recent ICIJ-reported FinCEN leak does not appear to fall into this category.
Ultimately, the press will have their day. But confidential information should not be taken, leaked, or disseminated in a lawless fashion. We must respect the rule of law and the dignity of all persons. For dignity is inextricably linked to privacy.
The State (or others) should only be able to poke around inside our bedrooms or bank accounts based on a reasonable suspicion of wrongdoing. And whatever the incentive, I hope for the leaker’s peace of mind that no harm comes to those who feature in the leak.
With thanks to Tony McClements, Senior Investigator at Martin Kenney & Co, for his assistance with this post. He served for 33 years with UK police forces and has specialized in Fraud & Financial Investigation since 1998. He is also a lecturer in these subjects at the University of Central Lancashire (UCLAN).