The FinCEN Files: What the leak means for bankers

The recent leak of more than 2,000 FinCEN Suspicious Activity Reports (SARs), now commonly dubbed “The FinCEN Files,” has left bankers across the country with many questions. How will this impact my institution? What, if anything, should I be doing differently? Should I de-risk highly risky people or businesses? What will industry fallout look like?

Many of these answers will depend on a bank’s existing Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) program, and the holes that may need to be filled. Now is the time to conduct an internal audit reviewing BSA/AML, SARs procedures, and what has been reported.

First, bankers should confirm that they have sufficient staff and resources necessary to manage their BSA/AML programs. It can be difficult to justify adding employees to BSA units because they don’t generate revenue, but it’s imperative to have the proper investment and expertise. As demonstrated by The FinCEN Files, if a BSA/AML program isn’t appropriately managed and executed, the result can be devastating to a bank’s reputation.

BSA/AML systems should also be closely evaluated. Technology should provide transparency within the unit – full visibility into the detection models being run, as well as all cases created and SARs submitted. There should also be buy-in across the institution. Successful compliance programs are supported from the top down and ingrained throughout a bank’s culture.

Determining if extra filings are needed

Bankers are also asking if a review of past SARs and additional defensive filings might be necessary in the wake of The FinCEN Files. The answer comes down to the strength of the processes and procedures in place. If a bank’s program is already sound, there is likely no need to go back. However, if there are gaps or any concerns, a SARs review should be considered. Ask the following questions as a good starting point:

  • What do your detection models look like?
  • Do you have all data sources feeding into your models?
  • Do you have the necessary staff to look through the alerts in detail?
  • What processes do you have in place to start investigations?
  • Who handles those investigations, and how in-depth are they?
  • Do you have a quality review process for your investigations?
  • Were all investigations brought to your SAR committee for filing review?
  • Did you file those SARs that the committee approved?

Work through this checklist and immediately close any identified gaps. Re-run alerts with fresh data, review new alerts and cases, and file new SARs if necessary. The gaps closed during this exercise will only strengthen the bank’s BSA/AML program going forward. And don’t forget to document the progress for future BSA examinations.

De-risking consumers or businesses

Another natural question bankers ask is if they should de-risk their high-risk customers, or terminate their relationships with these individuals or businesses.

In 2014, FinCEN’s then-director Jennifer Shasky Calvery issued a statement around de-risking, suggesting that the practice would force criminals to go underground with their finances and prevent official authorities from gaining necessary insights into their investigations. These sentiments were reiterated in June 2020 by deputy director Jamal El-Hindi.

FinCEN’s stance on de-risking is clear: It’s ultimately up to each individual institution. A best practice is to avoid de-risking an entire class, but rather to approach decisions on a case-by-case basis. If services have been successfully provided to high-risk customers, with a sound program around tracking in place, there is likely no need to make changes.

Looking ahead to potential changes

While no one can predict the future, some regulatory trends can be anticipated based on the past. Several reports suggest the FinCEN leaks were likely internal – if true, FinCEN is likely to work on further restricting access to data to prevent something similar from recurring.

FinCEN is expected to continue closely monitoring the data from institutions. Major changes are unlikely unless it notices institutions either curtailing their filings or reducing the level of detail in their narratives.

Banks with strong BSA/AML processes, procedures and staff in place have little to worry about when it comes to The FinCEN Files. But institutions with reservations or doubts about their BSA/AML capabilities should take this event as a wake-up call to reassess their current programs and start closing any gaps. Not only will this provide protection against current risks, but it can also boost a bank’s overall compliance posture.

Rene Perez is a financial crimes consultant at Jack Henry & Associates.
