Second in a Two-Part Series on the Utility of BSA Filings

In this post, we will once again consider the issue of the utility of Bank Secrecy Act (BSA) filings to the global anti-money laundering/countering the financing of terrorism (AML/CFT) compliance regime. 

In our first blog post in this series, we invited Don Fort, a former Chief of the Internal Revenue Service’s Criminal Investigation (CI) Division, to answer questions on utility of BSA filings from the perspective of law enforcement.  Here, we will discuss two recent publications by industry groups:  one by the Bank Policy Institute, the Financial Technology Association, the Independent Community Bankers of America, the American Gaming Association, and the Securities Industry and Financial Markets Association (collectively, the Associations), and another by the Wolfsberg Group, which is an association of 12 global banks which aims to develop frameworks and guidance for the management of financial crime risks.

The Associations respond to an estimate by the Financial Crime Enforcement Network (FinCEN) concerning the time required to complete a Suspicious Activity Report (SAR).  The Associations’ observations on SAR filing compliance costs are targeted and precise and serve as a good segue into the broader critiques and recommendations made by the Wolfsberg Group regarding overall AML/CFT reporting and how it might be more effective.

The Associations

In May 2024, FinCEN published a notice of information collection and request for comment (Renewal Notice) on its proposed decision to renew the SAR form as well as the Currency Transaction Report (CTR) without any changes. The Renewal Notice provides the agency’s estimates on the time to complete each type of report, the number of annual total reports (in hours), and the total annual burden (in hours).  As usual, the estimate was optimistic.

With respect to SARs, FinCEN estimates that it takes a filer about 1.98 hours to complete one report. The Renewal Notice does not provide details as to how FinCEN calculated the time expenditure estimates, nor does it explain its decision not make any changes. Furthermore, FinCEN’s estimate per report does not take into consideration the different types of SAR filers.

The Associations filed a joint comment (the Comment). The Comment focused on a singular, targeted concern:  that FinCEN’s estimate of 1.98 hours per SAR “substantially underestimates the amount of time required to thoroughly undergo the reviews and processes required” to file a SAR.  The Comment requests that FinCEN “expeditiously” determine “an accurate burden estimate” (not a “more accurate” estimate).  In the Associations’ view, this “will facilitate a more efficient use of the limited resources of both the government and SAR filers, and help financial institutions allocate the appropriate resources to adequately fulfil the regulatory requirement.”

The Associations’ main reason for critiquing FinCEN’s estimate shortfall is that the agency did not recognize and adapt its estimate for the full complexity involved in filing a SAR:

An institution’s process is not just the mechanical process of generating, submitting, and storing the SAR. This process includes the time dedicated to investigating the underlying reason for filing a SAR, obtaining and reviewing supporting documentation, conducting a second review, obtaining necessary approvals, documenting the investigation and decision process, and overseeing the process of filing a SAR.

The Comment observes that a burden estimate must account for each of the steps that a BSA filer must undertake to comply with SAR requirements. Although the Comment acknowledges that FinCEN has made efforts to improve its time estimates, the agency’s methodology to estimate the time burden still fails to account for all steps – including the crucial steps of reviewing transaction monitoring alerts and transforming alerts into investigatory cases which made lead to filed SARs. Filers of SARs will appreciate the observation that filing a SAR involves more than simply completing the report and “hitting send” – rather, it can involve a laborious and careful internal review of available records, follow-up with the customer, and many more steps.

The Comment notes that in February 2024, FinCEN published another notice and request for comment putting forth its SAR burden estimate.  To respond, the Bank Policy Institute conducted a survey and informed FinCEN in April 2024 that the survey indicated that completing a SAR took 21.41 hours on average – ten times as much as the agency’s estimate.  Ultimately, of course, the time to complete a particular SAR will depend on the particular financial institution, the level of sophistication of its systems and employees, and the complexity of the potentially suspicious activity under review.

The Wolfsberg Group

The Wolfsberg Group’s lengthier “Statement on Effective Monitoring for Suspicious Activity” (Statement) suggests areas of improvement regarding how financial institutions (FIs) can develop a more effective and efficient system to monitor for suspicious activity.  At the core of the Wolfsberg Group’s recommendations is the notion that FIs should move “towards a true risk-based approach (RBA)” and so focus less on strict compliance with rules and more on generating higher-quality filings leads for law enforcement to use in its efforts to thwart financial crime. 

The Wolfsberg Group “does not believe that the value being derived from the (constantly increasing) volume of SARs/STRs [i.e., Suspicious Transaction Reports] is contributing proportionately to effective outcomes in the fight against financial crime.”

The Wolsberg Group’s recommendations rest on three core elements of assessing a FI’s compliance subsystem:

1. Compliance with AML/CFT laws and regulations;
2. Provision of “highly useful information to relevant government agencies” for certain priority enforcement areas; and
3. Establishment of a “reasonable and risk-based set of controls to mitigate the risk of an FI being used to facilitate illicit activity.”

The Statement’s recommendations are summarized, at a high level, as follows.

Targeting and Measuring Effectiveness and Outputs

The Wolfsberg Group critiques the current effort by FIs to ensure technical compliance by including onerous processes such as updating an ever-creasing red flag scheme and “[e]nsuring that no historical SAR/STR is ‘left behind,’ which results in ineffective and over-alerting monitoring programmes.”

The Wolfsberg Group critiques the current effort by FIs to ensure technical compliance by including onerous processes such as updating an ever-creasing red flag scheme and “[e]nsuring that no historical SAR/STR is ‘left behind,’ which results in ineffective and over-alerting monitoring programmes.”

This approach has resulted in a substantial increase in the volume of SARs/STRs but there is no corresponding evidence that this has resulted in more helpful information to the government agencies or reduced financial crime and money laundering activity. Part of the solution, according to the Statement, is for FIs to implement risk-based monitoring that focuses on “crystallised risk” (i.e., real world risk) as opposed to hypothetical risk. Another step is for FIs to better understand the value of the SARs/STRs filed, which requires helpful feedback from the government side.  With such feedback, FIs could adjust their system to better assess false negatives and the completeness of helpful information in a SAR/STR.

Innovation  

The Statement cautions FIs that while technology can greatly improve effectives for suspicious activity monitoring, new challenges arise when changing to a new system or integration across systems. In advocating for patience from all sides, the Statement urges “FIs, regulators and law enforcement need to understand that innovation is a journey which can take multiple years before benefits can be realized.” As noted above, the Wolsberg Group sees an opportunity for enhancing effectiveness where FIs tune their technology to look for crystallised risk, revisit and improve the parameters for alert generation, and focus on sometimes neglected areas of improvements such as optimizing case management systems and improving control oversight mechanisms.

In regards to the use of machine learning (ML), the Statement provides that “FIs will need to document clearly and analyse ML models against the crystallised outcomes of detection to demonstrate how these solutions can continue to mitigate financial crime.”  When data is fed into a ML system, “[s]acrificing some past cases may help predict higher value outputs in the future.  Aiming for 100% recall, or ‘No SAR/STR left behind,’ is likely to lead to an ineffective system.”

The data management realm represents another area of improvement. FIs should consider integrating not only FI-internal data (e.g., customer transactional data, internal reference lists, etc.) into their suspicious activity monitoring platforms, but also more dynamic data sources, such as IP addresses of customer devices and Internet access points.

Enabling Factors  

The Statement urges regulators to promote collaboration with FIs, promote “sandbox” development in which FIs feel free to experiment with innovative approaches, and enhance information sharing.  The Statement posits that FIs can be slow to adjust their model risk management out of a fear of being criticized by regulators, even when a regulator has provided guidance that allows for greater innovation.

Likewise, the Statement stresses that FIs need feedback from law enforcement and regulators: a “FI’s ability to understand if their monitoring programmes are effective” is significantly impacted by intelligent feedback from regulators, law enforcement, or public-private partners. For example, FIs can align their resources better with national priorities if they know more about the typologies used by criminals and the networks monitored by law enforcement.  The Statement proposes that FIs could learn this information from feedback resulting from closed investigations and use that information to produce better outputs in their SAR/STR filings, thereby creating a “virtuous circle” of better outputs by FIs leading to more actionable intelligence for the government and ultimately more legal actions against illicit actors.  Further, anonymization technologies could facilitate the sharing of otherwise confidential information.  In practice, feedback loops may be hampered by limits on the government’s resources to gather and summarize the relevant information and then provide it in a digestible format that a FI can use to train its employees and improve its processes.

[View source.]