FinCEN recently released the factors it will use when deliberating an action against a financial institution for Bank Secrecy Act violations. FTI Consulting’s Jaco Sadie, Michael Buffardi and Stephanie Fauerbach explore how discrete issues could trigger multiple FinCEN enforcement factors.
On August 18, 2020, the Financial Crimes Enforcement Network (FinCEN) published a statement identifying the factors it will consider when determining the nature of any Bank Secrecy Act (BSA) violations and the actions it may take in response (“Enforcement Factors Statement”).[1] In explaining the release of its Enforcement Factors Statement, FinCEN’s Director, Kenneth A. Blanco, stated, “FinCEN is committed to being transparent about its approach to BSA enforcement. It is not a ‘gotcha’ game.”
FinCEN’s Enforcement Factors Statement establishes a clearer lens through which the regulator will execute its authority under the BSA, though some questions remained. Most immediately, how would FinCEN put its newly organized framework to use? Also, what level of transparency would FinCEN provide when applying its factors? The industry did not have to wait long to see this evolving regulatory landscape come into clearer focus.
FinCEN’s Enforcement Factors in Action
On October 19, 2020, FinCEN initiated its first enforcement action and assessment of a civil money penalty since publishing its Enforcement Factors Statement. The action was against Larry Dean Harmon, individually, and as the primary control person behind multiple unregistered money services businesses (MSBs), for willful and ongoing violations of the BSA.[2] FinCEN determined that Harmon was operating virtual currency/cryptocurrency exchangers, many of which involved darknet vendors selling controlled substances and illegal narcotics, firearms and stolen credit card numbers.[3]
FinCEN alleged widespread “pillar” failures related to Harmon’s darknet-related business model, including failure to implement reasonably designed internal controls, failure to designate a BSA Officer in charge of day-to-day compliance and extensive failures to file suspicious activity reports (SARs) on several thousands of cryptocurrency transactions. In addition to the $60 million civil money penalty assessed by FinCEN for these violations, its largest ever penalty against an individual, Harmon was also indicted by the U.S. Department of Justice for two counts of operating an unlicensed money transmitter and conspiracy to launder monetary instruments related to more than $300 million in illicit virtual currency transactions.[4]
For most AML compliance personnel, who rightfully take pride in their work on the front lines of combating financial crime, the instinct may be to believe the number of lessons gleaned from the Harmon matter to be precisely zero: I am not willfully violating the BSA. This perspective may be compounded by the widely accepted notion that it is generally inadvisable for financial institutions to adjust, or even benchmark, their AML compliance programs in response to enforcement actions against peer institutions. This perspective may be further rationalized by the fact that 1) each BSA/AML formal investigation has its own exclusive set of facts and circumstances and 2) each financial institution has a unique AML risk profile based on its size, location, products and services offered and customer base. However, to dismiss Harmon outright as irrelevant due to the extreme nature of the facts would be to look a regulatory gift horse in the mouth.
Leave the Facts, Take the Analysis
The way FinCEN applied its enforcement factors in Harmon provides invaluable insight into the bureau’s analytical process when applying facts to BSA enforcement decisions. FinCEN was direct in its approach, enumerating each relevant factor and identifying whether the circumstances surrounding the violations were mitigating or aggravating to its enforcement action and penalty amount. Facts were often used multiple times throughout the action, across multiple factors, highlighting the potential compounding effect of BSA deficiencies.[5]
For example, the suspicious nature of the underlying customer activity in Harmon was pervasive within FinCEN’s analysis. When weighing Factor 2: “impact or harm of the violations on FinCEN’s mission to safeguard the financial system from illicit use, combat money laundering and promote national security,” FinCEN laid out the respondent’s and his customers’ egregious activity in detail. The seriousness of that activity was again an aggravator for Factor 9, “systemic nature of violations” and Factor 3, “pervasiveness of wrongdoing within an entity…”
FinCEN is letting the industry know not only that can patterns of missed SAR filings result in a BSA violation, but also that the substance of the underlying activity can be used against them in multiple ways during penalty assessment.
Similarly, the lack of dedicated AML resources identified by FinCEN in Harmon, such as appropriate staff and automated surveillance, was repeatedly highlighted as a causal factor in the substantive violations identified. When assessing Factor 5: “financial gain or other benefit resulting from, or attributable to, the violations,” FinCEN did not rely solely on the fees and profits obtained during the scheme to calculate financial gain. Rather, the regulator also specifically identified cost savings – from failures to dedicate adequate resource to AML compliance – as being an aggravating factor associated with a financial benefit. FinCEN’s view of adequate AML compliance resources, or lack thereof, when assessing the narrower profiteering feature of Factor 5 is a shot across the bow that budget decisions can have multiple enforcement implications.
FinCEN’s enforcement history contains matters with varying severity of the underlying facts and circumstances. However, most actions do not correspond to a federal criminal indictment as in Harmon. FinCEN’s analytical breadcrumbs can still be followed and applied to more common AML risks so financial institutions can game-theory their potential exposure. Failure to pay attention may result in a lack of appreciation for the true AML risk underlying a specific issue.
Applying FinCEN’s Analysis to a Common AML Risk
One risk that many financial institutions struggle with (which could result in a BSA violation) is a backlog of AML-related surveillance alerts. FinCEN, like other federal and state regulators, has viewed backlogs (large numbers of aged work items within an AML process) as being a potential feature of a BSA enforcement action and civil money penalty. When assessing the breadth and depth of an AML backlog, a financial institution should be conducting its own “mitigating or aggravating” analysis following what was laid out by FinCEN in Harmon.
The existence of an AML alert backlog (e.g., 20,000 aged/unreviewed alerts generated by a surveillance exception report) is a single data point. However, financial institutions need answers to relevant rhetorical questions to determine the nature of the backlog and the potential regulatory impact of that single data point: How long has the backlog existed? Did the institution itself identify the backlog, and if so, what steps did it take when the issue was identified? Did the backlog result in failures to file timely SARs? How serious was the activity that should have been captured in those SAR filings? How many times has the institution encountered programmatically impactful backlogs? The answers to these questions can, and likely will, dictate how many enforcement factors FinCEN believes have aggravators.
Breaking this down further, a common approach to assessing the impact of AML alerts backlogs is quantifying SAR output statistics. For AML-related exception reports with low SAR outputs, management may determine that the backlog is not an immediate concern because few SARs would have been missed. Because of this determination, the financial institution allows the backlog to continue, or grow, usually due to operational constraints and priorities. As applied to Factor 2: “impact or harm of the violations on FinCEN’s mission to safeguard the financial system from illicit use, combat money laundering and promote national security,” a low-output exception report could be viewed as having limited impact on FinCEN’s mission. While the backlog could technically be a BSA violation itself, the SAR output could be viewed as a mitigating factor, lessening an enforcement remedy sought by FinCEN – in theory.
Financial institutions who stop their analysis at SAR output statistics are putting themselves at regulatory risk. Institutions must assess all quantitative and qualitative data surrounding the SAR output statistics themselves to ensure that data point is not promoting a dangerous and false sense of security.
Does Your Data Support Your Presumption?
When assessing factors as potentially mitigating or aggravating in a BSA investigation, financial institutions should be incorporating all relevant information to determine if underlying data reasonably supports their presumption of a deficiency’s severity. Failure to step back and reassess how data is interpreted could result in unforeseen aggravating factors or even new violations. For SAR output statistics, the “low SAR output” presumes: 1) the parameters of the automated surveillance exception report generating the alerts are reasonably designed and 2) analysts are sufficiently reviewing for and identifying red flags for suspicious activity.
If a financial institution has not recently conducted a model validation, the low SAR output may be a symptom of an unreasonably designed surveillance exception report, not a low-risk customer base. Improperly tuned exception reports can be an increased risk to SAR statistics if, since the last model validation:
- the institution’s customer base has grown or changed,
- enhancements were made to products and services,
- account or transaction types have been re-categorized in a way that affects data integrity within the surveillance system or
- system enhancements or modifications have been made.
If these potential facts are not properly acknowledged, SAR output statistic could then not only be useless as a mitigating factor, but also highlight an unreasonably designed system, creating a second enforcement problem instead of solving the first.
From a qualitative perspective, if the institution does not have sufficiently trained staff to identify AML red flags, or quality assurance processes to detect systemic alert review shortcomings, the SAR output statistic could become a liability. Without adequate reviews by analysts, alerts can be incorrectly identified as “false positives,” which can then be easily critiqued by regulators for patterns of missed red flags. Systemic instances of analysts missing red flags can likewise create more enforcement headaches than originally anticipated.
Understanding and Interpreting Your Data Before FinCEN Does
Financial institutions should be maintaining a keen eye on the raw data available to them, regardless of how the data is being currently utilized. BSA Officers should be asking themselves: 1) is there an alternate interpretation of our data, which could turn a mitigating factor into an aggravating one, and 2) is there information underlying a data point we are relying on that needs to be independently assessed?
During an enforcement investigation, internal data and statistics could be used as ammunition by regulators to support their interpretation of events. Financial institutions should use that same approach when addressing systemic BSA deficiencies so they are not late to the party. Otherwise the presumption of mitigation is just that – a presumption.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
[1] FinCEN Statement on Enforcement of the Bank Secrecy Act (August 18, 2020) (accessed October 20, 2020) (the “Enforcement Statement”).
[2] In the Matter of Larry Dean Harmon d/b/a Helix, United States Department of the Treasury, Financial Crimes Enforcement Network, No. 2020-2 (October 19, 2020) (accessed October 21, 2020) (“Harmon”).
[3] Id. at pp. 7-11.
[4] U.S. v. Larry Dean Harmon, 19-cr-00395 (D.D.C. December 3, 2019) (accessed on October 21, 2020). See also Enforcement Statement at fn 5 (“’Pillar violations’ would include the lack of one or more required elements of an AML program. Although AML program requirements may vary among categories of financial institution, all financial institutions that are subject to AML program requirements must implement a set of internal controls, conduct training and independent testing, and designate one or more individuals to assure day-to-day compliance with the BSA. See, e.g., 31 C.F.R. § 1022.210 (AML program requirements for money services businesses).”).
[5] Harmon at pp. 4-6.