Documents leaked to the International Consortium of Investigative Journalists (ICIJ) have uncovered details of Suspicious Activity Reports (SARs) that were filed with US authorities over a period of almost 20 years (1999-2017). The leaked documents – dubbed the FinCen Files – unveil information about thousands of SARs, which were filed by numerous high-profile banks on more than 2,100 transactions amounting to around $2 trillion. While the files mainly uncover good practice from the banks, there are instances of malpractice.
The numbers appear large, and have certainly caught the attention of the headlines, though it is worth noting that the figures are only a fraction of SARs that will have been filed for that time period. Moreover, it is imperative to note that SARs are only indicative of transactions that are deemed ‘suspicious’ and do not provide factual evidence of wrongdoing or illicit behaviour.
It is perhaps not surprising that the FinCen Files do uncover instances where banks may have fallen short in their management of financial crime – including occasions where firms continued to enact transactions for known perpetrators of financial misconduct, including those that had faced previous prosecution. However, it is key to note that many of the SARs are historical – in some instances dating back to the late nineties. As one affected global bank commented, “the issues have already been investigated and led to regulatory resolutions.”
All banks have issued separate statements to note that they have since upgraded their policies and controls surrounding financial crime. A Tier-1 bank involved in the leaks responded that “we learnt from our mistakes and systematically tackled the issues and made changes to our business perimeter, our controls and our personnel”. It is likely that the compliance measures that most financial institutions have in place in 2020 will be significantly different and more advanced than those of ten or twenty years ago – or at least they should be.
What can we learn?
While the FinCen Files provide a previously unseen insight into highly sensitive SARs, they essentially uncover information about common practice. As one industry commentator noted, “the fact that SARs are filed shows that the system works. It’s when dirty transactions are not flagged that we should be concerned”. SARs are only alerts of potential issues and almost every bank affected by the leaked documents has issued a statement to confirm that they met all legal and regulatory duties in enacting any related transactions. Perhaps the leak should instead be viewed as a demonstration that the system is effective, rather than broken?
There is little doubt that the FinCen Files have thrust banks back into the public eye and may open them up to renewed scrutiny. While many of the banks involved have not committed any wrongdoing, both the public and the regulators will be watching closely for any signs of illicit behaviour or ineffective compliance practices. Banks will do well to ensure that their systems and controls are effective and utilising modern technologies to bolster their compliance teams.
The more pressing issue – that so far seems to have been overlooked – is that of data privacy and protection. SARs are highly sensitive and confidential – so much so that financial institutions are precluded from even acknowledging them. Wider questions need to be asked about how such sensitive documents were leaked, and what systems can be put in place to ensure such leaks do not reoccur.