A leaked trove of secret bank documents – known as the FinCEN files – shows how some of the world’s largest financial institutions were party to billions of dollars of shady transactions over the last decade. At least, that’s the narrative in the flurry of international press reports covering September’s bombshell revelations.

The explosive ingredient in the exposé is thousands of suspicious activity reports, or SARs. Banks routinely file these reports to government agencies to flag irregular financial activity. US agency FinCEN, or the Financial Crimes Enforcement Network, received more than 2.3 million such reports in 2019 alone.

Only a small fraction of these reports are ever investigated. Even fewer lead to prosecution. Bank financial crime experts say this low hit rate is largely attributable to a lack of manpower in government enforcement agencies.

“You put the onus on banks to report, but enforcement authorities don’t have the capacity to handle this volume of reports. It’s a monumental waste of resources,” says a financial crime executive at a large global bank whose reports were among those leaked.

Banks have the power to freeze payment flows by halting transactions and seizing assets, but they don’t have the authority to pursue criminals or compel law enforcement agencies to take action. Rather, they are dependent on the agencies for feedback that can help them provide law enforcement with the information they need.

Too often, however, they claim they aren’t getting it.

“If the FinCEN files indicate anything, it’s that the SAR regime is on a path where it needs to pause so that information sharing isn’t a one-way street from a bank to law enforcement,” says the head of financial crime at a large global bank.

​You put the onus on banks to report, but enforcement authorities don’t have the capacity to handle this volume of reports. It’s a monumental waste of resources

Financial crime executive at a large global bank

To open up this one-way street, banks are pushing regulators to offer more guidance on what to include in SARs. They are also seeking greater co-operation in determining how to target potential hotspots for money laundering.

The signs are that regulators are listening. Forthcoming rule changes in the US and Europe will introduce what’s hoped to be a more targeted approach to detecting dirty money. Firms will be required to identify specific risks and address them directly, instead of the current, blanket approach that leaves authorities swamped with reports, many of which are not an enforcement priority.

The industry has already made attempts to improve lines of communication. The Financial Action Task Force (FATF), an international financial crime body, updated its standards a few years ago calling for greater co-operation between agencies responsible for anti-money laundering and data privacy. And 13 global banks have formed the Wolfsberg Group, a forum with a mission to share and publish information on best practice in anti-money laundering.

For banks, the stakes are high: in 2019, fines for violations of anti-money laundering rules in the US and Europe totalled $8.2 billion, according to ORX News. The figure includes an appealed €4.5 billion ($5.3 billion) fine for UBS for alleged tax evasion, and a £102 million ($133.6 million) fine for Standard Chartered for poor money laundering controls and breaching sanctions against countries including Iran.

A SAR is born

The process leading up to a SAR filing begins with monitoring of clients and transactions that trigger red flags, such as a customer doing business in countries or sectors linked with money laundering or terrorist financing. Banks create scenarios to identify whether a transaction is outside normal boundaries, at which point it is escalated, reviewed and investigated.

Law authorities talk of a SAR “conversion rate”. This refers to the proportion of reports that lead to official action. The action could be further analysis, or use within an existing investigation, or the basis for a new investigation. In simple terms, if a report doesn’t “convert”, it is effectively ignored.

The conversion rate for SARs filed in the European Union is just over 10%, a Europol report in 2017 found. Many insiders believe the conversion rates are, in reality, lower.

“Banks report that less than 5% of SARs filed are pursued for further investigation. If there’s no follow-up on the SAR for supporting documentation, that SAR is probably not being used in a prosecution,” says Patricia Sullivan, global co-head of financial crime compliance at Standard Chartered.

US banks alone filed 1.1 million SARs in 2019. “There’s quite a large number of SARs being filed in the US that may not be yielding an effective outcome,” she adds.

The system doesn’t work well because there are so many SARs filed and there’s not enough information coming back from law enforcement to the banks in order to build cases

Matt Ekberg, Institute of International Finance

While banks have large numbers of staff reviewing automated transaction monitoring alerts and preparing SARs, financial intelligence units are poorly staffed. FinCEN in the US has around 300 staff members. And a 2018 review of the UK’s anti-money laundering capacity by the FATF reported that the UK government’s financial intelligence unit had 80 full-time staff.

With relatively few government officials to assess reports and engage with financial institutions, the lines of communication between banks and agencies are sporadic, experts say.

“The system doesn’t work well because there are so many SARs filed and there’s not enough information coming back from law enforcement to the banks in order to build cases. So a fundamental element is to have that feedback loop closed between the public and private sector,” says Matt Ekberg, senior policy adviser at the Institute of International Finance.

This feedback loop – where authorities tell the private sector what information is needed in the SARs they file – has proved elusive, however. Banks claim they are being told to interpret what useful information looks like from the reports that do end up getting prosecuted, giving them a very small sample with which to work.

“A former federal prosecutor told me: ‘The closest you’re going to get to a feedback loop is referring to indictments or negative news articles on different patterns that were identified and trying to point [to] that as a positive SAR,’” says Jason Somrak, chief of product and strategy for anti-money laundering analytics at Oracle.

Danske Bank SARs climb

Denmark’s largest lender, Danske Bank, has seen a threefold rise in the number of SARs it has filed over the past two years, says chief compliance officer Philippe Vollot.

The bank has had recent troubles detecting and preventing dirty money from flowing through its network of banks. In September 2017, the bank was fined Dkr12.5 million ($1.9 million) by the Danish state prosecutor and ordered to set aside Dkr10 billion to cover future penalties for anti-money laundering violations. The enforcement action followed the discovery of billions of dollars in suspicious transactions diverted through its Estonian arm over preceding years.

In September 2018, the bank published a report detailing “major deficiencies” in anti-money laundering processes in its Estonia operations. The chief executive, Thomas Borgen, subsequently resigned. And the following February, the European Union’s banking watchdog launched a probe into supervisory failings at Danish and Estonian national regulators relating to the case.

Formal investigations in the US and Europe are still ongoing, and the timing and size of fines are yet to be announced.

The response at Danske Bank has been a heightened focus on money laundering. Vollot says frontline employees are more aware of how to spot potential fraud and what action to take. This has led not only to more SAR filings, but it has increased the effectiveness of the ones that are filed.

“A bank is effective at combatting financial crime when you have employees thinking about it,” says Vollot. “We have more escalation coming from branches than before. The branch calls the financial crime department, and [reports a] person depositing a large amount of cash. This is proper intelligence [needed] to potentially file a SAR.”

To some, Covid-19 provides an example of how regulators, law enforcement and financial institutions can align priorities. During the early stages of the pandemic, regulators provided guidance supporting a risk-based approach to financial crime risks. Companies were encouraged to pinpoint elevated risks from the pandemic and to understand how operational processes may suffer with a reduced workforce.

Regulators shared with the private sector red flags related to fraud – for example, activity in cash-intensive businesses that had ostensibly been shut, yet were still receiving mysteriously large volumes of cash. Authorities made clear they accepted that heavy volume processes such as monitoring and screening may be affected.

“It’s difficult to stop a live fraud if you’re not working in close partnership with law enforcement. Covid is a great example of shared priorities and the value of public-private partnerships,” says Standard Chartered’s Sullivan.

Who’s the boss?

A key weapon in the fight against financial crime is reliable, transparent and accessible information on beneficial ownership, insiders say. In other words, authorities need to know who pulls the strings in the company.

The FinCEN files reveal the ability of criminals to hide behind shell companies. Conflicting rules and regulations often make it impossible to ascertain beneficial ownership with any degree of certainty.

“There are lawyers and accountants who are actively working with criminals setting up vehicles for laundering money. They create schemes that [make it] incredibly difficult to identify the laundered funds,” says the first bank’s financial crime executive.

New European Union rules aim to harmonise beneficial ownership information across member states. The fifth Anti-Money Laundering Directive (5AMLD), which came into effect at the start of the year, calls for increased co-operation between national regulators and an EU-wide overhaul of bank account registers and retrieval systems.

“The big thing is getting international standards of conformity,” says Kyle Phillips, director of corporate and financial crime at law firm Fieldfisher. “Whilst there is a requirement to say who the person who has significant control of the business is, and who is the beneficial owner, there is very little policing. We have clients who have judgements in their name, and when they go to enforce the judgement, the company has no money because it’s been moved around.”

Legislation pending in the US would require corporations to disclose to law enforcement and banks information on who owns and controls the entity. The bill states that updates be filed annually, and allows FinCEN to determine if more frequent reporting is necessary.

In the UK, banks must ensure they obtain a company’s publicly available beneficial ownership details from a government register and compare this against the information they receive from the company itself during the onboarding process. Any material discrepancies must be reported to the government.

“Both the US and EU have requirements for disclosing beneficial ownership based on national registers, but there are differences between the two approaches. It will be interesting to see if the US changes how beneficial ownership information is collected and supplied,” says Brad Cohen, an associate at law firm Mayer Brown.

Targeted intervention

Lawmakers are also aiming to tighten up how banks develop internal policies to tackle financial crime. FinCEN has issued a proposed rule calling on banks to develop “effective and reasonably designed” anti-money laundering programmes based on their own assessments of the risks they face.

In the EU, banks are required to review the countries in which they operate to make sure there are no gaps in their onboarding procedures and transaction monitoring for cross-border customer business. In the UK, the government has pledged to spend an extra £100 million a year to improve co-operation between UK agencies and international partners.

“We expect a greater volume of information requests from regulators, so banks should have sufficient resources and robust record-keeping systems to manage these,” says Andrew Lee, a partner with law firm Debevoise Plimpton.

FinCEN’s recent proposed regulatory changes would bring the US approach to designing banks’ anti-money laundering programmes more in line with European practices under 5AMLD and earlier regimes.

For a number of years, a fundamental plank of EU anti-money laundering rules has been to require banks to carry out risk assessments and then implement controls that are tailored to mitigating and managing the risks they have identified. Although many US banks will already apply a risk-based approach to their AML programmes, FinCEN is now explicitly recognising the importance of this.

“This is a sensible and proportionate approach that encourages banks to address real AML risks, rather than simply engage in ineffective box ticking against generic criteria,” says Lee.

FinCEN’s proposal also requires banks to provide information “with a high degree of usefulness” to law enforcement authorities. In other words, banks are encouraged to be more selective in their reporting, in a bid to reduce the ticker tape of SARs inundating US authorities.

This is in contrast to the EU, which still requires banks to report all suspicious transactions. Although interpretations of “suspicious” differ among EU countries (the UK in particular sets a very low threshold for suspicion), the EU approach is to place the onus on national authorities to review reports and determine what information is useful to them, rather than leaving this assessment to the banks.

Editing by Alex Krohn