The Bank Secrecy Act (BSA) is actually a misnomer. It does not promote the sanctity of bank records as its name suggests. Rather, the statute enlists banks as the eyes and ears of the government in its efforts to prevent criminals from availing themselves of the civilized world’s financial system. It does this by defining the circumstances in which banks are required to report customer activity to the government, spontaneously and without a request. The reports take the form of official BSA-mandated filings, like “currency transactions reports” (CTRs), which banks and car dealers file whenever they are party to a transaction involving over $10,000 in the hands of their customers. The government entity that receives BSA-required reports is the Financial Crimes Enforcement Network (FinCEN). It is the U.S. financial intelligence unit, an entity mandated by international law. This much is clear: banks do not have a privileged relationship with their customers, akin to lawyers or psychotherapists or priests. If they observe their customers involved in crime, they have an obligation to snitch on them.
If the Bank Secrecy Act does not assure that bank information is kept secret, there is another statute that does. It is called the “Right to Financial Privacy Act.” It says that banks cannot share customer information unless there is a request supported by adequate legal weight, like a subpoena. This means American banks are caught in the middle of conflicting laws. On the one hand, they are required to report on their customers, via BSA reports. Meanwhile, they are prohibited from sharing customer information with the government unless the government requests it through some legal process, like a grand jury subpoena. This strain is akin to the First Amendment, where the government cannot establish religion while simultaneouslty being prohibited from interfering with the free exercise of religion.
In the old days, it was unclear how much privacy attached to bank records of customer transactions. One customer actually appealed to the Supreme Court, when records obtained from his bank were used to convict him of fraud. He argued that the records should have been suppressed because the government did not obtain them with a search warrant. The Court rejected this argument, based on the idea that bank records were not subject to a reasonable expectation of privacy entitling the customer to Fourth Amendment protection. That was 1976.
The BSA was enacted in 1970, but it was not until 1986 that it really started being used and enforced. The latter year came during the War on Drugs, and BSA regulations started to require banks to file reports and examining them for dereliction. Among these reports was the CTR - which is triggered upon a clear financial transaction involving $10,000 or more - and reports of general suspicious activity by customers, referred to as “Suspicious Activity Reports” (SARs). These reports are not optional, even though SARs involve a certain amount of discretion. Banks that fail to file CTRs or SARs when they should have are punished by their regulators, based on the idea that their failure jeopardizes the reputation of the bank and therefore the safety and soundness of customer deposits.
What gives the bank the knowledge upon which to exercise discretion to file SARs? Banks have a regulatory obligation to “know their customers” well enough to notice anomalies in customer behavior. This means banks are obliged to engage in “due diligence” to determine whether their customers are engaged in activity warranting the filing of a SAR.
The bolstering of the BSA-mandated requirements spawned an entire industry known as bank compliance. These days, the major financial institutions have compliance departments consisting of people who understand their banks’ systems of records and what the law requires them to report to the government. They obtain their expertise by attending educational seminars and conferences, like those hosted by entities like Money Laundering Alert and Bankers' Toolbox.
I have couple of observations about the bank compliance industry, based on my experience after 9/11 as head of the Department of Justice’s terrorist financing criminal enforcement program, a position which required me to occasionally deal with banks. Compliance officers are often fighting cultural problems within their institutions, since what they do does not produce revenue. As a result, they often find it difficult to do what they believe the law requires and obtain necessary resources from their institutions. This sometimes results in attempts outsource their due diligence back to the government, through phone calls to their regulators and other government agencies. The Treasury Department’s Office of Foreign Asset Control (OFAC) receives calls from banks, and they are trained not to opine. After all, due diligence and “know your customer” is the responsibility of the institutions. If the government assumes this burden, the BSA breaks down.
There is also a tendency to argue that the regulations are too esoteric, and difficult to understand. In response to this, I often note that Zacarias Moussaoui deprived us of the opportunity to charge him with bulk cash smuggling, because he actually filed a Currency and Monetary Instrument Report (CMIR) when he flew into the U.S. through Chicago O’Hare in February 2001 with in excess of $30,000 on his person. This means that al Qaida knows our Bank Secrecy Act, and trains its operatives in how to avoid trouble by not violating it. Bankers have little excuse to be ignorant.
A few days ago, I posted an article (here) in which I opined that the threat of civil liability in suits by victims of terrorism may cause banks to get better at identifying customers acting on behalf of front organizations for Hamas and Hizballah, a good thing. The calls and e-mails I received suggested that people may have been confused by my statement. What I was referring to was the certainty that the terrorist designation process results in terrorist groups engaging in tradecraft to avoid law enforcement scrutiny. How can this tradecraft be defeated? I believe it can be done by a system where bankers are incentivized to go beneath the surface and determine whether their customers are engaging in transactions involving terrorists, at which point they can file SARs. The key is due diligence, not watered down.
Have we arrived there yet? I don’t think so, in part because there are still elements that want to excuse banks from failing to uncover legitimate-looking transactions in the course of their BSA compliance. This tendency underlies the courts' starting to establish a “routine transaction” defense to wrongful death actions filed against banks allegedly involved in terrorist money movement. Like my student Stephen Landman, who wrote an excellent article on this issue (here), I believe this tendency cuts against efforts to promote better due diligence in the banking industry.
What is the answer? In many ways, I feel the compliance officers’ pain. They are fighting cultural battles within their own institutions. The government, when it chooses to make an example of a particularly unscrupulous bank, is very good at highlighting “worst practices” of the industry. There is little in the way of “best practices,” though the public release of the bank examiner’s handbook was a step in the right direction. The honest compliance officers inevitably suffer some sleepless nights, since institutional reputation is so easily lost through failure to uncover things that the BSA requires, and their necks are on the line.
For me, the answer is easy, though implementation will require a heavy dose of political will: start giving bank compliance officers security clearances. That way, the FBI may share sensitive real-time intelligence with our counterparts in the private sector. Can they be trusted? I think so. Do they deserve it? I believe they do. After all, compliance officers are the government’s eyes and eyes at the gates of the financial system. When they carry that burden, they are entitled to some benefits.
No comments:
Post a Comment