From outrage to action: how to prevent another 11 years of inaction after the FinCen files

The FinCen files leak disclosed information on “suspicious transaction reports” filed by banks between 2000 and 2017 to the US Financial Intelligence Unit (“FinCen”) in charge of monitoring anti-money laundering.

Although a lot could be said about this leak, there are many outrageous highlights: the leak refers to transactions of $2 trillion (twelve zeros: $2,000,000,000,000). Some banks kept on processing transactions on an account despite several red flags. And the worst part is it appears that both banks and regulators consider that to comply with the law and prevent risky transactions it’s enough just to file suspicious transaction reports, regardless of their quality or timing. That’s like saying that a company is complying with regulations on beneficial ownership registration even if they registered “Mickey Mouse” as the beneficial owner.

But no one is surprised. As described by anti-corruption campaigner Anthea Lawson:

If banks are sometimes complying, and many times only formally “complying” (by filing low-quality or outdated suspicious transaction reports), but money laundering schemes keep popping up (Azerbaijani Laundromat, Moldova Laundromat, Danske Bank, etc.), it’s quite clear that money laundering isn’t being prevented (and even when it’s discovered, it’s very hard to recover any of the money).  It’s clear that the system is part of the problem. David Lewis, the Executive Secretary of the main international body in charge of anti-money laundering regulation, the Financial Action Task Force (FATF), confirms this. As reported by the International Consortium of Investigative Journalists (ICIJ):

Although most countries now have dedicated laws and regulations to combat money laundering, Lewis said: “they are rarely being used effectively, or to the extent that we would expect….

‘I would sum up the results as ‘everyone is doing badly, but some are doing less badly than others,’ Lewis said…

Lewis said many countries had only shown a last-minute commitment to tackling money laundering because they faced an upcoming FATF evaluation. “You see a sudden uptick in money laundering investigations and activity as they prepare to compensate for [past inaction], or to tell a good story to the assessors,” he explained.

As Lewis suggests, part of the problem may be on enforcing current laws.

However, ensuring governments properly resource authorities tackling financial crimes, given countries’ lack of interest or their need to face with multiple challenges, including urgent matters (eg Covid-19), is a long shot. The question is how serious governments really are about tackling corruption and money laundering, as the Hudson Institute and Kleptocracy Initiative’s Nate Sibley tweeted:

Before dunking on FinCEN, remember the tiny agency tasked—effectively—with policing the integrity of the global financial system has an annual budget of just $120 million. That’s less than the US government accidentally sends in benefits to dead federal employees each year.”

This blog post has some ideas on what we think should happen to improve the system without merely hoping that current laws will one day be enforced. Of course, part of the problem would be solved if banks and other enablers directly involved with customers and their money were to do a proper job. This would require going beyond asking customers for information and just believing everything they say. After all, a lawyer from Cyprus may (legally) be the beneficial owner of an entity that opened a bank account, but that doesn’t explain the source of the funds, let alone why millions of dollars are being channelled through that account. Banks are already required to apply enhanced due diligence and other measures if they have suspicions, so this is a matter of enforcement.

This blog post proposes new objective measures that would help different players obtain information while discouraging illegal schemes. To put this in perspective, a regulation could say “check that the customer isn’t lying”. While this is a matter of effort and enforcement, our proposed measures neither contradict nor modify that main goal, but try to impose new provisions – for example – “ask for a copy of their ID” which may be easier to enforce or at least to monitor, than the rather general goal of ‘detecting lies’.

First, countries should apply these things, which we’ve been calling for for years:

A: Availability of relevant ownership data

1. Beneficial ownership of account holders: Banks should not be allowed to open accounts, hold them or do any transaction if they haven’t determined the beneficial owner of the account holder (beyond doubt). Ideally, determining the beneficial owner of an account should go beyond asking for corporate information proving that ‘John’ is the beneficial owner because he is the shareholder of Company A, which opened the bank account. Banks should try to determine whether John is really benefitting, controlling and able to justify the source of funds and the movement of money through that account.
2. SWIFT messages with beneficial ownership data. The SWIFT messaging standard used to communicate international bank transfers among banks should be upgraded to require data on the beneficial owner of the sender and recipient account to be included in the SWIFT message, to enable the sending bank, the recipient and any intermediary (eg correspondent bank) to run proper customer due diligence checks. We have written more on this in this blog post. Alternatively, until SWIFT upgrades its standard to add beneficial ownership data, correspondent banks should require beneficial ownership data from any sending and recipient bank before they allow a transaction to take place.

Just as the US obliged SWIFT to hand in information for anti-terrorism purposes, the US and the EU should now require SWIFT to upgrade the standard to include beneficial ownership data. As discussed in point 9 below, the US and the EU could also require all local banks which are members of SWIFT to request that SWIFT upgrades the standard in this way.

3. Public beneficial ownership registries: Governments should make beneficial ownership information publicly available in open data format for all types of legal vehicles, including trusts, so that banks all over the world may cross-check the beneficial ownership information declared by their customers.

B: Verification of ownership data

4. Verified beneficial ownership data: Governments have a responsibility to properly resource their beneficial ownership registries or other relevant authorities to enable them to verify beneficial ownership data, for instance by cross-checking registered data against other government databases, validating data, etc. We have set up a multi-stakeholder group precisely to promote these types of verifications, where  experiences from different countries, researchers and the private sector were presented. Governments should also explore their full list of registered entities to identify outliers. For example, we have analysed the legal ownership chains of UK companies.

5. Involvement of banks in verifying registered beneficial ownership data: Banks (and enablers in general) should report discrepancies between the information declared by their customers and the information contained in beneficial ownership registries, as already required under the EU Anti-Money Laundering Directive.

6. Banks detecting discrepancies amongst each other: In addition to banks reporting discrepancies to the beneficial ownership register, they should be able to exchange customer information in a confidential way so they can detect cases where the same customer has given inconsistent information to two different banks. The UK’s financial intelligence unit (FCA) has been working on pilots for this purpose. If mismatches are detected and persist beyond mere simple errors, authorities should automatically be required to investigate.

7. Beneficial ownership registries as sources of compliant customers: Beneficial ownership registries should warn users about any legal vehicle (eg company, trust) with redflags, for example if a vehicle failed to register or update information, if its information doesn’t match other government databases, or if discrepancies have been reported. Banks shouldn’t be allowed to operate (open an account or do a transaction) with any entity marked with a redflag warning on the beneficial ownership register. We described how this could work in the Annex of our paper on beneficial ownership verification.

C: The specific role of bank

8. Systematic analysis to detect money laundering: As presented by Howard Cooper and Chris Ives from Kroll, banks should do much more than just ask information from each customer and analyse transactions on an isolated basis. Instead, they should analyse their full customer base to detect cases of connections between apparently unrelated customers. For instance, customers who share the same legal owners, beneficial owners, director, power of attorney, addresses, IP address, or whose transactions are highly related (either because they mirror each other or because transactions only take place among the same accounts). This has been described further here.

9. SWIFT as a source or centralisation of global anti-money laundering detection: While banks should do more systematic analyses of their customer base and transactions (see point above), this will only detect transactions involving each particular bank. However, money laundering schemes may involve many banks from many countries. For this reason, we have proposed that SWIFT, which already provides money-laundering services to some banks, should help detect or red-flag global money laundering schemes. Alternatively, if SWIFT is unable or unwilling to do this, governments should oblige SWIFT to hand over raw data for the Central Banks or financial intelligence units to conduct those checks, just as SWIFT provides transaction data to the US for the detection and prevention of terrorism.

If SWIFT refuses to do this claiming that it can only implement changes based on what its member banks require, the solution may be for each government to demand any local bank (that is a member of SWIFT) to require SWIFT to implement this centralisation and monitoring work (as well as to update the SWIFT system to include beneficial ownership data, as mentioned in point 2 above).  

A first partial solution would be for banks to report all of their transactions on a daily basis to a government authority, eg the Central Bank or the Financial Intelligence Unit, so that analyses can be run at the national level. This wouldn’t be as good as centralising and analysing information at the global level, but it would be a very good start. For instance, banks in Australia must report the equivalent of SWIFT data for every international bank transfer to a central authority.

Now some new ideas we haven’t discussed before:

10. Checking the ownership chain up to the beneficial owner. Banks should refrain from opening accounts unless they can directly check the ownership of every entity integrating the ownership chain of the customer, in the corresponding commercial register. For instance, if the customer is Company A from the UK, owned by Company B from Delaware and allegedly owned by John, a bank should be able to obtain legal ownership information from the registries available in the UK and the US to confirm that John is the beneficial owner. If any of the country links fails to provide this information, the bank shouldn’t open the bank account, regardless of the information self-reported by the customer. This would put pressure on jurisdictions to establish public registries of legal ownership and beneficial ownership.

11. Banks exchanging information on suspicious cases and patterns. As explained in point 6, the UK is working on a system for banks to  confidentially exchange information with each other to detect discrepancies (without disclosing the actual details of their customer). By the same token, banks should be able to confidentially exchange with each other (without access to the actual personal details), or through a central database held by the financial intelligence unit, information about trends, patterns as well as cases of closure or rejection of accounts, or the filing of a suspicious transaction report.

For instance, if bank A wanted to make a bank transfer for customer X, they would have to check this central database to make sure that no bank has closed or reported a transaction for that same customer. The lack of a warning or the presence of a warning shouldn’t be binding, but the presence of a red-flag reported by another bank (without knowing which one), should alert the bank to the need to potentially do enhanced due diligence. If the red flag warning indicated why the account is flagged, eg “suspicions on the source of funds”, the bank would then know what to look into.

A bank would still be able to go along with the transaction, but if in the end it is revealed that the transaction was involved in a money laundering case, the bank should be subject to heavier sanctions, given that they disregarded the warnings by other banks. This would prevent risky customers from finding more ‘flexible’ banks to open their accounts with.

At the very least banks should be able to share these (anonymous) customer risks within members of the same banking group, even if located abroad. Given that these measures also create risks (eg banks relying solely on third-party risk assessments, de-risking which excludes certain people), these measures should be monitored to prevent negative consequences, and could be reserved for extremely high-risk situations, where the money laundering risk is almost certain (eg similar to an in fraganti illegal activity).

12. Hierarchical approval for moving forward with any customer that triggered a suspicious transaction report. Any risk situation, eg establishing a relationship with a customer rejected or flagged by another bank (based on point 11), or moving forward with a bank transfer that triggered the filing of a suspicious transaction report should require the justification and signature of a responsible hierarchical authority. In other words, if a situation, customer or request of a transaction triggered the filing of a suspicious transaction report, a bank should only be allowed to move forward if a hierarchical authority puts on the record a written justification and authorisation to move forward. This could be used in the future to prove reckless actions by banks and their employees, in case of a money laundering investigation.

13. Track or prevent transactions. An alternative or addition to the two points above would be that the recipient bank of any transaction that was alerted or that triggered a suspicious transaction report should monitor that account for, say, 30 days. During that time, any subsequent bank receiving funds from that account should be subject to the same tracking and monitoring requirement. If the customer then intended to do a transaction that prevented further tracking (eg a bank in a different country, the withdrawal of money in cash or its conversion into crypto-currencies), such transaction should be delayed until the original bank (or the financial intelligence unit) confirms that the subsequent transactions do not involve any money laundering risk.

The way to enforce this would be the following: the bank that filed the suspicious transaction report, and all other banks involved (the recipient bank and any subsequent bank that receives funds from the recipient account) would have to report all the transactions related to those accounts for say, 30 days to the Financial Intelligence Unit. At the very least, this extra monitoring may discourage banks from accepting those customers or allowing the transaction. The alternative, not to file a suspicious transaction report, may be a breach of the law (that’s why banks currently file suspicious transaction reports, sometimes excessively).

D: Suspicious transactions reports

14. Report suspicious transactions in real time. Any suspicious transaction report filed later than 24 hours or 48 hours should be subject to sanctions. Given that money may be transferred and withdrawn in minutes, suspicious transactions reports should occur in real-time, ideally before the transaction takes place. Reports about transactions that are weeks or months old are useful sources of information, but have no practical use in preventing illegal transfers or recovering money.

This requirement for real-time checks may result in financial transactions taking more time than they currently do (to allow for proper checks and approvals, many of which would be automated). However, people may have to adapt to this. (We never get tired of reminding people about the case of airports. Decades ago, taking a flight was much faster with much fewer security checks on the luggage and personal belonging of passengers. Now, people have got used to not having any liquids in their carry-ons, so it’s a matter of adaptation).

15. Preventing “over-reporting” as a way to compensate the low quality reporting. The current system where banks are penalised for failing to file a suspicious transaction report to the financial intelligence unit, or where no one actually monitors or sanctions the quality of the reports, only creates an incentive to file them excessively and with low-quality. For this reason, in addition to giving feedback on the quality of the suspicious transaction reports, and statistics of the filings by other banks, the financial intelligence unit should sanction poor quality, excessive filings.

16. Sanctioning the lack of actions by banks. While banks are required to file suspicious transactions reports, they should be sanctioned in cases where they have many red-flags on one account, and nevertheless, decide to allow the transaction. In other words, in addition to sanctioning the under-reporting of banks, there should be clear criteria to prevent particularly  suspicious transfers from taking place (eg a customer that triggered more than two suspicious transaction reports, a transaction worth much more than the source of funds declared by the customer, etc). To avoid excessive bureaucracy, the system could work by shifting the burden of proof. While the presence of these factors should be an indication that the bank should not perform the transfer, if the bank is convinced and may prove that the transaction is safe, it could decide to go ahead. If proven wrong, the sanctions should be heftier. This should be accompanied by point 12, where a hierarchical authority must give written justification and authorisation for going ahead with the red flagged transactions.

E: Coordination and transparency

17. Disclosure of anti-money laundering breaches. Based on the “naming and shaming” measures, countries should publish details, including the name of the bank and the case description, of any failures to implement preventive measures (eg under-filing or over-filing suspicious transaction reports, transferring money without beneficial ownership data, etc). This will also help each bank determine which other institutions represent a higher risk. In addition, countries should publish information on the fines, prosecutions, investigations or other sanctions (including the firing of directors or other staff) to monitor enforcement of these preventive measures.

18. Regional coordination. To monitor enforcement of the measures and transparency requirements, and to have a global overview and analysis of money laundering schemes, regional or multi-national authorities should be established. For instance, Joshua Kirschenbaum [N2] [AK3] [AK4] has been calling for the EU to establish a European money-laundering supervisor.

Finally, it may be the case that heftier sanctions should be imposed in general, including personal liability for bank directors or losing of licenses to operate in certain countries.

If you have any comments on our proposals or if you have additional ideas, please write to [email protected]

* This blog post received very useful feedback and ideas from Markus Meinzer, Maira Martini, Agustin Carrara and others who prefer to remain anoymous.