Bank Secrecy Act
Suspicious Activity Report Use Is Increasing, but FinCEN Needs to Further Develop and Document Its Form Revision Process
Gao ID: GAO-09-226 February 27, 2009
To assist law enforcement agencies in their efforts to combat money laundering, terrorist financing, and other financial crimes, the Bank Secrecy Act (BSA) requires financial institutions to file suspicious activity reports (SAR) to inform the federal government of transactions related to possible violations of law or regulation. Depository institutions have been concerned about the resources required to file SARs and the extent to which SARs are used. GAO was asked to examine (1) factors affecting the number of SARs filed, (2) actions agencies have taken to improve the usefulness of SARs, (3) federal agencies' use of SARs, and (4) the effectiveness of the process used to revise SAR forms. GAO reviewed laws and agency documents; analyzed SAR filings; and interviewed representatives from the Financial Crimes Enforcement Network (FinCEN), law enforcement agencies, bank regulators, and depository institutions.
In 2000 through 2007, SAR filings by depository institutions increased from about 163,000 to 649,000 per year; representatives from federal regulators, law enforcement, and depository institutions with whom GAO spoke attributed the increase mainly to two factors. First, automated monitoring systems can flag multiple indicators of suspicious activities and identify significantly more unusual activity than manual monitoring. Second, several public enforcement actions against a few depository institutions prompted other institutions to look more closely at client and account activities. Other factors include institutions' greater awareness of and training on BSA requirements after September 11, and more regulator guidance for BSA examinations. FinCEN and law enforcement agencies have taken actions to improve the quality of SAR filings and educate filers about their usefulness. Since 2000, FinCEN has issued written products with the purpose of making SAR filings more useful to law enforcement. FinCEN and federal law enforcement agency representatives regularly participate in outreach on BSA/anti-money laundering, including events focused on SARs. Law enforcement agency representatives said they also establish relationships with depository institutions to communicate with staff about crafting useful SAR narratives. FinCEN, law enforcement agencies, and financial regulators use SARs in investigations and financial institution examinations and have taken steps in recent years to make better use of them. FinCEN uses SARs to provide public and nonpublic analytical products to law enforcement agencies and depository institution regulators. Some federal law enforcement agencies have facilitated complex analyses by using SAR data with their own data sets. Federal, state, and local law enforcement agencies collaborate to review and start investigations based on SARs filed in their areas. Regulators use SARs in their examination process to assess compliance and take action against abuse by depository institution insiders. After revising a SAR form in 2006 that still cannot be used because of information technology limitations, in 2008, FinCEN developed a new process for revising BSA forms, including SARs, that may increase collaboration with some stakeholders, including some law enforcement groups concerned that certain of the 2006 revisions could be detrimental to investigations. However, the limited documentation on the process does not provide details to determine the degree to which the new process will incorporate GAOidentified best practices for enhancing and sustaining federal agency collaboration. For example, it does not specify roles and responsibilities for stakeholders or depict monitoring, evaluating, and reporting mechanisms. By incorporating some of these key collaboration practices and more fully developing and documenting its new process for form revisions, FinCEN could achieve some potential benefits that could come from closer adherence to the practices--such as greater consensus from all stakeholders on proposed SAR form revisions.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-09-226, Bank Secrecy Act: Suspicious Activity Report Use Is Increasing, but FinCEN Needs to Further Develop and Document Its Form Revision Process
This is the accessible text file for GAO report number GAO-09-226
entitled 'Bank Secrecy Act: Suspicious Activity Report Use Is
Increasing, but FinCEN Needs to Further Develop and Document Its Form
Revision Process' which was released on March 30, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
February 2009:
Bank Secrecy Act:
Suspicious Activity Report Use Is Increasing, but FinCEN Needs to
Further Develop and Document Its Form Revision Process:
GAO-09-226:
GAO Highlights:
Highlights of GAO-09-226, a report to congressional requesters.
Why GAO Did This Study:
To assist law enforcement agencies in their efforts to combat money
laundering, terrorist financing, and other financial crimes, the Bank
Secrecy Act (BSA) requires financial institutions to file suspicious
activity reports (SAR) to inform the federal government of transactions
related to possible violations of law or regulation. Depository
institutions have been concerned about the resources required to file
SARs and the extent to which SARs are used. GAO was asked to examine
(1) factors affecting the number of SARs filed, (2) actions agencies
have taken to improve the usefulness of SARs, (3) federal agencies‘ use
of SARs, and (4) the effectiveness of the process used to revise SAR
forms. GAO reviewed laws and agency documents; analyzed SAR filings;
and interviewed representatives from the Financial Crimes Enforcement
Network (FinCEN), law enforcement agencies, bank regulators, and
depository institutions.
What GAO Found:
In 2000 through 2007, SAR filings by depository institutions increased
from about 163,000 to 649,000 per year; representatives from federal
regulators, law enforcement, and depository institutions with whom GAO
spoke attributed the increase mainly to two factors. First, automated
monitoring systems can flag multiple indicators of suspicious
activities and identify significantly more unusual activity than manual
monitoring. Second, several public enforcement actions against a few
depository institutions prompted other institutions to look more
closely at client and account activities. Other factors include
institutions‘ greater awareness of and training on BSA requirements
after September 11, and more regulator guidance for BSA examinations.
FinCEN and law enforcement agencies have taken actions to improve the
quality of SAR filings and educate filers about their usefulness. Since
2000, FinCEN has issued written products with the purpose of making SAR
filings more useful to law enforcement. FinCEN and federal law
enforcement agency representatives regularly participate in outreach on
BSA/anti-money laundering, including events focused on SARs. Law
enforcement agency representatives said they also establish
relationships with depository institutions to communicate with staff
about crafting useful SAR narratives.
FinCEN, law enforcement agencies, and financial regulators use SARs in
investigations and financial institution examinations and have taken
steps in recent years to make better use of them. FinCEN uses SARs to
provide public and nonpublic analytical products to law enforcement
agencies and depository institution regulators. Some federal law
enforcement agencies have facilitated complex analyses by using SAR
data with their own data sets. Federal, state, and local law
enforcement agencies collaborate to review and start investigations
based on SARs filed in their areas. Regulators use SARs in their
examination process to assess compliance and take action against abuse
by depository institution insiders.
After revising a SAR form in 2006 that still cannot be used because of
information technology limitations, in 2008, FinCEN developed a new
process for revising BSA forms, including SARs, that may increase
collaboration with some stakeholders, including some law enforcement
groups concerned that certain of the 2006 revisions could be
detrimental to investigations. However, the limited documentation on
the process does not provide details to determine the degree to which
the new process will incorporate GAO-identified best practices for
enhancing and sustaining federal agency collaboration. For example, it
does not specify roles and responsibilities for stakeholders or depict
monitoring, evaluating, and reporting mechanisms. By incorporating some
of these key collaboration practices and more fully developing and
documenting its new process for form revisions, FinCEN could achieve
some potential benefits that could come from closer adherence to the
practices”such as greater consensus from all stakeholders on proposed
SAR form revisions.
What GAO Recommends:
GAO recommends that the Secretary of the Treasury direct FinCEN to
further develop a strategy that fully incorporates certain GAO-
identified practices to enhance and sustain collaboration among federal
agencies into the forms-change process. The FinCEN Director generally
agreed with the recommendation.
To view the full product, including the scope and methodology, click on
GAO-09-226. For more information, contact Jack Edwards at (202) 512-
8678 or edwardsj@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
A Number of Factors Influenced the Large Increase in SARs Filed by
Depository Institutions in 2000 through 2007:
FinCEN and Law Enforcement Agencies Took Multiple Actions to Improve
SAR Filings and Educate Filers about Their Usefulness in
Investigations:
Federal Agencies Use SARs in a Variety of Ways and Have Taken a Number
of Actions in Recent Years to Make Better Use of Them:
The Process FinCEN Used to Revise the SAR Did Not Result in a Usable
Form and Its New Process Provides Few Details on How Past Problems Will
Be Overcome:
Conclusions:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Financial Crimes Enforcement Network:
Appendix III: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Number of SARs Filed by Industry, Calendar Years 2000-2007:
Table 2: Entities at Which Interviewees Provided Perspectives and
Documentary Evidence for the Objectives:
Figures:
Figure 1: The Process for Filing and Accessing SARs:
Figure 2: Change in Percentage of SARs Filed by Filing Type, Calendar
Years 2004-2007:
Figure 3: SARs Filed by Banks, Thrifts, and Credits Unions by Asset
Size, Calendar Year 2007:
Abbreviations:
AML: anti-money laundering:
BSA: Bank Secrecy Act:
CBRS: Currency and Banking Retrieval System:
CMP: civil money penalty:
DEA: Drug Enforcement Administration:
DOJ: Department of Justice:
FBI: Federal Bureau of Investigation:
FDIC: Federal Deposit Insurance Corporation:
FinCEN: Financial Crimes Enforcement Network:
HIFCA: High Intensity Financial Crime Area:
IAP: institution-affiliated party:
ICE: Immigration and Customs Enforcement:
IRS: Internal Revenue Service:
IRS-CI: Internal Revenue Service-Criminal Investigation:
NCUA: National Credit Union Administration:
OCC: Office of the Comptroller of the Currency:
OTS: Office of Thrift Supervision:
PRA: Paperwork Reduction Act:
SAR: suspicious activity report:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
February 27, 2009:
The Honorable Barney Frank:
Chairman:
The Honorable Spencer Bachus:
Ranking Member:
Committee on Financial Services:
House of Representatives:
The Honorable Stephen F. Lynch:
House of Representatives:
In part, to assist law enforcement agencies in their efforts to combat
money laundering, the financing of terrorist activities, and other
financial crimes, the Bank Secrecy Act (BSA) requires financial
institutions to inform the federal government of any suspicious
transaction related to a possible violation of law or regulation.
[Footnote 1] BSA--which the U.S. Department of the Treasury's
(Treasury) Financial Crimes Enforcement Network (FinCEN) administers--
and its implementing regulations provide for the filing of suspicious
activity reports (SAR) by depository institutions when they detect a
known or suspected violation of any law or regulation. Under the
regulations administered by FinCEN, a SAR is required when the
suspicious activity involves a transaction of at least $5,000 conducted
or attempted by, at, or through the institution; involves funds derived
from illegal activities; is designed to evade any reporting requirement
under federal law or other BSA requirement; has no business or apparent
lawful purpose; or the transaction is not the sort in which the
customer normally engages and there is no reasonable explanation known
for the transaction. Suspicious activity reporting is one component of
broader anti-money laundering (AML) programs that depository
institutions (banks, thrifts, and credit unions) and other financial
institutions implement to comply with BSA. A financial institution's
decision to file a SAR may be subjective and is based on its knowledge
of the customer and the customer's usual banking activity.
Federal banking regulators--the Board of Governors of the Federal
Reserve System (Federal Reserve), the Office of the Comptroller of the
Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the
Office of Thrift Supervision (OTS), and the National Credit Union
Administration (NCUA)--and state banking regulators examine depository
institutions for compliance with BSA, generally as part of their
regularly scheduled safety and soundness examinations.[Footnote 2]
Depository institutions have been required to submit SARs since 1996,
longer than any other type of financial institutions, and they file the
majority of these reports. FinCEN issued regulations subsequent to
passage of the USA PATRIOT Act of 2001 that added SAR filing
requirements for securities and futures firms, money services
businesses, casinos, and insurance companies, among others.[Footnote 3]
Depository institutions have expressed concerns in congressional
testimony about the resource challenges involved in complying with SAR-
related requirements and the extent to which law enforcement agencies
use SARs and other reports required under BSA. Federal law enforcement
agency officials have testified they review and use SARs proactively--
separately and in multiagency teams, which often include state and
local agencies--to identify potential money laundering cases and money
laundering trends, in addition to using them in ongoing investigations
of financing of terrorism and other financial crimes. They contend that
SARs can be useful in investigations months or years after they have
been filed, as the actions of subjects or co-conspirators are
uncovered. Depository institution officials have commented they lack
clear guidance on what law enforcement is looking for and finds useful
in these reports.
In this context, you requested that we examine a number of issues
related to suspicious activity reporting, which is part of a larger
body of work we are doing about FinCEN and its administration of BSA.
Specifically, this report examines (1) the underlying factors that
affected the number of SARs filed by depository institutions from 2000
through 2007, (2) actions that federal agencies have taken to improve
the usefulness of SARs for law enforcement, (3) ways in which federal
agencies use SARs and actions they have taken to make better use of
them, and (4) whether the process FinCEN uses to revise SAR forms is
effective in assuring that information collected is appropriate for law
enforcement needs. As agreed with your office, we focused our work on
depository institutions. Related and ongoing GAO efforts will address
other BSA-related issues.
To address our objectives, we reviewed relevant laws, regulations,
agency documents, and past GAO work. We interviewed representatives
from FinCEN, the Federal Reserve, FDIC, OCC, OTS, and NCUA, as well as
representatives from federal law enforcement agencies, including the
Secret Service, the Internal Revenue Service-Criminal Investigation
(IRS-CI), Immigration and Customs Enforcement (ICE), the Federal Bureau
of Investigation (FBI), the Drug Enforcement Administration (DEA), and
the Department of Justice (DOJ). We also obtained and analyzed data
from FinCEN on depository institutions' SAR filings for calendar years
from 2000 through 2007. We assessed the reliability of these data and
found them sufficient for the purposes of this report. We interviewed
representatives of the five largest depository institutions by number
of SAR filings in 2007. We established 3 categories of depository
institutions SAR filing numbers in 2007 and interviewed representatives
from 15 depository institutions randomly selected from these categories
about their experiences with SAR filing. We obtained data about SAR
review teams (multiagency teams with federal, state, and local law
enforcement representation) and interviewed staff from 13 teams
randomly selected from these data. Similarly, we interviewed law
enforcement representatives from High Intensity Financial Crime Areas
(HIFCA) in Chicago, Illinois; Los Angeles, California; Miami, Florida;
and New York, New York.[Footnote 4] We also obtained information from
IRS (which stores and maintains BSA data for FinCEN) to determine the
frequency with which federal and state law enforcement agencies access
SAR data.[Footnote 5]
We conducted this performance audit in from July 2007 through February
2009 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives. Appendix I
explains our scope and methodology in greater detail.
Results in Brief:
From 2000 through 2007, depository institutions filed an increasing
number of SARs each year and representatives from federal regulators,
law enforcement, and depository institutions with whom we spoke
attributed the increase to a number of factors. According to FinCEN
data, SAR filings by depository institutions increased from
approximately 163,000 in 2000 to more than 649,000 in 2007. Our
analysis of SAR and banking data from 2004 through 2007 indicates that
the growth rates in SAR filings varied over time among depository
institutions of different asset sizes. For example, the greatest
increase in SARs filed during this period by the largest depository
institutions occurred from 2004 to 2005, and SARs filed by small credit
unions nearly doubled from 2005 to 2006. Representatives of federal
banking regulators, law enforcement agencies, and depository
institutions most frequently attributed the increase to two factors:
technological advances in detecting suspicious activity and the effect
of public enforcement actions on institutions. According to the
representatives, automated transaction monitoring systems can flag
multiple indicators of suspicious activity and identify much more
unusual activity than could be identified manually. At the largest
depository institutions, these systems conduct complex analyses
incorporating customer profiles. The representatives also said that
issuance of several public enforcement actions in 2004 and 2005 with
civil money penalties (CMP) and forfeitures up to $40 million against a
few depository institutions prompted many institutions to file more
SARs after looking more closely at their clients and their account
activities. FinCEN and the federal banking regulators took the actions
because of systemic BSA program noncompliance, which sometimes included
failures to meet SAR filing requirements. DOJ also has taken action
against a limited number of depository institutions that involved fines
and penalties of up to $40 million. Depository institution
representatives with whom we spoke also cited a third factor that
influenced the increase--concerns they would receive criticisms during
examinations about decisions not to file SARs. To avoid such criticism,
they said their institutions filed SARs even when they thought a SAR
may have been unnecessary--a practice sometimes referred to as
"defensive SAR filing." However, according to the federal regulators
and some law enforcement officials with whom we spoke, there is no
means of determining what, if any, portion of the increase in filings
could be attributed to defensive filing. Additional factors
representatives suggested as contributing to the increase include
institutions' greater awareness of BSA requirements after September
2001, more regulator guidance for BSA examinations, and increased BSA-
related training at the institutions.
FinCEN and law enforcement agencies have taken multiple actions to
improve the quality of SAR filings and educate filers about their
usefulness. Since 2000, FinCEN has issued written products with the
purpose of making SAR filings more useful to law enforcement. These
include (1) a regularly issued publication for all financial
institutions that gives tips on topics such as the preparation of SARs
and (2) SAR-related guidance for depository institutions and other SAR
filers. For example, FinCEN issued guidance on addressing common errors
in suspicious activity reporting in 2007 and filing SARs about the
proceeds of foreign corruption in early 2008. FinCEN representatives
also help educate filers by regularly participating in outreach events
on BSA/AML issues, including events focused on SARs. FinCEN chairs the
Bank Secrecy Act Advisory Group--a forum for federal agencies and
financial industry representatives--to discuss BSA administration,
including SAR-related issues. Federal law enforcement agency
representatives said actions they have taken to improve SARs'
usefulness include conducting outreach events and establishing
relationships with depository institutions in their local areas to
communicate with staff about crafting useful SAR narratives.
Representatives from some multiagency law enforcement teams told us
that they subsequently noticed improved SAR narratives from local
depository institutions.
FinCEN, law enforcement agencies, and banking regulators use SARs in
investigations and depository institution examinations and have taken
steps in recent years to make better use of them. FinCEN uses SARs to
provide a number of public and nonpublic analytical products to law
enforcement agencies and depository institution regulators. In 2004 and
2005, several federal law enforcement agencies signed memorandums of
understanding with FinCEN to receive bulk BSA data, including SARs.
They combined these data with information from their law enforcement
databases to facilitate more complex and comprehensive analyses.
Different types of team structures have been established to better
analyze SARs. For example, in 2000 and again in 2003, DOJ issued
guidance that encouraged the formation of SAR review teams with
federal, state, and local representation. These teams review SARs filed
in their area on a monthly basis to determine which would merit
additional investigation for a variety of suspected financial crimes.
In 2006, DOJ and IRS-CI collaborated on a pilot to create task forces
and add federal prosecutors to augment SAR review teams in selected
districts. These task forces specifically investigate possible BSA
violations that have the potential for seizures or forfeitures. The
regulators use SARs in their depository institution examination scoping
and also review SARs relating to known or suspected unlawful activities
by current and former institution-affiliated parties, including
officers, directors, and employees. Although law enforcement agency
representatives generally were satisfied with their ability to access
BSA data, various agencies and multiagency teams we interviewed said
that formatting and other issues related to the data system slowed
their downloads and reviews. FinCEN and IRS officials said that, when
budgetary resources are available, these and other data management
challenges will be addressed as part of FinCEN's technology
modernization plan, developed in collaboration with IRS.
FinCEN encountered a number of problems in its most recent revision of
the SAR form; although FinCEN has developed a new process for form
revisions, the information currently available on the process is
limited and does not fully indicate how FinCEN will avoid or address
some of the problems previously encountered. FinCEN and the federal
banking regulators issued proposed substantive and formatting revisions
to the SAR form in 2006. The revisions to the form were finalized but,
because of technology limitations with IRS's data management system,
the revised form has not been implemented. Law enforcement agency
officials we interviewed had mixed views on the proposed revisions to
the form. They generally supported most of the proposed revisions, but
some felt they had been insufficiently consulted and also expressed
concerns that some revisions could affect their work negatively. For
example, one change would replace the name and title of a person with
personal knowledge about the suspicious activity with a contact office,
possibly increasing the time it would take law enforcement
investigators to reach a person knowledgeable about the suspicious
activity. However, banking regulators supported this change because of
concerns that a SAR with a named contact listed could jeopardize the
safety and privacy of that person if it were inappropriately disclosed.
FinCEN has developed a new form revision process that it says it will
use to revise BSA forms, including SARs. The documentation of the
planned process suggests some greater stakeholder involvement at an
early stage of the process, but the documentation for the new process
that we received does not indicate FinCEN has fully incorporated
certain GAO-identified practices that can enhance and sustain
collaboration among federal agencies. In a previous report, we
identified such practices--for example, that collaborating agencies
define a common outcome; agree on their respective roles and
responsibilities, including how the collaborative effort will be led;
and create the means to collect information on, monitor, evaluate, and
report their efforts to enable them to identify areas for
improvement.[Footnote 6] If FinCEN more fully incorporated some of
these key collaboration practices FinCEN might achieve some potential
benefits from closer adherence to the practices--such as greater
consensus from all stakeholders on proposed SAR form revisions.
We are recommending that the Secretary of the Treasury direct the
Director of FinCEN to further develop and document its strategy to
fully incorporate certain GAO-identified practices to enhance and
sustain collaboration among federal agencies into the form change
process and distribute that documentation to all stakeholders. In
written comments on this report, the FinCEN Director said he generally
agreed with our recommendation and that FinCEN recognized the need to
work with a diverse range of stakeholders to revise BSA forms.
Background:
This section provides general information on how federal agencies carry
out BSA responsibilities, what their SAR reporting requirements are,
the mechanisms they use to monitor suspicious activity, and law
enforcement agencies that use SARs.
FinCEN and Other Federal Agencies Carry Out BSA Responsibilities:
The Secretary of the Treasury delegated overall authority for
enforcement of, and compliance with, BSA and its implementing
regulations to the Director of FinCEN. FinCEN's role is to oversee BSA
administration. To fulfill this role, FinCEN develops policy and
provides guidance to other agencies, analyzes BSA data for trends and
patterns, and pursues enforcement actions when warranted. However,
FinCEN also relies on other agencies in implementing the BSA framework.
These activities include (1) ensuring compliance with BSA requirements
to report suspicious activity and certain financial transactions and
taking enforcement actions, when necessary; (2) collecting and storing
the reported information; and (3) taking enforcement actions or
conducting investigations of criminal financial activity.
FinCEN relies on other agencies to conduct examinations to determine
compliance with, BSA and its implementing regulations. The Secretary of
the Treasury delegated BSA examination authority for depository
institutions to five banking regulators--the Federal Reserve, OCC, OTS,
FDIC, and NCUA.[Footnote 7] The federal regulators examine an
institution's policies and procedures for monitoring and detecting
suspicious activity as part of their examination programs.[Footnote 8]
Periodic on-site safety and soundness and compliance examinations are
conducted to assess an institution's financial condition, policies and
procedures, adherence to BSA regulations (for example, filing of SARs
and other BSA-related reports), and compliance with other laws and
regulations. These examinations generally are conducted every 12 to 18
months at small-to-midsized depository institutions (such as community
banks, midsize banks, savings associations, and credit unions) on the
basis of the regulator's rating of the institution's risk. At large
complex banking organizations and large banks, federal regulators
conduct examinations on a continuous basis in cycles of 12 to 18
months. Banking regulators use SARs in their scoping for these
examinations.
Depository institutions file SARs and other BSA reports with FinCEN.
Under a long-standing cooperative arrangement with FinCEN, IRS's
Enterprise Computing Center-Detroit serves as the central point of
collection and storage of these data. The center maintains the
infrastructure needed to collect the reports, convert paper and
magnetic tape submissions to electronic media, and correct errors in
submitted forms through correspondence with filers.[Footnote 9] IRS
investigators and other authorized officials access the data system
directly through IRS's intranet site in what is known as the Web
Currency and Banking Retrieval System (WebCBRS). FinCEN controls non-
IRS law enforcement users' access to BSA data in WebCBRS through a
portal called Secure Outreach.[Footnote 10]
Federal regulators and FinCEN can bring formal enforcement actions,
including CMPs, against institutions for violations of BSA. For
instance, federal regulators and FinCEN may assess a CMP against
depository institutions for significant BSA violations, including the
failure to file SARs and establish and implement an AML program that
conforms to federal regulations as required by BSA. Formal enforcement
actions generally are used to address cases involving systemic,
repeated noncompliance; failure to respond to supervisory warnings; and
other violations. However, most cases of BSA noncompliance are
corrected within the examination framework through supervisory actions
or letters that document the institution's commitment to take
correction action.
Whereas FinCEN and the regulators can take a variety of civil actions
against depository and other financial institutions, DOJ may bring
criminal actions against individuals and corporations, including
depository and other financial institutions, for money laundering
offenses and certain BSA violations. The actions may result in criminal
fines, imprisonment, and forfeiture actions. Institutions and
individuals willfully violating BSA and its implementing regulations,
and structuring transactions to evade BSA reporting requirements, are
subject to criminal fines, prison, or both.[Footnote 11] DOJ generally
identifies institutions violating BSA regulations through criminal
investigations of the institutions' customers. Some corrective actions
taken against depository institutions have resulted in guilty pleas and
others resulted in deferred prosecution agreements, contingent on the
depository institutions' cooperation and implementation of corrective
actions. In each case, the depository institution paid a monetary
penalty or was required to forfeit assets, or both.
Law enforcement agencies in DOJ and the Department of Homeland Security
use SARs in their investigations of money laundering, terrorist
financing, and other financial crimes. Entities in DOJ that are
involved in efforts to combat money laundering and terrorist financing
include FBI; DEA; the Department's Criminal and National Security
Divisions; the Bureau of Alcohol, Tobacco, Firearms, and Explosives;
the Executive Office for U.S. Attorneys; and U.S. Attorneys' Offices.
The Secret Service and ICE; (in the Department of Homeland Security)
also investigate cases involving money laundering and terrorist
activities. IRS-CI uses BSA information to investigate possible cases
of money laundering and terrorist financing activities. Federal and
multiagency law enforcement teams, which may include state and local
law enforcement representatives, also use SAR data to provide
additional information about subjects, such as previously unknown
addresses; businesses and personal associations; and banking activity
during ongoing investigations.
BSA Requires Depository Institutions to Report Suspicious Activity and
the Institutions Implement Policies and Procedures to Facilitate Such
Reporting:
Among its provisions, the Annunzio-Wylie Anti-Money Laundering Act
(Annunzio-Wylie) amended BSA by authorizing Treasury to require
financial institutions to report any suspicious transaction relevant to
a possible violation of a law.[Footnote 12] As authorized by Annunzio-
Wylie, FinCEN issued a regulation in 1996 requiring banks and other
depository institutions to report, using a SAR form, certain suspicious
transactions involving possible violations of law or regulation,
including money laundering.[Footnote 13] During the same year, the
federal banking regulators issued regulations requiring all depository
institutions to report suspected money laundering, as well as other
suspicious activities, using the SAR form.
In general, depository institutions are required to file a SAR for
suspected insider abuse by an employee; known or suspected violations
of law for transactions aggregating $5,000 or more where a suspect can
be identified; known or suspected violations of law for transactions
aggregating to $25,000 or more regardless of a potential suspect; and
potential money laundering or violations of BSA for transactions
aggregating to $5,000 or more.[Footnote 14] The SAR rules require that
a SAR be filed no later than 30 calendar days from the date of the
initial detection of the suspicious activity, unless no suspect can be
identified. If no suspect can be identified, the filing period is
extended to 60 days. In addition, banks should report continuing
suspicious activity by filing a report at least every 90 days.
Depository institutions can file a SAR through the mail or
electronically through FinCEN's BSA E-File program.
Depository institutions implement policies, procedures, and systems to
monitor for and identify suspicious activity.[Footnote 15] In addition
to following regulations and guidance related to identifying suspicious
activities, depository institutions develop monitoring procedures,
which typically encompass identification or referrals by employees who
conducted the transaction for the customer, manual systems, automated
systems, or any combination thereof. Manual monitoring might consist of
staff reviewing reports generated by the institution's management
information systems. Large depository institutions that operate in many
locations or have a relatively large number of high-risk customers
generally use automated account-monitoring systems--computer programs
that are developed in-house or purchased from vendors for the purpose
of identifying individual transactions, patterns of unusual activity,
or deviations from expected activity. In general, these systems capture
a wide range of activity, such as deposits, withdrawals, funds
transfers, automated clearing house transactions, and automated teller
machine transactions directly from the institution's core data
processing system. After identification of unusual activity, depository
institution staff conduct additional research to determine whether to
file a SAR. (The process is summarized in figure 1, which also depicts
SAR data collection, storage, and access.)
Figure 1: The Process for Filing and Accessing SARs:
[Refer to PDF for image: illustration]
Conductor:
Depository institutions are required to file a SAR no later than 30
days following the discovery of any known or suspected:
* Violations aggregating to $5,000 or more where a suspect can be
identified;
* Violations of the BSA or potential money laundering aggregating
$5,000 or more;
* Insider abuse involving any amount.
Bank staff and systems:
Institution staff or automated monitoring systems identify unusual
activity. Alerts of such activity are forwarded to the BSA compliance
officer for review.
Compliance officer:
The compliance officer conducts research and decides to file, signs the
SAR, and sends it electronically to FinCEN, or through the mail
directly to IRS‘s Enterprise Computer Center.
* Monitors for continuing suspicious activity and files additional SARs
every 90 days if activity continues.
* Maintains a copy of all filed SARs and supporting documentation for 5
years from the date of filing.
Stop: Decides not to file and documents the reasons;
Signed: Suspicious activity report.
IRS/FinCEN:
IRS WebCBRS SARs and other BSA reports database:
Feeds IRS-CI;
Feed FinCEN;
Web Portal: Enables non-IRS users to access BSA data:
Federal, state, and local law enforcement agencies;
Federal, and state regulators;
Access to SARs.
Sources: GAO analysis; Art Explosion (images).
[End of figure]
The interagency examination manual that the regulators use says that
depository institutions are encouraged to document SAR decisions.
[Footnote 16] Additionally, banks must retain copies of SARs including
supporting documentation for 5 years from the date of the report.
[Footnote 17] In addition to filing a timely SAR, an institution must
notify an appropriate law enforcement authority, such as IRS-CI or FBI,
for situations involving violations that require immediate attention.
A Number of Factors Influenced the Large Increase in SARs Filed by
Depository Institutions in 2000 through 2007:
For calendar years 2000 through 2007, SAR filings almost quadrupled.
Although depository institutions accounted for the majority of SAR
filings, other institutions increased the number of their filings also.
Representatives of depository institutions, federal banking regulators,
and law enforcement agencies identified a number of factors that, in
their view, collectively contributed to the increase in SAR filings.
The most frequently cited were technology (in the form of automated
monitoring systems) and the effects of public enforcement actions.
Representatives also cited an increased awareness of the risks of
terrorist financing and other financial crimes after September 11 and
improved knowledge of BSA requirements and issues resulting from
regulator and institution guidance and training.
Depository Institutions Filed the Majority of SARs from 2000 through
2007, and Filings Varied across Asset Size Categories:
FinCEN data show that for calendar years 2000 through 2007, SAR filings
by depository institutions increased, from approximately 163,000 in
2000 to more than 649,000 in 2007. In 2007, depository institutions
filed approximately 52 percent of all SARs.[Footnote 18] Depository
institutions have been subject to SAR-related requirements for a longer
period of time than any other financial services industry and they have
filed more SARs every year from 2000 through 2007 than other industries
(see table 1).[Footnote 19] The number of SARs filed by depository
institutions also increased faster in some years than in others.
Table 1: Number of SARs Filed by Industry, Calendar Years 2000-2007:
Industry: Depository institutions;
2000: 162,720;
2001: 203,528;
2002: 273,823;
2003: 288,343;
2004: 381,671;
2005: 522,655;
2006: 567,080;
2007: 649,176.
Industry: Money services businesses:
2000: [Empty];
2001: [Empty];
2002: 5,723;
2003: 209,512;
2004: 296,284;
2005: 383,567;
2006: 496,400;
2007: 578,439.
Industry: Casinos and card clubs;
2000: 464;
2001: 1,377;
2002: 1,827;
2003: 5,095;
2004: 5,754;
2005: 6,072;
2006: 7,285;
2007: 9,943.
Industry: Securities and futures firms;
2000: [Empty];
2001: [Empty];
2002: [Empty];
2003: 4,267;
2004: 5,705;
2005: 6,936;
2006: 8,129;
2007: 12,881.
Industry: Total;
2000: 163,184;
2001: 204,905;
2002: 281,373;
2003: 507,217;
2004: 689,414;
2005: 919,230;
2006: 1,078,894;
2007: 1,250,439.
Source: FinCEN.
Note: The following are the number of SARs filed from January 1, 2008,
through June 30, 2008: depository institutions, 343,974; money services
businesses, 250,180; casinos and card clubs, 5,377; securities and
futures firms, 7,058.
[End of table]
Our analysis of FinCEN and banking asset data indicated that in 2004
through 2007, the number of SARs filed varied across depository
institutions of different asset sizes (see figure 2) and the variations
occurred at different points in time. The largest yearly increase in
the number of SARs filed by very large banks and thrifts (those with
total assets of $50 billion or more) occurred from 2004 to 2005,
whereas the greatest increase in the number of SARs filed by small
credit unions (those less than $10 million in total assets) occurred
from 2005 to 2006.
Figure 23: Change in Percentage of SARs Filed by Filing Type, Calendar
Years 2004-2007:
[Refer to PDF for image: vertical bar graph]
Credit unions: Small (Less than $10 million);
2004-2005: 79%;
2005-2006: 85%;
2006-2007: 25%.
Credit unions: Medium (from $10 million to $100 million);
2004-2005: 112%;
2005-2006: 53%;
2006-2007: 28%.
Credit unions: Large (greater than $100 million);
2004-2005: 109%;
2005-2006: 62%;
2006-2007: 21%.
Banks and thrifts: Small (Less than $100 million);
2004-2005: -19%;
2005-2006: -1%;
2006-2007: 0%.
Banks and thrifts: Medium (from $100 million up to $1 billion);
2004-2005: 37%;
2005-2006: 18%;
2006-2007: 1%.
Banks and thrifts: Large (from $1 billion up to $50 billion);
2004-2005: 37%;
2005-2006: 9%;
2006-2007: -3%.
Banks and thrifts: Very large ($50 billion or greater);
2004-2005: 42%;
2005-2006: 2%;
2006-2007: 5%.
Source: GAO analysis of FinCEN, Federal Reserve, and NCUA data.
[End of figure]
In 2007, the 31 very large banks and thrifts accounted for almost half
(about 44 percent) of SARs filed by depository institutions, although
such institutions represented less than 0.5 percent of depository
institutions (see figure 3). In addition, banks and thrifts with total
assets from $1 billion up to $50 billion filed more than 30 percent of
SARs during the same period. Credit unions of all asset sizes filed
less than 10 percent of all SARs filed by depository institutions,
despite constituting nearly 35 percent of all depository institutions.
Figure 3: SARs Filed by Banks, Thrifts, and Credits Unions by Asset
Size, Calendar Year 2007:
[Refer to PDF for image: table]
Banks and thrifts:
Category of institutions assets: Very large ($50B or more);
Percent of all SARs filed: 44.2%;
Percent of all institutions that filed SARS: 0.3%;
Institutions that filed SARS: 31.
Category of institutions assets: Large ($1B -