BSA info sharing could be greatly improved

The Bank Secrecy Act regulatory regime depends heavily on the sharing of information—from financial institutions to the government, from the government to institutions, and from institutions to each other.

Robust information sharing better positions institutions to conduct customer due diligence; identify suspicious transactions; and file suspicious activity reports. This in turn enables law enforcement to obtain the information that it needs to conduct effective criminal investigations and prosecute money laundering and other financial crimes.

Notwithstanding this, key barriers inhibit information sharing.

Some, such as grand jury secrecy rules and classified information, are unavoidable. But other obstacles can and should be removed.

Law enforcement would receive more complete, accurate, and timely information. Financial institutions would be better able to deter illicit activity, as well as lower compliance costs.

Considering the “safe harbor”

Financial institutions that disclose possible violations of law to the government enjoy a safe harbor from civil liability for doing so.

The “SAR safe harbor,” codified at 31 U.S.C. 5318(g)(3), is actually three safe harbors, covering:

• Voluntary disclosures;

• Disclosures pursuant to section 5318(g), i.e., SARs; and

• Disclosures pursuant to any other authority.

As long as an institution is operating within the bounds of the safe harbor, it cannot be held civilly liable under the laws of the U.S., or any state, or under contract or other legally enforceable agreement for making the disclosure or for failing to provide notice to the person who is the subject of the disclosure.

The theory underlying the SAR safe harbor: If institutions can’t be held liable for filing SARs, they will be less reluctant to file them on their customers and third parties. In addition, they will also file more complete and accurate SARs.

However, that’s not how things work in practice.

The reality is that the SAR safe harbor does not prevent customers or anyone else from suing institutions that file SARs. However, the safe harbor can be asserted by banks to support a motion to dismiss such a lawsuit, and avert a long and costly legal proceeding.

Unfortunately, the SAR safe harbor is not as iron-clad as it appears. Some courts, including at least one federal court of appeals, have held that in order to avail itself of the SAR safe harbor, an institution must be acting in good faith. (The relevant cases in that appellate decision are Lopez v. First Union National Bank of Florida, Coronado v. BankAtlantic Bancorp, Inc., 129 F.3d 1186 (11th Cir. 1997) )

However, it is clear from the face of the statute and its legislative history that Congress did not intend for there to be any “good faith exception” to the SAR safe harbor. Courts that have read such a requirement into the statute have effectively undermined the purpose of the safe harbor by making it more difficult for institutions to dismiss lawsuits based on their filing a SAR, and, therefore. less willing to report suspicious activity and potential crimes.

Absent a split in the circuit courts of appeal and review by the Supreme Court, the only remedy is for Congress to amend section 5318(g)(3) to clarify, once and for all, that there is no “good faith exception” to the SAR safe harbor.

Sharing from government to banks

Another area where information sharing could be improved is from the government to financial institutions. Section 314(a) of the USA PATRIOT Act was originally conceived as a mechanism for downstreaming government information about bad actors and criminal schemes to institutions for use in designing and implementing their anti-money laundering programs.

However, as implemented, information sharing through section 314(a) has largely been a one-way street, from institutions to the government.

The way the section 314(a) process works is that, on a regular basis, the Financial Crimes Enforcement Network transmits the names of individuals and entities obtained from law enforcement to institutions through a secure website. The institutions are required to check the names against their systems to identify accounts and transactions, and report hits back to law enforcement through the website. Law enforcement can then decide whether to issue a subpoena to the institution to obtain detailed account or transaction information.

While this system is doubtless of great value to law enforcement, it provides little value to the institutions for use in implementing their AML systems.

Without diminishing the current use of the 314(a) mechanism, the government could greatly expand its utility by using it more frequently to transmit relevant information to institutions in the manner in which it was originally conceived. Institutions could then take that information and build it into their customer due diligence systems and monitoring software, resulting in more accurate and timely SARs.

Facilitating better inter-bank communication

A third area where information sharing could be improved is from financial institutions to each other.

Section 314(b) of the PATRIOT Act provides another statutory safe harbor from civil liability for institutions that engage in such sharing. However, the scope of the safe harbor is limited to information about individuals, entities, organizations, and countries suspected of engaging in possible terrorist or money laundering activities.

This is a helpful provision, as far as it goes. However, Section 314(b) offers no protection to institutions that share information about other financial crimes. Thus its effectiveness as a means of promoting information sharing is limited.

To optimize its impact, section 314(b) should be expanded to cover the full range of financial crimes. Once again, legislative action is needed to accomplish this.

Sharing under your own roof

The limitations on information sharing even extend to disclosure of SARs within banking organizations.

In 2010, FinCEN, which administers the BSA, amended the confidentiality section of its SAR rule (31 CFR 1020.320(e)). The amended rule provides that a SAR and any information that would reveal the existence of a SAR are confidential and may only be disclosed as authorized in the rule. The rule goes on to say that it does not preclude the sharing of a SAR, or any information that would reveal the existence of a SAR, within the bank’s corporate organizational structure for purposes consistent with Title II of the BSA. 

On the same day that the amended rule was issued, FinCEN also issued a guidance document that provided that the sharing of a SAR, or any information that would reveal the existence of a SAR, with an affiliate that is itself subject to a SAR requirement is consistent with the purposes of Title II of the BSA and therefore permissible. (“Sharing Suspicious Activity Reports by Depository Institutions with Certain U.S. Affiliates,” FIN-2010-G006, November 23, 2010)

While the amended rule and guidance are helpful in promoting information sharing within a banking organization, they don’t go far enough.

The limitation of SAR sharing to affiliates that are subject to a SAR requirement is outdated. This should be expanded, given the benefits of broader information sharing within banking organizations; the importance of establishing enterprise-wide AML systems, especially in large, internationally active banks; and the availability of technology to better ensure the security of SAR information than what was available in 2010.

The amended rule provided a legal standard and lays the groundwork for doing so, which is a finding by FinCEN that such broader sharing is consistent with the purposes of Title II of BSA.

Looking ahead to improvement

While obstacles to more robust information sharing exist, they are not insurmountable, and can be overcome with the mutual support and cooperation of the government and the financial services industry. The BSA serves an important purpose in helping prevent and deter money laundering and other illicit activity. However, as presently implemented, its effectiveness is diminished by unnecessary restrictions on information sharing.