How effective is the current framework for filing Suspicious Activity Reports, or SARs? The AML Act mandates that federal law enforcement agencies provide statistics to help Congress, regulators, and financial institutions answer this question. Specifically, it requires the Department of Justice (“DOJ”) to annually produce a report to the Secretary of the Treasury containing statistics, metrics and other information on the use of Bank Secrecy Act (“BSA”) reports. It further requires the Financial Crimes Enforcement Network (“FinCEN”), to the extent possible, to periodically disclose to financial institutions summary information on SARs that proved useful to law enforcement; it also requires FinCEN to review SARs and publish information on threat patterns and trends.
Yet, on August 25, 2022, the United States Government Accountability Office (“GAO”) published a report, Action Needed to Improve DOJ Statistics on Use of Reports on Suspicious Financial Transactions, describing how the DOJ has not fulfilled that statutory mandate. The GAO’s report sets forth two recommendations: (1) the DOJ should include data on the use of BSA reports in its ongoing agency-wide efforts to improve data collection; and (2) the DOJ should involve its Chief Information Officer and Statistical Official in the design of its annual BSA statistical report.
Arguably, the most eye-catching observation of the report is that FinCEN itself “cannot currently provide comprehensive feedback on the impact of BSA reports [to the DOJ] because agencies do not provide FinCEN with comprehensive data on their use of those reports or the effect they had.” Accordingly, and despite ongoing calls for FinCEN to provide meaningful feedback (now, a statutory requirement under the AML Act), FinCEN “cannot connect their data on report searches to the impact of those reports on case outcomes.”
A few statistics provide helpful background. The GAO reports that in fiscal year 2020, FinCEN received 2.4 million SARs. The cost of generating those SARs is high. Financial institutions spend, roughly, between 1% and 2% of their operating costs on BSA compliance.
In light of that ocean of data and mounting compliance costs, some have questioned the utility of the current SAR reporting regime in the absence of meaningful feedback from law enforcement to financial institutions. Indeed, the GAO conducted its analysis in part because the current reporting regime imposes “significant compliance burden[s]” on financial institutions, and limited public information regarding law enforcement’s use of the reports makes it difficult to assess their relative utility.
To help answer that question, the AML Act contains provisions requiring feedback, both from industry and from law enforcement. FinCEN garners industry feedback through myriad sources. As the report notes, feedback was solicited from industry groups through the Bank Secrecy Act Advisory Group; the FinCEN Exchange; and FinCEN’s publications, law enforcement liaisons, and speeches. To be clear, each of these groups is a vehicle for information and feedback. Their usefulness is limited to the value of the information they provide. And a key source of that information is the DOJ’s reports on how SARs and other activity reports are useful to its mission.
Accordingly, the AML Act requires the DOJ to provide feedback to the Secretary of the Treasury on its use of BSA reports in the form of specific statistics. This feedback must include data on: (1) the frequency with which reports contain actionable information that leads to law enforcement action; (2) the time between when SARs are filed and when law enforcement takes action; (3) an analysis of the transactions underlying SARs; (4) the number of entities and individuals identified by the SARs; and (5) the extent to which SARs were related to law enforcement actions such as arrests, indictments, and convictions.
The GAO Report
According to the GAO, that mandate has gone unfulfilled. Reportedly, the DOJ could not generate the prescribed statistics using its current database, and instead only provided “qualitative descriptors” on how investigators used SAR reports.
Part of the problem may be that how DOJ uses SARs is not easily reducible into a set of statistics. For instance, consider the following iterative process described by DOJ: in a single investigation, officials may review 100 SARs; some of those SARs provide leads to further evidence, and some may prove useful only after investigators uncover additional facts. That kind of incremental case building does not easily lend itself to quantifying the amount of time between a SAR filing and a law enforcement action. And the value of SARs to an investigation, just like any other form of evidence, is going to vary substantially between cases.
Relatedly, the AML Act requires the DOJ to provide statistics on when it “uses” SARs. But it is not clear what counts as a “use.” Directly relying on SARs to build an ongoing investigation may be a clear-cut “use,” but what about reviewing a SAR and referring it to another agency? The DOJ reported a range of “uses” of SARs, so imprecision in this definition could render imprecise quantitative data. The DOJ noted that legal prohibitions on the disclosure of SARs prevent prosecutors from citing such evidence in court filings or other easily accessible records; similarly, the confidential nature of grand jury investigations also imposes barriers to easily tracking and reporting SAR “use” statistics. Finally, the DOJ raised an argument which beleaguered compliance officers at financial institutions subject to the BSA may find ironic: the DOJ would have to dedicate “substantial resources” to identify BSA reports used by investigators, and the cost of such tracking and reporting would be “prohibitive” under the DOJ’s current data systems. Stated otherwise, compliance with a mandated recordkeeping and reporting regime turns out to be costly and difficult. A fair reading of the GAO report is that the DOJ simply declined to do it.
These shortcomings reportedly hobble FinCEN’s feedback programs. FinCEN informed the GAO that DOJ agencies conducted more than 500,000 searches of SARs through its database in 2020. Further, and although there was some confusion regarding whether the DOJ had reached out to IRS Criminal Investigation (“CI”) to try to obtain data, IRS CI reported to the GAO that it initiated 13 percent of its investigations based on information in BSA reports. Nonetheless, and as the GAO writes: “FinCEN cannot currently provide comprehensive feedback on the impact of BSA reports because agencies [such as the DOJ] do not provide FinCEN with comprehensive data on their use of those reports or the effect they had.” This is because the other government agencies collect data on the impact that BSA reports have had on case outcomes “inconsistently or not at all.”
The DOJ’s challenges in collecting and reporting accurate statistics are not insurmountable. The GAO report offered two recommendations to facilitate data collection and analysis at DOJ. First, the GAO report noted that DOJ is currently improving its general data collection and infrastructure. To date, those improvements have not included changes to how BSA reports are collected and analyzed, so the GAO recommends that the DOJ Chief Data Officer, Evaluation Officer, and Statistical Officer incorporate BSA report data into their improvement efforts.
Second, the GAO recommended that the DOJ include all relevant agencies and available data in its statistical report. Specifically, two agencies, IRS CI and the Secret Service, reportedly were not consulted when the DOJ created its report, nor did the report’s authors “prepare evaluation design, planning, or methodological documents detailing an approach for report development.”
These recommendations are discouraging indicators of the DOJ’s willingness to engage in the feedback process. Difficult as it may be to reduce SARs’ utility to a set of statistics, those quantifiable metrics could yield long-term improvements in the quality, efficiency, and cost of the current reporting regime. Moreover, the AML Act requires the government to provide feedback.