Published: 6 October 2020

News around the FinCEN Files has brought AML (Anti-Money Laundering) legislation and practices back into sharp focus for many.

The FinCEN Files are a significant breach of confidential information from across the banking sector relating to suspicious or potentially suspicious financial transactions. SARs (Suspicious Activity Reports) are communications from financial services organisations to the US Financial Crimes Enforcement Network (FinCEN) flagging transactions they deem suspicious.

This release has indicated three significant concerns within the broader financial services industry.

Firstly, the leak itself. Given that the data covers a wide range of organisations, the leak almost certainly came from a central source rather than from any single bank. This raises questions about data security and access rights: how was so much information able to be exposed in this way?

For information this confidential, relating to potential criminal activity, to be leaked so easily indicates that data governance, internal control and security processes and protocols are either lax or, I suspect in many cases based on our experience, non-existent.

Outdated information management toolsets and technologies are often a root cause of data loss, whether through external attack or internal leaking. Data of this sensitivity should be protected even against internal leakage through Digital Rights Management tools or strict, audited access control: need-to-know authorisation that denies by default, with every access attempt, successful or not, recorded in a log that cannot be silently altered.
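As an added illustration of what "strict, audited access control" means in practice (this is example code written for this page, not code from the article or from any product it mentions), the following Python module enforces need-to-know access to filings and keeps a hash-chained audit trail. The record identifiers, case identifiers, roles and user names are constructed for the example.

```python
"""Need-to-know access control with a tamper-evident audit trail.

Added example for this article; it is not code from the article or from
any product it mentions.  Record IDs, case IDs, roles and user names are
constructed for illustration.
"""
import hashlib
import json
import time
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class SarRecord:
    record_id: str
    case_id: str      # the investigation the filing belongs to
    body: str


@dataclass
class User:
    name: str
    role: str                                   # e.g. "aml_analyst", "it_admin"
    assigned_cases: set = field(default_factory=set)


GENESIS = "0" * 64   # previous-hash value for the first audit entry


class SarStore:
    """Holds filings; every read attempt is authorised and logged."""

    READ_ROLES = {"aml_analyst", "mlro"}   # everyone else is denied by default

    def __init__(self):
        self._records = {}
        self._log = []                      # append-only, hash-chained entries

    def add(self, record):
        self._records[record.record_id] = record

    def _append_log(self, user, action, record_id, outcome):
        prev = self._log[-1]["hash"] if self._log else GENESIS
        entry = {"ts": time.time(), "user": user.name, "role": user.role,
                 "action": action, "record": record_id, "outcome": outcome,
                 "prev": prev}
        entry["hash"] = self._entry_hash(entry)
        self._log.append(entry)

    @staticmethod
    def _entry_hash(entry):
        # Hash covers every field except the hash itself; sort_keys keeps the
        # serialisation stable so verification recomputes the same digest.
        body = {k: v for k, v in entry.items() if k != "hash"}
        payload = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(body["prev"].encode() + payload).hexdigest()

    def read(self, user, record_id):
        record = self._records.get(record_id)
        # Deny by default: the role must be permitted AND the user must be
        # assigned to the case.  An IT admin with no case assignment gets nothing.
        allowed = (record is not None
                   and user.role in self.READ_ROLES
                   and record.case_id in user.assigned_cases)
        self._append_log(user, "read", record_id, "allow" if allowed else "deny")
        if not allowed:
            raise AccessDenied(f"{user.name} may not read {record_id}")
        return record.body

    def verify_log(self):
        """True if no entry was altered, reordered or removed from inside the
        chain.  Truncation at the tail is only caught if the latest hash is
        also stored somewhere the writer cannot reach."""
        prev = GENESIS
        for entry in self._log:
            if entry["prev"] != prev or self._entry_hash(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def denied_attempts(self, user_name):
        return sum(1 for e in self._log
                   if e["user"] == user_name and e["outcome"] == "deny")


def demo():
    """Exercise the store with constructed data; returns the observed outcomes."""
    store = SarStore()
    store.add(SarRecord("SAR-0001", "CASE-A", "constructed filing text A"))
    store.add(SarRecord("SAR-0002", "CASE-B", "constructed filing text B"))
    alice = User("alice", "aml_analyst", {"CASE-A"})   # analyst on case A only
    bob = User("bob", "it_admin")                       # platform admin, no cases

    out = {"alice_own_case": store.read(alice, "SAR-0001")}
    for label, user, rec in (("alice_other_case", alice, "SAR-0002"),
                             ("admin_any_case", bob, "SAR-0001")):
        try:
            store.read(user, rec)
            out[label] = "allow"
        except AccessDenied:
            out[label] = "deny"
    out["bob_denials"] = store.denied_attempts("bob")
    out["log_intact"] = store.verify_log()

    # An insider rewriting history: the chained hashes expose the change.
    store._log[0]["user"] = "mallory"
    out["log_intact_after_tamper"] = store.verify_log()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter here. Denials are logged as well as successes, because a run of denied reads from one account is exactly the signal an insider-threat detection should alert on. And the audit log is chained, so an administrator who can edit the store cannot quietly rewrite who read what; in production the latest hash would be shipped to a separate, write-once destination so that tail truncation is also detectable.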

Historically, organisations achieved this by keeping sensitive content on internal, disconnected systems to prevent the egress of data. With COVID-19 and the rise of home-working this is no longer feasible, and cloud platforms such as Microsoft 365, when properly configured, provide auditing, access control and information protection that the legacy internal or on-premise solutions still in use do not.

Secondly, the details of the exposure raise questions about how seriously financial services organisations have taken their role in preventing organised crime from using their facilities. A key takeaway from the revelations is that most of the reported transactions were allowed to complete: the SARs were filed as a safety net to protect the organisation and its executives from prosecution, even where they went on to endorse the fraudulent activity.

Questions that every CEO and CISO in financial services must be asking themselves are: Did I know that this was happening? Have I implemented controls to ensure this type of activity is alerted? Is this what my Board and customers expect of me? How do I prevent this from happening in the future?

In a world where damage to a financial institution's reputation costs more, in customer loyalty and share price, than any statutory fine for mismanaging information, complacency and ignorance are no defence.

Finally, this draws into the spotlight the current legislation for AML and its adequacy to protect the sector. It’s a damning indictment for any financial centre or institution to be considered “high risk” and points to a need to have a rethink on how organisations identify, report and act on suspicious activity. Indeed, in response to the latest leak both FinCEN and the UK Department for Business, Energy and Industrial Strategy (BEIS) have announced reviews and reforms to their AML practices.

Organisations need to be confident that they have the capability to detect potentially fraudulent activity in real time, so that issues are raised and reports are filed. They also need to work in a transparent and ethical manner to retain the confidence of their customers and shareholders. The former can be addressed with technology; the latter requires the Boards of financial services institutions to decide how they wish to be viewed and respected.

In a recent analysis of the publicly available Enron email dataset, our Automated Regulatory Compliance platform, with no special training, identified 2,677 separate documents that directly relate to and highlight examples of fraud and suspicious activity.