How FinCEN became a honeypot for sensitive personal information
If a despotic government's banking data has been leaked, yours may have been leaked too.
This is possibly the most overlooked yet worrying impact of the recent data dump of more than 2,000 Suspicious Activity Reports (SARs) filed by financial institutions with the U.S. Financial Crimes Enforcement Network (FinCEN).
A series of investigations by Buzzfeed News, known as the FinCEN Files, focused on the way major banks used SARs to avoid liability for potentially illegal transactions. But the leak raises much bigger questions about privacy: what personal data do SARs contain, how long is it kept, and is it really protected by the government?
CoinDesk interviewed numerous lawyers and compliance experts, including a former FinCEN employee, and none of them was able to say specifically how long the government keeps SAR data. Most doubted that the information is ever actually deleted.
Overall, the conversations painted a picture of an understaffed agency sitting on a huge database. Because reporting is triggered by the size of a transaction or by mere suspicion, financial institutions also collect information on people who have committed no crime.
"They have personal, private information and allegations of conduct in a database," said Melissa G.R. Goldstein, a former attorney-advisor at FinCEN and now special counsel at the financial law firm Schulte Roth & Zabel. "Just because someone is named in a SAR doesn't necessarily mean they are guilty of a crime."
FinCEN did not respond to multiple interview requests for this article, or to a list of questions that included its data security procedures and how long a SAR or Currency Transaction Report (CTR) is kept in its database.
FinCEN was founded in 1990 and is responsible for preventing and detecting money laundering. To do that, it keeps a gigantic database of SARs containing detailed documentation of suspected money laundering and fraud.
FinCEN's original mission, according to the Treasury Department's website, was to "provide a government-wide network of multi-source information and analysis to aid in the detection, investigation and prosecution of national and international money laundering and other financial crimes." The U.S. Patriot Act of 2001 made it a bureau of the Treasury Department, and countering terrorist financing became a major part of its remit.
SARs are supposed to document everything a bank considers unusual, and once filed they contain detailed information about the individuals involved.
Vanessa Williams, chief compliance officer at CrossTower, a digital asset exchange operator, said in a telephone interview that these files include "your name, address, date of birth, social security number and a description of the suspected activity. If there is any evidence, you will be asked to provide it, including professional information."
This information is gathered on everyone involved, along with details such as passport or driver's license numbers, the relevant dates, and the codes the suspicious activity is classified under.
In the U.S., a SAR must be filed if, for example, insider trading is suspected, or there is potential money laundering or a breach of the Bank Secrecy Act (BSA). Evidence of computer hacking, or of a customer running an unlicensed money services business, also automatically requires a SAR.
But potentially harmless transactions can also be recorded. Any cash deposit of $10,000 or more triggers a CTR, which must be filed with FinCEN and can be paired with a SAR if a bank employee finds it suspicious. Banks must file a SAR if they discover a suspicious transaction of $5,000 or more. It is a crime to break a deposit into smaller amounts so that none of them reaches the CTR threshold. A CTR includes personal information such as social security and driver's license numbers.
There has been debate about raising the amount that triggers a CTR, but bills such as the 2018 Counter Terrorism and Illicit Finance Act, which would have raised the threshold from $10,000 to $30,000, failed. That bill also proposed raising the SAR threshold from $5,000 to $10,000.
FinCEN is in fact trying to move in the opposite direction and collect even more data. It has proposed lowering the threshold for the "travel rule," the transaction amount above which banks must collect and store money transfer information. As CoinDesk reported, the proposal would reduce the $3,000 minimum to $250 for transfers leaving the U.S.
Buzzfeed, meanwhile, alleged that filing SARs gave financial institutions "near-immunity," letting them keep facilitating, and most importantly keep earning fees on, money movements tied to shady characters even after notifying regulators.
The leaked files Buzzfeed obtained showed that, in some cases, multiple SARs were filed but no action was taken against the banks or against the individuals or organizations the SARs concerned.
"Some banks treat SARs as a kind of get-out-of-jail-free card, filing alerts about a wide variety of transactions without actually stopping them," Buzzfeed reported.
According to the agency, FinCEN received more than 12 million SARs from a range of industries between 2011 and 2017. In 2019 alone it received about 2 million, almost 5,500 a day. Banks must retain these reports for five years after filing them.
"I don't think government data retention is being seriously considered," said Michael Yaeger, a shareholder at the law firm Carlton Fields who focuses on regulatory investigations and cybersecurity issues. "They say how long they keep it at the bank level, but the government doesn't. It's not a habit to destroy data."
Between a rock and a hard place
FinCEN's mission is to collect and disseminate data. In 2012, FinCEN took all of its data, including the personal data contained in SARs, and made it electronic and searchable. This means that law enforcement agencies with the appropriate credentials can search for a person's social security number or name, using narrow or broad parameters, and retrieve all the data relevant to them. According to FinCEN, the database holds details from 300 million reports.
Goldstein was part of the team overseeing this transition towards the end of her tenure at FinCEN from 2009 to 2013.
Once the BSA E-Filing system went live in 2013, banks could submit SARs digitally as well. Law enforcement officers with credentials can log in and search by social security number, name, date and zip code, and narrow their search parameters to retrieve specific reports and information.
Goldstein said FinCEN is in a difficult position because its mission is to "collect, analyze and share information with law enforcement and regulators."
On its website, FinCEN describes the benefits law enforcement gets from the financial data it collects:
"Combined with other data collected by law enforcement and intelligence agencies, the FinCEN data helps investigators connect the dots in their investigations by enabling a more complete identification of the respective subjects with information such as: personal information; previously unknown addresses; corporate and personal associations; banking patterns; travel patterns; and communication methods."
It also lists numerous successful cases in which its data has been used.
At FinCEN there is a group of people whose job is to audit every credential, every search made with those credentials, and other activity. In theory, only a few people in any U.S. attorney's office should have access to the system. But these internal precautions do not prevent the data from being hacked or leaked by bad actors. Three high-profile SAR leaks have occurred since 2017.
"There's no question that any central location that stores data is considered a honeypot," said Angela Angelovska-Wilson, co-founder of DLx Law and former chief legal and compliance officer of blockchain software company Digital Asset. "The government is probably one of the best and largest honeypots out there."
She cites the Cyberspace Solarium Commission's report, released in March, as a cause for concern about the security of government data.
"It draws a very worrying analysis of the state of our systems of government such as the financial system and other critical infrastructures," said Angelovska-Wilson. "You are ill-prepared for modern cybersecurity warfare. Would FinCEN be a great honeypot in terms of SAR data? In my personal opinion, absolutely."
Yaeger was an assistant U.S. attorney when he learned that the Office of Personnel Management (OPM) had been hacked. The breach is widely attributed to China's People's Liberation Army.
"I had a national security questionnaire in which I had to fill out about 24 pages with lots of information," he said on a phone call. "Like everyone else filling out this form, I had to write many details about my life there, including my family's life."
Because of the OPM breach, he believes those 24 pages of data are now in the hands of the Chinese government.
"Does it need more data protection resources? Probably," said Goldstein, the former FinCEN attorney.
The involvement of multiple law enforcement agencies also creates a dynamic in which data is shared on a larger scale. Spreading it across various law enforcement and government agencies raises the risk simply because of the number of entities handling it.
Yaeger said the data FinCEN stores could be used to see which cash flows are documented in SARs. An attacker could look at a specific bank as a source to get an overview of its activity, or repurpose the data for other ends.
"It's a window into the financial system and especially into things that are flagged as potentially illegal activity," said Yaeger. "No matter what the use, whether it's individual criminals who see 'oh yes, they're on me' or blackmail that you could use against people, the limits are really just your imagination."
Companies will be fined if they don't keep the data for the required five year period. It remains unclear how long FinCEN stores the data itself. Both Angelovska-Wilson and Yaeger doubted the data would ever be deleted.
"The retention issue is generally not given that much attention because we generally want data, right? The first rule of big data would be to get a lot of data," said Yaeger.
The banks' perspective
Banks have filed more and more SARs, the number of which has almost doubled in the past decade.
According to Angelovska-Wilson, financial institutions have moved to more defensive SAR filing, turning a thoughtful process into something closer to a box-ticking exercise. The idea is that banks file large numbers of SARs to protect themselves from liability and from fines for possible non-compliance with the BSA.
Even if a transaction is merely unusual, it is at the compliance officer's discretion to file a SAR just in case. The result is a SAR full of your personal information, even if you are a law-abiding citizen.
Financial institutions are now filing so much that, according to Angelovska-Wilson, there is a "data avalanche."
As the number of SARs submitted to FinCEN grows, the agency itself is shrinking. FinCEN's headcount fell by 10% over the same period, and it currently employs around 300 people.
Given the round-the-clock nature of financial transactions, pressure from law enforcement, and the basic need for sleep, compliance officers at financial institutions do not have an easy job deciding what to file and what not to. So the data keeps piling up.
"The data (SARs) are used like data from other mass surveillance programs," Michael German, a former FBI special agent and an expert on national security and privacy, told Buzzfeed. "Find someone you want for whatever reason, then search through the huge amounts of data to find anything to hang them with."