How FinCEN Became a Honeypot for Sensitive Personal Data
If a despotic government’s bank transactions can be leaked, so can yours.
That’s perhaps the most overlooked yet unsettling implication of the recent data dump of more than 2,000 suspicious activity reports (SARs) filed by financial institutions to the U.S. Financial Crimes Enforcement Network (FinCEN).
An investigative series by BuzzFeed News, known as the FinCEN Files, focused on the ways that big banks were using SARs to avoid liability for potentially illicit transactions. But the leak raises much larger questions about data privacy: What personal data do SARs include, how long is it being retained and is the government really protecting it?
CoinDesk interviewed numerous lawyers and compliance experts, including a former FinCEN employee, and none were able to give concrete details as to how long SAR data is retained by the government. The majority doubted the information was ever actually deleted.
Overall, the conversations painted a picture of an understaffed agency sitting on top of a huge trove of data. Because financial institutions merely need to report large or potentially suspect transactions, they also gather data of individuals who have not committed a crime.
“You’ve got personal, private information in a database and allegations of conduct,” said Melissa G.R. Goldstein, a former attorney-advisor at FinCEN and now Special Counsel at financial law firm Schulte Roth & Zabel. “Just because someone is named in a SAR doesn’t necessarily mean that they are guilty of something criminal.”
FinCEN did not respond to multiple interview requests for this article, or to a list of questions that included data security procedures and how long a SAR or Currency Transaction Report (CTR) is kept in its database.
Established in 1990, FinCEN is responsible for preventing and detecting money laundering. That means it maintains a gargantuan database of SARs that provide detailed documentation of suspected instances of money laundering or fraud.
FinCEN’s original mission was to “provide a government-wide, multi-source intelligence and analytical network to support the detection, investigation and prosecution of domestic and international money laundering and other financial crimes,” according to the Department of the Treasury website. It became a bureau of the Treasury Department as a result of the U.S. Patriot Act in 2001, and mitigating terrorist financing became a key part of its purview.
SARs are meant to document anything that a bank deems out of the ordinary. And when they are submitted, they include granular details about an individual.
Vanessa Williams, chief compliance officer at CrossTower, a digital asset exchange operator, said in a phone interview these files “include name, address, date of birth, Social Security number and a description of the alleged activity. If circumstantial evidence is available, you’re encouraged to provide that, which may include occupational information.”
This information is gathered on all the parties involved, as well as details like passport or driver’s license numbers, relevant dates and what codes the suspicious activity falls under.
In the United States, a SAR must be filed if, for example, insider trading, potential money laundering or violations of the Bank Secrecy Act are suspected. Evidence of computer hacking or a customer operating an unlicensed money services business also automatically requires a SAR.
But potentially innocuous transactions could be recorded as well. Any cash deposit of $10,000 or more triggers a CTR to be filed with FinCEN and can be coupled with a SAR if a bank employee deems it suspicious. Banks must file a SAR if they identify a suspicious transaction involving $5,000 or more. Breaking up a deposit into smaller amounts in such a way as to avoid hitting the CTR threshold is a crime. A CTR includes personal information such as Social Security and driver’s license numbers.
There have been discussions about raising the amount of money that triggers a CTR, but bills such as the Counterterrorism and Illicit Finance Act, introduced in 2018, which would have raised the threshold from $10,000 to $30,000, didn’t pass. The bill also proposed raising the threshold for when a SAR must be filed from $5,000 to $10,000.
FinCEN, in fact, is trying to move in the opposite direction, seeking to capture even more data. It has proposed lowering the “Travel Rule” threshold, the transaction amount at which banks must collect and store fund transfer information. As CoinDesk reported, its proposal would reduce the minimum from $3,000 to $250 for any transfers that leave the U.S.
BuzzFeed, meanwhile, claimed that filing SARs provided “near immunity” for financial institutions that continued to facilitate and, importantly, collect fees from money movements tied to shady characters even after alerting regulators to them.
The leaked files from BuzzFeed showed that although multiple SARs were filed in some instances, no action was taken against banks or the people or entities on which the SARs were based.
“Some banks treat SARs as a kind of get-out-of-jail-free card, filing alerts about a huge array of transactions without actually moving to halt them,” BuzzFeed reported.
FinCEN received more than 12 million SARs from a wide range of industries from 2011 to 2017, according to the agency. It was sent 2 million in 2019 alone, or nearly 5,500 a day. These reports must be kept by banks for five years after they’re reported.
“I don’t think data retention is seriously thought about at the government level,” said Michael Yaeger, a shareholder at the law firm of Carlton Fields, who focuses on government investigations and cybersecurity matters. “They specify how long they retain it at the bank level, but the government doesn’t. It’s not in the habit of destroying data.”
Between a rock and a hard place
FinCEN’s mission is to acquire and disseminate data. In 2012, FinCEN took all its data, including the personal details included in SARs, and made it electronic and searchable, meaning credentialed law enforcement could search for a person’s Social Security number or name along narrow or wide parameters, and obtain all the data pertaining to them. The database includes details from 300 million reports, according to FinCEN.
Goldstein was a part of the team that oversaw that transition toward the end of her tenure at FinCEN from 2009 to 2013.
After the BSA e-filing system went live in 2013, banks could file SARs digitally and did so. Law enforcement members with access credentials could also log in and search by Social Security number, name, dates, and zip codes. They could also narrow their search parameters to get specific reports and information.
Goldstein said FinCEN is stuck in a hard place because its mission is to “collect, analyze and disseminate information to law enforcement and regulators.”
On its website, FinCEN outlines the benefits law enforcement gains from the financial data it gathers:
“When combined with other data collected by law enforcement and the intelligence communities, FinCEN data assists investigators in connecting the dots in their investigations by allowing for a more complete identification of the respective subjects with information such as: personal information; previously unknown addresses; businesses and personal associations; banking patterns; travel patterns; and communication methods.”
It also lists numerous successful cases in which its data was used.
There is a group of people at FinCEN whose job it is to trawl through every log-on credential, every search that is done by that log-on credential and other activity. And, in theory, only a few people from each U.S. Attorney’s Office are supposed to have access to the system. Still, these internal precautions do not prevent data from being hacked or leaked by bad actors. There have been three high-profile SARs leaks since 2017.
“There is no question that any central body which stores data is viewed as a honeypot,” said Angela Angelovska-Wilson, co-founder of DLx Law and former chief legal and compliance officer of blockchain software firm Digital Asset. “The government is probably one of the best and biggest honeypots that are out there.”
She points to the Cyberspace Solarium Commission Report, which was released in March, as a reason for concern about the security of government data.
“It paints a very worrisome analysis of the state of our government systems, like the financial system and other crucial infrastructure,” said Angelovska-Wilson. “They are ill-prepared for modern cybersecurity warfare. So for FinCEN, with respect to SAR data, would it be viewed as a great honeypot? In my personal opinion, absolutely.”
Yaeger was an assistant U.S. attorney when he learned the Office of Personnel Management (OPM) had been hacked. The hack is largely attributed to the People’s Liberation Army of China.
“I had a national security questionnaire where I had to fill, like, 24 pages with a lot of information,” he said in a phone call. “Like everyone else who fills out that form, I had to put a lot of details on my life there, including my family’s life.”
Because of the OPM breach he said he believes those 24 pages of data are now in the hands of the Chinese government.
“Does it need more resources for data protection? Probably,” said Goldstein of FinCEN.
The involvement of multiple law enforcement agencies also creates a dynamic where data is shared more widely. Doing so across various law enforcement and government agencies creates greater risk because of the number of entities handling it.
Yaeger said the data FinCEN stores could be used to see what money flows are being documented in SARs; you could look at a particular bank source to get a view of their activities, or you could repurpose the data for other reasons.
“It’s a window into the financial system, and specifically things that are flagged as potentially illegal activity,” said Yaeger. “So whatever use it has, whether it’s individual criminals seeing ‘oh yeah they’re onto me’ or it’s blackmail material you could use against people, the limits are really just determined by your imagination.”
Companies are fined unless they retain the data for the required period of five years. It remains unclear how long FinCEN itself stores the data. Both Angelovska-Wilson and Yaeger said they doubted the data was ever deleted.
“There isn’t as much attention in general on the retention issue, because in general we want data, right? The first rule of Big Data would be to get a lot of data,” said Yaeger.
Deputizing the banks
Banks have been filing more and more SARs, the number of which has nearly doubled in the last decade.
Financial institutions have been doing more defensive SAR filing, according to Angelovska-Wilson, turning what was a thoughtful process into something that is more akin to just checking the box. Essentially, the idea is that banks are filing large numbers of SARs to protect themselves from liability or being hit with fines for potential noncompliance with the BSA.
Even if it’s just an out-of-the-ordinary transaction, compliance officers have the discretion to file a SAR, just in case. Now you’ve got a SAR on you, full of personal information, even if you’re a law-abiding citizen.
Financial institutions are now filing so many things that it’s leading to an “avalanche of data,” according to Angelovska-Wilson.
As the number of SARs filed to FinCEN grows, the department itself is shrinking. FinCEN’s staff was reduced by 10% over that same period and currently numbers around 300 employees.
With the 24-hour nature of financial transactions, pressure from law enforcement to go after compliance officers, and the basic need for sleep, compliance officers at financial institutions don’t have the easiest job when it comes to making decisions on what to file or not. So the data keeps coming.
“The [SARs] data is used like the data from other mass surveillance programs,” Michael German, a former FBI special agent who is a national security and privacy expert, told BuzzFeed. “Find someone you want to get for whatever reason then sift through the vast troves of data collected to find anything you can hang them with.”