A U.S. agency that fights financial crime is encouraging financial institutions, ranging from banks to cryptocurrency exchanges, to share customer information with one another to catch wrongdoers.
The Financial Crimes Enforcement Network (FinCEN), a bureau of the Treasury Department, issued a fact sheet Thursday spelling out that the 2001 Patriot Act gives institutions wide latitude in what kind of information they are permitted to share.
Overall, the sheet seemingly lowers the obstacles to further sharing of personal customer information among banks and the threshold for what qualifies as “suspicious” activity, and loosens the expectation that the entities sharing customer information even need to be financial institutions.
Among other matters, the fact sheet clarifies that Section 314(b) of the act, and the regulations putting it into practice, “impose no limitations on the sharing of personally identifiable information.” The sheet added that institutions have to protect the security and confidentiality of this data, and use it only for the purposes laid out in the nearly 20-year-old law, passed a month after the 9/11 attacks.
Still, the guidance is likely to chafe privacy advocates inside and outside the crypto community who are already uneasy about the honeypot of personal data that FinCEN’s suspicious activity report (SAR) database has become. The more places information is shared, after all, the more ways it can be misused or stolen.
“It seems that in the spirit of ‘protecting our communities and preventing crimes and bad acts,’ FinCEN’s guidance is dramatically expanding its expectation of banks to share data, at the expense of individuals’ privacy, while potentially exposing them to very real cyber risks, when it is not clear that such a move is necessary,” said Nizan Geslevich Packin, an associate professor of law at City University of New York.
In a speech Thursday, FinCEN Director Kenneth Blanco framed interbank data sharing as a public safety measure.
“Information sharing among financial institutions through 314(b) is critical to identifying, reporting and preventing crime and bad acts,” he said in prepared remarks for a virtual gathering of bankers and lawyers. “It is an important part of how we protect our national security.”
However, he suggested institutions have been reluctant to take part.
“Many have been calling for clarity in this area for a long time,” so the agency saw fit “to clarify in greater detail the circumstances where 314(b) applies, with the hope of enhancing participation,” Blanco said.
Lowering the bar
The information that can be shared is not limited to activities suspected of involving proceeds of a specified unlawful activity (SUA), Blanco said.
Institutions do not need “specific information that these activities directly relate to proceeds of an SUA, or to have identified specific proceeds of an SUA being laundered” in order to share data with each other, he said. Nor must they have made “a conclusive determination that the activity is suspicious.”
The FinCEN fact sheet claims additional reporting can shed “more light upon overall financial trails” and build “a more comprehensive and accurate picture of a customer’s activities that may involve money laundering or [where] terrorist financing is suspected.”
Angela Angelovska-Wilson, co-founder of DLx Law and former chief legal and compliance officer at blockchain software firm Digital Asset, recognized that while multiple financial entities handling sensitive data could create additional vulnerabilities, it may ultimately be a positive.
If banks can share data with each other about what might be suspicious, it could stop some entities from acting with blinders on, she argued. For example, if someone is engaging in one kind of activity in a certain account, and then behaving differently in another, that might seem suspicious to both banks. But if they communicate about this data before filing a SAR, it could benefit the customer, as a more holistic picture of their financial activities could show that they’re not doing anything suspicious.
“Basically what 314(b) has done in the past is it has hampered people’s ability to share information in order to figure out whether or not something is actually suspicious and be able to thoughtfully report to FinCEN,” said Angelovska-Wilson.
Yet others read FinCEN’s continued efforts to widen the information-snagging net as a sign of policy failure.
“This shows that Congress has not been performing its oversight function,” said Michael German, a former FBI special agent, privacy expert and a fellow at the Brennan Center for Justice. “It’s waiting for the Treasury Department to claim that this is an effective measure against terrorism or money laundering. But after two decades of increased sharing of suspicious activity reports, it has not resulted in measurable successes against terrorism or money laundering. It’s time for our elected representatives to protect our data, the way that is promised under the Bank Secrecy Act, rather than these exceptions for sharing.”
FinCEN, he said, “is only going to keep pushing for more information and more information, even if that information is useless to its stated goals.”
Don’t tell a soul
Financial institutions are still forbidden to disclose that a SAR exists, and that applies even when the report was filed jointly with another company, FinCEN’s fact sheet stated.
“However, financial institutions participating in Section 314(b) that are considering filing or have filed a joint SAR may freely discuss the prospective or already filed joint SAR [among] themselves,” the fact sheet said.
While crypto exchanges aren’t explicitly listed, money services businesses and securities brokers are. Both categories include cryptocurrency businesses.
Compliance vendors and associations of financial institutions, including unincorporated ones governed by a contract between members, are also permitted to take part in information-sharing, FinCEN added.
“The big takeaway from this seems to be that FinCEN is encouraging people to engage in more data sharing,” said Michael Yaeger, a shareholder at the law firm of Carlton Fields, who focuses on government investigations and cybersecurity matters. “They are doing so in a variety of ways, including pointing out that a financial institution does not need to have made a conclusive determination that activity is suspicious or closely tied to a specified unlawful activity. An institution need not have concluded a SAR must be filed.”
As CoinDesk reported Thursday, over the years there has been a move toward so-called defensive filing, meaning that if there is any question something could be deemed suspicious, banks are encouraged to file a SAR.
This has led to what one compliance officer called an “avalanche of data” because financial institutions have been filing more and more with FinCEN.
“Many questions about the safety of the information collected by FinCEN, as well as the bureau’s failure to provide clear guidelines regarding how and when it eventually deletes the data it has, remain unanswered,” Packin said. “This is concerning … in an era in which cybersecurity [has] become a major concern.”