TRENDING:

Anti-Money Laundering Update: Did The System Work in the Spitzer Case?

Opinions Split Over Public ID of Banks that Filed SARs Linda McGlassonMarch 18, 2008    
Anti-Money Laundering Update: Did The System Work in the Spitzer Case?
Of all the emotions stirred by last week's scandalous resignation of New York Gov. Eliot Spitzer (Anti-Money Laundering Reports Help Take Down NY Governor), the hottest words exchanged in the banking community are over the Suspicious Activity Reports (SARs) that tipped off investigators to the ex-governor's alleged financial improprieties.

Spitzer resigned after revelations that he is under investigation for involvement with a high-priced prostitution service. The scandal made the headlines, but the real news to financial institutions is that this investigation was spurred by SARs filed by two New York banks (North Fork Bank and HSBC) with the U.S. Treasury department and the Internal Revenue Service after Spitzer reportedly moved large sums of cash in bank accounts he controlled.

In the wake of these revelations, one side praises the public acknowledgement of these private reports, saying that the Spitzer case shows the anti-money laundering reporting system works.

Opponents fear the public spotlight will deter institutions from filing such reports in the future.

"Leaking the names of the banks that filed the SARs by law enforcement was a very bad thing, but it is not the first time that this type of leak has occurred," says Alan Abel, CPA and Executive Global AML Practice Leader at Crowe Chizek and Company. Suspicious activity reporting doesn't work in a country where you don't have safe harbor provisions for the institutions that report it, he says. The institutions must have indemnification from litigation and "Without this, you don't have absolute privacy and secrecy of the SAR."

Bankers Speak Out
As news of the Spitzer scandal spread last week, the banking community was quick to react to news of the SARs that ignited the investigation.

This case will not encourage banks to file SARs, says one compliance officer. "It will make them apprehensive that their name will appear in the media in the future, and their safe harbor is in danger," says Patricia Regier, Compliance and BSA vice president at Farmers & Merchants National Bank, Fairview, OK ($60 million in assets).

Another financial services professional (who prefers to remain anonymous) says of the leak, "Not only was the law broken by Spitzer, but it was also broken by whoever spilled the beans on which banks filed the SARs. That is a tremendous failure of our banking system and the laws that govern it."

In Indiana, Ruth Jones, Senior Vice President of Human Resources and Bank Secrecy Act Officer at Owen County State Bank in Spencer, says she hopes it was not the banks who leaked the information. "The confidential nature of this information reported in the media was a shock to compliance officers and others in the financial services industry," Jones says. (The names of the banks filing the SARs were, in fact, leaked by law enforcement officials involved in the investigation to media.)

Another compliance officer at a Texas bank registers similar dismay. "I am appalled at the likes of CNN, FoxBusiness, Wall Street Journal, the Associated Press, and all media that have blatantly disregarded the law and put financial institutions at a disadvantage regarding SARs," she says, also preferring anonymity. The public does not have a "need to know" or "even a right to know everything about a system that is designed to protect them and the country as BSA/AML is designed to do."

As a former regulatory compliance auditor at Chase, Robert Matthews, who now leads the consulting service MatthewsConnection.com, sees the increased use of SARs and Currency Transaction Reports (CTRs) in law enforcement investigations as an encouraging sign. "SARs and CTRs have historically been used to further an investigation; they are rarely the initiating event," Matthews says.

Why did Spitzer attempt to structure the cash movements, asks banker Jonathan Miskell of the First State Bank of Blakely, GA, with $300 million in assets and six branches. "If he had not structured the amount, and therefore CTRs were filed when applicable, this may not have been scrutinized," he says. SARs are red flags while "CTRs represent everyday business in America - 99 percent of the time," says Miskell, Internal Auditor and Security Officer. Aside from the Spitzer case, a large percentage of bank customers who engage in structuring are not masking cash that came from illegal means. "They do it because they think the Tax Man would pay attention to their CTR," he says.

Lessons Learned
Among the key takeaways from the Spitzer case: The Financial Crimes Enforcement Network (FinCEN) does read SARs, and they are a valuable tool in law enforcement investigations.

"We do read them," says FinCEN spokesperson Steve Hudak. "In a recent speech given by FinCEN Director James Fries, and I quote him: 'Primarily with respect to SARs, but also sometimes with the other forms, the information provided can be the first tip that starts an investigation. An employee's good instincts can, and do, result in the contribution of critical information that serves to set investigatory wheels in motion to track down suspected criminal activity. For example, the IRS often says that Money Laundering is tax evasion in progress; BSA information can be the first lead into investigations that can recoup these funds and help to reduce the tax gap. Most people understand and expect these types of lead or tip-off usage, yet fail to appreciate the following, arguably broader uses of BSA data.'"

Stephen Katz, President of Security Risk Solutions and former CISO of CitiGroup and Merrill Lynch, is a recognized industry thought-leader who voices a positive note about the Spitzer case. "What I think is great about this is that banks file these SARs all the time, and it takes time, effort and a lot of work goes into doing it right," Katz says. "These reports appear to be a burden, but this is a reminder that they (SARs) are taken seriously by regulators and law enforcement."

Yvonne Hancock, BSA Officer at the Bank of Augustine, St. Augustine, FL. agrees with Katz, adding, "I think they are effective -- the system works!"

Is the Spitzer case a deterrent? Again, opinions are mixed. "The mere fact that a criminal knows that an institution will file these reports has deterrent value," says FinCEN's Hudak.

Katz isn't entirely sold on this idea. "Spitzer knew about these types of reports better than anybody; it didn't serve as a deterrent to him," Katz says. "He knew the ways that SARs were used to track suspicious activity and the oversight involved. He knew the fact that they don't just track the SARs in terms of dollar amounts, but also in some cases the people who are involved. He knew this. It was simple hubris on his part in thinking his transactions wouldn't be reported."

Previous
Managed Messaging Security and Archiving
Next
Security Awareness: How to Create an Effective Program for Employees

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



Around the Network

Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.