Financial Crimes Enforcement Network
American Bankers Association/American Bar Association
Financial Crimes Enforcement Conference
January 13, 2022
Thank you, Ryan, and thank you all for welcoming me. My name is Him Das. I’m the Acting Director of FinCEN. It’s a real pleasure to address this iteration of the ABA/ABA Financial Crimes Enforcement Conference.
My predecessors have always approached this speech as something of a State of the Union for financial crimes and the community of people who work to prevent them. I see it the same way – although with a few distinctions.
Over the past 30 years, the average length of the presidential State of the Union has been about an hour and four minutes. So, for one thing, I promise you my remarks will be much shorter today. I also want to avoid giving you a laundry list of policies and proposals because I think what’s happening in our space is not so scattershot. There is a clear storyline here, a succinct narrative. It’s a story of two adjacent and related transformations, interlocking gears that are turning together.
The first is a transformation of the anti-money laundering/counter-terrorist financing (AML/CFT) regulatory regime writ large.
Until recently, the overarching legal foundation of our regime was an artifact of the moment it was most recently updated – in the wake of 9/11 – and like most 21-year-old things, it has not entirely kept up with the times. Just as earlier incarnations of the Bank Secrecy Act were laser-focused on countering drug-related financial flows, the updates in the USA PATRIOT Act really emphasized disrupting the money flows of groups like al Qaida. It never anticipated the challenges of the 2020s: digital assets, strategic corruption, an explosion of kleptocrats hiding their wealth in American shell companies, or artificial intelligence that could help us recognize these crimes and others.
And although there has been important work through regulation, rulemaking, and guidance to keep pace with evolving risks, our legal foundation was in many respects built, as the aphorism goes, “to fight the last war.” Or at least that was the case until 2021, when Congress passed the Anti-Money Laundering Act of 2020, or the AML Act.
The AML Act, as this group knows, touched off a new, post-post-9/11 era for anti-money laundering, giving FinCEN the authority to, quote, “streamline, modernize, and update the AML/CFT regime of the United States,” and that, indeed, is what we are doing.
At the 2019 ABA/ABA conference, my predecessor, Ken Blanco, spoke about the reorganization of FinCEN, including entire new divisions. There was the creation of the Global Investigations Division, which combined our efforts against foreign bad actors involved in everything from terrorism to human trafficking, and the Strategic Operations Division, which helps coordinate and share information with law enforcement, national security agencies, financial institutions such as yours, and foreign partners. We also have the Enforcement and Compliance Division, which resolves high-impact investigations across the entire financial sector, including evolving corners of it, like cryptocurrency.
Since Ken’s speech, particularly through the dedication and vision of FinCEN’s Deputy Director AnnaLou Tirol, we’ve been scaling up those divisions, hiring more staff and honing our work to meet the mandate of the AML Act. We’re moving as quickly as our resources will allow.
This is the second transformation I mentioned, and it is the story I want to tell in greater depth today – the story of how FinCEN is helping transform our nation’s AML/CFT regime from post-9/11 to post-pandemic; from al Qaida to AI and digital assets – and, importantly, where your institutions fit into that work.
It’s a story, I think, best told in three chapters, and they could be titled:
- New threats;
- New innovations; and
- New partnerships.
Let me take each in turn.
First, new threats.
We have to ensure our AML/CFT regime reflects modern national security needs, attacking threats as they exist in 2022 and as they continue to evolve. Yes, counterterrorism will always be a core priority, but as you’re well aware, there is a far broader set of criminals who use our financial system to facilitate their bad acts. In fact, the government-wide AML/CFT priorities that FinCEN issued last year confirm the broad range of threats to the U.S. financial system and our national security. We will update these priorities regularly, and that will help us keep pace with the shifting threat landscape.
We’ve witnessed, for example, a proliferation of “strategic corruption,” state-sponsored crimes aimed at weakening our institutions. Last year, for instance, the DOJ indicted three North Korean military hackers who extorted roughly $1.3 billion by robbing companies like Sony Pictures and stealing from cryptocurrency wallets.
There are also gangs of cybercriminals operating without state sponsorship who have launched ransomware attacks on virtually every kind of American organization imaginable, from Texas’ Welasco Independent School District, which had the personal information of 16,000 of its students leaked on the dark web, to the University of Vermont’s hospital, which had its IT systems crippled for weeks during the height of the pandemic. Doctors were unable to access medical records or surgery schedules. Cancer patients had to delay their chemotherapy.
As FinCEN’s Ransomware Trends Report stated, in just the first six months of 2021, FinCEN received 635 ransomware-related suspicious activity reports – a 30 percent jump from the total number received all year in 2020.
The entire government is needed to combat the threat of ransomware. It’s not just a FinCEN job, but it is one in which we play a key role, issuing ransomware advisories to highlight new typologies and trends and bolstering the ability of financial institutions to identify and report ransomware attacks and ransom payments. We also work with our law enforcement partners to recover funds after ransomware attacks.
But as much as we prevent criminals from using the financial system to steal money, we need to prevent them from laundering and hiding it, too. As Secretary Yellen has said, “There’s a good argument that right now, the best place for criminals to launder their ill-gotten gains is the United States – and that’s because of how we allow people to establish shell companies.”
Until last year, we did not have the ability to uncover the true owners of certain companies formed in the United States, but last January, the Corporate Transparency Act was passed, directing FinCEN to build a national database for beneficial ownership information. Last month, FinCEN issued a proposed rule to collect the necessary information that will help us build this database. It will require many U.S. and foreign companies to report their true beneficial owners to FinCEN and to update that information when those beneficial owners change.
In the private sector, we know there is significant interest in the beneficial ownership database – and how that will interplay with the Customer Due Diligence Rule. We are carefully examining these issues and will have more to share in the coming months.
We’re also ensuring that a similar principle of transparency applies to real estate. After all, many corrupt actors can hide their money in homes the same way they do in shell companies. Secretary Yellen has called them, “money laundromats on the 81st floor.”
We want to change this. When someone buys one of these properties with all cash, they should not be able to hide their identity, which is why last month FinCEN began the rulemaking process with the publication of an Advance Notice of Proposed Rulemaking. It seeks public input on a proposal to require reporting of beneficial ownership and other information stemming from certain real estate transactions. We value your input during these rulemaking processes, and I’d really encourage you to weigh in.
Finally, our reorganized Global Investigations Division is renewing focus on using FinCEN’s special authorities to protect national security. There are jurisdictions and financial institutions out there that are complicit in or actively involved in money laundering and other illicit activity that threatens the integrity of our financial system. Geographic Targeting Orders and special measures under Section 311 of the USA PATRIOT Act allow us to take a flexible and creative approach to better understanding and combating these threats, and we will lean forward on using these authorities.
But an AML/CFT regime that merely accounts for new threats is not sufficient. In some cases, we face the same threats we always have, but they’re amplified by financial innovations and new technologies, which is why, at the end of last year, we issued a Request for Information on ways to streamline and modernize the AML/CFT regime.
After all, when our regime received its last major update in 2001, there were also cyberattacks. Fifty million machines had recently been infected by the ILOVEYOU computer virus – the biggest attack in history up to that point.
But what rendered the 2000 ILOVEYOU attack different from, say, the 2017 WannaCry ransomware attacks – what rendered it toothless and rudimentary by comparison – was its inability to ransom anything. There was very little financial infrastructure built into the web in 2001, and certainly no cryptocurrency. It was a crime, but not a financial crime. (See https://security.cs.georgetown.edu/~tavish/cyberattacks_report.pdf)
There is less of a distinction these days. As the digital world increasingly becomes the financial world – and vice versa – we need a regulatory regime to match, one that accounts for crypto and other digital assets, evolution in the payments space, and other innovations that are driving the creation of new products, services, and delivery channels.
FinCEN’s view is that our regulatory framework needs to approach these innovations in a way that recognizes not only the risks that they pose, but the opportunities that they present: How do we build a regulatory framework that creates the room to foster what’s positive about innovation while at the same time ensuring that bad actors can’t take advantage of innovations more effectively than the good guys?
That is the central question, and the answer, I think, begins with clear and constant communication.
Sometimes, that will come through enforcement, through consent orders and settlements, as it did in the recent BitMEX case. BitMEX is one of the oldest and largest virtual currency derivative exchanges. For six years, it operated without a compliant AML program, facilitating more than $200 million in transactions involving known darknet markets or unregistered money services businesses. After the fact, we found 588 instances of suspicious transactions – but none had prompted BitMEX to file a single suspicious activity report (SAR).
By assessing a $100 million penalty against BitMEX last August, we hope to convey the message that the Bank Secrecy Act applies to institutions dealing in digital assets and cryptocurrency the same way it does to those dealing in fiat currency.
That said, regulators cannot only communicate via red lights; we cannot only say what NOT to do. To encourage innovation in this space, we know we have to flash yellow lights – and even the occasional green light.
For years, many of us have talked about the contours of “a risk-based-approach to AML/CFT regulation.” The AML Act compels us to bring more specifics to that discussion: What does “a risk-based-approach” look like? What is the right allocation of resources? The AML Act reinforces the view that it certainly doesn’t look like the status quo.
We know that your institutions are devoting enormous amounts of man-hours and dollars, reviewing transactions for compliance, and often this work feels like nothing more than checking boxes – and a very long series of boxes at that. One representative from M&T Bank recently testified before Congress that her team of 300 individuals reviews thousands of cases each year, and each investigation, she said, “consists of seven pages of narrative text and 50 attachments, which average 250-to-280 pages total, regardless of whether that investigation results in a SAR.”
New technologies – AI, blockchain, machine learning – have the potential to automate this work, but of course, it’s not as simple as flipping a switch. There are a number of considerations. First, it’s not enough that these technologies make compliance more efficient; they also have to make it more effective – or at least, keep the new system on par with the old one. Many of these machine learning and AI systems can be black boxes, and we have to be sure that these systems can perform when it comes to key metrics – like how many alerts actually lead to SARs or whether law enforcement finds the information actionable.
We also know that innovation will only happen if the private sector feels it has latitude to innovate. Few institutions would risk testing a new technology if they thought that test might put them in regulatory crosshairs, and that is exactly what’s happening, as one recent report from the Financial Action Task Force concluded. “In some cases,” it found, “innovation [is being] curtailed by concerns as to whether and how technologies may be used under the FATF Recommendations or in specific AML/CFT regulatory frameworks.” At FinCEN, we’re committed to remedying this, to ensuring that the space to innovate is as large and as safe as it has to be.
Three years ago, a group of regulators, including the Federal Reserve, the OCC, FDIC, NCUA, and FinCEN released a joint statement, encouraging financial institutions to adopt innovative approaches, including the use of AI, to meet their obligations under the Bank Secrecy Act. We said that we wouldn’t penalize financial institutions for failing to innovate along these lines, but we wanted to support those that did. FinCEN is working with other regulators and moving forward with what that support actually looks like.
We recognize the value that technologies like AI and machine learning can have within our own operations, and we also continue to explore the creation of regulatory sandboxes, a series of interim, but formal, frameworks for how your institutions can pilot the use of, say, AI to transform traditional rules-based transaction monitoring. Some of the other ideas we’re considering are new approaches to customer risk rating and institutional risk assessment, digital identity tools and utilities, and automating the adjudication and filing of SARs related to certain types of activity.
If we could stand up these sandboxes tomorrow, we would. We know there’s a lot of eagerness for something like this, and we’re going to move as quickly as possible. We need more staff and budget to help build the program, and we are working on that. But we’re also limited by another factor – and it is one that you can help with: We cannot design these sandboxes without knowing how your institutions would like to use them. What are you interested in building? What assurances do you need to start? What risks should we be on the lookout for?
This brings us to the third – and final – change that I’d like to cover today: The AML Act enshrines some of FinCEN’s existing work with the private sector and calls for further enhancing engagement with the private sector – a public-private partnership where we’re working together to modernize and enforce this regime. That won’t just require us communicating with you; it will require your institutions communicating with FinCEN; collaboration, back-and-forth.
Indeed, the idea of regulatory sandboxes extends from our current Innovation Hours program, which FinCEN has been hosting for two years. We want to consolidate what we’ve learned there – because we have learned so much. I’m grateful to the many of you that have participated in this program and in other forums like FinCEN Exchanges and the BSA Advisory Group. In just the past year, regulators from across the government have attended Innovation Hours to hear about your digital ID efforts, as well as how selective disclosure of financial information can be done between financial institutions safely and compliantly through privacy enhancing technologies.
But in order for this information flow to work, we need to take a thoughtful approach and we need it to be useful. This shouldn’t be just information-sharing for information-sharing’s sake, and I know that often when your institutions communicate with FinCEN and other regulatory bodies, especially via SARs, there’s very little sense of where the data goes – or what it’s for. Is law enforcement using it? Is it helpful?
Our goal is to create a feedback loop – not just to collect information from you, but to crunch it and tell you what it did. This way, the data you provide can be leveraged to inform your risk assessments and compliance decisions. The same goes for cyber threat intelligence data. We are working to create real-time data flows that will help to protect against future cyberattacks.
With the implementation of the AML Act, we are now at the beginning of a new era for the regulatory regime that guides our work. I expect that years from now, we’ll look back and see 2022 as a year like 2001 or 1970, which is when the Bank Secrecy Act was first passed. If history is any guide, the precedents we set and the rules we write now will stick – perhaps for the next two or three decades.
If we work together – if we collaborate to combat new threats and adopt new technologies – then I am confident the regulatory framework we build will work to serve us well for all those years and many more.
# # #