A U.S. agency fighting financial crime is encouraging financial institutions, from banks to cryptocurrency exchanges, to share customer information with one another in order to catch culprits.
The Financial Crimes Enforcement Network (FinCEN), an office of the finance department, issued a bulletin Thursday stating that the Patriot Act 2001 gives institutions wide leeway in how to share information.
Overall, the paper appears to lower the barriers to further exchanges of personal customer information between banks, the threshold for “suspicious” activity, and the question of whether the companies that exchange customer information need to be financial institutions at all.
The fact sheet clarifies, among other things, that Section 314 (b) of the Act and the regulations that put it into practice "do not impose any restrictions on the exchange of personal data". The paper added that institutions are required to protect the security and confidentiality of this data and only use it for the purposes set out in the nearly 20-year-old law passed a month after the 9/11 attacks.
Still, the guide is likely to scour privacy advocates inside and outside the crypto community who are already unsure of the importance of the FinCEN Suspicious Activity Data Source (SAR). The more location information that is shared, the more opportunities there are to misuse or steal it.
“It seems that in the interests of protecting our communities and preventing crime and evil deeds, FinCEN's guidelines dramatically increase banks 'expectation of sharing data at the expense of individuals' privacy and potentially expose them to very real cyber risks, if so it is not clear that such a step is necessary, ”said Nizan Geslevich Packin, Associate Professor of Law at the City University of New York.
In a speech on Thursday, FinCEN director Kenneth Blanco presented the exchange of interbank data as a measure for public safety.
"The exchange of information between financial institutions up to 314 (b) is critical to the identification, reporting and prevention of crime and wrongdoing," he said in prepared remarks for a virtual meeting of bankers and lawyers. "It's an important part of protecting our national security."
However, he suggested that the institutions were unwilling to participate.
"Many have long requested clarification in this area," the agency said, "in order to clarify the circumstances under which 314 (b) applies in hopes of improving participation," said Blanco.
Lower the bar
The information that can be shared is not limited to activities that are suspected to include proceeds from any particular illegal activity (SUA), Blanco said.
Institutes do not need "specific information that these activities are directly related to the revenues of an SUA or that they have identified certain revenue from a laundered SUA" in order to share data, he said. Nor must they have "made a conclusive determination that the activity is suspicious".
The FinCEN factsheet claims that additional reporting "may shed more light on overall financial pathways" and "may provide a broader and more accurate picture of a client's activities that are suspected of being money laundering or (where) terrorist financing".
Angela Angelovska-Wilson, co-founder of DLx Law and former chief legal and compliance officer of blockchain software company Digital Asset, realized that while multiple financial firms handling sensitive data can create additional vulnerabilities, they can ultimately be positive.
If banks can share data on what may be suspicious of one another, it could deter some companies from trading blinders, she argued. For example, if someone does a certain activity on one account and then behaves differently on another account, this can appear suspicious to both banks. However, communicating about this data prior to filing a SAR could benefit the customer as a more holistic picture of their financial activity could show that they are not doing anything suspicious.
"Basically, 314 (b) has historically impaired people's ability to share information, to find out whether something is actually suspicious or not, and to be able to report thoughtfully to FinCEN," said Angelovska-Wilson .
Financial institutions are still prohibited from disclosing the existence of a SAR, even if the report was co-filed with another company, the fact sheet says.
"Financial institutions participating in Section 314 (b) that are considering filing or have filed a joint SAR are free to discuss the potential or previously filed common SAR (with each other)," the fact sheet states.
While crypto exchanges are not explicitly listed, they are money service providers and stock brokers. Both categories include cryptocurrency companies.
Compliance providers and associations of financial institutions, including unregistered companies for which there is a contract between members, are also allowed to participate in the information exchange, FinCEN added.
"The big takeaway from this seems to be that FinCEN is encouraging people to share more data," said Michael Yaeger, a shareholder in Carlton Fields law firm, which focuses on government investigations and cybersecurity issues. “They do this in a number of ways, including by pointing out that a financial institution is not required to definitively determine that an activity is suspicious or closely related to a particular illegal activity. An institution does not need to have concluded that a SAR needs to be submitted. "
As CoinDesk reported Thursday, there has been a move over the years towards what is known as defensive filing, which means that banks will be asked to file a SAR if there are any questions that could be classified as suspicious.
This has resulted in what one compliance officer has termed a "data avalanche" as more and more financial institutions submit to FinCEN.
"Many questions about the security of the information FinCEN collects, as well as the office's failure to provide clear guidelines on how and when the data it holds is deleted, go unanswered," said Packin. "This concerns … at a time when cybersecurity has become a major concern."
Continue reading: How FinCEN became the honeypot for sensitive personal data