A U.S. agency that fights financial crime is encouraging financial institutions, ranging from banks to cryptocurrency exchanges, to share customer information with one another to catch wrongdoers.
The Financial Crimes Enforcement Network (FinCEN), a bureau of the Treasury Department, issued a fact sheet Thursday spelling out that the 2001 Patriot Act gives institutions wide latitude in what kind of information they are permitted to share.Â
Overall, the sheet seemingly lowers the obstacles for further sharing of personal customer information among banks, the threshold of what qualifies as âsuspiciousâ activity and whether the entities sharing customer information even need to be financial institutions.Â
Among other matters, the fact sheet clarifies that Section 314(b) of the act, and the regulations putting it into practice, âimpose no limitations on the sharing of personally identifiable information.â The sheet added that institutions have to protect the security and confidentiality of this data, and use it only for the purposes laid out in the nearly 20-year-old law, passed a month after the 9/11 attacks.
Still, the guidance is likely to chafe privacy advocates inside and outside the crypto community who are already uneasy about the honeypot of personal data that FinCENâs suspicious activity report (SAR) database has become. The more places information is shared, after all, the more ways it can be misused or stolen.
âIt seems that in the spirit of âprotecting our communities and preventing crimes and bad acts,â FinCENâs guidance is dramatically expanding its expectation of banks to share data, at the expense of individualsâ privacy, while potentially exposing them to very real cyber risks, when it is not clear that such a move is necessary,â said Nizan Geslevich Packin, an associate professor of law at City University of New York.
In a speech Thursday, FinCEN Director Kenneth Blanco framed interbank data sharing as a public safety measure.Â
âInformation sharing among financial institutions through 314(b) is critical to identifying, reporting and preventing crime and bad acts,â he said in prepared remarks for a virtual gathering of bankers and lawyers. âIt is an important part of how we protect our national security.â
However, he suggested institutions have been reluctant to take part.Â
âMany have been calling for clarity in this area for a long time,â so the agency saw fit âto clarify in greater detail the circumstances where 314(b) applies, with the hope of enhancing participation,â Blanco said.
The information that can be shared is not limited to activities suspected of involving proceeds of a specified unlawful activity (SUA), Blanco said.
Institutions do not need âspecific information that these activities directly relate to proceeds of an SUA, or to have identified specific proceeds of an SUA being launderedâ in order to share data with each other, he said. Nor must they have made âa conclusive determination that the activity is suspicious.â
The FinCEN fact sheet claims additional reporting can shed âmore light upon overall financial trailsâ and build âa more comprehensive and accurate picture of a customerâs activities that may involve money laundering or [where] terrorist financing is suspected.âÂ
Angela Angelovska-Wilson, co-founder of DLx Law and former chief legal and compliance officer at blockchain software firm Digital Asset, recognized that while multiple financial entities handling sensitive data could create additional vulnerabilities, it may ultimately be a positive.Â
If banks can share data about what might be suspicious among each other, it could stop some entities from acting with blinders on, she argued. For example, if someone is engaging in one kind of activity in a certain account, and then behaving differently in another, that might seem suspicious to both banks. But if they communicate about this data before filing a SAR, it could benefit the customer as a more holistic picture of their financial activities could illuminate that theyâre not doing anything suspicious.Â
âBasically what 314(b) has done in the past is it has hampered peopleâs ability to share information in order to figure out whether or not something is actually suspicious and be able to thoughtfully report to FinCEN,â said Angelovska-Wilson.
Yet others read FinCENâs continued efforts to widen the information-snagging net as a sign of policy failure.
âThis shows that Congress has not been performing its oversight function,â said Michael German, a former FBI special agent, privacy expert and a fellow at the Brennan Center for Justice. âItâs waiting for the Treasury Department to claim that this is an effective measure against terrorism or money laundering. But after two decades of increased sharing of suspicious activity reports, it has not resulted in measurable successes against terrorism or money laundering. Itâs time for our elected representatives to protect our data, the way that is promised under the Bank Secrecy Act, rather than these exceptions for sharing.â
FinCEN, he said, âis only going to keep pushing for more information and more information, even if that information is useless to its stated goals.â
Financial institutions are still forbidden to disclose that a SAR exists, and that applies even when the report was filed jointly with another company, FinCENâs fact sheet stated.
âHowever, financial institutions participating in Section 314(b) that are considering filing or have filed a joint SAR may freely discuss the prospective or already filed joint SAR [among] themselves,â the fact sheet said.
While crypto exchanges arenât explicitly listed, money services businesses and securities brokers are. Both categories include cryptocurrency businesses.
Compliance vendors and associations of financial institutions, including unincorporated ones governed by a contract between members, are also permitted to take part in information-sharing, FinCEN added.
âThe big takeaway from this seems to be that FinCEN is encouraging people to engage in more data sharing,â said Michael Yaeger, a shareholder at the law firm of Carlton Fields, who focuses on government investigations and cybersecurity matters. âThey are doing so in a variety of ways, including pointing out that a financial institution does not need to have made a conclusive determination that activity is suspicious or closely tied to a specified unlawful activity. An institution need not have concluded a SAR must be filed.âÂ
As CoinDesk reported Thursday, over the years there has been a move toward so-called defensive filing, meaning that if there is any question something could be deemed suspicious, banks are encouraged to file a SAR.Â
This has led to what one compliance officer called an âavalanche of dataâ because financial institutions have been filing more and more to FinCEN.Â
âMany questions about the safety of the information collected by FinCEN, as well as the bureauâs failure to provide clear guidelines regarding how and when it eventually deletes the data it has, remain unanswered,â Packin said. âThis is concerning ⦠in an era in which cybersecurity [has] become a major concern.â
Read more: How FinCEN Became a Honeypot for Sensitive Personal Data
