Bloomberg Law
Oct. 16, 2020, 8:28 AM

ANALYSIS: The FinCEN Files — Third Leak in Three Years

Robert Kim
Robert Kim
Legal Analyst

The leak of the FinCEN Files— more than 2,100 suspicious activity reports (SARs) from the Bank Secrecy Act (BSA) report database of the Financial Crimes Enforcement Network (FinCEN) — has proved a bounteous source for media reporting on money laundering. Less examined so far is the FinCEN Files’ relationship to other recent high-profile SAR leaks.

Media interest in SARs has resulted in a series of breaches of SAR confidentiality since 2017, creating problems for the U.S. anti-money laundering (AML) regime that could undermine the very anti-corruption efforts that the FinCEN Files leakers profess to champion.

SAR Leaks in 2017–2020

The release of the FinCEN Files is the third highly publicized incident involving leaks of SARs from FinCEN’s database of BSA reports since 2017.

In 2017–18, a series of media reports on Russian interference in the 2016 presidential election cited information from leaked SARs, and FinCEN employee Natalie Edwards was indicted for the SAR leak in October 2018. The indictment stated that forensic analysis found that Edwards had stolen more than 24,000 files from FinCEN in 2017 and 2018, including “thousands of SARs,” on a wide variety of subjects, many of them unrelated to the 2016 presidential election. In January 2020, Edwards pleaded guilty to the criminal charge against her in USA v. Edwards.

In 2018, former attorney Michael Avenatti used information from leaked SARs in media statements related to the lawsuit by Stormy Daniels against President Donald Trump. Leaked SARs became the foundation of a media campaign by Avenatti about payments allegedly made to Stormy Daniels through former Trump attorney Michael Cohen. An analyst with Internal Revenue Service Criminal Investigation (IRS-CI) in San Francisco, John Fry, was charged with disclosing the SARs to Avenatti in February 2019. The criminal complaint stated that Fry downloaded five SARs after conducting searches focused on Cohen. In August 2019, Fry pleaded guilty to the charges in USA v. Fry.

Media focus on SARs during the Stormy Daniels incident made them a subject for newspaper front pages, magazine investigative reporting, and evening television news features, likely for the first time since the introduction of the SAR filing requirement in 1996. The FinCEN Files matter ensued in 2019–20.

According to the International Consortium of Investigative Journalists (ICIJ), the release of the FinCEN Files in September occurred 16 months after the ICIJ received them from one of its media partners, which places that phase of their public disclosure in May 2019. The ICIJ’s source was the same media company that published articles based on the Edwards leak in 2017–18.

The FinCEN Files consist of more than 2,600 files, of which more than 2,100 are SARs, all dating back to 2017 or earlier. The data set seems large when viewed in isolation, but it is almost an order of magnitude smaller than the data stolen from FinCEN in 2017–18, which totaled more than 24,000 files, including “thousands” of SARs.

These details provide significant circumstantial evidence that the FinCEN Files are a subset of the FinCEN data stolen in that earlier instance, and FinCEN’s official statement on the matter, issued Sept. 1, indicates that the agency considers them to be so. FinCEN declared that it was aware that media outlets were going to publish articles based on unlawfully disclosed SARs and other sensitive government documents “from several years ago” and “has referred this matter to the U.S. Department of Justice and the U.S. Department of the Treasury’s Office of Inspector General.”

The possibility that additional leakers are the source of at least some parts of the FinCEN Files cannot be ruled out yet, however. Treasury’s Office of Inspector General is likely to be investigating this issue. Moreover, the ICIJ has refrained from issuing a definitive statement about the source of the FinCEN Files. The ICIJ’s FAQs on the FinCEN Files ask the question, “Has a whistleblower been named?” The answer states only, “In January 2020, a former U.S. Treasury Department official, Natalie Mayflower Sours Edwards, from Virginia, pleaded guilty to unlawfully disclosing confidential Treasury documents.” By avoiding the question, the ICIJ has left it open.

Why SAR Leaks Matter

The recent surge of interest in SARs as a gold mine of newsworthy information creates a new problem for BSA/AML regulation and compliance. Compliance with the SAR filing requirement was already complicated in the two decades of relative obscurity following 1996. Since 2017, there has been an emerging problem with maintaining the confidentiality of SAR filings, which is a fundamental principle of the SAR filing requirement.

The purpose of SARs is to require financial institutions to detect and report possible money laundering and other suspicious activities by persons who could be litigious or downright dangerous. As a result, confidentiality has been required from SAR filers. Disclosing the filing of a SAR to a participant in the reported transactions is a criminal offense (31 U.S.C. § 5318(g)(2)). Even sharing SAR filings between the head office and branches of a bank was once considered problematic enough to require FinCEN guidance to clarify what was allowed.

That the U.S. government, the receiver of SAR filings, risks becoming unable to ensure their confidentiality creates new problems for both sides of the SAR filing requirement. The full consequences of this development for BSA/AML regulation and compliance remain to be seen.

FinCEN will be only one of many U.S. government agencies affected by this problem. SARs and other BSA data exist to assist a network of law enforcement agencies to investigate financial crimes — hence the name “Financial Crimes Enforcement Network,” not “Financial Crimes Enforcement Czar.” Widespread access to FinCEN’s database is crucial for SARs to be used effectively. Uncertainty about the security of the BSA database at law enforcement agencies (e.g. IRS-CI) may affect their access to it in the future.

The short-term media frenzy over the FinCEN Files has overlooked these long-term problems, which remain for legal and regulatory compliance professionals to address. They are unlikely to make any news headlines, but they are likely to be the substantive legacy of the release of the FinCEN Files.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.