Skip Navigation

Treasury’s Turf War Over Domestic Spying

We have grown accustomed to stories of mass data collection by federal intelligence agencies, and while being incredibly troubling, this one is ripe with bureaucratic hypocrisy and inside-the-Beltway intrigue.

October 25, 2017

Cross-posted from Just­Se­cur­

BuzzFeed News recently repor­ted seri­ous alleg­a­tions that the Treas­ury Depart­ment’s Office of Intel­li­gence Affairs (OIA) is illeg­ally access­ing and analyz­ing the ­fin­an­cial records of Amer­ic­ans, accord­ing to unnamed offi­cials inside the depart­ment. Treas­ury quickly respon­ded to this news with a strong denial, but the depart­ment’s inspector general is reportedly look­ing into the matter. Though the sources are unnamed, it seems likely these are offi­cials taking the side of the Finan­cial Crimes Enforce­ment Network (FinCEN), another branch inside Treas­ury, who has long been in a kind of turf war with OIA.

We have grown accus­tomed to stor­ies of mass data collec­tion by federal intel­li­gence agen­cies, and while being incred­ibly troub­ling, this one is ripe with bureau­cratic hypo­crisy and inside-the-Belt­way intrigue, since FinCEN has been amass­ing this very same collec­tion of data on Amer­ic­ans’ finan­cial activ­it­ies and distrib­ut­ing it to intel­li­gence agen­cies and law enforce­ment for decades.

FinCEN and OIA have long been in a kind of turf war. The Bank Secrecy Act of 1970, as modi­fied by the USA Patriot Act of 2001, requires finan­cial insti­tu­tions (broadly defined to include banks, hedge funds, casi­nos, used car deal­er­ships, and pawn­shops, among others) to file two types of reports with FinCEN: Currency Trans­ac­tion Reports (CTRs), required when someone with­draws or depos­its more than $10,000 in cash, and Suspi­cious Activ­ity Reports (SARs), required when insti­tu­tions identify unusual or poten­tially illegal activ­ity. Almost 2 million suspi­cious activ­ity reports were filed in 2016. Roughly 15 millioncurrency trans­ac­tion reports are filed each year as well. Put bluntly, FinCEN already collects the domestic finan­cial records its offi­cials now accuse OIA of unlaw­fully obtain­ing.

There is some merit to FinCEN’s argu­ment that OIA should not have access to these records. FinCEN is a law enforce­ment agency that focuses on domestic and inter­na­tional money laun­der­ing, terror­ism finan­cing, and other finan­cial crimes. Its collec­tion of SAR and CTR data is inten­ded to assist in its enforce­ment of these finan­cial crimes. Estab­lishedby the Intel­li­gence Author­iz­a­tion Act of 2004, OIA is legally considered part of the “intel­li­gence community.” Though this distinc­tion might seem trivial, it is at the crux of this dispute. As an intel­li­gence compon­ent, OIA is governed by a Reagan-era exec­ut­ive order, E.O. 12333, which strictly limits the collec­tion of inform­a­tion about U.S. persons defined as both U.S. citizens and legal perman­ent resid­ents. E.O. 12333 (as amended by Pres­id­ent George W. Bush) requires OIA to estab­lish internal guidelines, approved by the attor­ney general – some­thing it has never done – before collect­ing any U.S. persons inform­a­tion. 

Reportedly, OIA has been access­ing these domestic finan­cial records for years, but it “only became contro­ver­sial in 2016, when offi­cials at FinCEN learned about it and began object­ing.” Inter­est­ingly, this was around the same time that the agency over­see­ing OIA, Treas­ury’s Office of Terror­ism and Finan­cial Intel­li­gence, sugges­ted shift­ing much of FinCEN’s work to OIA. This proposal would have cut FinCEN’s budget and would have trans­ferred many of its employ­ees over to OIA.

It was at this point that FinCEN invoked E.O. 12333 and began arguing the proposed shake-up was illegal. OIA, which was already amass­ing domestic finan­cial inform­a­tion at the time of these disputes, countered by saying it was comply­ing with the order because it had a draft of the internal guidelines (which, over a year later, have not been final­ized).

One unnamed senior offi­cial at Treas­ury told BuzzFeed that OIA’s activ­it­ies consti­tute “domestic spying.” But iron­ic­ally, FinCEN accuses OIA of collect­ing and retain­ing domestic finan­cial inform­a­tion from FinCEN’s own data­base. So, if OIA is enga­ging in “domestic spying,” FinCEN is too.

How prob­lem­atic is this spying? Track­ing with­draw­als or depos­its of over $10,000 in cash is a straight­for­ward endeavor governed by object­ive stand­ards. However, the Bank Secrecy Act, passed in 1970, failed to peg the CTR threshold dollar amount to infla­tion (adjus­ted for infla­tion, the amount today would be over $60,000), and so there has been a steady increase in the number of reports filed. SAR filing require­ments, however, are decidedly less clear cut. Though FinCEN offers broad guidelines for making these determ­in­a­tions, specific­ally instruct­ing insti­tu­tions to report evid­ence of money laun­der­ing or trans­fers to foreign terror­ist organ­iz­a­tions, it acknow­ledges that “the decision to file a SAR is an inher­ently subject­ive judge­ment.” Many banks have complained these guidelines do not provide suffi­cient instruc­tion on the broader require­ment to report poten­tially illegal or suspi­cious-seem­ing activ­ity.

The number of SAR filings has exploded since the USA Patriot Act expan­ded the BSA require­ments in 2001. Accord­ing to FinCEN reports, finan­cial insti­tu­tions submit­ted just over 160,000 SARs in 2000, compared to almost 2 million in 2016, more than a ten-fold increase. Federal white-collar crime prosec­u­tions, includ­ing those for money laun­der­ing, have lagged over that same time period, suggest­ing that FinCEN’s SAR and CTR programs are not well-designed to identify cases of law-break­ing.

They are, on the other hand, an extremely potent form of domestic surveil­lance. SAR reports include a tremend­ous amount of personal and private finan­cial inform­a­tion, includ­ing an indi­vidu­al’s address, tax iden­ti­fic­a­tion number, social secur­ity number, account numbers, and finan­cial trans­ac­tion history. The indi­vidual making the “suspect” trans­ac­tion is not noti­fied that a SAR has been filed. Report­ing insti­tu­tions are not held liable for the accur­acy of inform­a­tion they put into a SAR, but they are held liable for neglect­ing to file if the Treas­ury Depart­ment later determ­ines one was clearly warran­ted. Natur­ally, this leads to over-report­ing. FinCEN instructs them to include “all known subject inform­a­tion” in SARs, and the reports are kept indef­in­itely in FinCEN’s data­base.

FinCEN shares SAR and CTR inform­a­tion broadly through­out the law enforce­ment community. The FBI, U.S. Immig­ra­tion and Customs Enforce­ment, the Secret Service, and the Internal Revenue Service can access and down­load SAR and CTR records in bulk for analysis. These agen­cies can then incor­por­ate SAR data into exist­ing data­bases, with other law enforce­ment data.

Though this data is widely access­ible to law enforce­ment, it is surpris­ingly diffi­cult for a person subjec­ted to a SAR to obtain it through other means. It is exempt from discov­ery in civil court, and finan­cial insti­tu­tions are prohib­ited from reveal­ing anything about the contents or exist­ence of a SAR, includ­ing in cases request­ing damages for their disclos­ures. Civil courts are not author­ized to order disclos­ure of a SAR. FinCEN does issue annual reports with SAR filing data, includ­ing stat­ist­ics on the category of activ­ity being repor­ted, but these reports offer limited insight into how FinCEN or other law enforce­ment agen­cies use SARs, or the inform­a­tion contained within them.

The over­breadth, wide distri­bu­tion, and lack of inde­pend­ent or public over­sight over the govern­ment’s use of SAR data creates high poten­tial for abuse. A 2002 FinCEN reportindic­ated that an unspe­cified number of SARs were filed because indi­vidu­als “appeared to be of Middle-East­ern descent.” The report goes on to advise against report­ing based on ethni­city but does not offer any incent­ive for insti­tu­tions to do so, nor any system of account­ab­il­ity to protect against biased report­ing based on race, ethni­city, reli­gion, national origin, or any other protec­ted char­ac­ter­istic.

To echo the unnamed Treas­ury offi­cial quoted by BuzzFeed: This is domestic spying. To recog­nize the danger posed by FinCEN’s own activ­it­ies is not to dimin­ish the threat of OIA’s lawless access to FinCEN’s data­bases, but rather to put it in context. Any data collec­tion system that lacks inde­pend­ent over­sight and due process poses a threat to Amer­ic­ans’ privacy and civil liber­ties. A system that offers no protec­tion against report­ing that can target Amer­ic­ans based on race, reli­gion, and polit­ical affil­i­ation must change. Finan­cial insti­tu­tions must be given more specific guidelines about making SAR filing decisions, so this report­ing is narrowly tailored to identify crim­inal or terror­ist activ­ity. Equally import­ant, due process protec­tions need to be incor­por­ated into the system, and there must be more effect­ive over­sight and public account­ab­il­ity over all domestic intel­li­gence collec­tion programs that impact the privacy of millions of Amer­ic­ans.

The views expressed are the author’s own and not neces­sar­ily those of the Bren­nan Center for Justice.

(Photo: AP)