Cross-posted from JustSecurity.org
BuzzFeed News recently reported serious allegations that the Treasury Department’s Office of Intelligence Affairs (OIA) is illegally accessing and analyzing the financial records of Americans, according to unnamed officials inside the department. Treasury quickly responded to this news with a strong denial, but the department’s inspector general is reportedly looking into the matter. Though the sources are unnamed, it seems likely these are officials taking the side of the Financial Crimes Enforcement Network (FinCEN), another branch inside Treasury, who has long been in a kind of turf war with OIA.
We have grown accustomed to stories of mass data collection by federal intelligence agencies, and while being incredibly troubling, this one is ripe with bureaucratic hypocrisy and inside-the-Beltway intrigue, since FinCEN has been amassing this very same collection of data on Americans’ financial activities and distributing it to intelligence agencies and law enforcement for decades.
FinCEN and OIA have long been in a kind of turf war. The Bank Secrecy Act of 1970, as modified by the USA Patriot Act of 2001, requires financial institutions (broadly defined to include banks, hedge funds, casinos, used car dealerships, and pawnshops, among others) to file two types of reports with FinCEN: Currency Transaction Reports (CTRs), required when someone withdraws or deposits more than $10,000 in cash, and Suspicious Activity Reports (SARs), required when institutions identify unusual or potentially illegal activity. Almost 2 million suspicious activity reports were filed in 2016. Roughly 15 millioncurrency transaction reports are filed each year as well. Put bluntly, FinCEN already collects the domestic financial records its officials now accuse OIA of unlawfully obtaining.
There is some merit to FinCEN’s argument that OIA should not have access to these records. FinCEN is a law enforcement agency that focuses on domestic and international money laundering, terrorism financing, and other financial crimes. Its collection of SAR and CTR data is intended to assist in its enforcement of these financial crimes. Establishedby the Intelligence Authorization Act of 2004, OIA is legally considered part of the “intelligence community.” Though this distinction might seem trivial, it is at the crux of this dispute. As an intelligence component, OIA is governed by a Reagan-era executive order, E.O. 12333, which strictly limits the collection of information about U.S. persons defined as both U.S. citizens and legal permanent residents. E.O. 12333 (as amended by President George W. Bush) requires OIA to establish internal guidelines, approved by the attorney general – something it has never done – before collecting any U.S. persons information.
Reportedly, OIA has been accessing these domestic financial records for years, but it “only became controversial in 2016, when officials at FinCEN learned about it and began objecting.” Interestingly, this was around the same time that the agency overseeing OIA, Treasury’s Office of Terrorism and Financial Intelligence, suggested shifting much of FinCEN’s work to OIA. This proposal would have cut FinCEN’s budget and would have transferred many of its employees over to OIA.
It was at this point that FinCEN invoked E.O. 12333 and began arguing the proposed shake-up was illegal. OIA, which was already amassing domestic financial information at the time of these disputes, countered by saying it was complying with the order because it had a draft of the internal guidelines (which, over a year later, have not been finalized).
One unnamed senior official at Treasury told BuzzFeed that OIA’s activities constitute “domestic spying.” But ironically, FinCEN accuses OIA of collecting and retaining domestic financial information from FinCEN’s own database. So, if OIA is engaging in “domestic spying,” FinCEN is too.
How problematic is this spying? Tracking withdrawals or deposits of over $10,000 in cash is a straightforward endeavor governed by objective standards. However, the Bank Secrecy Act, passed in 1970, failed to peg the CTR threshold dollar amount to inflation (adjusted for inflation, the amount today would be over $60,000), and so there has been a steady increase in the number of reports filed. SAR filing requirements, however, are decidedly less clear cut. Though FinCEN offers broad guidelines for making these determinations, specifically instructing institutions to report evidence of money laundering or transfers to foreign terrorist organizations, it acknowledges that “the decision to file a SAR is an inherently subjective judgement.” Many banks have complained these guidelines do not provide sufficient instruction on the broader requirement to report potentially illegal or suspicious-seeming activity.
The number of SAR filings has exploded since the USA Patriot Act expanded the BSA requirements in 2001. According to FinCEN reports, financial institutions submitted just over 160,000 SARs in 2000, compared to almost 2 million in 2016, more than a ten-fold increase. Federal white-collar crime prosecutions, including those for money laundering, have lagged over that same time period, suggesting that FinCEN’s SAR and CTR programs are not well-designed to identify cases of law-breaking.
They are, on the other hand, an extremely potent form of domestic surveillance. SAR reports include a tremendous amount of personal and private financial information, including an individual’s address, tax identification number, social security number, account numbers, and financial transaction history. The individual making the “suspect” transaction is not notified that a SAR has been filed. Reporting institutions are not held liable for the accuracy of information they put into a SAR, but they are held liable for neglecting to file if the Treasury Department later determines one was clearly warranted. Naturally, this leads to over-reporting. FinCEN instructs them to include “all known subject information” in SARs, and the reports are kept indefinitely in FinCEN’s database.
FinCEN shares SAR and CTR information broadly throughout the law enforcement community. The FBI, U.S. Immigration and Customs Enforcement, the Secret Service, and the Internal Revenue Service can access and download SAR and CTR records in bulk for analysis. These agencies can then incorporate SAR data into existing databases, with other law enforcement data.
Though this data is widely accessible to law enforcement, it is surprisingly difficult for a person subjected to a SAR to obtain it through other means. It is exempt from discovery in civil court, and financial institutions are prohibited from revealing anything about the contents or existence of a SAR, including in cases requesting damages for their disclosures. Civil courts are not authorized to order disclosure of a SAR. FinCEN does issue annual reports with SAR filing data, including statistics on the category of activity being reported, but these reports offer limited insight into how FinCEN or other law enforcement agencies use SARs, or the information contained within them.
The overbreadth, wide distribution, and lack of independent or public oversight over the government’s use of SAR data creates high potential for abuse. A 2002 FinCEN reportindicated that an unspecified number of SARs were filed because individuals “appeared to be of Middle-Eastern descent.” The report goes on to advise against reporting based on ethnicity but does not offer any incentive for institutions to do so, nor any system of accountability to protect against biased reporting based on race, ethnicity, religion, national origin, or any other protected characteristic.
To echo the unnamed Treasury official quoted by BuzzFeed: This is domestic spying. To recognize the danger posed by FinCEN’s own activities is not to diminish the threat of OIA’s lawless access to FinCEN’s databases, but rather to put it in context. Any data collection system that lacks independent oversight and due process poses a threat to Americans’ privacy and civil liberties. A system that offers no protection against reporting that can target Americans based on race, religion, and political affiliation must change. Financial institutions must be given more specific guidelines about making SAR filing decisions, so this reporting is narrowly tailored to identify criminal or terrorist activity. Equally important, due process protections need to be incorporated into the system, and there must be more effective oversight and public accountability over all domestic intelligence collection programs that impact the privacy of millions of Americans.
The views expressed are the author’s own and not necessarily those of the Brennan Center for Justice.