
Some Information Is Not Meant to be Free

Oct 10, 2024


With apologies to Samuel Johnson, to keep a secret may be wisdom, but to expect others to keep it may be folly.


The world is awash in data, new ways to analyze it, and tools for exploiting it that were unthinkable not very long ago. This is a good thing, and data and analysis have been fundamental to financial crimes compliance for a very long time. At the same time, organizations like the Lazarus Group and other networks dedicated to stealing vast amounts of information make it a fraught landscape, to be sure. People are slowly becoming numb to breaches involving sensitive data, often thefts of huge volumes of it. The crew Robert Redford led in Sneakers looks quaint compared to what we see in the news these days, as does its fable about not allowing the tools we rely on to be used to harm the very people they are designed to protect.


In financial crimes compliance we are familiar with the notion of risk-based compliance and embrace the idea that we can allocate resources to mitigate our greatest risks. But we know we are not free to simply ignore the smaller risks. Similarly, when it comes to the data we collect, report, or analyze, we must not lose sight of the risks involved in "small" and very old-fashioned breaches. For all the leaps in technology, there is always the threat of sloppiness, of people simply losing sight of the purpose of the data and how it can affect others, or in some cases of ill intent. Good old-fashioned "sneaker net" - walking out the door with records or data - poses a threat that still is not easily controlled by technology.


Disclosing Sensitive Files

The hard work financial industry professionals do to comply with the Bank Secrecy Act (BSA) is a cornerstone of the financial crimes regulatory framework in the U.S. Both private sector and government officials are deeply committed to protecting that reporting. Suspicious Activity Reports (SARs) are neither evidence nor proof that the subject has done anything wrong. But the impact of a SAR made public is no less harmful for that fact. There are obvious privacy and reputational risks, threats to ongoing investigations, and physical risks to investigators and bank personnel.


Everywhere I have worked over nearly 30 years in both the public and private sectors has understood and emphasized the sensitivity of Suspicious Activity Reports (SARs). Mishandling BSA data is potentially very dangerous. In several of my professional roles, protecting the security of BSA-related information and investigating possible breaches was one of my primary responsibilities, and I have seen only a very few examples of a breach - and nearly all of them due to mistake or sloppiness rather than malice.


I know from personal experience how seriously FinCEN and the Treasury Department take security surrounding BSA data, and I am certain the data is in good hands. Data unused is useless data, however, and to be useful, BSA data must be made available to a large population of users. The simplest formulation of the restrictions on the use of the data is that certain government officials have access to the data because of their roles and are allowed to use it to fulfill their agencies' lawful missions. Furthermore, they may share the data with others who have also obtained access to the system and need it to perform their own agencies' lawful missions.


FinCEN BSA Data

According to a Treasury Department Office of Inspector General report, Financial Crimes Enforcement Network Year in Review FY 2022, "Collectively, 472 federal, state, and local law enforcement, regulatory, and national security agencies have access to BSA reports and FinCEN Query, and over 25,000 authorized personnel have access to the BSA data." Those users ran 2.3 million searches in FY 2022 according to the OIG. Monitoring this system and its users must be a daunting challenge for a bureau with a total of approximately 300 personnel.


There are examples of something more than sloppiness, however. In 2008, revelations about an investigation into Eliot Spitzer led FinCEN to update regulations related to SAR confidentiality and to issue clarifying guidance in 2010. Even so, the Robert Lustyik and Natalie Edwards cases, in 2014 and 2018 respectively, suggest that we must continue to pay close attention to the human elements, not just the technological ones. In these cases the cause was neither an honest mistake nor a state-sponsored cybercriminal or hostile nation-state, but individuals in whom we had placed our trust, who released sensitive data that had been provided to them to do a critical job and that they were supposed to protect.


Now this. Keep an eye on this story out of the Nashville area as reported by Phil Williams, Chief Investigative Reporter WTVF-TV, NewsChannel 5. It appears that local law enforcement officials may have used access to FinCEN's data to pull reports about political opponents and provide the information to an organization conducting a "private sector investigation of corruption."


I really hope this turns out not to be true. Even if it is an isolated case, it is a serious problem and a worrisome one. More than merely a breach of security, this would represent a deeply disturbing breach of trust.
