Modern anti-financial crime enforcement and the enlistment of financial institutions in that pursuit began with the Bank Secrecy Act (BSA) of 1970. The foundational U.S. anti-money laundering law has since been amended many times, replicated in jurisdictions globally, and perennially placed high among regulatory agencies’ supervisory priorities.
AML and CFT (countering the financing of terrorism) rules require massive filings by banks – and by a widening circle of financial and non-financial entities – of reports on potentially suspicious transactions. The data collector, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), fields continual complaints about the costs of that vigilance.
Some results rise above the din. Bitcoin Mercantile Exchange (BitMEX) pleaded guilty this year to BSA/AML violations. Conspiracy to commit money laundering was one of the criminal charges against Sam Bankman-Fried, the now imprisoned founder of cryptocurrency exchange FTX. Executives of the defunct, FTX-connected Silvergate Bank settled civil charges for AML deficiencies and disclosures.
The dubious distinction of worst banking AML scandal belonged to Denmark’s Danske Bank, whose accountability for wrongdoing in its Estonia branch prior to 2016 included a $2 billion forfeiture obtained by the U.S. Department of Justice in 2022.
Then the boom fell this past October on TD Bank, the 10th-largest bank in the U.S. and a subsidiary of Canada’s second-largest. Penalties totaling $3.09 billion were parceled out by multiple agencies. One of them, the Office of the Comptroller of the Currency (OCC), on top of a $450 million civil money penalty imposed a cap on asset growth to help “ensure that the bank focuses on building proper controls commensurate with its risk profile.”
Growth caps are extreme measures. Wells Fargo Bank has had one since 2018, a consequence of its unauthorized-account-opening scandal. Wells also was not in the clear on the AML front, as of a September 2024 OCC enforcement action. Its prescriptions included an enhanced “second-line Financial Crimes Risk Management function” along with “effective implementation by FCRM of the bank’s enterprise-wide BSA/AML and OFAC [U.S. Office of Foreign Assets Control] sanctions programs.”
Other recent examples of AML as regulatory cudgel are a disclosure by Bank of America that it was in discussions with regulators regarding BSA/AML and sanctions compliance improvements; an “aggravated money laundering” indictment by Switzerland’s Office of the Attorney General against private bank Lombard Odier; and a National Bank of Belgium order concerning the AML controls of cross-border payments fintech Wise, which had previously been fined by Abu Dhabi’s regulatory authority.
Illicit funds enter the financial system at the first (“placement”) of three stages of money laundering. (Source: United Nations Office on Drugs and Crime)
The price paid by TD Bank was unprecedented, authorities said of the $3 billion-plus in penalties, compounded by the growth cap and remediation requirements.
TD was the largest bank in the U.S. ever to plead guilty to BSA program failures and the first bank to plead guilty to conspiracy to commit money laundering, according to an October 10 statement by Attorney General Merrick Garland related to the bank’s $1.8 billion resolution with the Justice Department.
Deputy Attorney General Lisa Monaco: “What not to do.”
Guilty pleas followed allegations of long-term, pervasive and systemic deficiencies in AML policies, procedures and controls, and an absence of remedial action, between 2014 and 2023.
“Every bank compliance official in America” should review the documentation as “a case study of what not to do,” stated Deputy Attorney General Lisa Monaco. “And every bank CEO and board member should be doing the same. Because if the business case for compliance wasn’t clear before, it should be now.”
Treasury and FinCEN penalized TD Bank $1.3 billion, “the largest penalty against a depository institution” in their history. (A November 2023 settlement with the Binance cryptocurrency exchange for AML and sanctions law violations was “the largest penalty in U.S. Treasury and FinCEN history”: $3.4 billion.)
FinCEN additionally imposed a four-year independent monitorship to oversee TD Bank’s remediation steps.
“The vast majority of financial institutions have partnered with FinCEN to protect the integrity of the U.S. financial system. TD Bank did the opposite,” declared Deputy Secretary of the Treasury Wally Adeyemo. “From fentanyl and narcotics trafficking, to terrorist financing and human trafficking, TD Bank’s chronic failures provided fertile ground for a host of illicit activity to penetrate our financial system.”
“For over a decade, TD Bank allowed its AML program to languish, making TD Bank a target for illicit actors, including its own employees,” said FinCEN Director Andrea Gacki. The magnitude of its failings – trillions of dollars in transactions annually going unmonitored, thousands of Suspicious Activity Reports (SARs) unfiled, and delayed or misleading Currency Transaction Reports (CTRs) of large cash transactions – is “consistent with the harm” that the bank caused.
Gacki continued: “This historic action should serve as a powerful reminder that we will not tolerate financial institutions who flagrantly violate their obligation to safeguard our financial system from criminal activity.”
Bank Secrecy Act-mandated reports to U.S. Treasury’s Financial Crimes Enforcement Network, including Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs), in fiscal year 2023.
The TD Bank case may be seen as the culmination of an aggressive and coordinated regulatory crackdown, as a clarion call for other firms to up their compliance game, and as a cautionary tale about reputational and other collateral damage of the sort that has befallen TD Bank.
TD called off a planned merger with Tennessee-based First Horizon Corp. in 2023 “for reasons unrelated to First Horizon,” it said at the time. Monica Kowal, TD’s chief compliance officer in Toronto, departed in the middle of this year. “As a part of the process to fix its compliance and risk program, TD hired a number of senior executives including Herb Mazariegos, its chief global anti-money laundering officer from BMO, senior U.S. Federal Bureau of Investigation and Department of Homeland Security officials, Marcy Forman and Jacqueline Sanjuas from Citi, and several others,” Reuters reported.
Bharat Masrani, president and CEO of the TD Bank Group, announced his retirement effective next April, while taking “full responsibility” for AML challenges on his watch. He acknowledged in a December 5 earnings call that the remediation will be a multi-year process.
AML remediation “is our top priority, and we remain focused on strengthening our risk and controls to meet our obligations,” said chief operating officer and CEO-designate Raymond Chun, also expressing confidence that “we will refresh our strategy, drive change and enhance efficient execution to deliver for our shareholders and all stakeholders."
Senator Elizabeth Warren, Democrat of Massachusetts, in an October 30 letter to Garland and Monaco chided the Justice Department for not charging bank executives individually and asked about “compensation clawbacks that regulators will require as part of the agreement.”
Bharat Masrani (left) will retire after 38 years with TD Bank. Group CEO since 2014, he will be succeeded by COO Raymond Chun (right).
The scale and intractability of financial crime may account for the forces arrayed against money laundering and the costs that are borne by or passed through the system. Underlying “the business case for compliance” referenced by the deputy attorney general, those costs range from essential investments in people and systems to fines or penalties for non-compliance. The numbers only seem to go up.
The United Nations Office on Drugs and Crime estimates that the amount of money laundered annually ranges between 2% and 5% of global GDP, or as much as $2 trillion.
According to client lifecycle management and know your customer (KYC) vendor Fenergo, financial regulators levied 80 AML, KYC, sanctions, SARs and transaction monitoring fines globally in the first half of 2024, for a total of $263 million. That figure was $62 million, or 31%, higher than in the 2023 period. The AML amount alone jumped 87%, to $113 million.
“With watchdogs increasingly deploying highly sophisticated technology to more effectively identify wrongdoing,” said Fenergo head of financial crime policy Rory Doyle, “the surge in enforcement actions” is unlikely to abate.
“Financial institutions must take this extremely seriously,” Doyle added. “These penalties disrupt investor confidence, negatively impact share price and damage companies’ reputations – consequences many firms, regardless of their size, cannot afford to shoulder.”
Another benchmark, LexisNexis Risk Solutions’ True Cost of Financial Crime Compliance released last February, put the total for the U.S. and Canada at $61 billion. These compliance costs rose for 99% of institutions.
In U.S.-EMEA survey results reported in November by London Stock Exchange Group, 47% of respondents said their organizations’ financial crime compliance budgets grew in the past year, and 39% recorded no change. “Concerns are tangible” for both groups, LSEG said, adding, “the sheer scale of sanctions compliance in the face of ongoing updates and changes means that budgets would need to be increased just to remain compliant in this one area.”
Sanctions designations and updates this year by the U.S. Treasury Office of Foreign Assets Control (OFAC), in common with international counterpart agencies, continue a two-year upward trend linked to geopolitical conflict, terrorism and other factors. This represents “a new level of normal,” says LexisNexis Risk Solutions.
Several trade groups, including the Bank Policy Institute and Securities Industry and Financial Markets Association, have pressed FinCEN to take a closer look at how SAR filings are straining financial institution resources: “We believe that FinCEN’s burden estimate of 1.98 hours per SAR substantially underestimates the amount of time required to thoroughly undergo the reviews and processes required under applicable requirements to file a SAR.”
FinCEN Director Andrea Gacki
BPI made an all-in calculation of 21.41 hours per SAR, saying “a more accurate estimate will facilitate a more efficient use of the limited resources of both the government and SAR filers, and help financial institutions allocate the appropriate resources to adequately fulfill the regulatory requirement.”
FinCEN Director Gacki addressed the value of SARs in a May 6 speech to SIFMA’s AML Conference. The agency “received nearly 119,000 SARs from securities and futures filers between April 1, 2022, and March 31, 2024,” or nearly 5,000 per month. “Automated clearing house fraud, identity theft, wire transfer fraud, check fraud and suspicious wire transfers were the most frequently reported suspicious activity subtypes.
“Of the top 15 suspicious activity subtypes,” Gacki continued, “the largest percentage increases in reporting from the prior year were for embezzlement, theft or disappearance of funds – which saw a 34% increase – and elder financial exploitation, which increased 63%.”
SAR information is “incredibly valuable to law enforcement and other stakeholders for identifying leads and mapping illicit finance networks,” she remarked. “Most SARs filed in this time period referenced fraud and/or some form of money laundering activity. About 17% mentioned cyber-related terms and about 90 SARs referenced terms related to fentanyl.”
“Another significant priority” that Gacki mentioned – reporting of beneficial ownership information “to fulfill the law enforcement and national security purposes laid out in the Corporate Transparency Act” – may have been derailed by a December 3 federal court decision.
Apart from the hours-per-SAR argument, Bank Policy Institute found in a member survey that total employee hours dedicated to complying with financial regulations and examiner mandates increased by 61% between 2016 and 2023, “even though aggregate employee hours increased only 20% in the same period.” Regulatory or supervisory compliance in 2023 occupied 42% of C-suite time and 43% of board time, compared with 24% C-Suite and 27% board in 2016.
Source: Bank Policy Institute member survey (published October 2024)
Lobbyists are anticipating a more deregulatory tone from a new administration in Washington. Although key policy personnel will be turning over, including those at the top of the Justice and Treasury departments, the AML framework has historically withstood shifting political winds. In addition to its domestic inertia, AML has an international standard-setter, the Financial Action Task Force, analogous to the bank capital regime and the multinational Basel Accords.
FinCEN, which was created in 1990, is working to implement the Anti-Money Laundering Act of 2020. The legislation had broad support and, Gacki said, “included transformational changes to FinCEN’s core authorities, with the overall goal of strengthening, modernizing and streamlining the existing AML regime by promoting innovation, regulatory reform and industry and stakeholder engagement . . . We view revising the AML/CFT program rule consistently with the AML Act to be a substantial step in a multi-year and multi-step effort to transition to a more effective and risk-based AML/CFT framework.”
BPI, for one, has taken opportunities to sound off, calling for more institutional flexibility and discretion, and less box-checking or one-size-fits-all.
In a September 3 comment letter to FinCEN, the institute criticized a proposed rule for undercutting the statute’s intent. “The AML Act’s explicit direction is that financial institutions ensure ‘more attention and resources’ are allocated towards ‘higher-risk customers and activities . . . rather than toward lower-risk customers and activities,’” said the letter signed by senior vice president and senior associate general counsel Gregg Rozansky.
BPI wanted to see an easing of prescriptive timelines, allowing banks to deploy additional resources where most effective and efficient, and extending the implementation timing from six months to at least two years.
An October letter to bank and credit union regulatory agency heads covered similar ground. “In practice,” it maintained, “examiners are exactingly focused on technical compliance (including, for example, documentation and reverification), rather than on effectiveness. This approach is utterly divorced from a focus on management of true risk.
“Yet more concerning, the status quo examination oversight of this regime does not expressly instruct institutions to dedicate efforts to detecting suspected crime or engaging in innovation to this end – efforts that are surely foundational to the integrity of the banking and financial system.”
A late October BPI response to an Economic Growth and Regulatory Paperwork Reduction Act review ran 20 pages, with broad critiques (e.g., “overarching regulatory and supervisory trends that demand disproportionate attention to immaterial matters rather than material risks to the safety and soundness of the U.S. banking system”) as well as BSA/AML specifics (targeted changes to SAR procedures; harmonization of FinCEN/banking agency filing requirements).
While backers of the 2020 AML Act and those engaged in its rulemakings are looking toward modernization or reform, more fundamental, even constitutional questions are coming out of the think tank world.
Brookings’ Aaron Klein: “A fundamental rethink.”
“AML policy needs a fundamental rethink,” Aaron Klein, a Brookings Institution senior fellow, Center on Regulation and Markets, recently tweeted. Back in May, responding to a FinCEN request for information, Klein wrote, “FinCEN and other U.S. financial regulators have too often prioritized questions of how to collect more AML/CFT information but lost sight of why to do it. FinCEN would be better served by fundamentally rethinking what types of data are needed and how they are collected.”
In a December 2020 comment letter to then Treasury Secretary Steven Mnuchin, Klein observed, “AML enforcement is a genuine resource challenge: time, funding and human capital alike.” But as firms go about seeking efficiencies, the AML policy response “has been to generate even greater resource challenges via the snowballing of existing inefficiencies.”
To the right of Brookings on the political spectrum, scholars at the libertarian Cato Institute’s Center for Monetary and Financial Alternatives, wary of a privacy-threatening “surveillance state,” question both the appropriateness and effectiveness of the investigative apparatus that has built up around AML.
A 2022 policy analysis by Norbert Michel and Jennifer J. Schulp characterized the Bank Secrecy Act as “a minor inconvenience for criminals but a major burden on law-abiding citizens."
Five decades of building on what they consider a “shaky BSA framework to supposedly better deter criminals” has brought “no net benefit . . . Rather, the expansion of the BSA has dramatically increased explicit compliance costs for financial institutions and diminished Americans’ constitutionally protected rights.”
This September, their colleague Nicholas Anthony sought to quantify the criminality being caught in the compliance and reporting web.
Drawing from fiscal-year FinCEN and Internal Revenue Service data, Anthony concluded, “Given that the IRS had 2,676 criminal investigations during that time, this means approximately 372 investigations originated from a Bank Secrecy Act report.” Despite financial institutions’ spending $59 billion (per LexisNexis Risk Solutions, 2023) on compliance and “filing over 27 million reports, the reports only initiated 372 criminal investigations.”
Even as BSA filings had a role in 85.7% of IRS investigations recommended for prosecution, and in 15.4% of FBI investigations, the Cato policy analyst underlined the distinction “between investigations that originated with a report, and investigations that benefited from a report.”
Discussing the BSA during a Cato conference in September, Dorsey & Whitney partner Lanier Saperstein came down on the side of a rebalancing, rather than “wholesale rewriting,” of AML law. Regulators’ pushing to be “as stringent as possible” only raises costs for banks. Arriving at an optimal level of regulation requires cost-benefit judgments. One might be that it makes little sense to put “every $35 transaction” through a “full risk-based analysis.”
Representative Patrick McHenry, Republican of North Carolina, chairman of the House Financial Services Committee and a FinCEN critic, who is about to retire from Congress, made a “fireside chat” appearance at the Cato event. Using the needle-in-a-haystack metaphor for the accumulations of SARs and CTRs, McHenry said that instead of collecting more hay, he’d prefer greater reliance on “new technology to find the needle.”
Outgoing HFSC Chairman Patrick McHenry
The transaction reports that pile up at a rate humans can’t keep up with make AML a natural use case for artificial intelligence and machine learning (ML).
There are both anecdotal and empirical indications of rising AI/ML adoption – and expectations for cost relief and returns on investment over time.
JPMorgan Chase president and chief operating officer Daniel Pinto has said that much of the $2 billion the bank expects to reap from AI usage in customer personalization, trading, operational efficiencies, fraud management and credit decisioning will be attributable to fraud prevention.
A Financial Stability Board report in November found uptake of AI in financial institutions’ regulatory technology (regtech) and supervisory bodies’ suptech to be well beyond what the board observed in 2017. In addition to longer-standing anti-fraud applications, AI models are now facilitating sanctions investigations, identifying misuse of legal persons and legal arrangements, uncovering trade fraud and trade-based money laundering, and detecting tax evasion, fraud/scams and money mules.
“While traditional AI may perform better on specific tasks, such as identifying potentially fraudulent transactions,” FSB said, generative AI “can potentially automate the generation of financial crime reports, incorporating a range of different sources and supporting investigators.”
Seven out of 10 financial institutions are using AI and ML to fend off bad actors, according to a report on anti-financial-crime technologies from PYMNTS Intelligence and Hawk AI. The latter is one of a host of tech providers headlining AI-powered analytical processes and products; Chartis RiskTech Quadrant leaders for AML transaction monitoring solutions include SAS, NICE Actimize, Nasdaq subsidiary Verafin and ComplyAdvantage. The last was founded in London in 2014 by Charles Delingpole, a former investment banker and bank money-laundering reporting officer.
Another, WorkFusion, integrates “AI Digital Workers” into transaction monitoring, sanctions screening and other teams.
Iain Armstrong, Global Regulatory Affairs Practice lead at ComplyAdvantage, says regulation is a major driver of demand for the technology, and not just because of the threat of fines. More and more sectors and assets are being pulled into AML scope – motor vehicles, real estate, professional services, art and antiquities, even European football clubs.
Iain Armstrong of ComplyAdvantage
Armstrong further points out, “Many financial crimes start away from regulated institutions on social media networks, dating apps and other social channels, who currently are not held accountable for their role in facilitating these crimes.”
In ComplyAdvantage’s upcoming State of Financial Crime 2025 report, a survey of 600 senior financial-crime decision-makers will show that “compliance leaders place AML fines mid-table” when asked what measures will have the greatest impact on financial crime, Armstrong says. “Many other measures regulators can facilitate, such as greater public/private cooperation around data sharing, will be effective and may act as a prevention strategy, avoiding the need to issue more fines in the future.”
For now, says Fenergo’s Rory Doyle, “watchdog fines” remain a growing risk requiring that “AML and KYC capabilities are as robust as possible. There can be no downplaying the importance of integrating smarter financial crime technology to enhance processes in this context, particularly as firms continue to grapple with a talent shortage for financial crime professionals.”
Offering one of a number of predictions for 2025 by experts at SAS was David Stewart, director of financial crimes and compliance: “Anti-money laundering practitioners will cautiously evolve their responsible innovation practices due to lack of regulatory clarity on effectiveness. Many innovative firms will apply machine learning methods to tune and optimize incumbent monitoring strategies rather than incur the model governance overhead of pure AI-based detection strategies.”
“Skilled in-house compliance teams play a crucial role, but businesses should be actively seeking ways to reduce labor costs while simultaneously improving compliance efficiency,” Matt Michaud, LexisNexis Risk Solutions global head of financial crime compliance, said when the last True Cost of Financial Crime Compliance was released. “Organizations also need to actively counter cybercriminals exploiting artificial intelligence, cryptocurrencies and digital channels.
“Financial institutions must proactively equip themselves with comprehensive datasets, advanced AI/ML-based compliance models and robust analytics” to swiftly identify and respond to new crime patterns.