Treasury watchdog finds poor data practices in financial crimes unit
The Treasury Department bureau in charge of fighting financial crimes hasn’t complied with applicable laws, regulations, directives, or governmentwide standards in its role managing Bank Secrecy Act data, according to a watchdog report released this week.
Treasury’s Office of Inspector General found that the Financial Crimes Enforcement Network has fallen short on a number of data protection mandates. Many of the issues cited by OIG center around FinCEN’s handling of memorandums of understanding for BSA data, including with agencies.
The BSA data overseen by FinCEN — the Treasury division tasked with combatting money laundering, terrorism financing and other illegal activity — covers everything from Suspicious Activity Reports to Currency Transaction Reports. Most BSA data filers are businesses, and roughly 88,000 records are submitted to FinCEN every day, according to the Treasury Inspector General, which conducted its audit from June 2019 through April 2024.
However, the OIG unearthed several problems with agency data transfers. The watchdog pointed specifically to Customs and Border Protection, which provides reports of currency transportation and related information to FinCEN, whose authorized employees access that data and conduct agency business based on it. Access is granted to some external users at agencies under MOUs between FinCEN and the respective agency.
In some cases, according to OIG, FinCEN failed to execute on a bulk data MOU with an agency. The watchdog found that the Office of the Comptroller of the Currency, for example, had access to bulk data for more than a decade without having a written agreement that documented the responsibilities of both parties.
“Since an MOU communicates the mutually accepted expectations of each party, failure to fully execute one can result in misunderstandings as to an agency’s responsibilities, including those regarding information security, documentation, and training, as well as limitations on re-dissemination of BSA information,” the report stated. “In 2022, FinCEN disabled OCC’s bulk data access.”
All told, OIG found that FinCEN granted “platform program access” to users from 11 agencies despite not having MOUs in place, violating standard operating procedures for BSA data. FinCEN told the watchdog that it is now developing SOPs for these instances and plans to present those agreements to the agencies in question.
The MOU issues didn’t end there. According to the report, FinCEN did not update, properly maintain or execute its BSA data MOUs, nor did it accurately track agencies that did sign those agreements. The watchdog noted that the Treasury unit did provide it in 2019 with four records that listed agencies that had BSA data access.
“However, the records were inconsistent as they each identified a different number of agencies with BSA data access because of inaccuracies, including omissions,” OIG wrote. “For example, one FinCEN record identified 13 agencies had bulk data access, while another record identified 14 agencies. However, we found that only 11 of the 13 and 14 agencies had that type of access. Additionally, one record erroneously omitted four direct access MOUs.”
The watchdog delivered 14 recommendations to FinCEN aimed at improving its management of BSA data access. The Treasury bureau agreed with those suggestions and provided corrective actions it had already taken and others it planned to pursue.
