Leaked FinCEN files expose poor data security

Leaked documents, dubbed the “FinCEN Files,” describe global money laundering of $2 trillion processed by many of the world’s biggest banks between 2000 and 2017. The reveal illuminates the struggle for the financial industry and government to provide ironclad data protection.

“This sensational and unprecedented leak clearly demonstrates a wide spectrum of data protection weaknesses in the governmental sector, affecting even the most developed Western countries,” Ilia Kolochenko, founder and CEO of ImmuniWeb, said of the files.

“From a cybersecurity standpoint, we may expect a growing lack of trust to governmental agencies, which on one side have quasi-unlimited access to the most sensitive data of the largest organizations, while cannot duly safeguard this data on the other side,” he said.

The latest disclosure exposing apparently insufficient attempts by the public and private sectors to curb corruption came to light in a BuzzFeed News report, which detailed more than 2,500 reported cases, including 2,100 Suspicious Activity Reports (SARs) filed by financial institutions with the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN).

JPMorgan Chase, Citigroup, Bank of America, Deutsche Bank, HSBC and Standard Chartered are among the financial institutions cited in the leaked files as processing dirty money around the world. The documents may have come from a whistleblower or insider at FinCEN. The International Consortium of Investigative Journalists (ICIJ), which represents 108 news organizations in 88 countries, is conducting a probe of the matter.

Other investigative reports on similar wrongdoing focused on single financial, tax or legal institutions, such as the 2017 Panama Papers emanating from clients of the law firm Mossack Fonseca. But the FinCEN docs reveal that a wide array of people, from oligarchs and corrupt politicians to drug dealers and organized crime throughout the world, know how to circumvent the system’s supposed checks and balances.

Kolochenko called for a transparent investigation to restore confidence.

FinCEN on Sept. 16 solicited public comments, due in 60 days, on a wide range of questions pertaining to potential regulatory amendments under the Bank Secrecy Act, including FinCEN’s Strategic Anti-Money Laundering Priorities.

“While this event will further erode the public’s trust in both financial institutions and the government entities tasked with overseeing them, it's likely to just become something that generates noise, but no real changes that will cause any lasting impact,” commented Erich Kron, security awareness advocate with KnowBe4.

The most obvious ramification for the government is the loss of trust from the citizens in the ability to protect sensitive information, he added.

As privacy concerns and the individual’s knowledge of the digital footprint everyone generates increase, Kron believes it will become even more difficult for government to pass further laws requiring the use of personal information.

Corporations are also likely to suffer.

“Looking at the current headlines related to these leaked documents, you can clearly see how just the fact that they allowed transfers of suspect funds, even though it was reported, is now being used to show them in a negative light,” Kron said.

“With respect to organizations, getting them to report suspected activities will only become more difficult when these sensitive documents that they are supposed to protect are made public, reflecting on the reputation and image of the organization,” he added.

“Internal actors exist in many of these organizations who are willing to continually look the other way,” commented Thomas Hatch, CTO and Co-Founder at SaltStack. “Often, it’s the level of financial reliance on the inflow of funds that enables the level of widespread abuse seen in these cases,” he added.

When large sums of money are flowing, it is easy to allow the abuse to continue – the flow of these funds can have a positive impact on legitimate business. “It’s very Machiavellian – less than ethical leaders are willing to allow these abuses to continue,” Hatch said.

What is most concerning to him is that when funds at this scale are being moved around, the nature of potential security issues becomes exponentially more complicated, he added.

From a legal standpoint, Kolochenko said the organizations and other entities cited in the BuzzFeed research may have a cause of action against many parties potentially accountable for negligent data protection and possible non-compliance with the enacted data protection laws.

“However, the chances to prevail in a court of law are fairly small,” Kolochenko admitted. “Moreover, given the extremely delicate and toxic nature of the exposed documents, they are better to discreetly settle the matter,” he said, predicting a further hardening of data protection laws that could “dramatically exacerbate the situation if implemented too rapidly or overbroadly.”

On Sept. 1, in response to expected media reports resulting from the BuzzFeed story, FinCEN issued a press release that stated the “unauthorized disclosure of SARs is a crime that can impact the national security of the United States, compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports.” FinCEN said it referred this matter to the U.S. Department of Justice and the U.S. Department of the Treasury’s Office of Inspector General. BuzzFeed did not make available the actual SARs in WikiLeaks style, but rather described their contents.

In a case related to the Panama Papers, the Justice Department on Sept. 21 reported a former U.S. resident and taxpayer was sentenced in the Southern District of New York to four years in prison for wire fraud, tax fraud, money laundering, false statements, and other charges. 
