A senior official in the Treasury Department’s financial crimes unit (FinCEN) was just arrested for leaking thousands of Suspicious Activity Reports (SARs) to a journalist. The SARs covered financial transactions of Trump campaign officials and others, as well as funds transfers from the Russian embassy. The journalist used them to write a series of stories for Buzzfeed.
The Treasury official downloaded the SARs to a flash drive, then sent photos of them to the journalist via an encrypted messaging app. There has been speculation in the security community about how investigators retrieved the encrypted messages. It’s unlikely they were actually intercepted and decrypted. We know the sender’s phone was the subject of a search warrant, so law enforcement most likely accessed archived messages directly from the phone or a cloud backup.
American banks are required to send SARs to FinCEN under the Bank Secrecy Act. The program was expanded after 9/11 by the USA Patriot Act. Nearly seven million SARs were filed last year according to government statistics. You can see a SAR for yourself in this training presentation.
Banks submit SARs when they spot potentially illegal transactions or customer behavior. You may be surprised at how many things you might do that your bank would consider “suspicious”. A transaction exceeding $10,000 triggers a SAR. If you try to avoid this, for example by splitting a $10,000 payment into two $5,000 payments (a practice known as structuring), an alert bank employee will notice and a SAR will still be filed. Any transaction that looks like potential money laundering, terrorist financing, currency manipulation, etc. gets a SAR.
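The two patterns described above (a single transaction over the threshold, and several sub-threshold transactions that add up to it within a short span) are easy to express as monitoring rules. The following is an added illustration, not code from the original post or from any bank's monitoring system: the $10,000 threshold comes from the text, while the seven-day window, the customer identifiers and the ledger entries are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Reporting threshold as stated in the post; the window length is an assumption.
THRESHOLD = 10_000
WINDOW_DAYS = 7

# Constructed sample ledger (not real data): (customer_id, date, amount in USD)
SAMPLE_TRANSACTIONS = [
    ("C001", date(2018, 10, 1), 12_500),   # single transaction over the threshold
    ("C002", date(2018, 10, 1), 5_000),    # two same-week deposits that add up to 10,000
    ("C002", date(2018, 10, 2), 5_000),
    ("C003", date(2018, 10, 1), 4_000),    # spread over more than a week: not flagged
    ("C003", date(2018, 10, 12), 6_000),
    ("C004", date(2018, 10, 3), 9_900),    # one deposit just under the threshold, alone
]


def find_reportable(transactions, threshold=THRESHOLD):
    """Return every single transaction whose amount exceeds the threshold."""
    return [t for t in transactions if t[2] > threshold]


def find_structuring(transactions, threshold=THRESHOLD, window_days=WINDOW_DAYS):
    """Flag customers whose sub-threshold transactions inside a sliding window
    add up to the threshold or more.

    Returns {customer_id: (window_start, window_end, total)} for each hit.
    """
    by_customer = defaultdict(list)
    for cust, day, amount in transactions:
        if amount <= threshold:           # only sub-threshold items can be structuring
            by_customer[cust].append((day, amount))

    hits = {}
    for cust, items in by_customer.items():
        items.sort()                      # chronological order for the sliding window
        start, running = 0, 0
        for end in range(len(items)):
            running += items[end][1]
            # Drop items from the left until the window spans fewer than window_days.
            while items[end][0] - items[start][0] >= timedelta(days=window_days):
                running -= items[start][1]
                start += 1
            if running >= threshold:
                hits[cust] = (items[start][0], items[end][0], running)
                break                     # one hit per customer is enough to alert
    return hits


if __name__ == "__main__":
    print("over threshold:", find_reportable(SAMPLE_TRANSACTIONS))
    print("structuring candidates:", find_structuring(SAMPLE_TRANSACTIONS))
```

The sliding window is the important design choice: a rule that only looks at individual amounts misses C002 entirely, while a window that is too long (or unbounded) would also catch C003, whose two deposits are eleven days apart. Real monitoring systems tune the window and the aggregate threshold per product and customer profile; those values are not on the page and are placeholders here.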
In effect your bank is spying on you. In the post-9/11 era, Congress accepted this intrusion in the name of security. However, it required banks and FinCEN to keep SARs confidential. SARs aren’t subject to legal discovery or FOIA requests, and it’s a federal offense to disclose SARs without authorization. We tolerate the federal government’s financial snooping on the understanding that all information collected will be closely guarded and protected.
That’s what makes the Buzzfeed data leak disturbing. This time the recipient was a journalist. Next time it might be a foreign intelligence agency or organized criminal gang. Such a breach would certainly undermine people’s trust in banks if it became known.
FinCEN’s internal controls should detect exfiltration of thousands of SARs from their database to an employee’s flash drive. Data leak protection (DLP) tools exist that would detect or prevent an event like this. For the sake of our financial system, I hope they can stop it from happening again.
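The control the paragraph above calls for is a volume-based one: a single account viewing thousands of SAR records in a short span, followed by a write to removable media, is exactly the shape a DLP or audit-log rule should catch. The following is an added example and not FinCEN's or any vendor's code; the audit-log line format, the user names, the 50-views-per-hour baseline and the `usb_mount` event name are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log format (constructed for this example; not a real FinCEN format):
#   2018-10-17T09:14:02 user=jdoe event=record_view id=SAR-00001
#   2018-10-17T09:14:05 user=jdoe event=usb_mount device=sdb1
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: (?P<rest>.*))?$")

MAX_VIEWS_PER_HOUR = 50   # assumed baseline: a human reviewer rarely opens more per hour


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "event": m["event"]}


def detect_bulk_access(events, limit=MAX_VIEWS_PER_HOUR, window=timedelta(hours=1)):
    """Return {user: peak_count} for users whose record views in any sliding
    one-hour window exceed the limit."""
    windows = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] != "record_view":
            continue
        q = windows[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop views older than the window
            q.popleft()
        if len(q) > limit:
            alerts[e["user"]] = max(alerts.get(e["user"], 0), len(q))
    return alerts


def users_with_removable_media(events):
    """Users who mounted removable media anywhere in the log."""
    return {e["user"] for e in events if e["event"] == "usb_mount"}


def triage(lines):
    """Map each bulk-access user to a severity: 'high' if the same account also
    mounted removable media, otherwise 'medium'."""
    events = [p for p in map(parse_line, lines) if p]
    bulk = detect_bulk_access(events)
    usb = users_with_removable_media(events)
    return {u: ("high" if u in usb else "medium") for u in bulk}


def make_sample_log():
    """Constructed sample log: one normal analyst, one bulk reader with a USB mount,
    and one bulk reader without removable media."""
    base = datetime(2018, 10, 17, 9, 0, 0)
    lines = []
    for i in range(12):           # analyst1: 12 views spread over a morning
        ts = (base + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{ts} user=analyst1 event=record_view id=SAR-{i:05d}")
    for i in range(200):          # insider: 200 views in 40 minutes, then a USB mount
        ts = (base + timedelta(seconds=12 * i)).isoformat()
        lines.append(f"{ts} user=insider event=record_view id=SAR-{1000 + i:05d}")
    lines.append(f"{(base + timedelta(minutes=45)).isoformat()} user=insider event=usb_mount device=sdb1")
    for i in range(80):           # batchjob: 80 views in 30 minutes, no removable media
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} user=batchjob event=record_view id=SAR-{2000 + i:05d}")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    print(triage(make_sample_log()))
```

Two points a practitioner would want from this: the rule keys on the count of records touched, not on content, so it works even when the records are later photographed rather than copied as files; and correlating the access spike with a removable-media event on the same account is what separates a likely exfiltration from a legitimate batch job, which should instead be allow-listed by name.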
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.