FinCEN should focus on crime, not FBARs

With the rampant criticism you'll find around here for the Financial Crimes Enforcement Network (FinCEN), FinCEN Form 114 (a.k.a. "the FBAR"), and my open mockery of particular sections of the Bank Secrecy Act of 1970, one may get the idea that there is little respect for proper government roles around these parts. That is simply not true.


The government should be able to help citizens and businesses avoid being targets of financial crimes. Not only that, but the government can prosecute those who would commit those crimes.


On December 9, 2015, FinCEN Director Jennifer Shasky Calvery spoke about some of the recent trends she has been seeing with international financial crimes:​

FinCEN is also working with its international and law enforcement partners to combat global cyber threats.  In recent years, law enforcement has seen an increase in spear phishing cases against middle to high-value business targets.  These are instances where cyber criminals obtain and replicate an enterprises’ wire transfer information and send the authenticated data to the compromised company’s financial institution.  The financial institution then wires the funds to an overseas bank account that the criminals control.


However, what she didn't discuss is how phishing attempts can be done so easily. These fraudulent wire authorizations can be so easily carried out because of an extremely common point of weakness – email.


There's a big problem with email, as it relies so heavily on a user. Whether through brute password attempts, malware, or users disclosing pertinent information, your email is not the Fort Knox you may have thought it was. It is incredibly easy to spy and sniff communications, even if an email is coming from a secure server; that's bad news for people who leave important information in their inboxes. And, once an email account is breached, the hacker can cause a lot of trouble.


A hacker, once inside, simply searches the inbox for email attachments that include "wiring authorization," "wire," or perhaps "bank." They download the document, create a similar authorization, and switch the wiring instructions to send funds to their own bank. Finally, they send an email to whomever the authorizations are sent. Voila. Just like that, large sums of money are magically moved. Except it's not magic, it's a simple matter of easily-avoidable fraud made possible by a lack of prevention.


These crimes are so easy to perpetrate as all that is required is a laptop and an internet connection. This can be done anywhere in the world, significantly minimizing the risk of getting caught. Thus, the low risk, high reward of these scams will inevitably lead to them becoming more pervasive.


The solution — for yourself or your company — is to never store wiring authorizations or send them via email. Our suggestion is to use what we use for our clients' sensitive information – a secure document exchange service.


FinCEN implicitly admits FBAR filings are fairly useless


Something else was very interesting about this talk. Not necessarily what was said, but rather, what was left unsaid. The speech details the following:


… brief overview of FinCEN and the specialized work we do in the area of financial intelligence… a discussion of how we are harnessing both technology and data to combat some of our nation’s greatest threats, including cyber threats, which I know is of particular interest for our discussion today.


So far, so good. The greatest threats to our financial system are being recognized, and we can all rest easy knowing that FinCEN is on top of them. And then the hammer drops. In the following excerpt, FinCEN lets us know the tools they rely on to combat these threats:


So, where does FinCEN get its data or so-called “financial intelligence?”  The Bank Secrecy Act (BSA) is a set of provisions constituting our laws in the United States.  The BSA requires a broad range of U.S. financial institutions to maintain records and provide reporting to FinCEN.  The majority of the BSA data FinCEN collects comes from two reporting streams: one on large cash transactions exceeding $10,000, and the other on suspicious transactions identified by financial institutions.


That's it? Did you not maybe forget something? Where was the mention of critical information being gleaned from mandatory FBAR reporting? After all, this is information that is so absolutely crucial to law enforcement that failure to file an FBAR can result in a penalty totaling 50% of account value per calendar year. Penalties for failing to file an FBAR can exceed the penalties for failure to file a large cash transaction report or a Suspicious Activity Report (SAR)!


Something doesn't add up


On one hand, the FBAR form is so critical that the government is terrorizing people with criminal threats and financial ruin for failure to file. And yet, on the other, the FBAR form doesn't seem all that important to the agency that creates and enforces it. After all, their own director didn't make mention of it once during her entire presentation. If something about that doesn't add up for you, you're not alone. You are far from alone (it is mentioned that there are 500,000 individual filers of FinCEN forms; most of those are likely FBAR filers, but that's as specific as the numbers get).

My take on the FBAR reporting requirements.


And again, the penalties for this apparently irrelevant form exceed those of the forms that FinCEN actually uses! So yes, in a speech about financial intelligence, the director of FinCEN seems right not to mention the FBAR.


If you have a tax issue you need assistance with, contact us: