Former New York Governor Eliot Spitzer's prostitute scandal is all the big news here in New York, but the lesser known tale is how an information system--the U.S. Treasury's Financial Crimes Enforcement Network--played a role in his downfall.
But what really snared Spitzer was a money laundering investigation that was flagged by suspicious activity reports (SARs) that banks have to file with the Treasury to surface everything from money laundering to terrorist activity. This network has been around for a while, but its importance escalated following the Sept. 11, 2001 terrorist attacks. According to the FBI's charges the prostitution ring that counted Spitzer as a customer was investigated due to some shady bank accounts, checks and wire transfers with big totals ($39,000, $400,000 and others).
According to the FBI's complaint :
In or about October 2007, the FBI and the United States Internal Revenue Service-Criminal Investigative Division ("IRS-CID") began an investigation focusing on an organization suspected of conducting prostitution and money-laundering crimes in the United States and Europe.
According to the Associated Press, this investigation began with a suspicious activity report on Spitzer. The Wall Street Journal reported that Spitzer's transactions looked like they were kept below $10,000 to avoid federal reporting rules. This behavior to avoid the $10,000 threshold also helps the Feds find strange behavior, say 150 transactions between $7,000 and $9,000. The Journal notes:
There has been a massive federal crackdown on money laundering in the wake of the 9/11 terrorist attacks, and banks have been extremely diligent in filing such reports. Those reports often include details of transactions done by innocent people.
Since January 1, 2003, filings by non-depository institutions, individually, and as a whole, continued increasing, and are encompassing a greater portion of the Suspicious Activity Reports within the Bank Secrecy Act (BSA) database. In 2001, ninety-six percent of the Suspicious Activity Report database consisted of depository institution Suspicious Activity Reports; presently the figure is sixty-four percent. From January 1, 2002 to June 30, 2007, non-depository institution Suspicious Activity Reports comprised roughly 42 percent of all Suspicious Activity Reports filed.
Spitzer, also known as Client-9, had his own share of financial dealings ($4,300 for future favors) with the prostitution ring, but would have never been caught (he shunned wire transfers) if the operation wasn't under investigation and his transactions weren't being monitored. ABC News reported that Spitzer was trying to hide transactions to QAT, the alias of the prostitution ring.
Here's what's known about the FinCEN system (BNET resources), which is enabled by the Bank Secrecy Act and to a lesser extent the Patriot Act.
The IRS collects the data used by FinCEN, which doesn't collect, process or store filed data.
FinCEN will be taking on more management of this data in a move that will "will challenge us to perfect a new array of skills, to upgrade our informational technology management capabilities, and to acquire and steward a significant increase in resources," according to FinCEN's strategic plan for 2006 to 2008.
Financial institutions are required to file transaction reports when a customer makes a cash transaction of more than $10,000.
Institutions must have processes and trained staff in place to identify when and if a CTR (currency transaction report) is required, including the ability to aggregate same-day cash transactions made by or on behalf of the same person, and to file CTRs correctly. While automation has made these tasks less difficult, most institutions reported that their processes still include "manual" steps; for example, most institutions reported that their CTRs are reviewed by branch managers or compliance officers before being sent electronically to FinCEN or by mail to IRS. Institutions we contacted were generally unable to quantify their costs for meeting CTR requirements, in large part because they use the same personnel and processes for meeting other BSA requirements or for other purposes and do not separately account for CTR-related costs.
Technology has helped some depository institutions expedite and streamline many or some parts of the CTR process. Overall, 78 percent of institutions responding to our survey reported that at least one part of their CTR filing process was mostly or fully automated. Many of the institutions we spoke with have software systems that prompt the teller when a CTR is necessary for a transaction, and some institutions have systems that allow tellers to electronically access the CTR form at their workstation and enter the necessary information. Additionally, some depository institutions reported that they had software systems that automatically fill in some parts of the form. Also, some banks have invested in software that processes CTRs for final reviews by their compliance office staff. However, the extent of automation varied widely among specific steps in the process, and no survey respondents reported a completely automated CTR process.
Data is delivered via paper and electronically. According to the GAO's report:
FinCEN, together with the IRS, is responsible for managing and storing the BSA data that financial institutions report. Financial institutions that submit CTRs in paper form mail them directly to IRS's Enterprise Computing Center in Detroit. Institutions that submit data electronically transmit them directly to FinCEN, which in turn transmits them to the center. The center collects and stores all BSA data in its Currency Banking and Retrieval System (CBRS).13 For fiscal year 2007, the IRS estimated the total cost of processing CTRs to be about $7 million, including about $3.5 million to convert CTRs submitted on paper to an electronic format. IRS examiners and investigators access BSA data directly through IRS's Intranet, while FinCEN has a direct connection to the Enterprise Computing Center.
Here's a look at how the data comes in.
The FBI and other law enforcement agencies get this financial data in bulk. The GAO said:
In 2004, FinCEN first provided the FBI with bulk transfer of data, and during 2005 and 2006 FinCEN agreed to provide two federal agencies-the Secret Service and ICE-and a multiagency program established by the Department of Justice (the Organized Crime Drug Enforcement Task Force, or OCDETF Fusion Center) with access to a bulk data set.15 Receiving these data in bulk, rather than accessing the database remotely and querying it for specific records, allows agencies to conduct more sophisticated analyses.
This bulk data winds up in the FBI's Investigative Data Warehouse, a collection of more than 50 multisource data sets. Forty percent of all FBI terrorism subjects turned up in reports filed between Jan. 1, 2000 and June 30, 2006, according to the FBI.
FinCEN is providing better Internet access to this data. Law enforcement staff can access a FinCEN database dubbed WebCBRS, which allows users to download up to 20,000 CTR reports on a query. These can be exported to a spreadsheet.
In other words, some of these Spitzer transactions may have wound up in a spreadsheet somewhere.
Postscript: The Wall Street Journal in its Wednesday edition reports that Capital One's North Fork unit is at least one of the banks that flagged Spitzer's transactions. The Journal notes that banks monitor the financial transactions of politically connected people--legislators, judges and their relatives--to probe for ill-gotten gains.