On February 3, 2011, the Egmont Group of Financial Intelligence Units (FIUs) published "Enterprise-wide STR Sharing: Issues and Approaches," a white paper on the sharing of suspicious transaction reports (STRs) by financial institutions that operate in multiple jurisdictions. The paper notes that it is important for each jurisdiction to consider the issues and possible approaches identified in the paper and consider how to adapt their AML/CTF regime and to establish appropriate mechanisms to facilitate enterprise-wide STR sharing that do not undermine STR confidentiality. While recognizing that enterprise-wide sharing of STRs enables enterprise-wide risk management and presents significant operational efficiencies, the Egmont Group recognizes that international cooperation will be critical to making progress on this issue, as no single jurisdiction can make cross-border STR sharing possible on its own.
The paper, which represents the culmination of two years work by the Egmont Group, presents a few approaches that jurisdictions may take, although it does not endorse any particular approach.
The Egmont Group conducted a survey of its members and found that a significant number allow cross-border STR sharing within a financial group. However, the Egmont Group also found that many jurisdictions did not provide legal protections for STRs generated in other jurisdictions. This loss of confidentiality protections endangers cross-border STR sharing, jeopardizes law enforcement investigations, may violate the financial privacy of the STR subject and may put the compliance staff filing the STR at risk. The Egmont Group recognized that the confidentiality of STRs is paramount to the successful operation of the STR filing regime in any jurisdiction. The paper notes that enterprise-wide STR sharing may enhance all aspects of compliance, including customer due diligence, transaction monitoring, suspicious transaction reporting and operational efficiencies. It further noted that law enforcement agencies in multiple jurisdictions would benefit from enterprise-wide STR sharing, as well, as information filed in one jurisdiction may be of interest to law enforcement in others, particularly in cases involving customers in multiple jurisdictions, terrorist financing, transnational crimes, corruption and the convergence of fraud and money laundering.
The paper presented five different approaches, listing the advantages and limitations with each approach, and indicated that various combinations of the approaches could be used to greater effect than each one individually.
Category of Offenses Approach
International cooperation will be critical to making progress on this issue
Under the Category of Offenses Approach, only certain severe offenses are allowed for STR sharing, such as terrorist financing or non-proliferation crimes. This approach has several advantages in that it allows FIUs to maintain tight control over STRs leaving a jurisdiction and allows financial groups to implement procedures for those crimes most detrimental to their legal and financial interests.
However, this approach does not address the issue of legal protections for STRs in other jurisdictions. It also limits the ability of financial institutions to implement enterprise-wide risk management, placing the burden on financial institutions to determine which STRs can be shared and which cannot, which may be a significant issue as institutions often do not know the specific underlying crime, but rather are only aware of unusual activity.
For governments, this approach requires minimal investment by jurisdictions, as they only need to determine which predicate crimes will enable institutions to share STRs across borders.
Limited Jurisdiction Approach
Under the limited jurisdiction approach, only certain foreign jurisdictions would be permitted for STR sharing. The paper noted that France allows this particular approach. This approach limits risks of sharing to those jurisdictions the government deems acceptable. By having the government make the determination as to which jurisdictions are acceptable, the onus is removed from financial institutions.
However, the process to determine whether a jurisdiction is acceptable for sharing may be cumbersome for governments, as it will include political or foreign policy considerations. The process would likely limit the full potential of enterprise-wide sharing. Since the sharing would need to be determined by the jurisdiction in which the STR was filed, it is possible that this could result in a patchwork sharing effort, which could be complicated to implement, particularly once one considers how much sharing could be done with an STR once it was in another jurisdiction.
For governments, this approach is quite involved, as it requires personnel with high degree of expertise in foreign laws and regulations to determine those jurisdictions where STRs could be shared. Further, the government would need to implement a process to evaluate and re-evaluate jurisdictions as their laws and regulations changed.
Limited Bank Approach
Under the Limited Bank Approach, only certain banks—as determined by competent authorities in each jurisdiction—would be allowed enterprise-wide STR sharing. This is somewhat similar to Australia's Designated Business Group (DBG) concept, although DBGs do not require governmental approval. This approach gives jurisdictions the ability to limit STR sharing risks by determining those financial groups that have sufficient controls in place to restrict STR sharing where it is acceptable.
However, the process to approve financial groups for STR sharing creates the potential for controversy and criticism of the competent authority. This is particularly the case when one financial group is approved for sharing and another is not. This controversy can create reputational concerns for banks, which not only creates safety and soundness concerns for the financial groups that are not approved, but also creates a strong disincentive for the jurisdiction to reject financial groups that apply. This would clearly require a careful and well thought-out process. The approval process would be further complicated by assessment of various foreign operations and requirements imposed on the financial group, such as the ability to refuse to provide a foreign-filed STR — that is an STR that was filed outside the jurisdiction but has been shared with an affiliate in the jurisdiction—upon request by the local authority. This may potentially limit the sharing of STRs within a jurisdiction.
For governments, this approach requires highly specialized personnel to assess the adequacy of STR sharing controls and raises potential questions of competitive neutrality and regulatory equity, including legal challenges.
Sharing Up Approach
Under the Sharing Up Approach, cross-border STR sharing would be allowed only among head offices; head offices may not "share down" to affiliates. The U.S. used this approach until a few months ago. This approach represents a strong endorsement by jurisdictions of enterprise-wide AML compliance and risk management. It also limits the number of STRs disseminated to foreign jurisdictions, lessening STR confidentiality issues, as sharing is only permitted up to the parent, not out to the full network of the financial group.
However, under this approach, jurisdictions may not be able to control when a financial group sends an STR to a foreign head office located in a jurisdiction considered high risk for STR confidentiality purposes. The inability to share down may create operational challenges to an effective enterprise-wide AML program, risk management and customer due diligence. Further, the inability to share down may also limit suspicious transaction reporting, with adverse law enforcement impacts, particularly where knowledge of the STR in one jurisdiction could provide insight into another jurisdiction (e.g., a cross-border criminal operation).
For governments, this approach requires minimal investment by jurisdictions. Under this approach, financial institutions bear the burden of ensuring STR confidentiality in foreign jurisdictions.
Bilateral/Multilateral Agreement Approach
Under the Bilateral/Multilateral Agreement Approach, jurisdictions would enter into agreements to permit STR sharing. This approach allows jurisdictions the greatest flexibility to reduce STR sharing risks. The agreements set clear expectations and requirements, which reduces the burdens and liabilities on financial institutions, to the extent these are addressed in agreements.
However, this approach requires significant efforts for two or more jurisdictions to reach agreement. The ability to implement enterprise-wide risk management is limited by scope of agreements. Since the sharing will be determined by the agreements reached by the jurisdictions, this could result in a complicated patchwork of requirements and sharing for financial groups that seek to share information.
For governments, this approach requires highly specialized personnel to negotiate agreements with varying numbers of other jurisdictions.
The Egmont Group's paper presented the challenges and advantages of five different enterprise-wide STR sharing approaches. While recognizing the importance of enterprise-wide STR sharing, it also recognized various concerns—by industry and governments—with STR sharing. Ultimately, each approach has its strengths and weaknesses; the paper acknowledged this and indicated that a combination of several approaches likely would work best. STR sharing, like most partnership efforts, requires dedication of all parties; in this case, the financial community, law enforcement and regulators. By jointly considering the various approaches and the specific concerns and goals of the parties involved in each jurisdiction, enterprise-wide STR sharing, and the benefits from it, can be achieved while mitigating the risks involved in sharing sensitive information across borders.