FinCEN Fires Shot Across Bow of US Firms and Financial Institutions

This advisory is suited for executive management, boards of directors, risk and compliance executives and the general counsel of financial services firms, including, but not limited to, banks, fintech firms, payment processors, broker-dealers, gaming, and money service businesses. Elements of this advisory will also be valuable to risk and compliance executives at corporate entities with international operations.

Executive Summary

The Financial Crimes Enforcement Network (FinCEN) on June 30th published a list of anti-money laundering and countering the financing of terrorism (AML/CFT) priorities, putting US financial institutions and other entities that engage in financial services on notice about upcoming regulations and their possible focus. The guidance does not mandate that US firms immediately update their compliance programs, but the accompanying statement advises covered entities to prepare for changes to the Bank Secrecy Act (BSA). This is a shot across the bow for covered firms advising them to start their reevaluation processes early to ensure they are prepared to incorporate these new priorities into their risk-based compliance programs.

The list includes eight priorities that were coordinated with other US Treasury elements, including the Office of Foreign Assets Control (OFAC) and the Office of Intelligence and Analysis, as well as the US Attorney General. Although the document notes that the priorities are not listed in order of importance, we highlight that corruption and cybercrime are among those at the top of the list, probably indicating the Biden administration’s recently increased focus on these issues.

  • Corruption
  • Cybercrime, including cybersecurity and virtual currency considerations
  • Foreign and domestic terrorist financing
  • Fraud
  • Transnational criminal organization activity
  • Drug trafficking organization activity
  • Human trafficking and human smuggling
  • Proliferation financing

FinCEN indicates that it will issue regulations to specify how relevant entities should incorporate the above priorities into their compliance and AML programs and stresses that there is no one-size-fits-all solution. Ultimately, each entity will tailor its program based on its defined risk appetite, but the FinCEN enumerated priorities do provide a clearer roadmap for US firms and financial institutions to follow when updating and revising their compliance and AML/CFT strategies, as well as determining their overall risk-based approach.

Using the FinCEN priority list as a guide, this advisory leverages FiveBy’s and Sigma Ratings’ (“Sigma”) work globally across these risk areas. The following background, associated red flags and insight on potential data approaches and strategies are intended to help institutions align their internal operations with national priorities and encourage a general move by industry toward greater effectiveness as outlined by the Wolfsberg Group on June 30, 2021 and previously by the Financial Action Task Force (FATF).

Finally, the collaboration between FiveBy and Sigma is an effort to provide critical data and insights about regulatory changes that impact US firms and financial institutions, to examine the deeper meaning of the data, and to highlight possible risks and vulnerabilities on the horizon for US firms and financial institutions. Sigma provides clients with comprehensive data solutions that can help them mitigate sanctions, AML/CFT, and other risks, allowing them to more efficiently perform customer due diligence (CDD) and know your customer (KYC) investigations. FiveBy supplements the data generated by Sigma’s tools by providing human-driven analysis and research by regional, linguistic, cultural, and certified sanctions and AML/CFT experts, who help clients interpret the data and provide customized assessments to inform their risk decisions.


The Issues

Corruption. On 3 June, President Biden issued a National Security Study Memorandum, highlighting that foreign and domestic corruption threatens US national security by, among other things, weakening democratic institutions, eroding the public’s confidence in their government, and distorting economies. Corrupt actors weaponize kleptocracy to disrupt and undermine democratic processes and institutions not just in their countries, but also abroad through foreign influence campaigns, and use the global financial system to move misappropriated assets, bribes, and other illicit funds to jurisdictions with lax transparency requirements that will allow them to hide the proceeds of fraud and abuse. According to Transparency International, an international NGO that monitors global corruption trends, “research shows corruption not only undermines the global health responses to COVID-19, but also contributes to a continuing crisis of democracy.”

Common Corruption-Related Red Flags

  • Geographic risk
  • Global Magnitsky sanctions
  • Significant use of shell, front, or general trading companies
  • Politically exposed persons (PEPs)
  • Cash purchases of real estate, or buying/selling of real estate at breakeven prices or losses
  • Transactions using government contracts to direct funds to personal accounts
  • Payments to unrelated lines of business
  • Overpricing of goods or services (e.g., technology or art)
  • Complex financial transactions

Access to key data sources is critical in helping institutions holistically understand the risk of their customers and in some instances, their customer’s customer or business partner who may be directly or indirectly facilitating the movement of proceeds of corruption. Where possible, institutions should look to access and utilize the following data points when undertaking higher risk transactions:

  • Establishing and validating Ultimate Beneficial Ownership (UBO) of counterparties is critical, but in some instances, this can be incredibly difficult without access to large corporate registry datasets and human resources to pull key records in certain jurisdictions. Furthermore, some jurisdictions still do not have UBO data available, making this a challenging problem to fully solve without further, collective government action.
  • Access to multilingual global media sources is another key to understanding and managing risk at scale, as well as connecting companies and potential kleptocrats. Media-related research can include articles that are not necessarily negative in sentiment but suggestive of risk by association or geography.
  • Review of potential exposure to PEPs and/or association to a PEP becomes more impactful when considering current PEPs versus former PEPs, as well as the level of corruption and regulation in the country where the PEP resides or formerly held a post of influence. Utilization of multi-factor geographic risk tools, including those that are dynamic in nature, will help institutions more accurately assess PEP risk.
  • Use of derived intelligence, such as jurisdictional and address risk, can highlight potential front and/or shell companies which are commonly used to move and layer corruption proceeds. Several recent public corruption cases shared this typology, including obscurely named companies operating in free trade zones (FTZs) or lax jurisdictions where lines of business, existence, and UBO are difficult to determine.
  • Review of government databases for early detection of conflicts of interest in public procurement can be important in detecting potential corruption flows. Public procurement is particularly vulnerable to corruption as such processes are often complex and include close coordination between PEPs and businesses. “More than half of foreign bribery cases involved the pursuit of a public procurement contract,” according to the Organization for Economic Co-operation and Development (OECD).

Cybercrime. Cybercrime includes common threats, such as ransomware, network attacks, phishing, and software vulnerability exploits. US Treasury is particularly concerned about ransomware after the attacks on the Colonial Pipeline and JBS USA Holdings, which paid an $11 million ransom in bitcoin in June. Issues such as election interference by foreign powers and the exploitation of virtual assets for criminal activity, including through the laundering of illicit proceeds, also make cryptocurrencies and their use in cybercrime a particular concern.

Financial intermediaries are a critical link in facilitating ransomware payments, according to a FinCEN advisory in October 2020. Ransomware schemes most often involve convertible virtual currencies—the preferred payment method of ransomware attackers. The victim will typically transmit funds via wire transfer, automated clearinghouse, or credit card payment to an exchange to purchase the type and amount of virtual currencies demanded by the attacker and will send the amount specified from a “wallet” hosted by the exchange to the criminal’s account or virtual wallet. The perpetrator will need to clean the funds using mixers or anonymizers to convert the money to other virtual currencies or to fiat funds, likely moving them to jurisdictions with weak AML/CFT controls. In addition, virtual currencies are used to obscure the source of funds derived from illicit activities, as well as for payments for purchasing ransomware tools, illicit drugs, child pornography, and other illicit goods online.

Common Cybercrime Red Flags:

  • Cyber indicators that have been associated with possible ransomware activity or cyber threat actors known to perpetrate ransomware schemes
  • Admission by the customer that they are paying a ransom
  • Digital wallet is listed on OFAC’s Specially Designated Nationals (SDN) list
  • IP address located in geography that is a higher risk for cybercrime
  • Transaction comes from sector at high risk for targeting by ransomware attacks, such as government or critical infrastructure
  • Virtual currency transaction outside the customer’s normal range of activities
  • Use of an exchanger or money services business in a high-risk jurisdiction with weak AML/CFT controls
  • Multiple, rapid trades between multiple virtual currencies—especially privacy coins—with no apparent related purpose

In the end, cyber investigations and related counterparty inquiries require real-world data to fully contextualize risk. Entities should consider, as part of their approach, multivariable screening of counterparties to look for potential risk, including risk that may be related to the entity’s network. In the event of an attack, this approach can help investigating teams understand the connections between the perpetrators. Separately, assessing and understanding global geographic risk and its evolution is a logical step institutions can take to further factor in this national priority into their risk assessments.

Foreign and domestic terrorist financing. Foreign terrorist organizations (FTOs), such as ISIS, al-Qa‘ida, Lebanese Hizballah, and Iran’s Islamic Revolutionary Guard Corps (IRGC), pose significant threats to the United States and our allies and continue to plot attacks against US and other western interests. Domestic racially or ethnically motivated violent extremists (RMVEs)—primarily white supremacists and antigovernment violent extremists—pose a threat to US citizens and government officials and infrastructure. Terrorists’ financial needs can include small amounts of money for lone-actor attacks, as well as financing for recruitment of new members, logistics, and large-scale operations.

Most FTOs still rely on traditional banking infrastructures, cash couriers, informal transfer systems like hawalas, and money services businesses (MSBs) to move money, although the recent conflict between Israel and US-designated militant group HAMAS has seen a surge of cryptocurrencies into the coffers of the FTO.

In February 2021, former Treasury Assistant Secretary for Terrorist Financing and Financial Crimes, Daniel Glaser, testified in a Congressional hearing that the US government should develop a counter-illicit finance strategy to hinder RMVEs’ ability to access the US financial system to raise and transfer funds. The first step in this strategy is understanding what methodologies RMVE groups use to access the US financial system and mapping out their financial networks. Although tracking and identifying RMVEs is more challenging because they tend to be decentralized, and the US government does not maintain an official or public list of domestic terrorist organizations or individuals, once RMVE typologies are detected, they should be shared with financial institutions to help them detect red flags.

Common FTO Financing Red Flags:

  • High-risk locations, including countries near areas of conflict
  • Suspicious use of funds by non-profits and charities inconsistent with their purpose
  • Complicated transfers, including use of high-risk goods/services (e.g., used cars) to move funds
  • Structured deposits to avoid detection
  • Multiple cash deposits and withdrawals with suspicious references
  • Frequent use of ATMs in foreign jurisdictions
  • Unusual cash activity in foreign bank accounts
  • Use of multiple foreign bank accounts to transfer funds
  • Parties to the transaction are from countries known to support terrorist activities and FTOs
  • Adverse media about account holder’s connections to FTOs
  • Unidentified beneficial owner of the account
  • Transactions involving foreign currency exchanges followed by funds transfers to higher-risk locations within a short time

Detecting potential terrorist financing is a critical requirement for all institutions that requires both internal and external data to be effective. Moreover, work to advance financial intelligence-sharing between governments and between the government and private sector has resulted in significant success as highlighted by the Royal United Services Institute (RUSI) and its work with the Future of Financial Intelligence Sharing.

In terms of external data, use of geographic risk tools and global multilingual media enable institutions to anticipate risk and apply enhanced monitoring globally. Specifically, scanning client lists for both existing and known nexuses to terrorism, as well as potential links found in news or social media are key approaches institutions can take on a risk basis. An additional critical step is identifying any counterparty address associated with designated FTOs.

Fraud. Bank, consumer, health care, and securities and investment fraud are some of the most common types of illicit activities. Health care fraud alone is estimated to generate roughly $100 billion in annual profits. Proceeds of fraud are laundered much like any other illicit proceeds, including via the use of offshore entities, such as shell companies, to transfer funds to offshore jurisdictions, accounts controlled by cyber threat actors, or money mules. Since last year, fraud related to the COVID-19 pandemic is of particular concern, with illicit actors illegally accessing business loans, selling counterfeit vaccines or protective equipment, and fraudulently obtaining unemployment insurance. Foreign-funded disinformation campaigns maligning COVID vaccines or espionage activities using front companies to steal intellectual property, technology, or sensitive information are also a concern. Fraud is a predicate offense that generates illicit proceeds that need to be laundered.

Fraud-Related Red Flags:

  • Use of shell and front companies or trusts
  • Risky offshore jurisdictions
  • Unusual transactions from bank accounts
  • High-volume payments without logical explanation
  • Small frequent transfers to different accounts
  • Suspicious identification documents
  • Discrepancies in provided taxpayer ID numbers or names
  • PEPs involved in deal or transaction
  • Connections to sanctioned individuals or designated terrorists
  • Activities inconsistent with customer business
  • Incomplete address or address shared with multiple other entities in high-risk jurisdictions

Fraud is a financial crime. Understanding counterparty address risk of an entity is one of many useful steps that can be taken to avoid potential fraud. Moreover, examining counterparty addresses can help determine whether a business is legitimate or potentially a front or shell company sharing an address with previously identified fraudulent entities. Using new data sources, institutions can examine address red flags at scale and incorporate this information into other risk functions such as credit teams (which are typically siloed from financial crime teams). Other potential indicators available through data include shared directors and evidence that a business is no longer in operation or was recently closed or incorporated. Finally, understanding the actual line of business versus an entity’s claimed line of business is key to uncovering potentially fraudulent activity.

Transnational Criminal Organizations. Transnational criminal organizations (TCOs) are associated with a host of crimes that threaten US national security. FinCEN considers Mexican and Russian TCOs priority threats but has also highlighted an increase in threatening activity from African and Asian TCOs. These groups engage in a wide variety of crimes, such as drug trade, human trafficking, illegal gambling, financial fraud, extortion, murder, and kidnapping. Malign state actors support, or at least tacitly back, these groups and allow them to operate within their borders to bolster their own international agendas that are harmful to US national security.

To keep their funds flowing, Russian TCOs use schemes involving trade-based money laundering (TBML) in auto sales, real estate tax fraud, and shell company bank accounts to make cross-border wire transfers. OFAC sanctioned the “Thieves-in-Law” as an umbrella term for Eurasian organized crime in December 2017. Other groups, such as African TCOs, use e-mail and money mule schemes to fund their activities.

TCO-Related Red Flags:

  • High-risk jurisdictions, including those with higher regulatory or geopolitical risk
  • Use of shell companies or funnel accounts
  • Cash purchases of luxury items, automobiles, or real estate
  • Use of casinos for banking services
  • Use of money mules
  • Unusual customer activity inconsistent with past behavior, such as wiring funds internationally
  • Adverse media connecting entity or individual with organized crime or corrupt officials

Evaluating sophisticated geographic risk information, such as subnational risk statistics, is a data-driven approach that can help institutions better understand risk that may be associated with TCOs. Cross-referencing trade records or other higher risk goods, such as tobacco and used cars, transiting key countries is also useful in uncovering potential risk. Another beneficial practice involves reviewing media to connect relationships and using domestic government sources, such as suspicious business lists, to increase understanding of the risk climate in high-risk jurisdictions.

Drug Trafficking Organizations. For the United States, the largest drug trafficking threat emanates from Mexican and Chinese DTOs collaborating in the Chinese Underground Banking System—a network of professional money launderers. This network enables the DTOs to finance their activities by circumventing banking restrictions in Mexico and China. These schemes also often employ front and shell companies, and these methods were highlighted in 2019 when three Chinese citizens residing in the United States were charged with conspiracy to commit money laundering. Colombia, Peru, and Central American countries are also rife with DTOs.

In a 2019 advisory, FinCEN outlined typologies used by organizations trafficking fentanyl. The advisory also identified red flags that surround these typologies, which included bulk cash smuggling, TBML, structured MSB money transfers, and the use of funnel accounts.

DTO-Related Red Flags:

  • Chemical or pharmaceutical company or other high-risk sectors
  • High-risk locations
  • Kingpin Act designations
  • Banking transactions from foreign entities using MSBs
  • Use of virtual currencies from foreign supply sources

Evaluating nexus risk between companies and organizations potentially engaged in drug trafficking is critical, and examining extended sanctions lists and other data sets can provide relational context where additional risk or concern exists. Scanning for connections between potential shell or front companies and high-risk goods is another data-driven technique that can uncover drug-trafficking risk. In addition, cross-referencing trade records for precursor chemicals and/or other higher-risk items used to produce narcotics transiting key countries can reveal potential risk.

Human Trafficking/Smuggling. Human trafficking and human smuggling involve exploiting adults and children for forced labor, slavery, or commercial sex. Human trafficking generates as much as $150 billion in illicit profits annually, with an estimated 25 million people victimized per year. It almost certainly involves human rights abuses and is a predicate crime for money laundering and a funding source for TCOs and FTOs. In its five-year roadmap of legislative proposals, the EU defined human trafficking as a priority in combatting organized criminal gangs. The Biden administration, which sees multilateral cooperation with allies as a priority, could work with the EU in this area.

Businesses need to conduct thorough supply chain and distribution channel due diligence research to ensure they are not using forced labor, and financial institutions need to screen for associated red flags. Human traffickers and smugglers use shell companies to hide their business activities and receive payments using funnel accounts and TBML, according to FinCEN’s October 15, 2020 advisory. Human traffickers often use third-party payment processors to disguise the origin of their proceeds and use virtual currencies or prepaid gift cards. Red flags that a banking customer is a human trafficking victim include low wages that may be immediately wired to a third party, especially a website or modeling agency.

Human Trafficking/Smuggling-Related Red Flags:

  • High-risk jurisdictions
  • Use of virtual currencies
  • Bulk purchases of prepaid gift cards
  • Smurfing
  • Use of virtual currencies to purchase online ads
  • Use of front companies or funnel accounts
  • Use of massage parlors or hair and nail salons in combination with other red flags, taking mostly cash payments or gift cards
  • Real estate or luxury car purchases in cash
  • Third party on accounts other than supposed customer

Institutions and payment processors can leverage existing watchlist data and adverse media to identify potential direct and indirect links with human trafficking rings. Non-typical data sources, such as NGO websites, are also useful inputs that can provide insights into where and how human trafficking may be occurring—both directly and indirectly. Finally, utilization of open-source business registry information and mapping technology may reveal links between addresses and phone numbers associated with businesses at higher risk of having a human trafficking/human smuggling nexus.

Proliferation Financing. Proliferation Financing (PF) involves trade brokers and front companies that use the US financial system to fund the development or purchase of weapons of mass destruction (WMDs)—nuclear, chemical, and biological weapons—in violation of international laws and treaties. Global correspondent banking is particularly vulnerable to proliferation financing as it processes US dollar transactions for cross-border trade. Enabling this activity are gatekeepers, front or shell companies, exchange houses, or illicit international trade. FATF’s June 29, 2021 guidance advises governments and businesses to mitigate their risk exposure to PF and cites sanctions evasion schemes linked to maritime shipping, trade finance, precious metals and stones, virtual asset service providers, shell and front companies, and correspondent banking relationships as potential avenues for funding the spread of WMDs.

Iran, North Korea, and Syria are a primary PF concern, and Treasury has issued multiple advisories on shipping and supply chain risks associated with these jurisdictions. In a May 2020 advisory, Treasury warned that transactions that facilitate WMD proliferation—even with entities for which an institution has a waiver authorizing transactions—could be exposed to sanctions vulnerabilities. Proliferators could use transshipment, ship-to-ship transfers, or automatic identification system (AIS) manipulation to transport WMD materials. Transactions with jurisdictions that are on the FATF list for increased monitoring are an additional concern, as FinCEN noted in an advisory on counterproliferation in March.

Red Flags:

  • High-risk jurisdictions
  • Dual-use goods
  • Indication of transshipment, ship-to-ship transfers, or AIS manipulation
  • Falsified or altered shipping documents
  • Precious metals and stones purchases
  • Use of shell and front companies
  • Use of crypto currency to evade detection
  • Gatekeeper making transactions on behalf of another party

Institutions should include sub-national geotargeting that considers addresses typically used by countries engaging in WMD proliferation in their data inputs. For example, certain addresses in China’s Liaoning Province, Hong Kong’s multi-tenant business centers, and FTZs in Gulf Cooperation Council countries present PF risk.


FinCEN’s priority areas outline a more focused approach to combatting illicit finance and one that will help law enforcement gather strong evidence and investigate cases that are among the greatest threats to the United States. Organizations should embrace this shift internally, including leaning into a tech and data-driven approach to understanding and isolating transactional risk that corresponds with national AML/CFT priorities. By doing so, institutions will not only stay ahead of regulations and avoid possible penalties, but also better frame their risk-based approaches, further empower their teams and channel more relevant intelligence to law enforcement.

Looking ahead, FinCEN will create a business registry that contains much of the CDD information businesses are required to collect, but this registry will only be available to law enforcement and intelligence agencies. This registry will (among other things) help government enforcement and regulators become more proactive in conducting investigations. The administration is also likely to increase use of the Money Laundering Control Act (MLCA) and Foreign Corrupt Practices Act (FCPA) to reach non-US person defendants and increase focus on intermediaries such as agents, consultants, and distributors. These developments almost certainly signal increased enforcement on the horizon.


About Sigma Ratings. Founded at MIT, Sigma is the leading AI-driven risk intelligence platform used across financial services, professional services and government sectors to power customer onboarding, ongoing monitoring and automated investigative workflows. Sigma’s unified global data, configurable smart entity scoring and encrypted cloud-based delivery is unique to industry and is a shift in legacy approaches to managing risk and compliance at scale. Sigma is backed by a global network of investors including the Fitch Group, FinTech Collective, Contour Ventures and Barclays Bank.

About FiveBy. FiveBy is a specialized risk intelligence services firm that provides clients the opportunity to grow profits, strengthen their brand, and exceed their customer expectations. FiveBy uses expert analysts to design adaptable responses—whether to an ongoing incident or to implement preventive measures—tailored to your business needs and always with a human touch.



