Bank Secrecy Act: FinCEN and IRS Need to Improve and Better	 
Coordinate Compliance and Data Management Efforts (15-DEC-06,	 
GAO-07-212).							 
                                                                 
In 2005, over 16 million Bank Secrecy Act (BSA) reports were	 
filed by more than 200,000 U.S. financial institutions. Enacted  
in 1970, BSA is the centerpiece of the nation's efforts to detect
and deter criminal financial activities. Treasury's Financial	 
Crimes Enforcement Network (FinCEN) and the Internal Revenue	 
Service (IRS) play key roles in BSA compliance, enforcement, and 
data management. GAO was asked to describe FinCEN's and IRS's	 
roles and assess their effectiveness at ensuring BSA compliance  
and efforts to reengineer BSA data management.			 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-212 					        
    ACCNO:   A64206						        
  TITLE:     Bank Secrecy Act: FinCEN and IRS Need to Improve and     
Better Coordinate Compliance and Data Management Efforts	 
     DATE:   12/15/2006 
  SUBJECT:   Banking law					 
	     Banking regulation 				 
	     Crime prevention					 
	     Criminals						 
	     Data integrity					 
	     Financial institutions				 
	     Financial management				 
	     Fraud						 
	     Internal controls					 
	     Money laundering					 
	     Program evaluation 				 
	     Regulatory agencies				 
	     Risk assessment					 
	     Statistical data					 
	     White collar crime 				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-212

   

     * [1]Results in Brief
     * [2]Background
     * [3]FinCEN and IRS Have Distinct Roles in Implementing BSA, but

          * [4]FinCEN Oversees the Government wide BSA Compliance Program,
          * [5]FinCEN Is Responsible for Supporting and Networking the Law
          * [6]FinCEN Relies Heavily on IRS for the Collection, Storage, an

     * [7]IRS Lacks an Effective BSA Compliance Program, Despite Sever

          * [8]FinCEN and IRS Continue to Face Challenges in Identifying th
          * [9]IRS Is Developing a Statistically Valid Risk-Based Approach
          * [10]Although Compliance Challenges Continue to Exist, the Establ

               * [11]Compliance Examination Policies and Procedures
               * [12]Education and Outreach to NBFIs
               * [13]Information Management
               * [14]Performance Measurement

          * [15]FinCEN and IRS Lack a Documented and Coordinated Strategy fo

     * [16]CI Investigates BSA Criminal Violations and Uses BSA Informa

          * [17]CI Dedicates a Portion of Its Resources to Investigate Crimi
          * [18]CI Statistics Show Increases in Enforcement Activity for BSA
          * [19]CI Is a Large Consumer of BSA Data

     * [20]Missed Opportunities for Effective Planning and Poor Project

          * [21]FinCEN Missed Opportunities to Effectively Plan, and Coordin

               * [22]FinCEN Began Reengineering BSA Data Management
                 Activities wi
               * [23]FinCEN Did Not Adequately Communicate and Coordinate
                 Reengin

          * [24]Poor Project Management and Oversight Contributed to the Fai

     * [25]Conclusions
     * [26]Recommendations for Executive Action
     * [27]Agency Comments and Our Evaluation
     * [28]GAO Contact
     * [29]Acknowledgments
     * [30]GAO's Mission
     * [31]Obtaining Copies of GAO Reports and Testimony

          * [32]Order by Mail or Phone

     * [33]To Report Fraud, Waste, and Abuse in Federal Programs
     * [34]Congressional Relations
     * [35]Public Affairs

Report to Congressional Committees

United States Government Accountability Office

GAO

December 2006

BANK SECRECY ACT

FinCEN and IRS Need to Improve and Better Coordinate Compliance and Data
Management Efforts

GAO-07-212

Contents

Letter 1

Results in Brief 3
Background 5
FinCEN and IRS Have Distinct Roles in Implementing BSA, but Share Some
Responsibilities 8
IRS Lacks an Effective BSA Compliance Program, Despite Several
Improvements 11
CI Investigates BSA Criminal Violations and Uses BSA Information
Extensively 23
Missed Opportunities for Effective Planning and Poor Project Management
and Oversight Have Hampered FinCEN's Efforts to Reengineer BSA Data
Management Activities 26
Conclusions 34
Recommendations for Executive Action 35
Agency Comments and Our Evaluation 36
Appendix I Objectives, Scope, and Methodology 38
Appendix II Reports Required by BSA Regulations 41
Appendix III Responsibilities of MSBs under BSA 43
Appendix IV Access to Taxpayer Information for BSA Examinations 44
Appendix V MOUs on BSA Compliance 45
Appendix VI Comments from the Financial Crimes Enforcement Network and
Internal Revenue Service 47
Appendix VII GAO Contact and Acknowledgments 53

Tables

Table 1: Types of Entities Qualifying as NBFIs Not Otherwise Regulated by
a Federal Functional Regulator 6
Table 2: Summary of BSA Compliance Program Improvements and Limitations 19
Table 3: BSA Performance Measures Established to Track Program Activities
in Fiscal Years 2005 and 2006 and Compared to Performance Information
Available for Fiscal Year 2004 22
Table 4: CI's BSA Investigative Time, FTEs, and Costs for Fiscal Years
2002 through 2006 24
Table 5: BSA Investigations Initiated, Investigations Completed,
Recommendations for Prosecutions, and Convictions for Fiscal Years 2002
through 2006 25
Table 6: Criteria Applied by Treasury and IRS When Evaluating Specific
Proposals for Governmental Disclosures 44

Figures

Figure 1: BSA Framework 9
Figure 2: Key Moments in the Development of New BSA Data Management
Systems 30

Abbreviations

BSA Bank Secrecy Act
BSA Direct R&S BSA Direct Retrieval and Sharing 
CBRS Currency and Banking Retrieval System
CFTC Commodity Futures Trading Commission
CIMIS Criminal Investigation Management Information System
CIIRS Criminal Investigations Division
CIO chief information officer
CTR currency transaction report
DEA Drug Enforcement Administration
DHS Department of Homeland Security
ECC-DET Enterprise Computing Center at Detroit 
FBI Federal Bureau of Investigation
FDIC Federal Deposit Insurance Corporation
FFIEC Federal Financial Institutions Examination Council
FinCEN Financial Crimes Enforcement Network
FRB Federal Reserve Bank
FTE full-time equivalent
ICE Immigration and Customs Enforcement
IRS Internal Revenue Service 
MITS IRS Modernization and Information Technology Services
MOU memorandum of understanding
MSB money service business
NBFI nonbank financial institution
NCUA National Credit Union Administration
NRP National Research Program
OCC Office of the Comptroller of the Currency
OIG Office of Inspector General 
OMB Office of Management and Budget
OTS Office of Thrift Supervision
SAR suspicious activity report
SB/SE Small Business Self-Employed Division
SEC Securities and Exchange Commission
TIGTA Treasury Inspector General for Tax Administration 
WebCBRS Web-based Currency and Banking Retrieval System

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office

Washington, DC 20548

December 15, 2006

The Honorable Christopher Bond Chairman The Honorable Patty Murray Ranking
Minority Member Subcommittee on Transportation, Treasury, the Judiciary,
Housing and Urban Development and Related Agencies Committee on
Appropriations United States Senate

The Honorable Joe Knollenberg Chairman The Honorable John W. Olver Ranking
Minority Member Subcommittee on Transportation, Treasury, Housing and
Urban Development, the Judiciary, District of Columbia, and Independent
Agencies Committee on Appropriations House of Representatives

Criminals frequently use the financial system in attempts to conceal
illegal or untaxed proceeds from a variety of activities, including
narcotics trafficking, arms trafficking, extortion, and public corruption.
Laundering money, evading taxes, and financing a terrorist plot can
involve many of the same methods. For example, they may use third-party
nominees, currency, wire transfers, multiple bank accounts, or
international "tax havens" to avoid detection. Attempts to convert
criminal income into legitimate assets or conceal the use of legitimate
assets in criminal activity jeopardize not only the security of our
financial system but also our national security.

The Bank Secrecy Act (BSA) establishes the framework used to combat these
activities and prevent the exploitation of our financial system.^1 BSA
requires financial institutions to report certain financial transactions
made by their customers. For example, in 2005, U.S. financial institutions
filed over 16 million BSA reports. These reports provide information used
by law enforcement to detect and prevent a wide range of financial crimes.

^1 Bank Secrecy Act, titles I and II of Pub. L. No. 91-508, 84 Stat. 1114
(1970), as amended, codified at 12 U.S.C. SS 1829b, 1951-1959, and 31
U.S.C. SS 5311-5322.

At the federal level, many agencies have some responsibility for
protecting our financial system, but a key role is played by the
Department of the Treasury (Treasury). Within Treasury, the Financial
Crimes Enforcement Network (FinCEN) oversees the administration of BSA and
the Internal Revenue Service (IRS) has responsibility for ensuring non
bank financial institutions (NBFI), not otherwise subject to examination
by another federal functional regulator, comply with BSA requirements.
NBFIs include, in part, casinos and state-chartered privately insured
credit unions and money service businesses (MSB), such as money
transmitters and check cashers. In addition, IRS's Criminal Investigation
Division (CI) is responsible for the investigation of criminal BSA
violations and money laundering crimes, including those related to taxes.

In the Senate Appropriations Committee Report, the Committee expressed
considerable concern over FinCEN's and IRS's management of BSA compliance
efforts.^2 As proposed by the Senate, the conference agreement mandated
that we review the effectiveness of the roles played by FinCEN and IRS in
those areas for which they share responsibility for carrying out the BSA
legislation.^3 As agreed with your Subcommittees this report

           o describes IRS's and FinCEN's roles and responsibilities for BSA
           compliance, criminal investigations, and data management;
           o assesses IRS's effectiveness in managing its BSA compliance
           program and coordinating with FinCEN;
           o describes the BSA enforcement efforts of CI; and
           o assesses the effectiveness of FinCEN's efforts to reengineer BSA
           data management activities.

           To address these objectives, we reviewed relevant legislative and
           regulatory authorities. We analyzed data on program performance
           and compared estimates of the NBFI population. We compared IRS's
           approach for selecting NBFIs for compliance examinations to the
           approach it uses for examining individual tax returns, as well as
           to guidance from the Office of Management and Budget (OMB), GAO,
           and others. We applied our criteria for internal controls to the
           Title 31 database IRS used to house and store data for BSA
           examination cases. We analyzed BSA Direct planning and
           implementation documents and compared cost, schedule, and
           performance plans against actual progress. We also compared
           FinCEN's approach to GAO's investment management framework. We
           examined the memorandums of understanding (MOU) established
           between FinCEN and IRS, FinCEN and the states, and IRS and the
           states. We interviewed FinCEN officials in Washington, D.C., and
           Vienna, Virginia, and IRS Small Business Self-employed Division
           (SB/SE) officials in Washington, D.C.; New Carrollton, Maryland;
           and Detroit, Michigan. We also interviewed officials from the
           Treasury Office of Inspector General (OIG) and the Treasury
           Inspector General for Tax Administration (TIGTA), and officials
           from the Conference of State Banking Supervisors. Appendix I
           provides a more detailed scope and methodology for this review. We
           conducted our review from July 2005 through November 2006 in
           accordance with generally accepted government auditing standards.

           Earlier this year, we provided detailed briefings on the interim
           results of our work to the Subcommittee on Transportation,
           Treasury, the Judiciary, Housing and Urban Development, and
           related agencies, Senate Committee on Appropriations. Further,
           because FinCEN experienced problems with development and
           implementation of the retrieval and sharing component of BSA
           Direct, we provided our observations on this project in July of
           this year.^4
			  
			  Results in Brief

           FinCEN and IRS have distinct roles in implementing BSA, but share
           some responsibilities. FinCEN's role is to oversee the
           administration of BSA by numerous agencies, including IRS. In this
           role, FinCEN develops policy and provides guidance to both federal
           financial regulators and financial institutions and also controls
           access to BSA data by law enforcement agencies. IRS has three
           roles. First, IRS is one of eight federal financial regulatory
           agencies that conduct BSA compliance examinations-- in IRS's case,
           examinations of NBFIs. Second, CI investigates potential criminal
           BSA violations. Third, IRS collects and stores the reports of
           financial transactions required by BSA and filed by financial
           institutions.

           IRS lacks an effective BSA compliance program, despite several
           recent improvements. IRS faces challenges in identifying NBFIs
           subject to BSA and then using its limited resources to ensure
           compliance.

           o IRS is aware of approximately 107,000 potential NBFIs, yet one
           study commissioned by FinCEN estimates there are up to 200,000 of
           these businesses in the United States. Identifying NBFIs, and
           particularly MSBs, is difficult especially for businesses, such as
           grocery stores, where financial transactions are not the primary
           business activity. FinCEN and IRS could take additional steps to
           identify NBFIs, but some steps are of unproven benefit and would
           require adjusting priorities. Some IRS BSA officials told us that
           tax return information might help identify potential NBFIs, but
           IRS is prohibited by law from disclosing tax information for
           nontax purposes, with some exceptions. The disclosure provisions
           in the Internal Revenue Code do not currently include an exception
           for BSA compliance examinations. IRS does not have evidence about
           the value of tax return information for identifying NBFIs and has
           not made a decision about whether it would be worth pursuing a
           legislative change. Treasury's OIG found that FinCEN's regulations
           and guidance for MSBs can be confusing and easily misinterpreted.
           FinCEN agreed, but officials said verifying MSB registrations is a
           higher priority than revising these instructions.
           o IRS lacks a statistically valid risk-based approach for
           selecting NBFIs for compliance examinations but is working to make
           improvements. A risk-based approach is important because IRS has
           limited examination resources, highlighting the need for building
           risk into the audit selection process. In 2005, IRS completed
           3,712 examinations-- 3.5 percent of the approximately 107,000
           potential NBFIs currently in its database. IRS is conducting a
           study to validate the risk factors it is using to select MSBs for
           examination by randomly sampling from a group of MSBs that have
           filed, are required to file, or are the subject of filed BSA
           reports. This study is a step in the right direction, but IRS's
           approach will continue to have limitations, in part, because the
           study only addresses a segment of NBFIs identified by IRS. In the
           future, IRS can improve its risk-based approach for targeting
           examinations of NBFIs by studying the compliance risks posed by
           the broader population of known NBFIs.
           o IRS has established a new Office of Fraud/BSA accountable for
           BSA enforcement, improved examination guidance, and tracking
           referrals to law enforcement agencies; however, management
           limitations remain. For example, IRS lacks a measure of NBFIs'
           rates of compliance with BSA and thus cannot track program
           effectiveness over time. IRS also lacks a comprehensive
           examination manual that NBFIs can use to develop anti-money
           laundering programs that satisfy BSA requirements. In addition,
           FinCEN and IRS lack a documented and coordinated strategy that
           lists priorities, time frames, and resource needs for addressing
           BSA compliance program limitations.

           As IRS's law enforcement arm, CI dedicates a portion of its
           resources to investigating criminal BSA and money laundering
           violations. CI's direct investigative time for BSA investigations
           has remained relatively constant for the past 5 years at about 12
           percent of total investigative resources. BSA convictions have
           increased during the same period, from 240 in fiscal year 2002 to
           296 in fiscal year 2006.

           FinCEN missed opportunities to effectively plan and coordinate
           early efforts to reengineer BSA data management activities and
           experienced poor project management and oversight of the BSA
           Direct Retrieval and Sharing (BSA Direct R&S) project.
           Specifically, FinCEN did not develop a comprehensive long-term
           plan for reengineering BSA data management responsibilities before
           investing in new information systems. Instead, FinCEN began
           development on BSA Direct R&S before a plan was in place. This
           project--on which work was eventually stopped, in part, because of
           poor project management and oversight--was expected to be the
           cornerstone of the broader reengineering effort. In addition,
           FinCEN did not do an adequate job of communicating and
           coordinating the reengineering effort with IRS, which resulted in
           the development of new systems with some duplicative capabilities.
           With the failure of BSA Direct R&S, FinCEN is now reassessing the
           future of BSA Direct, but does not yet have a plan for moving
           forward with the broader effort to reengineer BSA data management
           activities.

           We are recommending that FinCEN and IRS develop a documented and
           coordinated strategy for improving NBFI compliance with BSA. We
           are making a number of specific recommendations to be incorporated
           into this strategy, such as making a decision about whether to
           pursue accessing taxpayer data to identify NBFIs and developing a
           NBFI compliance manual. We are also recommending FinCEN develop a
           comprehensive plan to guide the effort to reengineer BSA data
           management activities. On December 11, 2006, the Director of
           FinCEN and the Commissioner of Internal Revenue agreed with all
           our recommendations. The Director and Commissioner also stated
           their appreciation that our report notes the steps that FinCEN and
           IRS have already taken to improve BSA compliance.
			  
			  Background

           BSA, enacted by Congress in 1970, authorizes the Secretary of the
           Treasury to issue regulations requiring financial institutions to
           retain records and file reports useful in criminal, tax, and
           regulatory investigations. Following the September 11, 2001
           terrorist attacks, Congress passed the USA PATRIOT Act, which,
           among other things, amended BSA and expanded the number of
           industries subject to BSA regulation.^5 Title III of the act
           expanded BSA powers to combat terrorist financing and required
           financial institutions to establish proactive anti-money
           laundering programs. In addition, the act expanded reporting
           requirements and allowed the records and reports collected under
           BSA to be used in the conduct of intelligence or
           counterintelligence activities and to protect against
           international terrorism.

           The BSA framework focuses on financial institutions' record
           keeping and reporting requirements to create a paper trail of
           financial transactions that federal agencies can trace to deter
           illegal activity and apprehend criminals. Under the BSA framework,
           primary responsibility rests with the financial institutions
           themselves in gathering information and passing it to federal
           officials. "Financial institutions" include both banking
           institutions and NBFIs. Banking institutions include commercial
           banks and trusts, savings and thrifts, branches of foreign
           chartered banks doing business in the United States, and credit
           unions. NBFIs include MSBs, casinos, and some credit unions. MSBs
           include businesses that transmit money, cash checks, and engage in
           certain financial transactions. MSBs are the largest and most
           diverse group of entities that qualify as NBFIs. Table 1 describes
           the different types of entities that qualify as NBFIs not
           otherwise regulated by a federal functional regulator.

^2 S. Rep. No. 108-342 (2004) and Consolidated Appropriations Act, 2005.
Pub. L. No. 108-447.

^3 H.R. Rep. 108-792 (2004).

^4 See GAO, Information Technology Management: Observations on the
Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval and
Sharing (BSA Direct R&S) Project, [36]GAO-06-947R (Washington, D.C.: July
14, 2006).

Table 1: Types of Entities Qualifying as NBFIs Not Otherwise Regulated by
a Federal Functional Regulator

NBFIs                   Description of institution                         
Casinos                 Nevada casinos, state/territory licensed casinos;  
                           and gaming operations; tribal casinos; and other   
                           gaming organizations, such as card clubs.          
State chartered         Member-owned, member-controlled, not-for profit    
non-federally insured   cooperative financial institutions formed to       
credit unions           permit groups of people who share a "common bond"  
                           to save, borrow, and obtain related financial      
                           services and to participate in their management    
                           that are privately insured and state chartered and 
                           regulated.                                         
Credit card operators   Business in the United States that operates a      
                           system for clearing and settling transactions in   
                           which the operator's credit or debit card is used  
                           to purchase goods or services or to obtain cash    
                           advances.                                          
MSBs                    Businesses that                                    
                                                                              
                              o transmit money;                               
                              o cash checks;                                  
                              o issue, sell, or redeem traveler's checks,     
                              money orders, or stored value;                  
                              o deal or exchange currency; and                
                              o conduct more than $1,000 in the activities    
                              mentioned with the same person on the same day, 
                              and provide money transfer services in any      
                              dollar amount.                                  
                                                                              
                           The U.S. Postal Service (transactions excluding    
                           the sale of postage and philatelic products).      
The USA PATROIT ACT Expanded The Types of Entities That Qualify As NBFIs
Dealers in precious     Manufacturers, refiners, wholesalers, certain      
metals and jewels       retailers considered dealers, and any other        
                           entities engaged in the business of purchasing and 
                           selling jewels, precious metals, precious stones,  
                           or jewelry. Ranges from single artisan goldsmiths  
                           selling unique and rare gemstones on an individual 
                           basis to publicly traded commercial manufacturers  
                           producing millions of pieces each year.            
Insurance companies     Insurance companies that issue permanent life      
                           insurance policies, annuity contracts, and any     
                           other insurance products with features of cash     
                           value or investment. The companies are to          
                           integrate agents and brokers who sell these        
                           products under the insurance companies into their  
                           program requirements and ensure policies and       
                           procedures are followed.                           
Loan/finance companies  FinCEN has not adopted any rules defining which    
Travel agencies         businesses are to be included in these sectors.    
Real-estate closing                                                        
professionals                                                              
Sellers of vehicles                                                        
Unregistered investment                                                    
companies.                                                                 

^5 USA PATRIOT ACT, Pub. L. No. 107-56, 15 Stat. 272 (2001).

Sources: FinCEN and the Financial Action Task Force.

All financial institutions subject to BSA requirements must implement
internal controls, policies, and procedures; maintain records of
transactions; and file reports of cash transactions over the $10,000
dollar threshold and suspicious activities. The USA PATRIOT Act required
all financial institutions to develop written anti-money laundering
compliance programs that detail internal policies, procedures and internal
controls. Each program must designate a compliance officer, provide
ongoing employee training of pertinent personnel, and provide for
independent reviews whose scope and frequency is commensurate with the
risk of the financial services provided.

Registration, record keeping, and reporting are the core elements of
anti-money laundering requirements for MSBs. Certain MSBs are required to
register with the Secretary of the Treasury and renew those registrations
every 2 years. In addition, MSBs that sell money orders, travelers'
checks, or other instruments for cash must verify the identity of each
customer and create and maintain a record of each purchase when the
purchase is cash from $3,000 to $10,000.^6 Also, financial institutions
and certain types of businesses are required to submit reports on cash
transactions over the $10,000 threshold and transactions of a suspicious
nature. Millions of these reports are filed each year. For example, in
2005 over 16 million BSA reports were filed by financial institutions.
Certain civil and criminal penalties can be levied against financial
institutions for violating BSA reporting requirements, with fines ranging
from $500 for negligence to $500,000, 10 years in jail, or both for
certain willful violations. ^7,^8 Appendix III discusses the compliance
reporting responsibilities in more detail.

FinCEN and IRS Have Distinct Roles in Implementing BSA, but Share Some
Responsibilities

FinCEN's role is to oversee administration of BSA government wide. In this
role, FinCEN develops policy and provides guidance to other agencies, as
shown in figure 1. However, FinCEN also relies on other agencies in
implementing the BSA framework, including (1) ensuring compliance with BSA
requirements to report certain financial transactions, (2) conducting
investigations of criminal financial activity, and (3) collecting and
storing the reported information IRS is involved in all three of these
areas.

^6 31 C.F.R. S 103.29.

^7 31 C.F.R. S 103.57(h).

^8 31 U.S.C. S 5322(b).

Figure 1: BSA Framework

aAgency names are listed in the list of acronyms located at the front of
this report.

^bFinCEN collects some BSA information directly through its E-filing
system; however, this information is then provided to IRS and stored with
all other BSA information in IRS's WebCBRS system.

^cCTRs and SARs are only examples of the types of BSA reports stored on
IRS's Web-based Currency and Banking Retrieval System (WebCBRS). See App.
II for the complete list.

^dThere are 215 agencies with access to IRS WebCBRS. This is only a
partial list of these agencies. Additionally, some agencies have duplicate
copies of the information that are incorporated into other data systems;
therefore some agencies do not always have to access WebCBRS to review BSA
data.

FinCEN Oversees the Government wide BSA Compliance Program, While IRS Conducts
Compliance Examinations of NBFIs

As administrator of BSA, FinCEN's compliance role is to develop regulatory
policies for agencies that examine financial institutions and businesses
for compliance with BSA laws, and when appropriate, assess civil penalties
against noncompliant institutions. FinCEN develops and issues BSA
regulatory requirements and provides guidance to financial institutions
that are subject to those requirements. FinCEN is also responsible for
overseeing agency compliance examination activities and provides these
agencies with assistance in educating institutions on their BSA
responsibilities.

As highlighted in the compliance examiners section of figure 1, IRS is one
of eight agencies that actually conduct the compliance examinations that
FinCEN oversees. The Office of Fraud/BSA, within SB/SE, conducts
examinations of NBFIs, including MSBs, which are not regulated by another
federal agency. Appendix III discusses the compliance responsibilities of
MSBs in more detail.

FinCEN Is Responsible for Supporting and Networking the Law Enforcement
Community, Including CI

FinCEN is responsible for supporting and networking law enforcement at the
federal, state, and local levels. FinCEN's network exceeds 180 law
enforcement agencies, and includes CI, the Federal Bureau of
Investigation, the Drug Enforcement Administration, Immigration and
Customs Enforcement, state and local police departments and investigative
bureaus, attorney general and district attorney offices, and foreign
authorities. FinCEN provides investigative leads to support financial
criminal investigations and offers a variety of analytical products on
trends and patterns that can be used by law enforcement to more
effectively target their investigations.

As the enforcement arm of IRS, CI has the authority to investigate
criminal violations of BSA laws. Like other law enforcement agencies, CI
uses financial intelligence, including data provided on BSA reports, to
build investigations and prepare cases for prosecution. The law
enforcement section of figure 1 highlights how FinCEN, IRS CI, and the
broader law enforcement community fit into the BSA framework.

FinCEN Relies Heavily on IRS for the Collection, Storage, and Maintenance of BSA
Data

FinCEN has responsibility for overseeing the management of BSA data, but
from an operational standpoint does not collect, store, or maintain the
official data that are reported by financial institutions. IRS's
Enterprise Computing Center at Detroit (ECC-DET), under a long-standing
cooperative arrangement with FinCEN, has been the central point of
collection and storage of these data. ECC-DET maintains the infrastructure
needed to collect the reports, convert paper and magnetic tape submissions
to electronic media, and correct errors in submitted forms through
correspondence with filers. As illustrated in the data management section
of figure 1, BSA data are processed and warehoused in IRS's Currency
Banking and Retrieval System are accessed through a Web-based interface.
The system is called WebCBRS. IRS examiners and investigations officials
access WebCBRS directly through IRS's intranet. Non-IRS law enforcement
users access BSA data through FinCEN's Gateway computer system. Secure
Outreach functions as a portal through FinCEN's information technology
infrastructure to BSA data housed at ECC-DET.

IRS Lacks an Effective BSA Compliance Program, Despite Several Improvements

Despite many improvements, IRS does not yet have an effective BSA
compliance program. An effective IRS compliance program would require
identifying the population of NBFIs and then periodically testing whether
these NBFIs are complying with their reporting and other BSA requirements.

FinCEN and IRS Continue to Face Challenges in Identifying the Population of
NBFIs Subject to BSA Requirements

Several efforts have been made to estimate the NBFI population, but all of
these estimates have weaknesses. However, IRS and other knowledgeable
observers agree that IRS has only identified a portion of the population.
No recent studies have been conducted that estimate the total population
of NBFIs; however, a number of efforts have been made to estimate the
number of MSBs, the largest group of NBFIs subject to BSA requirements. A
1997 study conducted by a FinCEN consultant estimated the existence of
approximately 158,000 MSBs.^9 One IRS official within the Office of
Fraud/BSA estimates there may be approximately 160,000 MSBs. In 2005,
another FinCEN study estimated the population to be as high as 200,000.^10
Officials from FinCEN, IRS, Treasury, TIGTA, and Treasury's OIG agree that
IRS has only identified part of the NBFI population.

^9 The study reported the total number of NBFIs is estimated at 158,000.
The study conducted a discovery process to identify businesses that
provided services involving (1) check cashing, (2) money orders, (3) money
transmission, (4) retail foreign currency exchange, and (5) travelers
checks.

Several factors contribute to IRS's difficulty in identifying NBFIs.
NBFIs, especially MSBs, are inherently difficult to identify because of
the wide range of sizes, structures, and financial activities they
conduct. Unlike traditional financial institutions, such as federally
insured banks, many MSBs are small, independently owned businesses in
which financial services are offered as a secondary business activity. For
example, many grocery stores, convenience stores, gas stations, and liquor
stores would be considered MSBs because they offer check cashing, money
order, or wire transfer services, even though the primary activity of
these businesses is the sale of consumer goods. In a 2005 report, the OIG
cited language barriers and the limited financial proficiency of some
business owners as reasons many MSBs are not registered, ^11 and therefore
have not been identified.^12

The OIG also found that regulations and guidance for MSBs can be confusing
and easily misinterpreted, thus contributing to the challenge of
identifying MSBs. The report states that the distinction FinCEN makes
between a MSB principal and an agent of that principal is not always
understood by the MSB population and is difficult to verify other than
through an on-site examination. Some BSA rules, such as the registration
requirement, are applicable to principals--the entities issuing financial
instruments--and some are applicable to agents--businesses authorized to
sell the issuers' financial instruments. Another confusing aspect of the
MSB requirements is that businesses whose daily money services
transactions are less than $1,000 per day per person are generally not
considered MSBs. As with the agent exemption, the dollar threshold is
difficult to verify other than through an on-site examination. The OIG
found that FinCEN had plans to assess whether agents of MSBs should be
required to register; however, FinCEN has not taken action to implement
these plans. IRS officials in the Office of Fraud/BSA support a change
that requires all MSBs to register, regardless of whether they are
principals or agents, because it would make identification easier. FinCEN
officials, however, said that their first priority is to ensure that the
current list of MSB registrations is accurate. Therefore, FinCEN does not
have a time-frame for revising MSB regulations and guidance, including
registration requirements.

^10 The study reported the total number of MSBs nation wide is estimated
to be 203,207 with a 95% confidence interval. The study conducted a survey
of a representative sample of 24,000 potential MSBs and got a 10 percent
response rate. The MSBs provided services involving (1) check cashing, (2)
money orders, (3) money transmission (domestic and international), (4)
foreign currency exchange, (5) stored value, and (6) traveler's checks.

^11 Each business (not including branches) that fits within the definition
of an MSB is required to register with FinCEN, except for the U.S. Postal
Service and other agents of the federal, state, or local government and
those businesses that are considered MSBs only because they (1) act as
agents for other MSBs or (2) act as issuers, sellers, or redeemers of
stored value.

^12 Department of the Treasury, Office of the Inspector General, Bank
Secrecy Act: Major Challenges Faced by FinCEN in Its Program to Register
Money Service Businesses, OIG-05-050 (Washington, D.C.: Sept. 27, 2005).

Identifying NBFIs, and particularly MSBs, is challenging and resource
intensive--both FinCEN and IRS have responsibility in this area. IRS uses
CBRS, public and commercial databases, Internet searches, and the yellow
pages to identify potential MSBs. FinCEN searches past BSA reports and
gets referrals from other law enforcement officials about potential NBFIs
and MSBs. However, not all businesses identified from these sources as
potential NBFIs are actually subject to BSA requirements. IRS has
identified 107,000 potential NBFIs, but has not been able to determine how
many of these businesses are subject to BSA. Whenever IRS identifies a new
business it believes may be an NBFI, it sends the business a letter. This
letter explains that IRS believes the business is engaged in an activity
that qualifies it as an NBFI subject to BSA requirements. IRS officials
said they are uncertain about the effectiveness of this letter and that
some businesses do not reply. Further, these officials said often the only
way to confirm whether a business is subject to BSA requirements is to
conduct an on-site examination, a labor-intensive and time-consuming
process.

IRS officials in the Office of Fraud/BSA told us that accessing IRS's tax
return databases might help identify additional potential NBFIs. The
Office of Fraud/BSA is currently unable to use tax return information to
identify businesses that may be subject to BSA requirements because IRS is
prohibited by law from using tax return information for nontax purposes,
with only a few exceptions.^13 The confidentiality of tax information is
considered crucial for promoting voluntary compliance by taxpayers, and
legislative proposals for exceptions have been strictly scrutinized by
Treasury before submission to Congress. IRS currently lacks empirical
evidence that would support making a case to grant an exception (for
example, evidence on the number of potential NBFIs that could be
identified from tax data but not from other sources), and IRS has not
decided whether it should pursue obtaining access in an effort to develop
this evidence. Appendix IV provides more detail on taxpayer disclosures
and the criteria the executive branch considers before submitting a
proposal to Congress for granting exceptions.

^13 I.R.C. S 6103 provides that tax returns and return information are
confidential and may not be disclosed by IRS, other federal employees,
state employees, and certain others having access to the information
except as provided in I.R.C. S 6103. I.R.C. S 6103 allows IRS to disclose
taxpayer information to federal agencies and authorized employees of those
agencies for certain specified purposes.

In another effort to identify potential NBFIs, FinCEN and IRS have
recently agreed to a number of MOUs with state financial regulators to
improve coordination and information sharing.^14 Almost all MOUs are less
than 2 years old, and according to IRS, FinCEN, and officials representing
the states that have signed MOUs, it is still too early to tell how
effectively they will be carried out. Successfully implementing these MOUs
and sustaining the partnerships they establish will be an ongoing
challenge for IRS, FinCEN, and the states involved. For example, states
have differing definitions and licensing requirements for MSBs, which can
make it difficult to ensure consistency in the reporting of information.
Additionally, IRS officials said that meeting the information-sharing
requirements in the MOUs is time intensive because it requires manually
gathering large amounts of information from different parts of the
organization. The benefits to IRS and the states, thus far, have not been
determined. IRS, FinCEN, and the states have only recently begun to
implement the agreements in the MOUs. Therefore, little has been done to
evaluate the usefulness of the information that is being shared. Appendix
V provides additional information on the MOUs.

^14 Some states incorporate BSA compliance reviews as part of safety and
soundness examinations they conduct on certain MSBs.

IRS Is Developing a Statistically Valid Risk-Based Approach to Selecting
Businesses for Compliance Examinations, but Limitations Will Continue to Exist

IRS does not have a statistically valid risk-based approach for targeting
NBFIs for BSA compliance examinations, but it is working on developing
such an approach for a segment of MSBs. A risk-based approach is important
for selecting NBFIs for compliance examinations because IRS only has
resources to examine a small fraction of NBFIs each year. For example, in
2005, IRS completed 3,712 examinations-- 3.5 percent of the 107,246
potential NBFIs in its database.

A risk-based approach uses statistically valid risk factors to select
NBFIs for compliance examinations. Statistically valid risk factors can be
used to better target examinations on those businesses that pose the
greatest risk for noncompliance with BSA requirements. As a result, IRS
would devote fewer of its scarce resources to examining compliant NBFIs.
One approach to statistically validating the risk factors involves testing
them on a sample of NBFIs representative of the population and determining
the extent to which the results correlate with businesses' actual
noncompliance with BSA requirements.^15 IRS already uses a risk-based
approach when selecting individual tax returns for audit. Its approach
involved statistically validating a set of risk factors using a relatively
small but representative sample of individual tax returns.^16 IRS now uses
those risk factors to select individual tax returns for audit from the
entire population.

We, as well as OMB and TIGTA, have recognized the value of risk-based
approaches. Earlier this year, we reported that risk management, including
risk assessment, is a widely endorsed strategy for helping managers and
policymakers make decisions about allocating finite resources and taking
actions under conditions of uncertainty.^17 OMB also recommends making
decisions based on risk assessments. As far back as 1986, we concluded
that BSA regulators would use their resources better by targeting
examinations on entities with a high potential for problems.^18 In 2004,
TIGTA reported that a risk-based, data-driven process to select the
potentially most noncompliant MSBs for compliance checks could be a more
effective selection method than IRS's existing process.^19

15 Successfully completing a validation study offers assurance that the
final results are sufficiently robust and that the method can be relied on
for reproducible results. For an example, see GAO, Anthrax Detection:
Agencies Need to Validate Sampling Activities in Order to Increase
Confidence in Negative Results, [37]GAO-05-251 (Washington. D.C.: Mar. 31,
2005).

^16 The most recent such assessment was called the National Research
Program. See GAO, Tax Administration: IRS Is Implementing the National
Research Program as Planned, [38]GAO-03-614 (Washington, D.C.: June 16,
2003).

^17 GAO, Risk Management: Further Refinements Needed to Assess Risks and
Prioritize Protective Measures at Ports and Other Critical Infrastructure,
[39]GAO-06-91 (Washington, D.C.: Dec. 15, 2005).

IRS's approach for selecting NBFIs for examination is based mainly on the
judgment and experience of IRS managers and examiners. Based on that
judgment and experience, IRS's Office of Fraud/BSA has developed a set of
risk factors that assist in prioritizing and selecting NBFIs for
examination. However, the judgment and experience of managers and
examiners is based on past compliance cases that are not a representative
sample of NBFIs. Further, IRS studied the risk factors to help develop
rules for case selection and used experienced examiners to score these
factors based on their potential for producing cases involving
noncompliant businesses. IRS has not conducted a test to statistically
validate these risk factors.

IRS recognizes that its risk factors have not been tested and validated.
It has a research project under way to test whether the current risk
factors are more effective than chance at identifying noncompliant MSBs.
IRS selected a random sample of potential MSBs from CBRS. Then each MSB in
the sample was scored for risk of noncompliance using the risk factors.
Beginning in January 2007, IRS will examine each MSB in the sample to
determine whether actual noncompliance exists. The examination results
will be compared to the risk scores to determine the effectiveness of the
risk factors at predicting noncompliance. The results could also be used
to make improvements to the factors. The research project is slated for
completion in December 2007. If the project is completed on time, IRS
officials expect any changes made to the risk factors would go into effect
in time to guide the selection of cases for examination in calendar year
2008.

IRS's research project is a step in the right direction. For MSBs in CBRS,
it will provide empirical validation for IRS's current risk factors or a
basis for improving them. However, this risk-based approach will continue
to have limitations, including the following.

^18 GAO, Bank Secrecy Act: Financial Institution Regulators' Compliance
Examinations, [40]GAO/GGD-86-94 (Washington, D.C.: Aug. 1, 1986).

^19 See Treasury Inspector General for Tax Administration, Additional
Efforts Are Needed to Improve the Bank Secrecy Act Compliance Program,
2004-30-068 (Washington, D.C.: Mar. 12, 2004).

IRS's research study was not designed to be representative of all the
potential MSBs identified by IRS. IRS is testing the validity of the
risk-based selection process by sampling from a subpopulation of potential
MSBs, not the entire population. The study samples from a list of 59,701
potential MSBs entered into CBRS in 2004 or 2005 because they either filed
BSA-required reports, such as MSB registrations, CTRs, and SARs, or were
named in such reports by third parties. However, the population of
potential MSBs that IRS has identified is larger. IRS has approximately
105,710 potential MSBs in the Title 31 database and is responsible for
determining whether all of them are complying with BSA.^20 According to
IRS officials, IRS did not draw from the Title 31 database to conduct this
study because inconsistency in the quality and completeness of the
information it contains on NBFIs limited its usefulness as a reliable
source. IRS's decision to use CBRS as the source of the study is a valid
one. However, because the research study does not address the entire known
population, IRS will not know how useful the risk factors are for
producing cases within the segment of the population it did not study. IRS
does not have plans for validating the risk factors for the entire known
population of MSBs.

IRS's risk-based approach to selecting MSBs for compliance examinations
necessarily ignores the unknown part of the population. As discussed
previously, there is widespread agreement that despite its efforts to
date, IRS has not identified all MSBs. As IRS uses new information sources
and methods to identify additional MSBs, the risk factors may not take
into account the characteristics of these previously unidentified MSBs.
The only way to ensure IRS is adapting its risk-based selection process to
reflect changes in the identified population of MSBs is to continue
updating its risk assessments. IRS does not have plans for reassessing the
validity of the risk factors as additional MSBs are identified.

^20 The Title 31 database is the primary source of data for building cases
for BSA examination because it contains all the information IRS has on
NBFIs and potential NBFIs. The database includes business names, owners,
employees, addresses, and types of financial services offered. It is also
where IRS documents the status of compliance examination activity, such as
case summaries and results of past examinations. Therefore, there is the
potential for the same NBFIs to be identified in both the Title 31
database and CBRS.

IRS's study and the risk factors applied are only applicable to MSBs and
do not take into account the risks of other NBFIs. IRS does not have a
statistically validated risk-based approach for selecting casinos,
wholesale jewelers, or insurance agents for examination. In addition, as
more types of NBFIs are required to comply with BSA requirements, IRS will
be required to incorporate those businesses into its compliance
examination efforts. From a long-term perspective, a risk-based approach
that looks across the different segments of the NBFI population could
result in a more effective use of resources for compliance examination.
IRS does not have plans for a risk assessment of the full range of NBFIs.

Addressing the limitations in IRS's current risk-based approach for
targeting NBFIs for examination will require time and resources.
Identifying unknown NBFIs is inherently challenging and gradual--no easy
solution exists for addressing this problem. Compliance research is
costly; IRS estimates the research that is currently under way will cost
approximately $1.7 million. Furthermore, IRS's ability to mount separate
efforts to deal with the range of limitations will be constrained by
management capacity and research capacity.

The benefits of a statistically valid risk-based approach to ensuring
compliance are potentially very great. The nation would have data-based
assurance that the NBFI compliance examination program is targeting its
resources where the risks of NBFI noncompliance, and the resulting lack of
reporting about suspicious financial transactions, are known to be
greatest.

Although Compliance Challenges Continue to Exist, the Establishment of an Office
of Fraud/BSA Has Resulted in Some Improvements

In October 2004, IRS established the Office of Fraud/BSA within SB/SE.
This office is responsible for ensuring NBFIs comply with BSA
requirements. IRS appointed an executive to oversee the office. This
executive reports directly to the SB/SE Commissioner. The establishment of
this office came, in part, in response to TIGTA findings that IRS needed
to strengthen oversight of the BSA compliance program.^21 For example,
prior to reorganizing, IRS did not have examiners dedicated specifically
to conducting BSA compliance examinations. Instead, according to IRS
officials, examinations were conducted by tax examiners who split their
time among tax examinations, BSA examinations, and collections activities.

^21 Treasury Inspector General for Tax Administration.

With the establishment of the Office of Fraud/BSA, IRS dedicated over 300
staff in 33 field offices specifically to conducting BSA compliance
examinations. The dedication of these staff reflects IRS's decision to
place a greater priority on meeting its BSA examination responsibilities.
Since establishing the Office of Fraud/BSA and dedicating staff
specifically to BSA issues, IRS has centralized and increased uniformity
of BSA compliance examinations. However, the program still has management
limitations and the improvements do not address the significant problems
that IRS has in identifying NBFIs and targeting compliance examinations.
Table 2 shows the improvements IRS management has made and some remaining
management limitations.

Table 2: Summary of BSA Compliance Program Improvements and Limitations

Program area      Improvements              Limitations                    
Compliance        IRS has centralized, more IRS's Internal Revenue Manual, 
examination       fully documented, and     the resource for IRS's         
policies and      better implemented        official policies and          
procedures        policies and procedures   procedures, has not been       
                     for conducting            amended since January 2003.    
                     examinations of NBFIs for                                
                     compliance.                                              
Education and     FinCEN and IRS have       Unlike the agencies that       
outreach to NBFIs expanded and better       examine banks for BSA          
                     coordinated education and compliance, IRS lacks a        
                     outreach efforts directed comprehensive manual that      
                     to the NBFI community.    NBFIs can use to develop       
                                               anti-money laundering programs 
                                               that are compliant with BSA    
                                               requirements.                  
Information       IRS has centralized and   IRS's Title 31 database, which 
management        taken steps to improve    contains IRS's information on  
                     the accuracy and          NBFIs, is labor intensive to   
                     reliability of all data   maintain and has limited       
                     on NBFIs and information  functionality and security and 
                     used to manage            stability concerns.            
                     examination resources.                                   
Performance       IRS has established and   IRS lacks a way of measuring   
measurement       benchmarked a number of   the extent to which known      
                     performance measures of   NBFIs comply with BSA          
                     program activities.       requirements.                  

Source: GAO.

  Compliance Examination Policies and Procedures

Before establishing the Office of Fraud/BSA, IRS did not have centrally
managed, or consistently implemented, BSA examination policies and
procedures. IRS lacked formal guidance for documenting BSA compliance
examinations and determining whether a case warranted referral for civil
or criminal enforcement by FinCEN or CI, respectively. Since establishing
the Office of Fraud/BSA, IRS has established uniform instructions that
compliance examiners use for requesting records and examining institutions
for compliance with BSA requirements. Additionally, IRS has developed
better procedures for determining whether a case has enough support to
warrant a referral for civil enforcement by FinCEN or criminal enforcement
by CI. According to FinCEN officials, the documentation for cases referred
for civil penalty assessment has improved significantly as a result of
these changes. CI officials have also noticed improvements in case
documentation and referrals that they attribute to the establishment of
the new organization.

However, many of the changes to the processes and guidance have not been
incorporated into the Internal Revenue Manual--IRS's official internal
policies and procedures document resource. Instead, many of IRS's new or
revised policies and procedures are distributed to compliance examiners
via memorandums and electronic mail. Distributing guidance in this manner
makes it difficult to keep track of the changes and ensure consistent
understanding and implementation over the long term. IRS recognizes these
challenges and has slowly made progress in generating an update, but this
process began in 2004 and was not complete as of November 2006. IRS could
not provide a definitive deadline for when the updated Internal Revenue
Manual would be published.

  Education and Outreach to NBFIs

IRS's outreach is conducted by the SB/SE Stakeholder Liaison Office. The
liaison office works with FinCEN in coordinating the development and
distribution of standardized and consistent information through brochures,
newsletters, presentations, and other materials.

However, IRS has not provided the NBFI community with a comprehensive
source of information that can be used to guide efforts to develop a
program that meets BSA requirements. In June 2005, the Federal Financial
Institutions Examination Council (FFIEC) addressed this issue for the
agencies responsible for conducting BSA examinations of banks and similar
financial institutions.^22 FFIEC, with support from FinCEN, developed the
Bank Secrecy Act/Anti-Money Laundering Examination Manual.^23 Although
this manual is intended to guide examiners when examining financial
institutions for compliance with BSA requirements, the banking industry
has applauded its development and publication because it makes examination
procedures transparent and provides excellent guidance on what is expected
of banks.

^22 FFIEC's five member agencies are the Board of Governors of the Federal
Reserve System, Federal Deposit Insurance Corporation, National Credit
Union Administration, Office of the Comptroller of the Currency, and
Office of Thrift Supervision.

^23 This FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual
was published on June 30, 2005. It provides guidance to examiners for
carrying out compliance and Office of Foreign Assets Control examinations.
An effective compliance program requires sound risk management; therefore,
the manual also provides guidance on identifying and controlling risks
associated with money laundering and terrorist financing. The manual
contains an overview of compliance program requirements, risks and risk
management expectations, industry sound practices, and examination
procedures.

Despite agreement by FinCEN and IRS that a similar manual is needed for
the NBFI community, such a manual has not been developed. According to IRS
officials, they have recently hired a training coordinator who will be
responsible for developing this manual. However, no timeline has been
established for when the process for developing this manual will begin.

  Information Management

Prior to the establishment of the Office of Fraud/BSA, the management of
BSA compliance program information was decentralized. Each of the 16 field
offices maintained its own, separate lists of potential NBFIs and
information on the examinations it was conducting. Once the new office was
established, IRS took steps to combine all of this information into one
centralized database, the Title 31 database.

The Title 31 database, however, was not built using a disciplined systems
development process and is not supported by IRS Modernization and
Information Technology Services (MITS). As a result, the database
potentially contains duplicate, outdated, and sometimes inaccurate
information from the 16 merged systems. IRS officials believe it has
addressed many of these issues but could not validate that all have been
addressed. Further, IRS officials stated that the database has other
limitations, including (1) limited capacity to handle the number of fields
required to maintain and close cases, (2) issues with connectivity across
field locations, (3) limited controls to prevent the entry of invalid
information, and (4) system instability. IRS has obtained MITS support in
creating a new system to maintain the information in the Title 31
database. However, IRS will continue operating within existing system
constraints until the new system is fully operational.

  Performance Measurement

IRS has made progress in tracking and measuring program activities, but
lacks a measure of the extent to which NBFIs comply with BSA requirements.
Prior to the new organization, IRS had only one consistently measured
performance goal for the BSA compliance program--delivery of direct
examination staff years. In a 2004 review, TIGTA found that IRS needed to
establish performance indicators that measure case results and their
cumulative impact on compliance. For fiscal year 2005, IRS established a
suite of measures that it is using to track and assess program
performance. Table 3 lists these measures and the fiscal year 2005 results
and fiscal year 2006 goals and results.

Table 3: BSA Performance Measures Established to Track Program Activities
in Fiscal Years 2005 and 2006 and Compared to Performance Information
Available for Fiscal Year 2004

                                                      Fiscal year Fiscal year 
                                     Fiscal    Fiscal        2006        2006 
BSA performance measure        year 2004 year 2005 through May target/goal 
Number of closures                 3,481     3,712       3,681       6,427 
Hours per case                        ^a        49          44          50 
Cycle time                             a       218         219          ^b 
Cases in inventory                                                         
Assigned to                            c        ^c       2,593           b 
examiner--examination not                                                  
started                                                                    
Assigned to                            c         c       2,754           b 
examiner--examination started                                              
Net number of new starts               c         c       4,837           b 
Referrals to CI                        9        21          10           b 
Referrals to FinCEN                    8        10           4           b 
Referrals to tax examiners         1,663     1,572         471           b 

Source: IRS Office of Fraud/BSA.

^aInformation on hours per case and cycle time was not captured until
January 2005.

^bNo targets and goals have been identified.

^cInformation not provided for fiscal years 2004 and 2005.

IRS performance measures in table 3 do not provide information on the rate
of NBFI compliance. Although measuring compliance rates can be
challenging, IRS has done so for taxpayer compliance of individuals under
Title 26. IRS's research to validate the risk factors it uses to target
MSB examinations could also be used to estimate a compliance rate for MSBs
in CBRS. This compliance rate would not be generalizable to the entire MSB
or NBFI population; however, it would allow IRS to get a better
understanding of the extent to which the MSB population captured within
CBRS complies. Without a measure of the compliance rate, IRS and external
parties such as Congress will not know the effect, over time, of IRS's
efforts to ensure compliance. IRS has no plans to measure the NBFI
compliance rate.

FinCEN and IRS Lack a Documented and Coordinated Strategy for Improving NBFI
Compliance with BSA Requirements

FinCEN and IRS have taken a number of steps to improve efforts to ensure
that NBFIs comply with BSA, but they lack a documented and coordinated
strategy for moving forward. Our previous discussion shows that many
additional steps could be taken to identify the population of NBFIs,
ensure compliance of those NBFIs that have been identified, and strengthen
management of IRS's BSA compliance program. Addressing these limitations
will be challenging and will take time. The challenges are compounded by
the fact that the types of NBFIs that are IRS's responsibility under the
law are growing. Some actions to address these challenges could be taken
by the agencies individually, but others will require a coordinated
approach to be effective. Further, limited resources and time constraints
mean that additional actions will have to be prioritized, alternatives
will need to be considered, and trade-offs may need to be made. FinCEN and
IRS do have some elements of a strategy to guide future efforts.^24
However, FinCEN and IRS do not have a documented and coordinated strategy
that prioritizes actions, lists time frames, and explains resource needs
over multiple years.

Without a strategy that prioritizes and guides IRS and FinCEN's collective
efforts to improve NBFI compliance, the risk is greater that noncompliance
will go undetected and uncorrected. Noncompliance by NBFIs means that
suspicious financial transactions, such as money laundering and terrorist
financing that occur at these institutions, might go undetected.

CI Investigates BSA Criminal Violations and Uses BSA Information Extensively

CI investigates individuals and businesses, including financial
institutions, for BSA and money laundering violations, usually in
conjunction with other tax law violations.

^24 Both FinCEN and IRS have developed some elements of a strategy. IRS
has a Concept of Operations for the Office Fraud/BSA that describes the
strategic objectives, goals, and outcomes of the program, as well as an
annual program letter that describes the program priorities for the fiscal
year. FinCEN has a strategy to improve MSB compliance.

CI Dedicates a Portion of Its Resources to Investigate Criminal BSA Violations

BSA investigations constituted roughly 12 percent of CI's direct
investigative time in fiscal year 2006. Full-time equivalents (FTE)
dedicated to BSA enforcement from 2002 to 2006 remained relatively
unchanged, as shown in table 4.

Table 4: CI's BSA Investigative Time, FTEs, and Costs for Fiscal Years
2002 through 2006

                  Fiscal year Fiscal year Fiscal year Fiscal year Fiscal year 
                         2002        2003        2004        2005        2006 
Direct               11.1%       12.3%       12.4%       12.0%       11.8% 
investigative                                                              
time                                                                       
Total FTEs             450         478         474         453         451 
BSA costs      $56,684,148 $63,760,525 $69,183,775 $66,516,938 $68,286,292 

Source: IRS's Criminal Investigation Management Information System.

CI highlighted enhancing BSA compliance in its strategy and program plan
for fiscal years 2005 through 2006. In the plan, CI outlines its
strategies to support IRS's strategic plan goal to enhance enforcement of
tax laws. One of CI's major compliance strategies involves effectively
working with Treasury, the Department of Justice and other law enforcement
partners among other things, to enhance BSA compliance efforts.^25 CI
recently introduced new performance measures based, in part, on a previous
TIGTA report and an OMB review. During the OMB review, Treasury, CI, and
OMB jointly determined that the old measure of completed investigations
was insufficient to measure program effectiveness. As a result, CI
introduced three new annual performance measures: the number of
convictions (a measure of impact on compliance), the conviction rate (a
measure of quality of investigations), and conviction efficiency (a
measure of cost efficiency). CI reported 296 convictions for BSA
violations during fiscal year 2006. From fiscal years 2002 through 2006,
convictions increased about 23 percent.

CI investigates individuals and businesses for BSA or money laundering
violations, but according to CI officials, agents do not typically
investigate many financial institutions for Title 31 violations.
Generally, if an institution is the subject of an investigation, it is for
failure to have an anti-money laundering program in place or because an
individual within the institution is causing the institution to not file
required forms. According to CI officials, structuring is the most common
type of BSA violation CI investigates among individuals. Structuring
occurs when a person conducts or attempts to conduct currency transactions
at financial institutions for the purposes of evading the reporting
requirements of BSA. Many BSA investigations involve structuring, failure
to file reports on transactions or bulk cash, and smuggling activities,
according to CI officials.

^25 In GAO, Bank Secrecy Act: Opportunities Exist for FinCEN and the
Banking Regulators to Further Strengthen the Framework for Consistent BSA
Oversight, [41]GAO-06-386 (Washington, D.C.: Apr. 28, 2006), we reported
on some of the BSA criminal cases pursued by the Justice Department.

BSA criminal violations are usually investigated in conjunction with other
tax violations, according to CI officials. In one recent case, a sales
executive for an international telecommunications company was sentenced to
24 months in prison and fined $20,000 in a money laundering case involving
cash deposits. The sales executive structured bank deposits and made 31
cash deposits totaling over $250,000 to accounts in two different banks to
avoid currency transaction reports being filed to IRS. The sales executive
forfeited $59,400 and filed amended income tax returns to report an
additional $250,000 in income that he was attempting to hide with his
structuring activity. The case was developed from information reported in
SARs.

CI Statistics Show Increases in Enforcement Activity for BSA Violations

BSA convictions increased from fiscal years 2002 through 2006. Likewise,
investigations completed and prosecutions recommended increased during the
same period. Table 5 shows CI's BSA investigations initiated,
investigations completed, prosecutions recommended, and convictions.

Table 5: BSA Investigations Initiated, Investigations Completed,
Recommendations for Prosecutions, and Convictions for Fiscal Years 2002
through 2006

                               Fiscal    Fiscal    Fiscal    Fiscal    Fiscal 
                            year 2002 year 2003 year 2004 year 2005 year 2006 
Investigations initiated       563       525       523       546       554 
Investigations completed       418       513       700       546       628 
Prosecutions recommended       292       322       501       379       437 
Convictions                    240       239       310       343       296 

Source: IRS's Criminal Investigation Management Information System.

CI Is a Large Consumer of BSA Data

CI is a big user of BSA data and IRS's database that stores the
data--CBRS. CI's enforcement mission coupled with being organizationally
located within IRS places it in a unique position for utilizing BSA data.
CI queries CBRS more than any other federal, state, or local agency.
During fiscal year 2005, CI made about 57 percent of the over 1.5 million
queries made of the system. Additionally, CI was responsible for more than
66 percent of the document viewing activity in CBRS.

During 2006, CI transitioned to a new Web-based version of CBRS. CI
officials reported the system has advantages for improving CI's ability to
develop investigative leads. One advantage is the ability to conduct
searches within narratives on BSA reports. Analysts and investigators can
now search narratives on SARs, for instance, for specific words and were
unable to do so under the old CBRS system. Another advantage cited is the
ability to better use downloads of SAR data. With the Web-based system, an
analyst or investigator can put downloads in Access or Excel. Once the
data are in a spreadsheet or database management applications program,
analysts or investigators can easily look for trends in certain addresses
or occupations. With the old CBRS system, the analyst had to print out
downloads and manually look at the different fields of information from
SARs.

Missed Opportunities for Effective Planning and Poor Project Management and
Oversight Have Hampered FinCEN's Efforts to Reengineer BSA Data Management
Activities

In 2003 FinCEN began an effort to reengineer BSA data management
activities However, the cornerstone of FinCEN's reengineering effort, BSA
Direct R&S, was permanently halted because of a multitude of problems.

FinCEN Missed Opportunities to Effectively Plan, and Coordinate with IRS, Early
Efforts to Reengineer BSA Data Management

FinCEN made two mistakes in the early stages of its effort to reengineer
BSA data management activities: it began reengineering without a
comprehensive implementation plan and did not adequately communicate and
coordinate with IRS.

  FinCEN Began Reengineering BSA Data Management Activities without a
  Comprehensive Implementation Plan

According to our Business Process Reengineering Assessment Guide, before
an agency initiates business process reengineering, a comprehensive
implementation plan should be developed that spells out the work that
needs to be done.^26 This plan should include time frames, milestones,
decision points, and resource allocations. Although FinCEN commissioned a
series of studies to examine and recommend an approach to reengineering
BSA data management activities, these studies were only recommendations
and did not constitute a comprehensive plan for conducting the
reengineering effort. Instead, FinCEN made the decision to move forward
with one aspect of the broader reengineering effort, BSA Direct R&S,
before establishing a comprehensive plan. FinCEN commissioned the MITRE
Corporation to develop a comprehensive reengineering plan that would serve
as a road map for the reengineering effort after the BSA Direct R&S
project was well under way. Further, this plan was developed under the
assumption that BSA Direct R&S would be completed successfully. FinCEN
expected BSA Direct R&S to be the center of FinCEN's broader reengineering
effort and serve as the catalyst for its execution.

FinCEN intended to establish the technology for implementing the
reengineering effort before establishing the reengineering plan itself. We
have found in examining reengineering and technology acquisition efforts
that technology is an enabler of process reengineering, not a substitute
for it. We have also found that acquiring technology in the belief that
its mere presence will somehow lead to process innovation is a root cause
of bad investments in information systems. FinCEN's decision to implement
one aspect of the reengineering effort, BSA Direct R&S, before developing
a comprehensive plan for conducting the broader effort exemplifies this
problem. FinCEN viewed BSA Direct R&S as a strategic initiative, as it was
intended to eventually interface with other systems in order to facilitate
all BSA reporting and data related processes from IRS to FinCEN over time.

^26 GAO, Business Process Reengineering Assessment Guide, GAO/AIMD-10.1.15
(Washington, D.C.: May 1997), provides a general framework for assessing a
reengineering project, from initial strategic planning and goal setting to
post-implementation assessments.

  FinCEN Did Not Adequately Communicate and Coordinate Reengineering Efforts
  with IRS

FinCEN did not adequately communicate and coordinate its BSA data
management reengineering efforts with IRS, namely efforts to develop new
information systems used to house and disseminate BSA data. Had better
communication and coordination occurred, a more effective technology and
business solution might have been achieved. The cornerstone of FinCEN's
effort to take control of all BSA data management responsibilities was the
development of BSA Direct R&S, a new information system that was to store
and disseminate all BSA data. At the same time, IRS developed its own
system, WebCBRS, with many of the same capabilities. FinCEN did not
actively engage in discussions with IRS about WebCBRS as it was being
developed. FinCEN, IRS, and Treasury all have a role in the reengineering
effort. However, FinCEN's goal is to take over all BSA data management
responsibilities currently conducted by IRS. Therefore, FinCEN is driving
the reengineering effort and has responsibility for communicating and
coordinating its activities to the other agencies. Key moments in the
development of these two systems are documented in figure 2.

This page is left intentionally blank.

Figure 2: Key Moments in the Development of New BSA Data Management
Systems

In examining the above timeline, we identified at least three missed
opportunities early in the implementation of the two projects where better
planning and coordination might have resulted in more effective and
efficient systems development efforts:

           o In April 2002, Treasury, with FinCEN's input, recommended IRS
           maintain its role in BSA data management; yet over the next 2
           years FinCEN decided to pursue alternative approaches while IRS
           initiated the transfer of BSA data to WebCBRS, a new system.

           o In the fall of 2003, FinCEN decided to launch the BSA Direct
           project just a month before ECC-DET at IRS secured additional
           funding and accelerated the development of WebCBRS with an
           anticipated completion of 2006 instead of 2009. FinCEN, however,
           justified the need for BSA Direct without fully accounting for (1)
           the expected capabilities that IRS's WebCBRS system would provide
           and (2) IRS's revised and more aggressive conversion schedule. For
           example, part of FinCEN's justification to OMB for BSA Direct was
           that it would allow IRS to discontinue the development of WebCBRS,
           potentially resulting in financial savings for the agency.
           However, officials at both FinCEN and IRS said no discussion on
           discontinuing IRS's effort ever took place before this
           justification was presented.

           o In December 2004, the Chief Information Officer (CIO) of
           Treasury issued a memorandum documenting key agreements between
           the department, IRS, and FinCEN on the future of BSA data
           management, but it is unclear how some of these agreements were
           actually implemented. For example, an agreement stated that IRS
           would be a preferred user of FinCEN's system, yet IRS officials
           stated that they remained uninformed throughout the process about
           their current and future access to BSA data. Additionally, an
           agreement stated that the Treasury CIO would lead a joint effort
           to identify, eliminate, and prevent any potential duplication of
           efforts. However, no information was provided to demonstrate how
           this agreement was to be carried out.
			  
			  Poor Project Management and Oversight Contributed to the Failures
			  of BSA Direct R&S

           BSA Direct R & S failed, in part, because project management
           issues continued throughout the project's life and were not
           adequately addressed by agency executives. On March 15, 2006, the
           Director of FinCEN placed the BSA Direct R & S project under a
           temporary "stop work" order because of significant cost, schedule,
           and performance issues. Over the following 4 months, FinCEN
           reassessed the project with the assistance of two outside
           consultants. Then, on July 12, 2006, the Director decided to
           permanently halt the project because of a multitude of problems.
           Among these were inadequate project governance and a lack of
           demonstrated project management expertise by the project
           contractor and FinCEN.

           In a previous review we found that FinCEN did not always apply
           effective investment management processes to oversee the BSA
           Direct R&S project.^27 This, in part, contributed to the problems
           experienced by the project, because issues that occurred at the
           project management level continued and were compounded, yet were
           not addressed at the executive level. For example, the MITRE
           Corporation--the organization assisting FinCEN with project
           monitoring--identified multiple occasions where FinCEN did not
           take action to mitigate project risks or address significant
           descoping of project functionality.

           BSA Direct R&S repeatedly missed program milestones and
           performance objectives and exceeded the project budget. The
           original cost estimate of $8.9 million for the prime contract
           increased to $15.1 million. Of that amount, $14.4 million was
           spent. FinCEN estimates that an additional $8 million would be
           required for operations and maintenance. Also FinCEN could not
           ensure that any additional investment would achieve the desired
           product. Therefore, FinCEN terminated the project and is currently

           o formalizing a replanning effort for BSA Direct R&S, to include
           strategic, technical, and resource planning issues, as well as
           stakeholder analysis;
           o evaluating the discrete elements of BSA Direct R&S for
           salvageability; and
           o developing a road map to achieve BSA Direct R&S in steps, as a
           program with multiple projects, both business and technology
           oriented.

           In our previous review we noted that the problems with BSA Direct
           R&S indicate systemic problems with FinCEN's management and
           oversight of information technology projects. As a result, the
           Subcommittee on Transportation, Treasury, Housing and Urban
           Development, the Judiciary, and Related Agencies, Senate Committee
           on Appropriations, directed FinCEN to ensure it has an
           executive-level review process for information technology
           projects.^28 We also recommended that FinCEN develop a plan for
           managing BSA Direct that focuses on establishing policies and
           procedures for executives to regularly review investments progress
           against commitments and take corrective actions when these
           commitments are not met. In October 2006, FinCEN developed an
           interim information technology management improvement plan that
           acknowledges that these and other actions are needed to build its
           information technology management capabilities. However, the plan
           focuses on improving FinCEN's information technology management
           capabilities but does not address FinCEN's broader efforts to
           reengineer BSA data management activities.

           Based on past issues, FinCEN will continue to face challenges in
           building information technology management capability, while at
           the same time continuing efforts to reengineer and transition BSA
           data management processes. The MITRE Corporation, prior to the
           failure of the BSA Direct project, characterized reengineering of
           BSA data management as a daunting effort, in part, because it
           involved highly interdependent tasks that must be conducted under
           short implementation time frames. The decision to discontinue the
           BSA Direct R&S project provides FinCEN with an opportunity to take
           a more deliberate and disciplined approach to implementing the
           effort to reengineer BSA data management activities.
			  
			  Conclusions

           FinCEN and IRS play important roles in the national effort to
           combat money laundering and terrorist financing activity. Both
           have recently taken significant steps to make their efforts more
           effective; however, a great deal more could and should be done.

           FinCEN and IRS have taken action to improve NBFI compliance with
           BSA requirements, but making significant progress in identifying
           NBFIs and ensuring that they comply with BSA requirements is a
           long-term effort with no simple solutions. In some cases, IRS,
           FinCEN, or both have actions under way but no timetable for
           finishing. In other cases, action has yet to begin. Some of these
           actions include deciding whether to pursue gaining access to
           taxpayer information, clarifying the definition of an MSB,
           updating the Internal Revenue Manual, developing an NBFI
           compliance examiner's manual, creating a more functional and
           secure mechanism for storing NBFI data, and developing a NBFI BSA
           compliance measure. These actions have not been completed, in
           part, because of competing priorities. However, without a
           coordinated, documented strategy that guides the agencies'
           approach over time, the agencies do not have assurance they are
           moving in the right direction and are limited in their ability to
           measure progress in achieving improvements. Furthermore, Congress
           and the public will have difficulty understanding the overall
           approach that IRS and FinCEN are taking to ensure that NBFIs are
           complying with BSA.

           To date, FinCEN's effort to reengineer and transition BSA data
           management activities has not been successful. The failure of BSA
           Direct R&S was a considerable setback in this effort. However,
           FinCEN is now in a position to reassess the goals of the
           reengineering effort and develop a comprehensive long-term
           strategy. FinCEN and IRS must also find ways to improve
           communication and coordination as FinCEN proceeds with its effort
           to reengineer BSA data management activities. Moving forward,
           FinCEN will need to take a measured and disciplined approach to
           strengthening its ability to oversee and manage information
           technology projects. Significant changes, such as FinCEN's data
           management reengineering effort, are complex and slow to
           implement, requiring a long-term, but flexible, strategy and a
           strong and consistent focus to be successful.
			  
			  Recommendations for Executive Action

           To improve BSA compliance, we are making the following 8
           recommendations.

           The Secretary of the Treasury should direct the Director of FinCEN
           and the Commissioner of Internal Revenue to develop a documented
           and coordinated strategy that outlines priorities, time frames,
           and resource needs for better identifying and selecting NBFIs for
           examination. This strategy should include the full complement of
           actions that FinCEN and IRS can take to build a more effective BSA
           compliance program, including the specific compliance program
           recommendations we make below.

           The Director of FinCEN should establish a time frame for revising
           MSB regulations and guidance, including registration requirements.

           The Commissioner of Internal Revenue should decide whether to
           pursue gaining access to taxpayer data for better identifying
           NBFIs.

           The Commissioner of Internal Revenue should direct the Office of
           Fraud/BSA to

           o build upon the study to validate compliance risk factors by
           developing a plan to assess the noncompliance risks posed by all
           NBFIs;
           o establish time frames for finalizing and publishing the Internal
           Revenue Manual with updated BSA compliance program policies and
           procedures;
           o develop a NBFI compliance examiner's manual that examiners can
           use to guide examinations and businesses can use to ensure they
           are in compliance with BSA requirements, and establish time frames
           for its publication;
           o create a more functional and secure mechanism for storing and
           accessing the information contained in the Title 31 database; and
           o use the results of the forthcoming risk factor validation study
           to estimate the compliance rate for the population of MSBs from
           which the study sample was drawn.

           To improve BSA data management, we recommend the following:

           The Director of FinCEN, in cooperation with the Commissioner of
           Internal Revenue, should develop and implement a comprehensive and
           long-term plan for reengineering BSA data management activities
           before moving forward with the BSA Direct R&S project. This plan,
           at a minimum, should

           o take a broad and crosscutting approach to the reengineering
           effort, and not focus solely on one component, such as BSA Direct;
           o include short- and intermediate-term goals for reengineering BSA
           data management processes, including the transition of IRS's data
           management responsibilities to FinCEN; and
           o incorporate collaboration strategies into the plan by clearly
           defining the role of IRS's ECC-DET in the transition process and
           more actively involving it as a key stakeholder in the
           reengineering effort.
			  
			  Agency Comments and Our Evaluation

           The Director of FinCEN and the Commissioner of Internal Revenue
           jointly provided written comments on a draft of this report in a
           letter dated December 11, 2006 (which is reprinted with its
           enclosures in app. VI). FinCEN and IRS agreed with all our
           recommendations. The Director and Commissioner also stated their
           appreciation that our report notes the steps that FinCEN and IRS
           have already taken to improve BSA compliance. They highlighted
           staff attrition as another challenge faced by the program. The
           Director and Commissioner also raised some issues about the
           difficulty in drawing a correlation between IRS's process for
           selecting tax returns for audit and selecting NBFIs for BSA
           compliance examination, but we view IRS's tax audit case selection
           process as a potentially useful model for selecting cases--even if
           the audits are for other purposes.

           While agreeing with our first recommendation, the Director and
           Commissioner expressed concern that we did not recognize the
           efforts that they have already taken to better identify and select
           NBFIs for examination. However, IRS's Workload Identification
           Process, which they cite, has not yet been funded. Further, our
           report recognizes the use of BSA information in the CBRS
           system--which includes SARs. Additionally, we acknowledge efforts
           to improve coordination of BSA activities with the states through
           MOUs.

           If you or your staff has any questions, please contact me at (202)
           512-5594 or [email protected]. Contact points for our Offices of
           Congressional Relations and Public Affairs may be found on the
           last page of this report. Key contributors to this report are
           listed in appendix VII.

           James R. White
			  Director, Tax Issues Strategic Issues Team
			  
^27 [42]GAO-06-947R .

^28 S. Rep. No. 109-293 (2006).
			  
			  Appendix I: Objectives, Scope, and Methodology

           To describe the Internal Revenue Service's (IRS) and the Financial
           Crimes Enforcement Network's (FinCEN) Bank Secrecy Act (BSA)
           related roles and responsibilities, we reviewed and summarized
           relevant legislative and regulatory authorities. We also reviewed
           BSA rules and guidance, agency reports, and strategic planning
           documents. Further, we interviewed officials at FinCEN and IRS
           Small Business Self-Employed Division (SB/SE) and IRS Criminal
           Investigations Division (CI), and the IRS Enterprise Computing
           Center at Detroit (ECC-DET). We examined the information obtained
           to determine the BSA roles and responsibilities at FinCEN and IRS,
           changes to these roles over time, and the potential for overlap
           and duplication of responsibilities.

           To determine the extent to which IRS has been effective in
           managing its BSA compliance program and coordinating with FinCEN,
           we reviewed relevant legislative and regulatory authorities. We
           analyzed data on program performance and compared estimates of the
           nonbank financial institutions (NBFI) population. We compared
           IRS's approach for selecting NBFIs for compliance examinations to
           the approach it uses for examining individual tax returns, as well
           as to guidance from the Office of Management and Budget, GAO, and
           others. We applied our criteria for internal controls to the Title
           31 database IRS used to house and store data for BSA examination
           cases. We reviewed strategic planning documents related to BSA
           compliance examination and program management, including the
           Internal Revenue Manual, FinCEN and IRS strategy and program
           plans, and expenditure documents. We reviewed Treasury Inspector
           General for Tax Administration (TIGTA) and the Department of the
           Treasury (Treasury) Office of Inspector General (OIG) reports and
           Treasury's response and disposition on recommendations made. We
           also reviewed the Federal Financial Institutions Examination
           Council manual established for federal banking supervisors to
           ensure that the banks have consistent application of BSA
           requirements. To obtain information on the total population of
           NBFIs in the United States for which IRS has BSA compliance
           examination responsibility, we reviewed reports from Coopers &
           Lybrand, KPMG, and Treasury's OIG and Federal Register notices of
           the interim and final reports that contained information on the
           additional BSA industries IRS will be responsible for regulating.
           We also reviewed documentation on IRS's examination and referral
           processes and IRS's performance measures, including the number of
           cases closed, number of referrals, cycle time, hours per case,
           number of new cases initiated, and cases in inventory. We examined
           IRS's BSA case selection criteria and the Title 31 database used
           to house and store data for BSA examination cases. We examined the
           memorandums of understanding (MOU) established between FinCEN and
           IRS, FinCEN and the states, and IRS and the states. We used our
           report on key collaboration practices as criteria for assessing
           IRS's and FinCEN's efforts to collaborate with each other and the
           states. We interviewed IRS SB/SE officials involved with BSA
           examinations; BSA case selection; and the SB/SE Stakeholder
           Liaison office involved in outreach and education for NBFIs,
           FinCEN regulatory policy officials, officials from Treasury's OIG
           and TIGTA, and officials from the BSA Advisory Group and the
           Conference of State Banking Supervisors.

           To describe CI's BSA role, we reviewed legislative and regulatory
           authorities, agency reports, strategic planning documents,
           internal policies and processes for conducting investigations and
           making BSA case referrals, and the 1999 Webster Commission Report.
           We also reviewed CI's statistics for BSA-related staffing
           resources and caseload, including full-time equivalents, closed
           cases, cases with violations, and referrals to FinCEN. We
           interviewed officials from CI, SB/SE, FinCEN, the Department of
           Justice Asset Forfeiture and Money Laundering Section, and the
           Department of Homeland Security Immigration and Customs
           Enforcement on use of BSA data and access to BSA data. We assessed
           the reliability of IRS's Criminal Investigation Management
           Information System--a database containing nationwide data on the
           status of CI investigations: how CI agents use direct
           investigative time; the number and type of staff on board; and the
           inventory of equipment. Our assessment included reviewing existing
           information about the data and the system that produced them and
           interviewing agency officials knowledgeable about the data. We
           determined that the data were sufficiently reliable for the
           purposes of this report.

           To assess the effectiveness of FinCEN's efforts to reengineer BSA
           data management activities, we reviewed and analyzed BSA Direct
           planning and implementation documents and interviewed agency
           officials at IRS and FinCEN and some users of BSA information,
           such as federal law enforcement agencies. We also reviewed project
           documents such as the Office of Management and Budget Exhibit 300,
           the original BSA Direct contract and revisions, progress reports,
           interim briefings, and project assessments conducted by the MITRE
           Corporation. We also interviewed FinCEN officials responsible for
           investment management and the BSA Direct project, the contractor
           conducting the BSA Direct project, and MITRE Corporation officials
           involved in the project. In a previous review, we also examined
           FinCEN's application of information technology investment
           management processes to the retrieval and sharing component of the
           BSA Direct project using our guide, Information Technology
           Investment Management: A Framework for Assessing and Improving
           Process Maturity. We did not conduct a comprehensive review of
           FinCEN's investment management practices. We focused on critical
           processes associated with stage 2 of the five-stage framework
           because they represent the practices needed for basic
           project-level control.

           We performed our review from July 2005 through November 2006 in
           accordance with generally accepted government auditing standards.
			  
			  Appendix II: Reports Required by BSA Regulations	  
			  
                                                                      Reports 
                                             Who is required to      filed in 
Report           Description              file                        2005 
Money Service    Form used by certain MSB Businesses that offer     16,329 
Business         to register with FinCEN. money orders,                    
Registrations                             traveler's checks,               
(RMSB)                                    check cashing,                   
                                             currency dealing or              
                                             exchange, and stored             
                                             value, and such                  
                                             businesses that                  
                                             conduct more than                
                                             $1,000 in MSB                    
                                             activity with the                
                                             same person on the               
                                             same day, or money               
                                             transfers in any                 
                                             amount.a                         
Bank Suspicious  Reports that describe    Financial/depository     525,750 
Activity Reports insider abuse of         institutions.                    
(SAR-DI)         financial transactions                                    
                    of any amount and type                                    
                    that financial                                            
                    institutions suspect may                                  
                    be unusual or irregular,                                  
                    violations of $5,000 or                                   
                    more where a suspect can                                  
                    be identified or involve                                  
                    potential money                                           
                    laundering, violations                                    
                    aggregating $25,000 or                                    
                    more regardless of a                                      
                    potential suspect, and                                    
                    computer intrusion.                                       
MSB Suspicious   Reports that describe    Money transmitters;      381,304 
Activity Reports financial transactions   issuers, sellers, and            
(SAR-MSB)        that are conducted or    redeemers of                     
                    attempted by, at, or     traveler's checks and            
                    through an MSB, involve  money orders; and the            
                    or aggregate funds or    U.S. Postal Service.             
                    other assets of at least                                  
                    $2,000, and the MSB                                       
                    knows, suspects, or has                                   
                    reason to suspect that                                    
                    the transaction (or                                       
                    pattern of transactions                                   
                    of which the                                              
                    transactions are a part)                                  
                    involves funds derived                                    
                    from an illegal                                           
                    activity, is designed to                                  
                    evade reporting                                           
                    requirements, has no                                      
                    reasonable purpose or                                     
                    explanation, or involves                                  
                    the use of the MSB to                                     
                    facilitate criminal                                       
                    activity.                                                 
Casino           Reports that describe    Casinos and card           5,865 
Suspicious       financial transactions   clubs.                           
Activity Reports conducted by, at, or                                      
(SAR-C)          through a casino                                          
                    involving at least                                        
                    $5,000 if they are                                        
                    suspected to derive from                                  
                    illegal activity, are                                     
                    conducted to hide or                                      
                    disguise funds, are                                       
                    designed to evade                                         
                    reporting requirements,                                   
                    have no reasonable                                        
                    purpose or explanation,                                   
                    or involve the use of                                     
                    the casino to facilitate                                  
                    criminal activity.                                        
SAR Securities   Reports that describe    Brokers and dealers        6,897 
and Futures      financial transactions   in securities,                   
Industries       conducted by, at, or     futures commission               
                    through a broker or      merchants, and                   
(SAR-SF)         dealer in securities     futures introducing              
                    involving at least       brokers.                         
                    $5,000 if they are                                        
                    suspected to derive from                                  
                    illegal activity, are                                     
                    designed to evade                                         
                    reporting requirements,                                   
                    have no reasonable                                        
                    purpose or explanation,                                   
                    or involve the use of                                     
                    the broker or dealer in                                   
                    securities to facilitate                                  
                    criminal activity.                                        
Currency         Reports that describe    Financial and         14,228,961 
Transaction      each deposit,            nonfinancial                     
Report (CTR)     withdrawal, exchange of  institutions.                    
                    currency, or other                                        
                    payment or transfer by,                                   
                    through, or to a                                          
                    financial institution,                                    
                    which involves a                                          
                    transaction in currency                                   
                    of more than $10,000.                                     
                    Transactions reported                                     
                    include those conducted                                   
                    by, or on behalf of the                                   
                    same person, conducted                                    
                    on the same business                                      
                    day, and either a single                                  
                    or multiple currency                                      
                    transaction.                                              
Casino Currency  Reports that describe    Casinos and card         634,912 
Transaction      transactions greater     clubs                            
Report (CTR-C)   than $10,000 in currency                                  
and Nevada       as well as suspicious    and Nevada casinos               
Casino (CTRC-N)  transactions. In         with greater than                
                    addition, casinos must   $10,000,000 in annual            
                    report suspicious        gross gaming revenue             
                    transactions and         and with over                    
                    activities on FinCEN     $2,000,000 of                    
                    SAR-C. Nevada casinos                                     
                    must file Form 103N,     table games                      
                    Currency Transaction     statistical winnings.            
                    Report by Casinos -                                       
                    Nevada (CTRC-N)--reports                                  
                    that describe                                             
                    transactions involving                                    
                    more than $10,000 in                                      
                    cash. Also, smaller                                       
                    transactions occurring                                    
                    within a designated                                       
                    24-hour period that                                       
                                                                              
                    aggregate to more than                                    
                    $10,000 in cash                                           
                                                                              
                    are reportable if the                                     
                    transactions are the                                      
                    same types of                                             
                    transactions within the                                   
                    same monitoring area or                                   
                    if different types of                                     
                    transactions occur                                        
                    within the same visit at                                  
                    one location.                                             
Form 8300        Reports of cash payments Individuals involved     157,920 
                    over $10,000 received in in trades or                     
                    a trade or business.     businesses that are              
                                             not financial                    
                                             institutions.                    
Foreign Bank and Annual reports of        Individuals or           281,762 
Financial        financial interest in    depository                       
Account Report   foreign accounts if the  institutions having              
(FBAR)           aggregated value of a    an interest in, and              
                    foreign financial        signature or other               
                    account exceeds $10,000  authority over, one              
                    at any time during the   or more bank,                    
                    calendar year.           securities, or other             
                                             financial accounts in            
                                             a foreign country.               
Designation of   Reports banks file to    Depository               105,775 
Exempt Person    exempt eligible          institutions.                    
(DOEP)           customers from currency                                   
                    transaction report                                        
                    reporting requirements.                                   
                    Exempt customers include                                  
                    banks, government                                         
                    agencies/authorities,                                     
                    listed companies and                                      
                    subsidiaries, eligible                                    
                    nonlisted businesses                                      
                    with a history of                                         
                    frequent currency                                         
                    transactions, and                                         
                    payroll customers.                                        
Report of        Reports the              Individuals,                NA^b 
International    transportation           corporations,                    
Transportation   (physically, or mailing  partnerships, trusts             
of Currency or   and shipping or receipt) or estates, and                  
Monetary         of currency into or out  associations.                    
Instrument       of the United States and                                  
(CMIR)           certain other monetary                                    
                    instruments on any one                                    
                    occasion in excess of                                     
                    $10,000.                                                  

           Source: GAO analysis.

           ^aExceptions include (1) businesses serving as agents of another
           MSB; (2) businesses whose only MSB activity is the issuance, sale,
           or redemption of stored value; (3) the U.S. Postal Service or
           agencies of the United States, a state, or a political subdivision
           of any state; and (4) MSB branch offices.

           ^bInformation is processed and kept by Immigration and Customs
           Enforcement.
			  
 Appendix III: Responsibilities of MSBs under BSA

           Included within the BSA reporting and record-keeping requirements
           are MSBs. A business is generally considered to be an MSB if (1)
           it offers one or more of the following services: money orders,
           traveler's checks, check cashing, currency dealing or exchange,
           and stored value and (2) the business either conducts more than
           $1,000 in these activities with the same person in one day or
           provides money transfer services in any amount.

           Each business (not including branches) that fits within the
           definition of an MSB is required to register with FinCEN, except
           for the U.S. Postal Service and other agents of the federal,
           state, or local governments, and those businesses that are
           considered MSBs only because they (1) act as agents for other MSBs
           or (2) act as issuers, sellers, or redeemers of stored value.
           Certain MSBs are required to file suspicious activity reports for
           transactions involving at least $2,000 in which the MSB believes
           or has reason to believe that the transaction (1) involves funds
           derived from illegal activity or is intended to hide such
           activity; (2) is otherwise designed to evade the reporting
           requirements under BSA; (3) has no business or apparent lawful
           purpose or is not the type of transaction in which the customer
           would normally be expected to engage; or (4) involves the use of
           an MSB to facilitate criminal activity.

           All MSBs are required to develop and implement risk-based BSA
           compliance programs. MSBs are also required to file currency
           transaction reports for cash transactions of over $10,000, and
           must maintain information pertaining to the sale of and verify the
           identity of those purchasing certain monetary instruments (e.g.,
           money orders and traveler's checks) valued from $3,000 to $10,000.
           MSBs must also maintain information on funds transfers of $3,000
           or more.

Appendix IV: Access to Taxpayer Information for BSA Examinations

One way to improve the IRSï¿½s knowledge of the NBFI population subject to BSA
requirements would be to access specific identifying information reported on
income tax returns. However, the IRS Office of Fraud/BSA is unable to use
taxpayer information to identify businesses that may be subject to BSA
requirements. Section 6103 of the Internal Revenue Code, which prohibits IRS
from disclosing returns or return information unless a statutory exception 
pplies, does not currently specifically allow disclosure for Title 31
examinations. Over the years, however, Congress has amended section 6103 to
allow access to taxpayer information for specific purposes, including
disclosure to federal officials for the administration of certain federal
laws not relating to tax administration. According to Treasury the burden
of supporting an exception to the section 6103 prohibition should be on the
requesting agency, in this case IRS, to make the case for disclosure and
provide assurances that the information will be safeguarded appropriately.
To date, IRS has not done so. Table 6 lists the criteria Treasury and IRS
have applied when evaluating specific legislative proposals.

Table 6: Criteria Applied by Treasury and IRS When Evaluating Specific
Proposals for Governmental Disclosures

Criteria to be addressed by Is the requesting information highly relevant  
the requesting agency       to the program for which it is to be           
                               disclosed?                                     
                                                                              
                               Are there substantial program benefits to be   
                               derived from the requested information?        
                                                                              
                               Is the request narrowly tailored to the        
                               information actually necessary for the         
                               program?                                       
                                                                              
                               Is the same information reasonably available   
                               from another source?                           
Criteria to be addressed by Will the disclosure involve significant        
the requesting agency and   resource demands on IRS?                       
Treasury/IRS                                                               
                               Will the information continue to be treated    
                               confidentially within the agency to which it   
                               is disclosed, pursuant to standards prescribed 
                               by IRS?                                        
                                                                              
                               Other than I.R.C. S 6103, are there any        
                               statutory impediments to implementation of the 
                               proposal?                                      
Criteria to be addressed by Will the disclosure have an adverse impact on  
Treasury/IRS                tax compliance or tax administration?          
                                                                              
                               Will the disclosure implicate other sensitive  
                               privacy concerns?                              

Source: Office of Tax Policy, Department of the Treasury.

Appendix V: MOUs on BSA Compliance Appendix V: MOUs on BSA Compliance

FinCEN and IRS are forging a more collaborative approach to implementing
BSA compliance efforts. FinCEN and IRS recognize that a more collaborative
approach to BSA compliance will allow them to better leverage interagency
and intergovernmental resources. Since 2005, FinCEN and IRS have begun to
formalize more collaborative relationships with each other and a number of
state regulatory/banking agencies that examine NBFIs for BSA compliance.
The principle vehicle for developing these relationships has been the
MOUs. These MOUs provide formalized procedures for coordinating BSA
activities and sharing information. Separate MOUs between FinCEN and IRS,
FinCEN and 42 state regulatory/banking agencies and Puerto Rico, and IRS
and 34 state regulatory/banking agencies and Puerto Rico have been signed.

           o The MOU between FinCEN and IRS establishes procedures for the
           exchange of information between the two agencies with the goal of
           enforcing BSA compliance. The MOU dictates that IRS provide a wide
           range of information to FinCEN through quarterly and annual
           reports, including new or revised examination policies,
           procedures, or guidance and quantitative data on examinations
           conducted, violations discovered, and referrals made. The MOU
           dictates that FinCEN will provide IRS with information on
           enforcement actions and analytical products on patterns and trends
           as well as provide technical and analytical assistance in
           overseeing industry compliance.
           o MOUs between FinCEN and 42 states and Puerto Rico have been
           signed in an attempt to advance the sharing of information and
           enhance uniform application of BSA. FinCEN expects to receive
           information on businesses examined and enforcement actions taken.
           In exchange, the states expect to receive analytical tools from
           FinCEN that will maximize resources and highlight areas and
           businesses with higher risk for money laundering. Both FinCEN and
           the states expect the agreements to help them improve the
           coordination of collective actions and concerns by providing a
           clearer picture of the various financial industries regulated.

           IRS has signed MOUs with 34 states and Puerto Rico to establish
           information sharing to assist in the examination of MSBs and other
           NBFIs. The IRS/State MOUs involve the coordination of examination
           activities and the sharing of examination procedures, schedules,
           and lists of MSBs. These MOUs are different from the MOUs between
           FinCEN and the states because FinCEN's agreement involves FinCEN
           sharing analytical information gathered from various regulators.
           By collaborating with the states, IRS hopes to improve the quality
           and coverage of compliance examinations and make better use of
           examination resources. The agreements established in the MOUs are
           intended to eliminate duplicative examination efforts and
           regulatory requirements, and build greater quality and consistency
           through training. IRS, FinCEN, and the states have only recently
           begun to implement the agreements in the MOUs.
			  
			  Appendix VI: Comments from the Financial Crimes Enforcement
			  Network and Internal Revenue Service
			  
			  Appendix VII: GAO Contact and Acknowledgments
			  
			  GAO Contact

           James R. White (202) 512-5594 or [email protected]
			  
			  Acknowledgments

           In addition to the above contacts Signora May, Assistant Director;
           Sean Bell; Brian James; Katrina Taylor; and Shamiah Woods made
           significant contributions to this report. Danny Burton, Evan
           Gilman, Timothy Hopkins, Shirley Jones, Barbara Keller, Jeffrey
           Knott, Donna Miller, and Sabine Paul also made key contributions.
			  
			  GAOï¿½s Mission

           The Government Accountability Office, the audit, evaluation and
           investigative arm of Congress, exists to support Congress in
           meeting its constitutional responsibilities and to help improve
           the performance and accountability of the federal government for
           the American people. GAO examines the use of public funds;
           evaluates federal programs and policies; and provides analyses,
           recommendations, and other assistance to help Congress make
           informed oversight, policy, and funding decisions. GAO's
           commitment to good government is reflected in its core values of
           accountability, integrity, and reliability.
			  
			  Obtaining Copies of GAO Reports and Testimony

           The fastest and easiest way to obtain copies of GAO documents at
           no cost is through GAO's Web site ( www.gao.gov ). Each
           weekday, GAO posts newly released reports, testimony, and
           correspondence on its Web site. To have GAO e-mail you a list of
           newly posted products every afternoon, go to www.gao.gov and
           select "Subscribe to Updates."
			  
			  Order by Mail or Phone

           The first copy of each printed report is free. Additional copies
           are $2 each. A check or money order should be made out to the
           Superintendent of Documents. GAO also accepts VISA and Mastercard.
           Orders for 100 or more copies mailed to a single address are
           discounted 25 percent. Orders should be sent to:

           U.S. Government Accountability Office 441 G Street NW, Room LM
           Washington, D.C. 20548

           To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax:
           (202) 512-6061
			  
			  To Report Fraud, Waste, and Abuse in Federal Programs

           Contact:

           Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
           [email protected] Automated answering system: (800) 424-5454 or
           (202) 512-7470
			  
			  Congressional Relations

           Gloria Jarmon, Managing Director, [email protected] (202)
           512-4400 U.S. Government Accountability Office, 441 G Street NW,
           Room 7125 Washington, D.C. 20548
			  
			  Public Affairs

           Paul Anderson, Managing Director, [email protected] (202)
           512-4800 U.S. Government Accountability Office, 441 G Street NW,
           Room 7149 Washington, D.C. 20548

(450396)

www.gao.gov/cgi-bin/getrpt?GAO-07-212 .

To view the full product, including the scope
and methodology, click on the link above.

For more information, contact James R. White at (202) 512-5594 or
[email protected]..

Highlights of [50]GAO-07-212 , a report to congressional committees.

December 2006

BANK SECRECY ACT

FinCEN and IRS Need to Improve and Better Coordinate Compliance and Data
Management Efforts

In 2005, over 16 million Bank Secrecy Act (BSA) reports were filed by more
than 200,000 U.S. financial institutions. Enacted in 1970, BSA is the
centerpiece of the nation's efforts to detect and deter criminal financial
activities. Treasury's Financial Crimes Enforcement Network (FinCEN) and
the Internal Revenue Service (IRS) play key roles in BSA compliance,
enforcement, and data management. GAO was asked to describe FinCEN's and
IRS's roles and assess their effectiveness at ensuring BSA compliance and
efforts to reengineer BSA data management.

[51]What GAO Recommends

To strengthen BSA compliance, GAO recommends the Secretary of Treasury
direct FinCEN and IRS to develop a documented and coordinated strategy
that includes priorities, time frames, and resource needs. The strategy
should cover implementing specific GAO recommendations, such as clarifying
regulations and measuring the compliance rate. To strengthen BSA data
management reengineering, GAO is recommending FinCEN develop a long-term
plan that includes coordination with IRS.

In commenting on a report draft, the Director of FinCEN and the
Commissioner of Internal Revenue agreed with our recommendations.

FinCEN and IRS have distinct roles, but share some responsibilities in
implementing BSA. FinCEN's role is to oversee the administration of BSA by
numerous agencies including IRS. IRS's role is to (1) examine nonbank
financial institutions (NBFI), such as money transmitters and check
cashers, for compliance with BSA; (2) investigate potential criminal BSA
violations; and (3) collect and store BSA reported data by all financial
institutions.

IRS continues to face challenges in identifying NBFIs subject to BSA and
then using its limited resources to ensure compliance.

           o IRS has identified approximately 107,000 potential NBFIs, yet
           FinCEN, IRS, and others agree there is a portion of the NBFI
           population IRS has not identified. Identifying NBFIs is inherently
           challenging and made even more difficult because FinCEN
           regulations about who is covered are confusing, especially for
           smaller businesses.
           o IRS currently lacks, but is working to develop, a statistically
           valid risk-based approach for selecting NBFIs for compliance
           examinations. IRS only examines a small fraction of NBFIs, less
           than 3.5 percent in 2005, highlighting the need for building risk
           into the selection process. IRS is statistically validating a
           risk-based approach for targeting compliance examinations on
           certain NBFIs suspected of noncompliance. IRS's validation study
           is a step in the right direction, but IRS's approach will continue
           to have limitations because the study was not designed to be
           representative of all potential NBFIs.
           o IRS established a new office accountable for BSA compliance, and
           is working to improve examination guidance. However, IRS's
           management of BSA compliance has limitations, such as a lack of a
           compliance rate measure and a comprehensive manual that NBFIs can
           use to develop anti-money laundering programs compliant with BSA.

Addressing program challenges, such as identifying NBFIs and examining
those of greatest risk of noncompliance will take time and require
prioritizing actions and identifying resource needs. However, FinCEN and
IRS lack a documented and coordinated strategy with time frames,
priorities, and resource needs for improving NBFI compliance with BSA
requirements.

FinCEN has undertaken a broad and long-term effort to reengineer, and
transition from the IRS, all BSA data management activities. FinCEN,
however, missed opportunities to effectively plan this effort and to
coordinate its implementation with IRS. For example, FinCEN began making
significant investments in information technology projects before a
comprehensive plan to guide the reengineering effort was in place. When a
key project--BSA Direct Retrieval and Sharing--failed, it jeopardized the
future of the broader reengineering effort. After investing over $14
million (nearly $6 million over the original budget) in a failed project,
FinCEN is now reassessing BSA Direct but does not yet have a plan for
moving forward with the broader effort to reengineer BSA data management
activities.

References

Visible links
  36. http://www.gao.gov/cgi-bin/getrpt?GAO-06-947R
  37. http://www.gao.gov/cgi-bin/getrpt?GAO-05-251
  38. http://www.gao.gov/cgi-bin/getrpt?GAO-03-614
  39. http://www.gao.gov/cgi-bin/getrpt?GAO-06-91
  40. http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-86-94
  41. http://www.gao.gov/cgi-bin/getrpt?GAO-06-386
  42. http://www.gao.gov/cgi-bin/getrpt?GAO-06-947R  
  50. http://www.gao.gov/cgi-bin/getrpt?GAO-07-212
*** End of document. ***