On February 17, Treasury’s OIG issued its third audit report as part of a series of reports on FinCEN’s management of BSA data access, finding multiple compliance and oversight deficiencies in the agency’s handling of sensitive financial records. As required under the BSA/AML, FinCEN maintains government-wide access to collected data to aid law enforcement efforts against illicit finance. The audit report specifically related to findings regarding FinCEN’s process for granting bulk data access, maintaining a system of records notice, and executing memoranda of understanding (MOUs) with agencies using BSA data.

Among other issues, the OIG audit found that FinCEN did not comply with applicable laws, standard operating procedures (SOPs), or government-wide standards regarding data access management in several respects. The OIG found FinCEN was not compliant in: (i) documenting assessments or conducting reevaluations of the need for bulk data access; (ii) updating its BSA system of records notice; (iii) executing a MOU with one of the eleven agencies receiving bulk data access; (iv) executing platform program MOUs with 11 agencies; (v) updating BSA data MOUs; (vi) accurately tracking agencies with BSA data MOUs; (vii) properly maintaining BSA data MOUs; and (viii) properly executing BSA data MOUs. Considering these findings, the OIG provided 14 recommendations to FinCEN’s director to remediate improper compliance with applicable law and SOPs governing BSA data access. The audit report stated that FinCEN management has implemented corrective actions in response to several recommendations and provided a plan to undertake corrective action for the remainder.