Show Us Your Money

The USA PATRIOT Act lets the feds spy on your finances. But does it help catch terrorists?


"This is really a bill which, if enacted into law, will be [a longer] step in the direction of stopping terrorism than any other we have had before this Congress in a long time," one of the bill's sponsors declared. The legislation authorized broad surveillance of financial transactions, bypassing the Fourth Amendment's normal protections against "unreasonable searches and seizures" by requiring businesses to collect and share information with the government. After the measure passed and was signed into law, the debate was far from over. The American Civil Liberties Union and other critics continued to rail against the law as an unnecessary breach of privacy.

"Under the act and regulations the reports go forward to the investigative or prosecuting agency…without notice to the customer," one civil libertarian wrote. "Delivery of the records without the requisite hearing of probable cause breaches the Fourth Amendment….I am not yet ready to agree that America is so possessed with evil that we must level all constitutional barriers to give our civil authorities the tools to catch terrorists."

But times have changed, one of the law's defenders countered. "While an act conferring such broad authority over transactions such as these might well surprise or even shock those who lived in an earlier era," he wrote, "the latter did not…live to see the heavy utilization of our domestic banking system by the minions of organized terrorism as well as by millions of legitimate businessmen." The author did not "think it was strange or irrational that Congress, having its attention called to what appeared to be serious and organized efforts to avoid detection of terrorist activity, should have legislated to rectify the situation."

These may sound like the arguments for and against the USA PATRIOT Act, passed immediately after the attacks of September 11, 2001. But they concern another piece of legislation, the Bank Secrecy Act (BSA) of 1970. The only change I made to these decades-old quotes was to substitute the word terrorist for criminal and terrorism for crime.

The congressman was Wright Patman, the populist Texas Democrat who pushed through the bill on the premise that it would help fight drug trafficking, tax evasion, and other crimes, including the then-prohibited ownership of gold as a commodity. The civil libertarian was Supreme Court Justice William O. Douglas. In the 1974 case California Bankers Association v. Shultz, Douglas wrote a dissent, joined by Justices William Brennan and Thurgood Marshall, concluding that the Bank Secrecy Act violated the Fourth Amendment. The final quote is from William Rehnquist, now the Court's chief justice, who wrote the majority opinion upholding the law.

Needle in a Haystack

The reason the arguments sound familiar is that the BSA set the precedent for much of the PATRIOT Act, not to mention government fishing expeditions such as the Pentagon's aborted Total Information Awareness program. The law authorized the government to require bank reports of all transactions over a dollar value set by the Treasury Department, even if there is no reason to suspect a criminal connection. For the first time, in the words of the U.S. District Court for the Northern District of California, "the government claim[ed] the legal right to maintain routine surveillance, without summons, subpoena, or warrant, over the details of citizens' financial transactions."

The district court struck down the BSA's reporting requirement, but its decision was reversed by the Supreme Court. In a complicated majority opinion, Rehnquist said that banks, as businesses, don't have the same Fourth Amendment rights as individuals. The opinion relied on the many post-New Deal cases that minimized economic liberties, including one that said "corporations can claim no equality with individuals in the enjoyment of a right to privacy." In this and in a subsequent BSA case, U.S. v. Miller (1976), the Court ruled that a bank's customers generally lack standing to challenge the law.

Law enforcement agencies thus found a convenient end run around the Fourth Amendment. They can access the details of a bank customer's transactions from the Treasury Department's Financial Crimes Enforcement Network (FinCEN) without showing probable cause—or any evidence at all. That is why the PATRIOT Act's defenders argue that the law is not a radical departure from what the government already had the power to do. Writing in the Summer 2003 issue of City Journal, the Manhattan Institute's Heather Mac Donald accuses the PATRIOT Act's opponents of trying to "invent new rights," because it has long been the case that "there is no Fourth Amendment privacy right in records or other items disclosed to third parties."

While Mac Donald may be partly right about the case law, she overlooks two important questions. One is whether surveillance programs like FinCEN are consistent with the principles of a free society. The other is how effective they've been: Have we gotten more security during the last 30 years in exchange for the privacy we've sacrificed? Looking specifically at the BSA and other bank surveillance measures, prominent experts in law enforcement, national security, and technology say the answer is no. The record of FinCEN, the agency that was charged with tracking terrorist financing prior to 9/11, seems to vindicate their arguments. The lack of success with the financial information that the government has long been collecting does not bode well for more-ambitious data dredging plans. Indeed, experience suggests that piling up more data could make it harder to zero in on terrorists.

"I consider all these measures to be highly counterproductive," says John Yoder, director of the Justice Department's Asset Forfeiture Office in the Reagan administration. "It costs more to enforce and regulate them than the benefits that are received. You're getting so much data on people who are absolutely legitimate and who are doing nothing wrong. There's just so much paperwork out there that it's really not a targeted effort. You have investigators running around chasing innocent people, trying to find something that they're doing wrong, rather than targeting real criminals."

The paperwork is indeed massive. Even before the PATRIOT Act, banks sent more than 12 million transaction reports to the government in 2000 alone. In a 2000 report for the Competitive Enterprise Institute, economist Lawrence Lindsey, who later became head of the Bush administration's National Economic Council, calculated that banks file more than 100,000 reports on innocent customers for every money laundering conviction. Oliver "Buck" Revell, a highly decorated 30-year veteran of the FBI who supervised the bureau's counterterrorism division in the 1980s and '90s, agrees that the sheer volume of data generated by these measures can overwhelm law enforcement efforts. "You can be buried in an avalanche of information," Revell says. "The total volume of activity makes it very difficult to track and trace any type of specific information….It's virtually impossible to look at millions and millions of CTRs [currency transaction reports] and make any sense out of them if you don't have some prior intelligence as to what might be occurring."

Yoder argues that the information overload from bank surveillance contributed to the intelligence failure before the September 11 attacks. "We already had so much information that we weren't really focusing on the right stuff," he says. "What good does it do to gather more paperwork when you're already so awash in paperwork that you're not paying attention to your own currently existing intelligence gathering system?"

While it did not cite the BSA directly, the recently published Joint Congressional Inquiry report on intelligence lapses before 9/11 did find that law enforcement and intelligence agencies faced a "huge volume of intelligence reporting," within which were "various threads and pieces of information that, at least in retrospect, are relevant and significant." The report concluded that "although relevant information…was available to the Intelligence Community prior to September 11, 2001, the Community too often failed to focus on that information and consider and appreciate its collective significance in terms of a probable terrorist attack." This was partly because analysts were trying to find a needle in a very large haystack of data created by laws like the BSA.

Banker or Spy?

Fears that the BSA would swamp law enforcement with data were expressed from the beginning. The federal court decision striking down the law's reporting requirement (issued, coincidentally, on September 11, 1972) called the BSA a "far-fetched" way to catch criminals and warned that it could be counterproductive. The court quoted an IRS commissioner as saying that "the creation of a mass of paper beyond our capacity to utilize could have the effect of submerging and making unobtainable information of special interest to us."

Despite such concerns, financial surveillance has been massively expanded during the last 30 years, while other intelligence-gathering techniques, such as the use of informants, have been sharply restricted. The Treasury Department's BSA regulations required banks, subject to some exemptions, to file a currency transaction report on every cash transfer of $10,000 or more. In the 1990s, the department established FinCEN, which expanded the regulations to require that banks file "suspicious activity reports" on all transactions of $5,000 or more if they have "no apparent lawful purpose or are not the sort in which the particular customer would normally be expected to engage." Banks are forbidden to notify customers about the reports. "In effect, bankers have been drafted as spies and snitches," wrote banking industry consultant Bert Ely in a 2002 paper for the conservative Free Congress Foundation.

"Know Your Customer" rules, proposed by FinCEN and the Federal Reserve in 1998, would have required banks to profile every customer's "normal and expected transactions" and report the slightest deviation to the feds. The rules were withdrawn after the Libertarian Party, the ACLU, and other groups helped generate 300,000 public comments in opposition.

But according to Wired magazine, as of 1999 more than 88 percent of U.S. banks already had "Know Your Customer" policies in place to satisfy regulators who looked at their suspicious activity reports. And after the September 11 attacks, regulators began openly using the phrase again. At an American Bankers Association conference in October 2001, Federal Reserve Bank of Atlanta Vice President Suzanna Costello told the audience her agency was "looking for…effective Know Your Customer" programs at the banks it regulates. "A year ago, I wouldn't have even said 'Know Your Customer,'" she said. "But I see that it's back."

The Citizen-Soldier Burden

Customer surveillance is not just at banks anymore. In his dissent in the California Bankers Association case, Justice Douglas made a sarcastic suggestion that turned out to be prophetic:

"It would be highly useful to government espionage to have reports from all our bookstores, all our hardware and retail stores, all our drugstores….What one buys at the hardware and retail stores may furnish clues to potential uses of wires, soap powders, and the like used by criminals."

Even before 9/11, FinCEN had put out a rule applying the "suspicious activity" reporting requirement to any establishment that processed money orders or sold smart cards, including convenience stores. The PATRIOT Act extended the requirement to many more businesses. FinCEN, pursuant to the act, recently put the "suspicious activity" reporting rules into effect for brokerage houses, and real estate transactions are next on the list. The law also specifically covers casinos, credit card agencies, and life insurers. In the next few months, the Broward Daily Business Review reports, "the Treasury Department will decide whether the act covers travel agents, automobile dealers, mutual funds and dealers in precious metals and stones." And under the law, virtually all businesses, including the "hardware and retail stores" mentioned by Douglas, now have to report to the government any cash purchases over $10,000.

Treasury Department General Counsel David Aufhauser explained the new reporting requirements this way in a 2002 interview with The Washington Post: "The Patriot Act is imposing a citizen-soldier burden on the gatekeepers of financial institutions." He justified this burden by arguing that "they are in the best position to police attempts by people who would do ill to us in the U.S. to penetrate the financial system."

Few politicians, even among those who have criticized other parts of the PATRIOT Act, are willing to challenge the proposition that businesses should be deputized to spy on their customers. The late Justices Douglas, Brennan, and Marshall might be shocked that liberal Democrats in Congress such as Sens. Carl Levin of Michigan and Paul Sarbanes of Maryland have been the biggest proponents of expanding the Bank Secrecy Act. They see it as a way of targeting wealthy people who pay less than their "fair share" in taxes by moving some of their investments overseas. The only member of Congress who has gone on record in support of repealing the BSA entirely is Rep. Ron Paul (R-Texas).

Yet given the BSA's track record, experts say there's no reason to believe the new financial surveillance measures will stop the next attack. They could simply swamp law enforcement with even more useless data. The critics say reporting mandates have flooded the government with massive volumes of irrelevant information, such as reports on the "suspicious activities" of law-abiding customers withdrawing large amounts of money for medical treatment or depositing thousands of dollars in casino winnings, and have not been effective in either attacking the drug trade or preventing terrorist attacks.

J. Michael Waller, vice president of the Center for Security Policy, a hawkish D.C. think tank, is usually not in sync with the ACLU. He fully supports Attorney General John Ashcroft's detention of Arab visitors and advocates targeted ethnic profiling. But he calls the BSA's routine mass surveillance measures "really, really dumb."

"To me, it's just a well-intentioned thing with no cojones behind it," says Waller, who is also a professor of international communications at the Institute of World Politics in Washington. "It's a huge burden on the banks. It could mean that every time somebody trades in some stock and just buys other stock with the same money, it's got to be reported to FinCEN. [FinCEN bureaucrats] are giving themselves millions of times more information than they can possibly handle or analyze….What if you get a $25,000 or $50,000 book advance? 'Oh, that's an anomaly; let's look at this guy.' Think of the probably millions of anomalies occurring every day. It's really stupid."

Hawala Bungle

Although it was not one of the agencies covered in the 9/11 report, FinCEN had its own intelligence failures, and they cast light on how effective the expanded financial reporting mandates might be. In the months prior to 9/11, FinCEN appeared to be choking on the flood of bank reports it received. In the March 25, 2002, issue of Insight, Jamie Dettmer reported that "Treasury sources say there is a two-year backlog of SARs [suspicious activity reports] still waiting to be entered into the agency's computers." In addition, several banking compliance officers told him "they were unaware of any SARs they'd filed being followed up by federal investigators."

FinCEN apparently was so busy processing paperwork that it ignored the valuable advice of one of its experts—advice that many say could have led to the Al Qaeda money trail. Patrick Jost, who came to FinCEN in the '90s with an atypical background as a jazz musician, linguistics instructor, and video game programmer, was an expert on hawala, the shadowy, informal system of money trading in South Asian and Middle Eastern countries that leaves a very faint paper trail. In a hawala transaction, someone from Pakistan living in America could send money back home by paying a U.S. vendor, who in turn would contact a trusted partner in Pakistan, who would give the money in local currency to its intended recipient. The money technically never leaves the U.S. It is a money transfer without money movement. Although hawala is often used for innocent purposes such as sending money to relatives, in the late '90s there was already evidence that it was being used by terrorists. As Jost documented in a 1998 paper he co-wrote for Interpol, terrorists used hawala to finance a series of bomb blasts in Bombay, India, in 1993.

William Wechsler, head of a White House working group on terrorist financing, met with Jost in 1999. Wechsler recalls that after hearing Jost's explanation of hawala, he spread the word to counterterrorism experts in the government, many of whom contacted Jost for help. Jost was also doing research on other aspects of terrorist financing, such as the countries terrorist money flows through. But FinCEN, even though it was charged with helping law enforcement track criminal money laundering, instructed him to decline Jost's offer of assistance and discouraged him from pursuing further research on terrorism financing. Jost told The Washington Post in 2001 that FinCEN Director James Sloan and Chief of Operations Connie Fenchel "didn't want FinCEN to pursue this line of work." According to the Post, after being "made to feel unwelcome, Jost left government in June 2000." (Jost and FinCEN officials declined to comment for this article.)

Wechsler recalls that the issue of terrorism did not seem to be a high priority for FinCEN, which appeared much more interested in processing data for the drug war. "FinCEN, along with the rest of the federal law enforcement community, for too long assigned far too low a priority to understanding the nature of and the threat from underground remittance systems, like the hawala network," he says.

Now that supposedly has changed. FinCEN has set up a toll-free number for banks to report transactions they truly think are suspicious, and the Treasury Department has a targeted "watch list" of suspected terrorists for banks to report on. But FinCEN and other agencies will still be inundated with an even bigger flood of reports about mostly legal financial transactions, thanks to the mandates of the BSA and the PATRIOT Act.

Wechsler, along with other Clinton administration officials such as Treasury Undersecretary Stuart Eizenstat, supported the expansion of "suspicious activity" reporting. (He proudly claims that "there are a lot of provisions of the PATRIOT Act that the Clinton administration had asked for.") He argues that new technology will be able to sift through the data. "We should spend the money that it takes to make sure we are able to use the information as effectively as possible, and that we are able to give back to the banking community the after-action reports, how it was used," he says. "But all of those are marginal questions compared to the overall statement that this is way too burdensome and useless. It's nonsense; it's very useful."

Yet for 30 years agencies have said technology eventually would be able to pinpoint the needle in this enormous haystack, and the elusive technology has yet to appear. The Pentagon's Total Information Awareness (TIA) project was aimed at developing methods to sift through huge volumes of data from public and private sources, looking for patterns that could indicate terrorist activity. After a loud public outcry about the privacy implications, Congress voted earlier this year to deny the project funding. Now the Pentagon is trying to revive it under a new name, Terrorism Information Awareness.

Missing Human Intelligence

Professional criminals often know the banking laws and how to get around them. And terrorist money, without prior intelligence, appears to be even harder to track than drug money. While large cash transfers can occasionally tip off authorities to drug activity, terrorists leave few telltale financial signs. As Jost pointed out in Senate testimony in late 2001, money used for terrorism often comes from legal businesses and charities. "With a certain amount of simplification, money laundering and terrorist financing are opposites," he said. "In money laundering, dirty money becomes clean; in terrorist financing, clean money become dirty."

Take the September 11 hijackers. The only way we know of that any of them broke the law prior to the attacks was by overstaying their visas. They gave no signs to the financial institutions they dealt with that they were plotting something sinister. "The terrorists didn't spend a whole lot," observes Richard Rahn, a senior fellow at the Seattle-based Discovery Institute and the author of The End of Money and the Struggle for Financial Privacy. "They stayed in cheap hotels, ate in cheap restaurants and rode in cheap rental cars….And so these measures that are promulgated to try to just collect financial information willy-nilly are not really very useful." Bert Ely, the banking consultant, noted in his Free Congress Foundation paper that "the FBI has estimated that the Sept. 11th hijackers spent just $500,000 over more than a year carrying out their diabolical acts. Payments moving through the U.S. financial system average $1.7 trillion per business day."

A SunTrust bank in Florida did file an internal report, as required for wire transfers of $3,000 or more, on money received by 9/11 ringleader Mohammad Atta, which came from the United Arab Emirates in 2000 and totaled more than $100,000. But "there was nothing unusual in the way those accounts and transactions were opened or maintained," says SunTrust spokesman Barry Koling. The only possible tipoff was that the money came from the UAE, which Jost had identified in his 1998 Interpol report as a hotbed of hawala and terrorism financing. But FinCEN apparently had not issued any warnings about the UAE, as it had about Colombia and other hot drug spots.

That oversight illustrates the importance of what's called "human intelligence." Both privacy and national security advocates say that since the advent of massive data- bases and laws like the BSA, the government too often has relied on technology as a savior and disregarded the importance of human sources, both experts in the field and snitches among the bad guys. FBI veteran Revell says that in his major cases, it was the informant who led to the financial data, not the other way around. "When we were investigating the skimming of the casinos by the mob in Las Vegas [in the late 1970s and early '80s], we had to have intelligence on how it was being done before we could really determine evidence of how it was being done," he recalls. "The development of informants within the mob's control structure of Las Vegas led us to be able to discover the money laundering and to bring charges and wipe the mafia out in Las Vegas."

Even data mining experts say the most advanced technology is useless without human intelligence. "The data won't do anything unless you ask the right questions," says Marc Epstein, CEO of Data Mining International, a Los Gatos, California, firm that makes software for the U.S. Customs Service and other law enforcement agencies. Epstein says that before the government starts collecting massive data for a TIA-style program, it should make better use of the data it has. He says there is much that can be gleaned simply from the customs data of goods going into and out of the country. "From a pure law enforcement point of view, putting aside privacy concerns, more information is better," Epstein says. "But we're not using the information that we have well."

30 Years of Failure

There are plenty in the tech world who would take issue with Epstein's assertion that more information is always better. Software engineer Bruce Schneier, for example, has written about the inevitable problem of "false positives" in a large database. Passengers at airports are already seeing the effect of false positives that mistakenly put them on "no fly" lists, presumably because their names are similar to those of terrorists or criminals. Recent press reports have chronicled the travails of several men named David Nelson, including the actor who played himself on the popular '50s TV show The Adventure of Ozzie and Harriet, who have been delayed or prevented from catching their flights because the name mysteriously set off an alarm in an airport computer.

"When you are scanning a population that is composed of hundreds of millions of people, and the class of criminal you're looking for is a couple hundred or a couple thousand, there are no tools available, and there are almost certainly never going to be tools available, with the sophistication to focus almost exclusively on the bad guys," says Bob Gellman, who in the '90s acted as chief counsel of a House subcommittee on privacy and technology. Gellman says data mining's success in the private sector will never translate to law enforcement because a different level of precision is required. "If direct marketing companies, with all the research they do, get a 3 percent response rate, they're ecstatic," Gellman says. "And these are smart people with lots of data and lots of motivation because they're making money, and they can't do much better than that."

In the debate over the PATRIOT Act and other broad surveillance measures, the Bank Secrecy Act should be thought of as a 30-year experiment in subverting the Fourth Amendment. The experiment has imposed tremendous costs on individual privacy and the economy (even before 9/11, the banking industry was estimating compliance costs of $10 billion a year), with few tangible results in stopping crime and even fewer in preventing terrorism. Getting back to the standards of the Fourth Amendment is a good idea, not just for securing privacy but for making law enforcement and intelligence agencies more focused and effective at stopping criminals and catching terrorists.

"Most police officers, I find, have very high regard for and deference to the Fourth Amendment," says Bob Barr, the former CIA agent and U.S. attorney who served as a Republican congressman from Georgia for eight years and is now a consultant on privacy issues for the ACLU and the American Conservative Union. "I think they understand, perhaps better than a lot of bigwigs, that it is there to protect them and to help keep them focused as well as to protect the individuals."