Staff Report to the Commission

scrutiny without legitimate basis, and could even extend to refusing to service customers

meeting a certain profile. Of course, religion, nation of origin, or ethnicity can and should

be taken into consideration, along with many other factors, in the subjective judgment as

to whether a certain transaction or account is suspicious. Our point is that profiling—by

itself—is both an unfair and an ineffective way for financial institutions to attack terrorist

financing.

52 FinCEN, SAR Bulletin, no. 4 (Jan. 2002). Typically, they included structuring multiple deposits or other

transactions to be below the $10,000 reporting threshold, collecting funds through a variety of financial

channels then funneling them to a small number of foreign beneficiaries, or a volume of financial activity

inconsistent with the stated purpose of the account.

National Commission on Terrorist Attacks Upon the United States

58

That being said, there may be utility in having financial institutions examine transactions

for indicia of terrorist financing. It certainly assists in preventing open and notorious

fund-raising and forces terrorists and their sympathizers to raise and move money

clandestinely, thereby raising the costs and risks involved. The deterrent value in such

activity is significant and, while it cannot be measured in any meaningful way, ought not

to be discounted.

Financial Institutions Have a Role in Combating Terrorist

Financing in the United States

The inability of financial institutions to detect terrorist operatives or terrorist fund-raising

does not relegate the private sector to the sidelines in the fight against terrorism. To the

contrary, there are a number of things that financial institutions can do right now. There

also are a number of things that could be done in the future, if current law or government

policies are changed. This section addresses what can be done now and assesses some

possibilities for the future.

Now: Helping the government find the terrorists

Financial tracking

Although financial institutions lack information that can enable them to identify

terrorists, they have information that can be absolutely vital in finding terrorists. If the

government can determine where a terrorist suspect banks, his account opening

documents can provide his address, and his ATM and credit card usage can show where

he is and what he is doing. Again, the 9/11 plot provides a good example. Had the U.S.

government been able in August 2001 to learn that hijackers Nawaf al Hazmi and Khalid

al Mihdhar had accounts in their names at small New Jersey banks, it could have found

them. The hijackers actively used these accounts, through ATM, debit card, and cash

transactions, until September 10. Among other things, they used the debit cards to pay for

hotel rooms—activity that would have enabled the FBI to locate them, had the FBI been

able to get the transaction records fast enough. Moreover, al Hazmi used his debit card on

August 27 to buy tickets on Flight 77 for himself, his brother, and fellow Flight 77

hijacker Salem al Hazmi.

If the FBI had found either al Mihdhar or Nawaf al Hazmi, it could have found the other.

They not only shared a common bank but frequently were together when conducting

transactions. After locating al Mihdhar and al Hazmi, the FBI could have potentially

linked them through financial records to the other Flight 77 hijackers. For example, as

noted, Nawaf al Hazmi used his debit card on August 27 to buy plane tickets for himself

and his brother, linking those two hijackers. Nawaf al Hazmi and Flight 77 pilot Hani

Hanjour had opened separate savings accounts at the same small New Jersey bank at the

same time and both gave the same address. On July 9, 2001, the other Flight 77 muscle

hijacker, Majed Moqed, opened an account at another small New Jersey bank at the same

Terrorist Financing Staff Monograph

59

time as Nawaf al Hazmi, and used the same address. Given timely access to the relevant

records and sufficient time to conduct a follow-up investigation, the FBI could have

shown that Hani Hanjour, Majed Moqed, and Salem al Hazmi were connected to

potential terrorist operatives al Mihdhar and Nawaf al Hazmi. No one can say where the

investigation would have gone from there, but financial records could potentially have

been used, along with other information—including perhaps information found in the

possession of or provided by the Flight 77 hijackers—to link the Flight 77 hijackers to

the others and, perhaps, disrupt the plot.

Unfortunately, this theoretical investigation would not have worked quite as smoothly in

the world that existed before September 11. First, an agent attempting to locate the

hijackers would have needed to know where to look. There are thousands of financial

institutions in the United States, and making an inquiry of each one of them, regardless of

the exigency of the situation, would not have been a realistic enterprise. Even an

experienced agent tasked to find al Mihdhar or al Hazmi would have been unlikely to

think to use financial tracking; and an agent who did probably would have first called

those institutions with which he or she had some personal relationship—probably big

banks.

Moreover, before 9/11 financial investigations almost always moved at a slow,

methodical pace. In a typical investigation, a financial institution received a grand jury

subpoena or a National Security Letter (NSL) from a federal prosecutor or agent. The

subpoena had a return date—the date by which the bank was required to produce the

records requested. In a typical investigation, the bank searched its records and produced

hard copies of the material requested. Banks and other financial institutions then needed

substantial time to locate and produce records, even in response to a lawful subpoena.

Financial institutions had been prohibited from giving law enforcement certain records

absent compulsory legal process.

Before 9/11, the U.S government did not think in terms of financial tracking, certainly

not systematically and on an urgent basis. The terrorist attacks changed this thinking.

Since 9/11, the government uses financial information to search out terrorist networks so

that a known suspect like al Mihdhar could be quickly located. There are now two

primary approaches for doing this: FBI outreach that has enhanced private sector

cooperation and Section 314(a) of the USA PATRIOT Act.

The FBI’s Terrorist Financing Operations Section (TFOS) has taken the existing legal

rules, which were developed within the context of traditional after-the-fact investigation

of financial crimes, and created a systematic approach to gain expedited access to

financial data in emergencies. To facilitate emerging situations, the FBI has compiled a

list of high-level contacts within the financial community—banks, brokerage houses,

credit card vendors, and money services businesses—to whom it can turn to get financial

information on an expedited basis at any time, including nights, weekends, and holidays.

The FBI serves them on an expedited basis with a subpoena or other legal process to get

the relevant data. In true emergencies, the FBI can get information quickly to locate an

individual or find links among co-conspirators.

National Commission on Terrorist Attacks Upon the United States

60

Applying the post-9/11 FBI approach to the pre-9/11 search for al Mihdhar and al Hazmi

strongly suggests the current system would have enabled the hijackers to be quickly

located. Indeed, the recently retired founder and chief of TFOS stated that given the same

circumstances today, the FBI would find al Mihdhar “in a heartbeat.”53 Corroborating this

contention, FBI has successfully used its system a number of times to locate terrorist

suspects and prevent terrorist attacks. For example, after the FBI received information

that certain potential terrorists had infiltrated the United States, TFOS put into practice

the process it had developed to track the suspects through their financial transactions. The

TFOS process proved successful in obtaining useful data in a very compressed time

frame. Although the subjects proved not to be terrorists, the system demonstrated its

capability. The FBI’s ability to do near real-time financial tracking has enabled it to

locate terrorist operatives in a foreign country and prevent terrorist attacks there on

several occasions. The system also helped crack a major criminal case, played a role in

clearing certain persons wrongly accused of terrorism, and has proved very valuable in

vetting potential threats.

The second approach to obtaining basic financial information on an expedited basis is

through a regulation issued under Section 314(a) of the USA PATRIOT Act. By this

regulation, the Department of Treasury requires financial institutions upon the

government’s request to search their records and determine if they have any information

involving specific individuals. Financial institutions must report any positive matches to

law enforcement within two weeks after the request for information. If there are matches,

law enforcement must follow up with a subpoena to obtain the actual transaction records

as discussed above. In an emergency, law enforcement can ask Treasury to require banks

to respond more quickly to the request, sometimes in two days, a procedure that they

have used on several occasions thus far.

In practice, this process enables law enforcement to find out if an individual of interest

has accounts or has conducted transactions in any one of thousands of financial

institutions across the country. It saves an investigator hundreds of hours that would have

otherwise been spent on a bank-by-bank inquiry—an inquiry that would not have been

done under the old system owing to time and resource constraints. One agent told the

Commission staff that the new procedure so far has produced “tremendous results.” She

cited an instance in which a terrorism investigation resulted in the discovery of two bank

accounts using conventional investigative techniques. Then, as a result of the Section 314

process, investigators were able to identify 19 other accounts across the country—

accounts that they would have never been able to find otherwise.54

53 By contrast, he said that while it would have been theoretically possible to use financial tracking to find

the hijackers before 9/11, the probability of doing so in a timely fashion would have been extremely low.

54 One concern about the Section 314 process is the possibility that a request to thousands of financial

institutions will cause the information to be leaked. In a Las Vegas criminal investigation in October 2002

and a New York terrorism case in March 2003, the media published the fact of the law enforcement

requests. In the New York case, the New York Post even called the subjects to ask them why the FBI was

making the request. As a result, the FBI conducts a risk-benefit analysis before making each request. There

are civil and criminal penalties in the event of a disclosure, and Treasury includes a warning with every

request. There is no guarantee, however, that such warnings will be sufficient to deter leaks.

Terrorist Financing Staff Monograph

61

Account opening and customer identification procedures/data

retention

Financial institutions play a critical role in any effort to find terrorists under either the

FBI’s system or Section 314. To fulfill this role properly in the life-and-death

emergencies that can arise, financial institutions must (1) know their customers by their

real names and possess other essential identifying information, (2) have the ability to

access this information in a timely fashion, and (3) quickly provide this information to

the government in a format in which it can be effectively used.

Section 326 of the USA PATRIOT Act requires that financial institutions “enhance the

financial footprint” of their customers by ensuring effective measures for verifying their

identity. Section 326 recognized that effective customer identification may deter the use

of financial institutions by terrorist financiers and money launderers and also assist in

leaving an audit trail that law enforcement can use to identify and track terrorist suspects

when they conduct financial transactions. In May 2003 the Department of the Treasury

issued regulations implementing the statute, setting forth the type of information that

must be collected as well as the acceptable methods for verifying identity.

The need for accurate identifying information puts a premium on financial institutions

having effective account opening procedures that vet the true identify of each customer,

to the extent possible. A name search for Khalid al Mihdhar will not find him if he is

banking under another name. Obviously, banks cannot be expected to detect perfectly

forged passports and other identification documents; but terrorists rarely are perfect, and

training in spotting false identification documents could help bank personnel catch the

most egregious examples. In addition, bank personnel must ensure that account

documents reflect the full and accurate name of the customer, even if that name is long.55

Equally important, banks must obtain and accurately record key identifying information

about their customers, including date of birth, Social Security number, and passport

number. Many names are so common that nationwide searches for them would generate

so many false positives as to be useless in an emergency. At times, however, the FBI can

obtain and provide other identifying information, such as a passport number, which can

be crucial in narrowing the search—provided that the institution where the subject is a

customer has that information.

The need to locate terrorist operatives in the most exigent circumstances means that

financial institutions must be able to access their data quickly. Quick retrieval can be a

problem for some financial institutions, where years of piecemeal information-system

upgrades have created a dysfunctional structure that greatly complicates the task of

determining if a particular person is a customer. For example, an official of one midsize

55 Shortening the name could mean that the account will be missed if the FBI is seeking a permutation

different than the one used. For example, Ali Abdul Aziz Ali, a.k.a. Ammar al Baluchi, a key facilitator of

the 9/11 attacks, would not be found if a bank listed him only as Abdul Aziz Ali and the FBI was looking

for Ammar al Baluchi.

National Commission on Terrorist Attacks Upon the United States

62

regional bank told Commission staff that his institution must email 28 different people to

respond to a Section 314(a) request. Some banks simply lack electronic searching

capability altogether. An FBI agent with a leading role in the Bureau’s financial-tracking

effort said that many financial institutions can search their data only manually, which is

both resource-intensive and painfully slow in an emergency. Ideally, financial

institutions should be able to do quick electronic searches by customer name, by other

identifying information such as Social Security number or date of birth, or even by

address or employment. Many financial institutions lack this ability today.

Once a financial institution has informed the government that a suspect is a customer and

has received appropriate legal process, it can assist law enforcement greatly by providing

continuous updates about the suspect’s transactions. For example, the information that

the suspect just used his credit card to rent a hotel room, book an airline flight, or rent a

Ryder truck can be essential in an emergency. Many sophisticated financial institutions

can provide the FBI with near “real-time”  information on a suspect’s activities, but other

institutions entirely lack this capability, owing to technical limitations.

Finally, upon receipt of legal process, financial institutions must be able to communicate

the relevant account information to the government officials quickly and efficiently. For

many types of information, this means in electronic format. Although the FBI has long

lagged behind the rest of the country in information systems technology, it has made

tremendous strides since 9/11 in using available technology to find terrorists suspects,

especially through TFOS’s financial-tracking efforts. In many cases, emergency tracking

can be streamlined if information is provided to TFOS in electronic format. Many

financial institutions lack this capability, however.

The FBI’s ability to find terrorist suspects in an emergency through financial tracking

depends in large part on the private sector’s voluntary cooperation. By all reports, the

financial sector’s cooperation has been immense since 9/11, but there is a risk that

cooperation will decrease as the terrorist attacks fade into history and antiterrorism efforts

become just another cost center for financial institutions. Government misuse of

emergency procedures in non-emergency situations could also substantially reduce the

likelihood that the private sector will respond when its help is truly needed to save lives.

To avoid this problem, it is critical that law enforcement and the financial community

maintain good lines of communication. This communication is important at all levels.

Industry groups and major national institutions must meet regularly with national law

enforcement leaders, such as the senior agents running FBI TFOS and the director of

FinCEN, to focus on larger strategic issues. At the same time, FBI field offices need to

reach out to smaller regional financial institutions, which they may need to contact in an

emergency.

This is not to say that financial institutions should become simply another appendage of

law enforcement. To the contrary, under either the FBI approach or Section 314(a),

without legal process financial institutions can answer only one basic question: does X

have an account at your bank? Everything beyond this question requires legal process

under current law. It is hard to see why any privacy or liberty concerns should be raised

Terrorist Financing Staff Monograph

63

about the private sector and financial institutions working together to develop streamlined

procedures for providing critical data quickly in an emergency—pursuant to a lawful

subpoena or other process.

The future: What more can be done?

A number of proposals have been made in recognition that the traditional BSA approach

is inadequate to address the challenges of terrorist financing.

Sharing classified information with bank personnel: A bad idea

The BSA model fails with respect to terrorist financing because the government—not the

financial institutions—has the information that can best identify the terrorist operatives or

fund-raisers. Some have proposed correcting that problem by providing security

clearances to financial institution personnel and then providing these cleared officials

with classified intelligence about terrorist financing. The idea is that the cleared bank

personnel, armed with intelligence to give them a better idea of what they are looking for,

will be able to ferret out the terrorists among their customers.56

The idea of clearing financial institution personnel may be attractive on its face,

particularly to those unfamiliar with the nature of financial intelligence. The proposal

would likely do little, however, to help banks combat terrorist financing and creates a

number of serious privacy and civil liberty concerns. Most intelligence on terrorist

financing is not actionable—it does not identify specific terrorist financiers and their

accounts with sufficient precision to allow actions to disrupt the activity. The intelligence

tends to be limited and speculative, and it frequently relies on dubious sources of

information. It can be valuable to trained intelligence experts, who can evaluate it in the

context of the broad spectrum of available information, but not to bank compliance

directors, who will necessarily lack the time and current knowledge to properly evaluate

it. Even if bank personnel have time and expertise, the intelligence rarely will yield

information that they would find useful, such as names of specific account holders.

To the extent that the intelligence community can generate specific names or accounts,

such information can usually be shared with banks in an unclassified way. Banks can be

told to be aware of person X from country Y without needing to know how that

information was obtained. If the intelligence community develops patterns or trends, this

information presumably also can be shared with financial institutions without need for

security clearances.

56 See, e.g., testimony of former National Security Council official Richard A. Clarke, Senate Banking,

Housing and Urban Development Committee (October 22, 2003) (clearing bank compliance personnel will

“bring us back great benefits because then they’ll know what to look for”). Representatives of financial

institutions made similar recommendations to Commission staff.

National Commission on Terrorist Attacks Upon the United States

64

Providing intelligence about terrorist financing to bank personnel raises serious privacy

and civil liberty issues. People may be named in intelligence reports, but many of the

allegations within these reports are unproven. Some reports prove to be entirely baseless.

Turning these reports over to private citizens like bank personnel runs the risk that

entirely unsubstantiated allegations may lead banks to shut customer accounts or take

other adverse action. Even assuming that the classified information itself is never leaked,

the names of people identified in the intelligence cannot be kept secret. When the bank

compliance officer who receives the secret intelligence asks for scrutiny of a customer’s

accounts for no apparent reason, other bank personnel will likely surmise that classified

information drove this request.

Supporters of giving security clearances to bank personnel point out that the U.S.

government regularly clears private citizens, such as employees of defense contractors.

There are, however, few if any instances in which the U.S. government provides

classified information potentially adverse to U.S. citizens to private actors for the specific

purpose of causing those private actors to subject the U.S. citizens to greater scrutiny.57

Creating such an unusual and potentially dangerous situation cannot be justified by the

minimal benefits that sharing classified information might produce.

Broad government access to private data: Perhaps someday

A more radical, but perhaps far more effective, proposal would give government

authorities direct unfettered access to private financial data for the limited purpose of