This is the accessible text file for GAO report number GAO-07-212 
entitled 'Bank Secrecy Act: FinCEN and IRS Need to Improve and Better 
Coordinate Compliance and Data Management Efforts' which was released 
on December 15, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office: 

GAO: 

December 2006: 

Bank Secrecy Act: 

FinCEN and IRS Need to Improve and Better Coordinate Compliance and 
Data Management Efforts: 

GAO-07-212: 

GAO Highlights: 

Highlights of GAO-07-212, a report to congressional committees. 

Why GAO Did This Study: 

In 2005, over 16 million Bank Secrecy Act (BSA) reports were filed by 
more than 200,000 U.S. financial institutions. Enacted in 1970, BSA is 
the centerpiece of the nation’s efforts to detect and deter criminal 
financial activities. Treasury’s Financial Crimes Enforcement Network 
(FinCEN) and the Internal Revenue Service (IRS) play key roles in BSA 
compliance, enforcement, and data management. GAO was asked to describe 
FinCEN’s and IRS’s roles and assess their effectiveness at ensuring BSA 
compliance and efforts to reengineer BSA data management. 

What GAO Found: 

FinCEN and IRS have distinct roles, but share some responsibilities in 
implementing BSA. FinCEN’s role is to oversee the administration of BSA 
by numerous agencies including IRS. IRS’s role is to (1) examine 
nonbank financial institutions (NBFI), such as money transmitters and 
check cashers, for compliance with BSA; (2) investigate potential 
criminal BSA violations; and (3) collect and store BSA reported data by 
all financial institutions. 

IRS continues to face challenges in identifying NBFIs subject to BSA 
and then using its limited resources to ensure compliance.
* IRS has identified approximately 107,000 potential NBFIs, yet FinCEN, 
IRS, and others agree there is a portion of the NBFI population IRS has 
not identified. Identifying NBFIs is inherently challenging and made 
even more difficult because FinCEN regulations about who is covered are 
confusing, especially for smaller businesses. 
* IRS currently lacks, but is working to develop, a statistically valid 
risk-based approach for selecting NBFIs for compliance examinations. 
IRS only examines a small fraction of NBFIs, less than 3.5 percent in 
2005, highlighting the need for building risk into the selection 
process. IRS is statistically validating a risk-based approach for 
targeting compliance examinations on certain NBFIs suspected of 
noncompliance. IRS’s validation study is a step in the right direction, 
but IRS’s approach will continue to have limitations because the study 
was not designed to be representative of all potential NBFIs. 
* IRS established a new office accountable for BSA compliance, and is 
working to improve examination guidance. However, IRS’s management of 
BSA compliance has limitations, such as a lack of a compliance rate 
measure and a comprehensive manual that NBFIs can use to develop anti-
money laundering programs compliant with BSA. 

Addressing program challenges, such as identifying NBFIs and examining 
those of greatest risk of noncompliance will take time and require 
prioritizing actions and identifying resource needs. However, FinCEN 
and IRS lack a documented and coordinated strategy with time frames, 
priorities, and resource needs for improving NBFI compliance with BSA 
requirements. 

FinCEN has undertaken a broad and long-term effort to reengineer, and 
transition from the IRS, all BSA data management activities. FinCEN, 
however, missed opportunities to effectively plan this effort and to 
coordinate its implementation with IRS. For example, FinCEN began 
making significant investments in information technology projects 
before a comprehensive plan to guide the reengineering effort was in 
place. When a key project—BSA Direct Retrieval and Sharing—failed, it 
jeopardized the future of the broader reengineering effort. After 
investing over $14 million (nearly $6 million over the original budget) 
in a failed project, FinCEN is now reassessing BSA Direct but does not 
yet have a plan for moving forward with the broader effort to 
reengineer BSA data management activities. 

What GAO Recommends: 

To strengthen BSA compliance, GAO recommends the Secretary of Treasury 
direct FinCEN and IRS to develop a documented and coordinated strategy 
that includes priorities, time frames, and resource needs. The strategy 
should cover implementing specific GAO recommendations, such as 
clarifying regulations and measuring the compliance rate. To strengthen 
BSA data management reengineering, GAO is recommending FinCEN develop a 
long-term plan that includes coordination with IRS. 

In commenting on a report draft, the Director of FinCEN and the 
Commissioner of Internal Revenue agreed with our recommendations. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-212]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact James R. White at (202) 
512-5594 or whitej@gao.gov. 

[End of Section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

FinCEN and IRS Have Distinct Roles in Implementing BSA, but Share Some 
Responsibilities: 

IRS Lacks an Effective BSA Compliance Program, Despite Several 
Improvements: 

CI Investigates BSA Criminal Violations and Uses BSA Information 
Extensively: 

Missed Opportunities for Effective Planning and Poor Project Management 
and Oversight Have Hampered FinCEN's Efforts to Reengineer BSA Data 
Management Activities: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Reports Required by BSA Regulations: 

Appendix III: Responsibilities of MSBs under BSA: 

Appendix IV: Access to Taxpayer Information for BSA Examinations: 

Appendix V: MOUs on BSA Compliance: 

Appendix VI: Comments from the Financial Crimes Enforcement Network and 
Internal Revenue Service: 

Appendix VII: GAO Contact and Acknowledgments: 

Tables: 

Table 1: Types of Entities Qualifying as NBFIs Not Otherwise Regulated 
by a Federal Functional Regulator: 

Table 2: Summary of BSA Compliance Program Improvements and 
Limitations: 

Table 3: BSA Performance Measures Established to Track Program 
Activities in Fiscal Years 2005 and 2006 and Compared to Performance 
Information Available for Fiscal Year 2004: 

Table 4: CI's BSA Investigative Time, FTEs, and Costs for Fiscal Years 
2002 through 2006: 

Table 5: BSA Investigations Initiated, Investigations Completed, 
Recommendations for Prosecutions, and Convictions for Fiscal Years 2002 
through 2006: 

Table 6: Criteria Applied by Treasury and IRS When Evaluating Specific 
Proposals for Governmental Disclosures: 

Figures: 

Figure 1: BSA Framework: 

Figure 2: Key Moments in the Development of New BSA Data Management 
Systems: 

Abbreviations: 

BSA: Bank Secrecy Act: 
BSA Direct R&S: BSA Direct Retrieval and Sharing: 
CBRS: Currency and Banking Retrieval System: 
CFTC: Commodity Futures Trading Commission: 
CIMIS: Criminal Investigation Management Information System: 
CI: IRS Criminal Investigations Division: 
CIO: chief information officer: 
CTR: currency transaction report: 
DEA: Drug Enforcement Administration: 
DHS: Department of Homeland Security: 
ECC-DET: Enterprise Computing Center at Detroit: 
FBI: Federal Bureau of Investigation: 
FDIC: Federal Deposit Insurance Corporation: 
FFIEC: Federal Financial Institutions Examination Council: 
FinCEN: Financial Crimes Enforcement Network: 
FRB: Federal Reserve Bank: 
FTE: full-time equivalent: 
ICE: Immigration and Customs Enforcement: 
IRS: Internal Revenue Service: 
MITSIRS: Modernization and Information Technology Services: 
MOU: memorandum of understanding: 
MSB: money service business: 
NBFI: nonbank financial institution: 
NCUA: National Credit Union Administration: 
NRP: National Research Program: 
OCC: Office of the Comptroller of the Currency: 
OIG: Office of Inspector General: 
OMB: Office of Management and Budget: 
OTS: Office of Thrift Supervision: 
SAR: suspicious activity report: 
SB/SE: Small Business Self-Employed Division: 
SEC: Securities and Exchange Commission: 
TIGTA: Treasury Inspector General for Tax Administration: 
WebCBRS: Web-based Currency and Banking Retrieval System: 

United States Government Accountability Office: 
Washington, DC 20548: 

December 15, 2006: 

The Honorable Christopher Bond: 
Chairman: 
The Honorable Patty Murray: 
Ranking Minority Member: 
Subcommittee on Transportation, Treasury, the Judiciary, Housing and 
Urban Development and Related Agencies: 
Committee on Appropriations: 
United States Senate: 

The Honorable Joe Knollenberg: 
Chairman: 
The Honorable John W. Olver: 
Ranking Minority Member: 
Subcommittee on Transportation, Treasury, Housing and Urban 
Development, the Judiciary, District of Columbia, and Independent 
Agencies: 
Committee on Appropriations: 
House of Representatives: 

Criminals frequently use the financial system in attempts to conceal 
illegal or untaxed proceeds from a variety of activities, including 
narcotics trafficking, arms trafficking, extortion, and public 
corruption. Laundering money, evading taxes, and financing a terrorist 
plot can involve many of the same methods. For example, they may use 
third-party nominees, currency, wire transfers, multiple bank accounts, 
or international "tax havens" to avoid detection. Attempts to convert 
criminal income into legitimate assets or conceal the use of legitimate 
assets in criminal activity jeopardize not only the security of our 
financial system but also our national security. 

The Bank Secrecy Act (BSA) establishes the framework used to combat 
these activities and prevent the exploitation of our financial 
system.[Footnote 1] BSA requires financial institutions to report 
certain financial transactions made by their customers. For example, in 
2005, U.S. financial institutions filed over 16 million BSA reports. 
These reports provide information used by law enforcement to detect and 
prevent a wide range of financial crimes. 

At the federal level, many agencies have some responsibility for 
protecting our financial system, but a key role is played by the 
Department of the Treasury (Treasury). Within Treasury, the Financial 
Crimes Enforcement Network (FinCEN) oversees the administration of BSA 
and the Internal Revenue Service (IRS) has responsibility for ensuring 
non bank financial institutions (NBFI), not otherwise subject to 
examination by another federal functional regulator, comply with BSA 
requirements. NBFIs include, in part, casinos and state-chartered 
privately insured credit unions and money service businesses (MSB), 
such as money transmitters and check cashers. In addition, IRS's 
Criminal Investigation Division (CI) is responsible for the 
investigation of criminal BSA violations and money laundering crimes, 
including those related to taxes. 

In the Senate Appropriations Committee Report, the Committee expressed 
considerable concern over FinCEN's and IRS's management of BSA 
compliance efforts.[Footnote 2] As proposed by the Senate, the 
conference agreement mandated that we review the effectiveness of the 
roles played by FinCEN and IRS in those areas for which they share 
responsibility for carrying out the BSA legislation.[Footnote 3] As 
agreed with your Subcommittees this report: 

* describes IRS's and FinCEN's roles and responsibilities for BSA 
compliance, criminal investigations, and data management; 

* assesses IRS's effectiveness in managing its BSA compliance program 
and coordinating with FinCEN; 

* describes the BSA enforcement efforts of CI; and: 

* assesses the effectiveness of FinCEN's efforts to reengineer BSA data 
management activities. 

To address these objectives, we reviewed relevant legislative and 
regulatory authorities. We analyzed data on program performance and 
compared estimates of the NBFI population. We compared IRS's approach 
for selecting NBFIs for compliance examinations to the approach it uses 
for examining individual tax returns, as well as to guidance from the 
Office of Management and Budget (OMB), GAO, and others. We applied our 
criteria for internal controls to the Title 31 database IRS used to 
house and store data for BSA examination cases. We analyzed BSA Direct 
planning and implementation documents and compared cost, schedule, and 
performance plans against actual progress. We also compared FinCEN's 
approach to GAO's investment management framework. We examined the 
memorandums of understanding (MOU) established between FinCEN and IRS, 
FinCEN and the states, and IRS and the states. We interviewed FinCEN 
officials in Washington, D.C., and Vienna, Virginia, and IRS Small 
Business Self-employed Division (SB/SE) officials in Washington, D.C; 
New Carrollton, Maryland; and Detroit, Michigan. We also interviewed 
officials from the Treasury Office of Inspector General (OIG) and the 
Treasury Inspector General for Tax Administration (TIGTA), and 
officials from the Conference of State Banking Supervisors. Appendix I 
provides a more detailed scope and methodology for this review. We 
conducted our review from July 2005 through November 2006 in accordance 
with generally accepted government auditing standards. 

Earlier this year, we provided detailed briefings on the interim 
results of our work to the Subcommittee on Transportation, Treasury, 
the Judiciary, Housing and Urban Development, and related agencies, 
Senate Committee on Appropriations. Further, because FinCEN experienced 
problems with development and implementation of the retrieval and 
sharing component of BSA Direct, we provided our observations on this 
project in July of this year.[Footnote 4] 

Results in Brief: 

FinCEN and IRS have distinct roles in implementing BSA, but share some 
responsibilities. FinCEN's role is to oversee the administration of BSA 
by numerous agencies, including IRS. In this role, FinCEN develops 
policy and provides guidance to both federal financial regulators and 
financial institutions and also controls access to BSA data by law 
enforcement agencies. IRS has three roles. First, IRS is one of eight 
federal financial regulatory agencies that conduct BSA compliance 
examinations--in IRS's case, examinations of NBFIs. Second, CI 
investigates potential criminal BSA violations. Third, IRS collects and 
stores the reports of financial transactions required by BSA and filed 
by financial institutions. 

IRS lacks an effective BSA compliance program, despite several recent 
improvements. IRS faces challenges in identifying NBFIs subject to BSA 
and then using its limited resources to ensure compliance. 

* IRS is aware of approximately 107,000 potential NBFIs, yet one study 
commissioned by FinCEN estimates there are up to 200,000 of these 
businesses in the United States. Identifying NBFIs, and particularly 
MSBs, is difficult especially for businesses, such as grocery stores, 
where financial transactions are not the primary business activity. 
FinCEN and IRS could take additional steps to identify NBFIs, but some 
steps are of unproven benefit and would require adjusting priorities. 
Some IRS BSA officials told us that tax return information might help 
identify potential NBFIs, but IRS is prohibited by law from disclosing 
tax information for nontax purposes, with some exceptions. The 
disclosure provisions in the Internal Revenue Code do not currently 
include an exception for BSA compliance examinations. IRS does not have 
evidence about the value of tax return information for identifying 
NBFIs and has not made a decision about whether it would be worth 
pursuing a legislative change. Treasury's OIG found that FinCEN's 
regulations and guidance for MSBs can be confusing and easily 
misinterpreted. FinCEN agreed, but officials said verifying MSB 
registrations is a higher priority than revising these instructions. 

* IRS lacks a statistically valid risk-based approach for selecting 
NBFIs for compliance examinations but is working to make improvements. 
A risk-based approach is important because IRS has limited examination 
resources, highlighting the need for building risk into the audit 
selection process. In 2005, IRS completed 3,712 examinations--3.5 
percent of the approximately 107,000 potential NBFIs currently in its 
database. IRS is conducting a study to validate the risk factors it is 
using to select MSBs for examination by randomly sampling from a group 
of MSBs that have filed, are required to file, or are the subject of 
filed BSA reports. This study is a step in the right direction, but 
IRS's approach will continue to have limitations, in part, because the 
study only addresses a segment of NBFIs identified by IRS. In the 
future, IRS can improve its risk-based approach for targeting 
examinations of NBFIs by studying the compliance risks posed by the 
broader population of known NBFIs. 

* IRS has established a new Office of Fraud/BSA accountable for BSA 
enforcement, improved examination guidance, and tracking referrals to 
law enforcement agencies; however, management limitations remain. For 
example, IRS lacks a measure of NBFIs' rates of compliance with BSA and 
thus cannot track program effectiveness over time. IRS also lacks a 
comprehensive examination manual that NBFIs can use to develop anti- 
money laundering programs that satisfy BSA requirements. In addition, 
FinCEN and IRS lack a documented and coordinated strategy that lists 
priorities, time frames, and resource needs for addressing BSA 
compliance program limitations. 

As IRS's law enforcement arm, CI dedicates a portion of its resources 
to investigating criminal BSA and money laundering violations. CI's 
direct investigative time for BSA investigations has remained 
relatively constant for the past 5 years at about 12 percent of total 
investigative resources. BSA convictions have increased during the same 
period, from 240 in fiscal year 2002 to 296 in fiscal year 2006. 

FinCEN missed opportunities to effectively plan and coordinate early 
efforts to reengineer BSA data management activities and experienced 
poor project management and oversight of the BSA Direct Retrieval and 
Sharing (BSA Direct R&S) project. Specifically, FinCEN did not develop 
a comprehensive long-term plan for reengineering BSA data management 
responsibilities before investing in new information systems. Instead, 
FinCEN began development on BSA Direct R&S before a plan was in place. 
This project--on which work was eventually stopped, in part, because of 
poor project management and oversight--was expected to be the 
cornerstone of the broader reengineering effort. In addition, FinCEN 
did not do an adequate job of communicating and coordinating the 
reengineering effort with IRS, which resulted in the development of new 
systems with some duplicative capabilities. With the failure of BSA 
Direct R&S, FinCEN is now reassessing the future of BSA Direct, but 
does not yet have a plan for moving forward with the broader effort to 
reengineer BSA data management activities. 

We are recommending that FinCEN and IRS develop a documented and 
coordinated strategy for improving NBFI compliance with BSA. We are 
making a number of specific recommendations to be incorporated into 
this strategy, such as making a decision about whether to pursue 
accessing taxpayer data to identify NBFIs and developing a NBFI 
compliance manual. We are also recommending FinCEN develop a 
comprehensive plan to guide the effort to reengineer BSA data 
management activities. On December 11, 2006, the Director of FinCEN and 
the Commissioner of Internal Revenue agreed with all our 
recommendations. The Director and Commissioner also stated their 
appreciation that our report notes the steps that FinCEN and IRS have 
already taken to improve BSA compliance. 

Background: 

BSA, enacted by Congress in 1970, authorizes the Secretary of the 
Treasury to issue regulations requiring financial institutions to 
retain records and file reports useful in criminal, tax, and regulatory 
investigations. Following the September 11, 2001 terrorist attacks, 
Congress passed the USA PATRIOT Act, which, among other things, amended 
BSA and expanded the number of industries subject to BSA 
regulation.[Footnote 5] Title III of the act expanded BSA powers to 
combat terrorist financing and required financial institutions to 
establish proactive anti-money laundering programs. In addition, the 
act expanded reporting requirements and allowed the records and reports 
collected under BSA to be used in the conduct of intelligence or 
counterintelligence activities and to protect against international 
terrorism. 

The BSA framework focuses on financial institutions' record keeping and 
reporting requirements to create a paper trail of financial 
transactions that federal agencies can trace to deter illegal activity 
and apprehend criminals. Under the BSA framework, primary 
responsibility rests with the financial institutions themselves in 
gathering information and passing it to federal officials. "Financial 
institutions" include both banking institutions and NBFIs. Banking 
institutions include commercial banks and trusts, savings and thrifts, 
branches of foreign chartered banks doing business in the United 
States, and credit unions. NBFIs include MSBs, casinos, and some credit 
unions. MSBs include businesses that transmit money, cash checks, and 
engage in certain financial transactions. MSBs are the largest and most 
diverse group of entities that qualify as NBFIs. Table 1 describes the 
different types of entities that qualify as NBFIs not otherwise 
regulated by a federal functional regulator. 

Table 1: Types of Entities Qualifying as NBFIs Not Otherwise Regulated 
by a Federal Functional Regulator: 

NBFIs: Casinos; 
Description of institution: Nevada casinos, state/ territory licensed 
casinos; and gaming operations; tribal casinos; and other gaming 
organizations, such as card clubs. 

NBFIs: State chartered non-federally insured credit unions; 
Description of institution: Member-owned, member-controlled, not-for 
profit cooperative financial institutions formed to permit groups of 
people who share a "common bond" to save, borrow, and obtain related 
financial services and to participate in their management that are 
privately insured and state chartered and regulated. 

NBFIs: Credit card operators; 
Description of institution: Business in the United States that operates 
a system for clearing and settling transactions in which the operator's 
credit or debit card is used to purchase goods or services or to obtain 
cash advances. 

NBFIs: MSBs; 
Description of institution: Businesses that; 
* transmit money; 
* cash checks; 
* issue, sell, or redeem traveler's checks, money orders, or stored 
value; 
* deal or exchange currency; and; 
* conduct more than $1,000 in the activities mentioned with the same 
person on the same day, and provide money transfer services in any 
dollar amount; The U.S. Postal Service (transactions excluding the sale 
of postage and philatelic products). 

NBFIs: The USA PATROIT ACT Expanded The Types of Entities That Qualify 
As NBFIs. 

NBFIs: Dealers in precious metals and jewels; 
Description of institution: Manufacturers, refiners, wholesalers, 
certain retailers considered dealers, and any other entities engaged in 
the business of purchasing and selling jewels, precious metals, 
precious stones, or jewelry. Ranges from single artisan goldsmiths 
selling unique and rare gemstones on an individual basis to publicly 
traded commercial manufacturers producing millions of pieces each year. 

NBFIs: Insurance companies; 
Description of institution: Insurance companies that issue permanent 
life insurance policies, annuity contracts, and any other insurance 
products with features of cash value or investment. The companies are 
to integrate agents and brokers who sell these products under the 
insurance companies into their program requirements and ensure policies 
and procedures are followed. 

NBFIs: Loan/finance companies; 
Description of institution: FinCEN has not adopted any rules defining 
which businesses are to be included in these sectors. 

NBFIs: Travel agencies. 

NBFIs: Real-estate closing professionals. 

NBFIs: Sellers of vehicles. 

NBFIs: Unregistered investment companies. 

Sources: FinCEN and the Financial Action Task Force. 

[End of table] 

All financial institutions subject to BSA requirements must implement 
internal controls, policies, and procedures; maintain records of 
transactions; and file reports of cash transactions over the $10,000 
dollar threshold and suspicious activities. The USA PATRIOT Act 
required all financial institutions to develop written anti-money 
laundering compliance programs that detail internal policies, 
procedures and internal controls. Each program must designate a 
compliance officer, provide ongoing employee training of pertinent 
personnel, and provide for independent reviews whose scope and 
frequency is commensurate with the risk of the financial services 
provided. 

Registration, record keeping, and reporting are the core elements of 
anti-money laundering requirements for MSBs. Certain MSBs are required 
to register with the Secretary of the Treasury and renew those 
registrations every 2 years. In addition, MSBs that sell money orders, 
travelers' checks, or other instruments for cash must verify the 
identity of each customer and create and maintain a record of each 
purchase when the purchase is cash from $3,000 to $10,000.[Footnote 6] 
Also, financial institutions and certain types of businesses are 
required to submit reports on cash transactions over the $10,000 
threshold and transactions of a suspicious nature. Millions of these 
reports are filed each year. For example, in 2005 over 16 million BSA 
reports were filed by financial institutions. Certain civil and 
criminal penalties can be levied against financial institutions for 
violating BSA reporting requirements, with fines ranging from $500 for 
negligence to $500,000, 10 years in jail, or both for certain willful 
violations. [Footnote 7],[Footnote 8] Appendix III discusses the 
compliance reporting responsibilities in more detail. 

FinCEN and IRS Have Distinct Roles in Implementing BSA, but Share Some 
Responsibilities: 

FinCEN's role is to oversee administration of BSA government wide. In 
this role, FinCEN develops policy and provides guidance to other 
agencies, as shown in figure 1. However, FinCEN also relies on other 
agencies in implementing the BSA framework, including (1) ensuring 
compliance with BSA requirements to report certain financial 
transactions, (2) conducting investigations of criminal financial 
activity, and (3) collecting and storing the reported information IRS 
is involved in all three of these areas. 

Figure 1: BSA Framework: 

[See PDF for image] 

Source: GAO. 

[A] Agency names are listed in the list of acronyms located at the 
front of this report. 

[B] FinCEN collects some BSA information directly through its E-filing 
system; however, this information is then provided to IRS and stored 
with all other BSA information in IRS's WebCBRS system. 

[C] CTRs and SARs are only examples of the types of BSA reports stored 
on IRS's Web-based Currency and Banking Retrieval System (WebCBRS). See 
App. II for the complete list. 

[D] There are 215 agencies with access to IRS WebCBRS. This is only a 
partial list of these agencies. Additionally, some agencies have 
duplicate copies of the information that are incorporated into other 
data systems; therefore some agencies do not always have to access 
WebCBRS to review BSA data. 

[End of figure] 

FinCEN Oversees the Government wide BSA Compliance Program, While IRS 
Conducts Compliance Examinations of NBFIs: 

As administrator of BSA, FinCEN's compliance role is to develop 
regulatory policies for agencies that examine financial institutions 
and businesses for compliance with BSA laws, and when appropriate, 
assess civil penalties against noncompliant institutions. FinCEN 
develops and issues BSA regulatory requirements and provides guidance 
to financial institutions that are subject to those requirements. 
FinCEN is also responsible for overseeing agency compliance examination 
activities and provides these agencies with assistance in educating 
institutions on their BSA responsibilities. 

As highlighted in the compliance examiners section of figure 1, IRS is 
one of eight agencies that actually conduct the compliance examinations 
that FinCEN oversees. The Office of Fraud/BSA, within SB/SE, conducts 
examinations of NBFIs, including MSBs, which are not regulated by 
another federal agency. Appendix III discusses the compliance 
responsibilities of MSBs in more detail. 

FinCEN Is Responsible for Supporting and Networking the Law Enforcement 
Community, Including CI: 

FinCEN is responsible for supporting and networking law enforcement at 
the federal, state, and local levels. FinCEN's network exceeds 180 law 
enforcement agencies, and includes CI, the Federal Bureau of 
Investigation, the Drug Enforcement Administration, Immigration and 
Customs Enforcement, state and local police departments and 
investigative bureaus, attorney general and district attorney offices, 
and foreign authorities. FinCEN provides investigative leads to support 
financial criminal investigations and offers a variety of analytical 
products on trends and patterns that can be used by law enforcement to 
more effectively target their investigations. 

As the enforcement arm of IRS, CI has the authority to investigate 
criminal violations of BSA laws. Like other law enforcement agencies, 
CI uses financial intelligence, including data provided on BSA reports, 
to build investigations and prepare cases for prosecution. The law 
enforcement section of figure 1 highlights how FinCEN, IRS CI, and the 
broader law enforcement community fit into the BSA framework. 

FinCEN Relies Heavily on IRS for the Collection, Storage, and 
Maintenance of BSA Data: 

FinCEN has responsibility for overseeing the management of BSA data, 
but from an operational standpoint does not collect, store, or maintain 
the official data that are reported by financial institutions. IRS's 
Enterprise Computing Center at Detroit (ECC-DET), under a long-standing 
cooperative arrangement with FinCEN, has been the central point of 
collection and storage of these data. ECC-DET maintains the 
infrastructure needed to collect the reports, convert paper and 
magnetic tape submissions to electronic media, and correct errors in 
submitted forms through correspondence with filers. As illustrated in 
the data management section of figure 1, BSA data are processed and 
warehoused in IRS's Currency Banking and Retrieval System are accessed 
through a Web-based interface. The system is called WebCBRS. IRS 
examiners and investigations officials access WebCBRS directly through 
IRS's intranet. Non-IRS law enforcement users access BSA data through 
FinCEN's Gateway computer system. Secure Outreach functions as a portal 
through FinCEN's information technology infrastructure to BSA data 
housed at ECC-DET. 

IRS Lacks an Effective BSA Compliance Program, Despite Several 
Improvements: 

Despite many improvements, IRS does not yet have an effective BSA 
compliance program. An effective IRS compliance program would require 
identifying the population of NBFIs and then periodically testing 
whether these NBFIs are complying with their reporting and other BSA 
requirements. 

FinCEN and IRS Continue to Face Challenges in Identifying the 
Population of NBFIs Subject to BSA Requirements: 

Several efforts have been made to estimate the NBFI population, but all 
of these estimates have weaknesses. However, IRS and other 
knowledgeable observers agree that IRS has only identified a portion of 
the population. No recent studies have been conducted that estimate the 
total population of NBFIs; however, a number of efforts have been made 
to estimate the number of MSBs, the largest group of NBFIs subject to 
BSA requirements. A 1997 study conducted by a FinCEN consultant 
estimated the existence of approximately 158,000 MSBs.[Footnote 9] One 
IRS official within the Office of Fraud/BSA estimates there may be 
approximately 160,000 MSBs. In 2005, another FinCEN study estimated the 
population to be as high as 200,000.[Footnote 10] Officials from 
FinCEN, IRS, Treasury, TIGTA, and Treasury's OIG agree that IRS has 
only identified part of the NBFI population. 

Several factors contribute to IRS's difficulty in identifying NBFIs. 
NBFIs, especially MSBs, are inherently difficult to identify because of 
the wide range of sizes, structures, and financial activities they 
conduct. Unlike traditional financial institutions, such as federally 
insured banks, many MSBs are small, independently owned businesses in 
which financial services are offered as a secondary business activity. 
For example, many grocery stores, convenience stores, gas stations, and 
liquor stores would be considered MSBs because they offer check 
cashing, money order, or wire transfer services, even though the 
primary activity of these businesses is the sale of consumer goods. In 
a 2005 report, the OIG cited language barriers and the limited 
financial proficiency of some business owners as reasons many MSBs are 
not registered, [Footnote 11] and therefore have not been 
identified.[Footnote 12] 

The OIG also found that regulations and guidance for MSBs can be 
confusing and easily misinterpreted, thus contributing to the challenge 
of identifying MSBs. The report states that the distinction FinCEN 
makes between a MSB principal and an agent of that principal is not 
always understood by the MSB population and is difficult to verify 
other than through an on-site examination. Some BSA rules, such as the 
registration requirement, are applicable to principals--the entities 
issuing financial instruments--and some are applicable to agents-- 
businesses authorized to sell the issuers' financial instruments. 
Another confusing aspect of the MSB requirements is that businesses 
whose daily money services transactions are less than $1,000 per day 
per person are generally not considered MSBs. As with the agent 
exemption, the dollar threshold is difficult to verify other than 
through an on-site examination. The OIG found that FinCEN had plans to 
assess whether agents of MSBs should be required to register; however, 
FinCEN has not taken action to implement these plans. IRS officials in 
the Office of Fraud/BSA support a change that requires all MSBs to 
register, regardless of whether they are principals or agents, because 
it would make identification easier. FinCEN officials, however, said 
that their first priority is to ensure that the current list of MSB 
registrations is accurate. Therefore, FinCEN does not have a time-frame 
for revising MSB regulations and guidance, including registration 
requirements. 

Identifying NBFIs, and particularly MSBs, is challenging and resource 
intensive--both FinCEN and IRS have responsibility in this area. IRS 
uses CBRS, public and commercial databases, Internet searches, and the 
yellow pages to identify potential MSBs. FinCEN searches past BSA 
reports and gets referrals from other law enforcement officials about 
potential NBFIs and MSBs. However, not all businesses identified from 
these sources as potential NBFIs are actually subject to BSA 
requirements. IRS has identified 107,000 potential NBFIs, but has not 
been able to determine how many of these businesses are subject to BSA. 
Whenever IRS identifies a new business it believes may be an NBFI, it 
sends the business a letter. This letter explains that IRS believes the 
business is engaged in an activity that qualifies it as an NBFI subject 
to BSA requirements. IRS officials said they are uncertain about the 
effectiveness of this letter and that some businesses do not reply. 
Further, these officials said often the only way to confirm whether a 
business is subject to BSA requirements is to conduct an on-site 
examination, a labor-intensive and time-consuming process. 

IRS officials in the Office of Fraud/BSA told us that accessing IRS's 
tax return databases might help identify additional potential NBFIs. 
The Office of Fraud/BSA is currently unable to use tax return 
information to identify businesses that may be subject to BSA 
requirements because IRS is prohibited by law from using tax return 
information for nontax purposes, with only a few exceptions.[Footnote 
13] The confidentiality of tax information is considered crucial for 
promoting voluntary compliance by taxpayers, and legislative proposals 
for exceptions have been strictly scrutinized by Treasury before 
submission to Congress. IRS currently lacks empirical evidence that 
would support making a case to grant an exception (for example, 
evidence on the number of potential NBFIs that could be identified from 
tax data but not from other sources), and IRS has not decided whether 
it should pursue obtaining access in an effort to develop this 
evidence. Appendix IV provides more detail on taxpayer disclosures and 
the criteria the executive branch considers before submitting a 
proposal to Congress for granting exceptions. 

In another effort to identify potential NBFIs, FinCEN and IRS have 
recently agreed to a number of MOUs with state financial regulators to 
improve coordination and information sharing.[Footnote 14] Almost all 
MOUs are less than 2 years old, and according to IRS, FinCEN, and 
officials representing the states that have signed MOUs, it is still 
too early to tell how effectively they will be carried out. 
Successfully implementing these MOUs and sustaining the partnerships 
they establish will be an ongoing challenge for IRS, FinCEN, and the 
states involved. For example, states have differing definitions and 
licensing requirements for MSBs, which can make it difficult to ensure 
consistency in the reporting of information. Additionally, IRS 
officials said that meeting the information-sharing requirements in the 
MOUs is time intensive because it requires manually gathering large 
amounts of information from different parts of the organization. The 
benefits to IRS and the states, thus far, have not been determined. 
IRS, FinCEN, and the states have only recently begun to implement the 
agreements in the MOUs. Therefore, little has been done to evaluate the 
usefulness of the information that is being shared. Appendix V provides 
additional information on the MOUs. 

IRS Is Developing a Statistically Valid Risk-Based Approach to 
Selecting Businesses for Compliance Examinations, but Limitations Will 
Continue to Exist: 

IRS does not have a statistically valid risk-based approach for 
targeting NBFIs for BSA compliance examinations, but it is working on 
developing such an approach for a segment of MSBs. A risk-based 
approach is important for selecting NBFIs for compliance examinations 
because IRS only has resources to examine a small fraction of NBFIs 
each year. For example, in 2005, IRS completed 3,712 examinations--3.5 
percent of the 107,246 potential NBFIs in its database. 

A risk-based approach uses statistically valid risk factors to select 
NBFIs for compliance examinations. Statistically valid risk factors can 
be used to better target examinations on those businesses that pose the 
greatest risk for noncompliance with BSA requirements. As a result, IRS 
would devote fewer of its scarce resources to examining compliant 
NBFIs. One approach to statistically validating the risk factors 
involves testing them on a sample of NBFIs representative of the 
population and determining the extent to which the results correlate 
with businesses' actual noncompliance with BSA requirements.[Footnote 
15] IRS already uses a risk-based approach when selecting individual 
tax returns for audit. Its approach involved statistically validating a 
set of risk factors using a relatively small but representative sample 
of individual tax returns.[Footnote 16] IRS now uses those risk factors 
to select individual tax returns for audit from the entire population. 

We, as well as OMB and TIGTA, have recognized the value of risk-based 
approaches. Earlier this year, we reported that risk management, 
including risk assessment, is a widely endorsed strategy for helping 
managers and policymakers make decisions about allocating finite 
resources and taking actions under conditions of uncertainty.[Footnote 
17] OMB also recommends making decisions based on risk assessments. As 
far back as 1986, we concluded that BSA regulators would use their 
resources better by targeting examinations on entities with a high 
potential for problems.[Footnote 18] In 2004, TIGTA reported that a 
risk-based, data-driven process to select the potentially most 
noncompliant MSBs for compliance checks could be a more effective 
selection method than IRS's existing process.[Footnote 19] 

IRS's approach for selecting NBFIs for examination is based mainly on 
the judgment and experience of IRS managers and examiners. Based on 
that judgment and experience, IRS's Office of Fraud/BSA has developed a 
set of risk factors that assist in prioritizing and selecting NBFIs for 
examination. However, the judgment and experience of managers and 
examiners is based on past compliance cases that are not a 
representative sample of NBFIs. Further, IRS studied the risk factors 
to help develop rules for case selection and used experienced examiners 
to score these factors based on their potential for producing cases 
involving noncompliant businesses. IRS has not conducted a test to 
statistically validate these risk factors. 

IRS recognizes that its risk factors have not been tested and 
validated. It has a research project under way to test whether the 
current risk factors are more effective than chance at identifying 
noncompliant MSBs. IRS selected a random sample of potential MSBs from 
CBRS. Then each MSB in the sample was scored for risk of noncompliance 
using the risk factors. Beginning in January 2007, IRS will examine 
each MSB in the sample to determine whether actual noncompliance 
exists. The examination results will be compared to the risk scores to 
determine the effectiveness of the risk factors at predicting 
noncompliance. The results could also be used to make improvements to 
the factors. The research project is slated for completion in December 
2007. If the project is completed on time, IRS officials expect any 
changes made to the risk factors would go into effect in time to guide 
the selection of cases for examination in calendar year 2008. 

IRS's research project is a step in the right direction. For MSBs in 
CBRS, it will provide empirical validation for IRS's current risk 
factors or a basis for improving them. However, this risk-based 
approach will continue to have limitations, including the following. 

IRS's research study was not designed to be representative of all the 
potential MSBs identified by IRS. IRS is testing the validity of the 
risk-based selection process by sampling from a subpopulation of 
potential MSBs, not the entire population. The study samples from a 
list of 59,701 potential MSBs entered into CBRS in 2004 or 2005 because 
they either filed BSA-required reports, such as MSB registrations, 
CTRs, and SARs, or were named in such reports by third parties. 
However, the population of potential MSBs that IRS has identified is 
larger. IRS has approximately 105,710 potential MSBs in the Title 31 
database and is responsible for determining whether all of them are 
complying with BSA.[Footnote 20] According to IRS officials, IRS did 
not draw from the Title 31 database to conduct this study because 
inconsistency in the quality and completeness of the information it 
contains on NBFIs limited its usefulness as a reliable source. IRS's 
decision to use CBRS as the source of the study is a valid one. 
However, because the research study does not address the entire known 
population, IRS will not know how useful the risk factors are for 
producing cases within the segment of the population it did not study. 
IRS does not have plans for validating the risk factors for the entire 
known population of MSBs. 

IRS's risk-based approach to selecting MSBs for compliance examinations 
necessarily ignores the unknown part of the population. As discussed 
previously, there is widespread agreement that despite its efforts to 
date, IRS has not identified all MSBs. As IRS uses new information 
sources and methods to identify additional MSBs, the risk factors may 
not take into account the characteristics of these previously 
unidentified MSBs. The only way to ensure IRS is adapting its risk- 
based selection process to reflect changes in the identified population 
of MSBs is to continue updating its risk assessments. IRS does not have 
plans for reassessing the validity of the risk factors as additional 
MSBs are identified. 

IRS's study and the risk factors applied are only applicable to MSBs 
and do not take into account the risks of other NBFIs. IRS does not 
have a statistically validated risk-based approach for selecting 
casinos, wholesale jewelers, or insurance agents for examination. In 
addition, as more types of NBFIs are required to comply with BSA 
requirements, IRS will be required to incorporate those businesses into 
its compliance examination efforts. From a long-term perspective, a 
risk-based approach that looks across the different segments of the 
NBFI population could result in a more effective use of resources for 
compliance examination. IRS does not have plans for a risk assessment 
of the full range of NBFIs. 

Addressing the limitations in IRS's current risk-based approach for 
targeting NBFIs for examination will require time and resources. 
Identifying unknown NBFIs is inherently challenging and gradual--no 
easy solution exists for addressing this problem. Compliance research 
is costly; IRS estimates the research that is currently under way will 
cost approximately $1.7 million. Furthermore, IRS's ability to mount 
separate efforts to deal with the range of limitations will be 
constrained by management capacity and research capacity. 

The benefits of a statistically valid risk-based approach to ensuring 
compliance are potentially very great. The nation would have data-based 
assurance that the NBFI compliance examination program is targeting its 
resources where the risks of NBFI noncompliance, and the resulting lack 
of reporting about suspicious financial transactions, are known to be 
greatest. 

Although Compliance Challenges Continue to Exist, the Establishment of 
an Office of Fraud/BSA Has Resulted in Some Improvements: 

In October 2004, IRS established the Office of Fraud/BSA within SB/SE. 
This office is responsible for ensuring NBFIs comply with BSA 
requirements. IRS appointed an executive to oversee the office. This 
executive reports directly to the SB/SE Commissioner. The establishment 
of this office came, in part, in response to TIGTA findings that IRS 
needed to strengthen oversight of the BSA compliance program.[Footnote 
21] For example, prior to reorganizing, IRS did not have examiners 
dedicated specifically to conducting BSA compliance examinations. 
Instead, according to IRS officials, examinations were conducted by tax 
examiners who split their time among tax examinations, BSA 
examinations, and collections activities. 

With the establishment of the Office of Fraud/BSA, IRS dedicated over 
300 staff in 33 field offices specifically to conducting BSA compliance 
examinations. The dedication of these staff reflects IRS's decision to 
place a greater priority on meeting its BSA examination 
responsibilities. Since establishing the Office of Fraud/BSA and 
dedicating staff specifically to BSA issues, IRS has centralized and 
increased uniformity of BSA compliance examinations. However, the 
program still has management limitations and the improvements do not 
address the significant problems that IRS has in identifying NBFIs and 
targeting compliance examinations. Table 2 shows the improvements IRS 
management has made and some remaining management limitations. 

Table 2: Summary of BSA Compliance Program Improvements and 
Limitations: 

Program area: Compliance examination policies and procedures; 
Improvements: IRS has centralized, more fully documented, and better 
implemented policies and procedures for conducting examinations of 
NBFIs for compliance; 
Limitations: IRS's Internal Revenue Manual, the resource for IRS's 
official policies and procedures, has not been amended since January 
2003. 

Program area: Education and outreach to NBFIs; 
Improvements: FinCEN and IRS have expanded and better coordinated 
education and outreach efforts directed to the NBFI community; 
Limitations: Unlike the agencies that examine banks for BSA compliance, 
IRS lacks a comprehensive manual that NBFIs can use to develop anti-
money laundering programs that are compliant with BSA requirements. 

Program area: Information management; 
Improvements: IRS has centralized and taken steps to improve the 
accuracy and reliability of all data on NBFIs and information used to 
manage examination resources; 
Limitations: IRS's Title 31 database, which contains IRS's information 
on NBFIs, is labor intensive to maintain and has limited functionality 
and security and stability concerns. 

Program area: Performance measurement; 
Improvements: IRS has established and benchmarked a number of 
performance measures of program activities;
Limitations: IRS lacks a way of measuring the extent to which known 
NBFIs comply with BSA requirements. 

Source: GAO. 

[End of table] 

Compliance Examination Policies and Procedures: 

Before establishing the Office of Fraud/BSA, IRS did not have centrally 
managed, or consistently implemented, BSA examination policies and 
procedures. IRS lacked formal guidance for documenting BSA compliance 
examinations and determining whether a case warranted referral for 
civil or criminal enforcement by FinCEN or CI, respectively. Since 
establishing the Office of Fraud/BSA, IRS has established uniform 
instructions that compliance examiners use for requesting records and 
examining institutions for compliance with BSA requirements. 
Additionally, IRS has developed better procedures for determining 
whether a case has enough support to warrant a referral for civil 
enforcement by FinCEN or criminal enforcement by CI. According to 
FinCEN officials, the documentation for cases referred for civil 
penalty assessment has improved significantly as a result of these 
changes. CI officials have also noticed improvements in case 
documentation and referrals that they attribute to the establishment of 
the new organization. 

However, many of the changes to the processes and guidance have not 
been incorporated into the Internal Revenue Manual--IRS's official 
internal policies and procedures document resource. Instead, many of 
IRS's new or revised policies and procedures are distributed to 
compliance examiners via memorandums and electronic mail. Distributing 
guidance in this manner makes it difficult to keep track of the changes 
and ensure consistent understanding and implementation over the long 
term. IRS recognizes these challenges and has slowly made progress in 
generating an update, but this process began in 2004 and was not 
complete as of November 2006. IRS could not provide a definitive 
deadline for when the updated Internal Revenue Manual would be 
published. 

Education and Outreach to NBFIs: 

IRS's outreach is conducted by the SB/SE Stakeholder Liaison Office. 
The liaison office works with FinCEN in coordinating the development 
and distribution of standardized and consistent information through 
brochures, newsletters, presentations, and other materials. 

However, IRS has not provided the NBFI community with a comprehensive 
source of information that can be used to guide efforts to develop a 
program that meets BSA requirements. In June 2005, the Federal 
Financial Institutions Examination Council (FFIEC) addressed this issue 
for the agencies responsible for conducting BSA examinations of banks 
and similar financial institutions.[Footnote 22] FFIEC, with support 
from FinCEN, developed the Bank Secrecy Act/Anti-Money Laundering 
Examination Manual.[Footnote 23] Although this manual is intended to 
guide examiners when examining financial institutions for compliance 
with BSA requirements, the banking industry has applauded its 
development and publication because it makes examination procedures 
transparent and provides excellent guidance on what is expected of 
banks. 

Despite agreement by FinCEN and IRS that a similar manual is needed for 
the NBFI community, such a manual has not been developed. According to 
IRS officials, they have recently hired a training coordinator who will 
be responsible for developing this manual. However, no timeline has 
been established for when the process for developing this manual will 
begin. 

Information Management: 

Prior to the establishment of the Office of Fraud/BSA, the management 
of BSA compliance program information was decentralized. Each of the 16 
field offices maintained its own, separate lists of potential NBFIs and 
information on the examinations it was conducting. Once the new office 
was established, IRS took steps to combine all of this information into 
one centralized database, the Title 31 database. 

The Title 31 database, however, was not built using a disciplined 
systems development process and is not supported by IRS Modernization 
and Information Technology Services (MITS). As a result, the database 
potentially contains duplicate, outdated, and sometimes inaccurate 
information from the 16 merged systems. IRS officials believe it has 
addressed many of these issues but could not validate that all have 
been addressed. Further, IRS officials stated that the database has 
other limitations, including (1) limited capacity to handle the number 
of fields required to maintain and close cases, (2) issues with 
connectivity across field locations, (3) limited controls to prevent 
the entry of invalid information, and (4) system instability. IRS has 
obtained MITS support in creating a new system to maintain the 
information in the Title 31 database. However, IRS will continue 
operating within existing system constraints until the new system is 
fully operational. 

Performance Measurement: 

IRS has made progress in tracking and measuring program activities, but 
lacks a measure of the extent to which NBFIs comply with BSA 
requirements. Prior to the new organization, IRS had only one 
consistently measured performance goal for the BSA compliance program-
-delivery of direct examination staff years. In a 2004 review, TIGTA 
found that IRS needed to establish performance indicators that measure 
case results and their cumulative impact on compliance. For fiscal year 
2005, IRS established a suite of measures that it is using to track and 
assess program performance. Table 3 lists these measures and the fiscal 
year 2005 results and fiscal year 2006 goals and results. 

Table 3: BSA Performance Measures Established to Track Program 
Activities in Fiscal Years 2005 and 2006 and Compared to Performance 
Information Available for Fiscal Year 2004: 

BSA performance measure: Number of closures; 
Fiscal year 2004: 3,481; 
Fiscal year 2005: 3,712; 
Fiscal year 2006 through May: 3,681; 
Fiscal year 2006 target/goal: 6,427. 

BSA performance measure: Hours per case; 
Fiscal year 2004: [A]; 
Fiscal year 2005: 49; 
Fiscal year 2006 through May: 44; 
Fiscal year 2006 target/goal: 50. 

BSA performance measure: Cycle time; 
Fiscal year 2004: [A]; 
Fiscal year 2005: 218; 
Fiscal year 2006 through May: 219;
Fiscal year 2006 target/ goal: [B]. 

Cases in inventory. 

BSA performance measure: Assigned to examiner--examination not started; 
Fiscal year 2004: [C]; 
Fiscal year 2005: [C]; 
Fiscal year 2006 through May: 2,593; 
Fiscal year 2006 target/goal: [B]. 

BSA performance measure: Assigned to examiner--examination started; 
Fiscal year 2004: [C]; 
Fiscal year 2005: [C]; 
Fiscal year 2006 through May: 2,754; 
Fiscal year 2006 target/goal: [B]. 

BSA performance measure: Net number of new starts; 
Fiscal year 2004: [C]; 
Fiscal year 2005: [C]; 
Fiscal year 2006 through May: 4,837; 
Fiscal year 2006 target/goal: [B]. 

BSA performance measure: Referrals to CI; 
Fiscal year 2004: 9; 
Fiscal year 2005: 21; 
Fiscal year 2006 through May: 10; 
Fiscal year 2006 target/goal: [B]. 

BSA performance measure: Referrals to FinCEN; 
Fiscal year 2004: 8; 
Fiscal year 2005: 10; 
Fiscal year 2006 through May: 4; 
Fiscal year 2006 target/goal: [B]. 

BSA performance measure: Referrals to tax examiners; 
Fiscal year 2004: 1,663; 
Fiscal year 2005: 1,572; 
Fiscal year 2006 through May: 471; 
Fiscal year 2006 target/goal: [B]. 

Source: IRS Office of Fraud/BSA. 

[A] Information on hours per case and cycle time was not captured until 
January 2005. 

[B] No targets and goals have been identified. 

[C] Information not provided for fiscal years 2004 and 2005. 

[End of table] 

IRS performance measures in table 3 do not provide information on the 
rate of NBFI compliance. Although measuring compliance rates can be 
challenging, IRS has done so for taxpayer compliance of individuals 
under Title 26. IRS's research to validate the risk factors it uses to 
target MSB examinations could also be used to estimate a compliance 
rate for MSBs in CBRS. This compliance rate would not be generalizable 
to the entire MSB or NBFI population; however, it would allow IRS to 
get a better understanding of the extent to which the MSB population 
captured within CBRS complies. Without a measure of the compliance 
rate, IRS and external parties such as Congress will not know the 
effect, over time, of IRS's efforts to ensure compliance. IRS has no 
plans to measure the NBFI compliance rate. 

FinCEN and IRS Lack a Documented and Coordinated Strategy for Improving 
NBFI Compliance with BSA Requirements: 

FinCEN and IRS have taken a number of steps to improve efforts to 
ensure that NBFIs comply with BSA, but they lack a documented and 
coordinated strategy for moving forward. Our previous discussion shows 
that many additional steps could be taken to identify the population of 
NBFIs, ensure compliance of those NBFIs that have been identified, and 
strengthen management of IRS's BSA compliance program. Addressing these 
limitations will be challenging and will take time. The challenges are 
compounded by the fact that the types of NBFIs that are IRS's 
responsibility under the law are growing. Some actions to address these 
challenges could be taken by the agencies individually, but others will 
require a coordinated approach to be effective. Further, limited 
resources and time constraints mean that additional actions will have 
to be prioritized, alternatives will need to be considered, and trade- 
offs may need to be made. FinCEN and IRS do have some elements of a 
strategy to guide future efforts.[Footnote 24] However, FinCEN and IRS 
do not have a documented and coordinated strategy that prioritizes 
actions, lists time frames, and explains resource needs over multiple 
years. 

Without a strategy that prioritizes and guides IRS and FinCEN's 
collective efforts to improve NBFI compliance, the risk is greater that 
noncompliance will go undetected and uncorrected. Noncompliance by 
NBFIs means that suspicious financial transactions, such as money 
laundering and terrorist financing that occur at these institutions, 
might go undetected. 

CI Investigates BSA Criminal Violations and Uses BSA Information 
Extensively: 

CI investigates individuals and businesses, including financial 
institutions, for BSA and money laundering violations, usually in 
conjunction with other tax law violations. 

CI Dedicates a Portion of Its Resources to Investigate Criminal BSA 
Violations: 

BSA investigations constituted roughly 12 percent of CI's direct 
investigative time in fiscal year 2006. Full-time equivalents (FTE) 
dedicated to BSA enforcement from 2002 to 2006 remained relatively 
unchanged, as shown in table 4. 

Table 4: CI's BSA Investigative Time, FTEs, and Costs for Fiscal Years 
2002 through 2006: 

Direct investigative time; 
Fiscal year 2002: 11.1%; 
Fiscal year 2003: 12.3%; 
Fiscal year 2004: 12.4%; 
Fiscal year 2005: 12.0%; 
Fiscal year 2006: 11.8%. 

Total FTEs; 
Fiscal year 2002: 450; 
Fiscal year 2003: 478; 
Fiscal year 2004: 474; 
Fiscal year 2005: 453; 
Fiscal year 2006: 451. 

BSA costs; 
Fiscal year 2002: $56,684,148; 
Fiscal year 2003: $63,760,525; 
Fiscal year 2004: $69,183,775; 
Fiscal year 2005: $66,516,938; 
Fiscal year 2006: $68,286,292. 

Source: IRS's Criminal Investigation Management Information System. 

[End of table] 

CI highlighted enhancing BSA compliance in its strategy and program 
plan for fiscal years 2005 through 2006. In the plan, CI outlines its 
strategies to support IRS's strategic plan goal to enhance enforcement 
of tax laws. One of CI's major compliance strategies involves 
effectively working with Treasury, the Department of Justice and other 
law enforcement partners among other things, to enhance BSA compliance 
efforts.[Footnote 25] CI recently introduced new performance measures 
based, in part, on a previous TIGTA report and an OMB review. During 
the OMB review, Treasury, CI, and OMB jointly determined that the old 
measure of completed investigations was insufficient to measure program 
effectiveness. As a result, CI introduced three new annual performance 
measures: the number of convictions (a measure of impact on 
compliance), the conviction rate (a measure of quality of 
investigations), and conviction efficiency (a measure of cost 
efficiency). CI reported 296 convictions for BSA violations during 
fiscal year 2006. From fiscal years 2002 through 2006, convictions 
increased about 23 percent. 

CI investigates individuals and businesses for BSA or money laundering 
violations, but according to CI officials, agents do not typically 
investigate many financial institutions for Title 31 violations. 
Generally, if an institution is the subject of an investigation, it is 
for failure to have an anti-money laundering program in place or 
because an individual within the institution is causing the institution 
to not file required forms. According to CI officials, structuring is 
the most common type of BSA violation CI investigates among 
individuals. Structuring occurs when a person conducts or attempts to 
conduct currency transactions at financial institutions for the 
purposes of evading the reporting requirements of BSA. Many BSA 
investigations involve structuring, failure to file reports on 
transactions or bulk cash, and smuggling activities, according to CI 
officials. 

BSA criminal violations are usually investigated in conjunction with 
other tax violations, according to CI officials. In one recent case, a 
sales executive for an international telecommunications company was 
sentenced to 24 months in prison and fined $20,000 in a money 
laundering case involving cash deposits. The sales executive structured 
bank deposits and made 31 cash deposits totaling over $250,000 to 
accounts in two different banks to avoid currency transaction reports 
being filed to IRS. The sales executive forfeited $59,400 and filed 
amended income tax returns to report an additional $250,000 in income 
that he was attempting to hide with his structuring activity. The case 
was developed from information reported in SARs. 

CI Statistics Show Increases in Enforcement Activity for BSA 
Violations: 

BSA convictions increased from fiscal years 2002 through 2006. 
Likewise, investigations completed and prosecutions recommended 
increased during the same period. Table 5 shows CI's BSA investigations 
initiated, investigations completed, prosecutions recommended, and 
convictions. 

Table 5: BSA Investigations Initiated, Investigations Completed, 
Recommendations for Prosecutions, and Convictions for Fiscal Years 2002 
through 2006: 

Investigations initiated; 
Fiscal year 2002: 563; 
Fiscal year 2003: 525; 
Fiscal year 2004: 523; 
Fiscal year 2005: 546; 
Fiscal year 2006: 554. 

Investigations completed; 
Fiscal year 2002: 418; 
Fiscal year 2003: 513; 
Fiscal year 2004: 700; 
Fiscal year 2005: 546; 
Fiscal year 2006: 628. 

Prosecutions recommended; 
Fiscal year 2002: 292; 
Fiscal year 2003: 322; 
Fiscal year 2004: 501; 
Fiscal year 2005: 379; 
Fiscal year 2006: 437. 

Convictions; 
Fiscal year 2002: 240; 
Fiscal year 2003: 239; 
Fiscal year 2004: 310;
Fiscal year 2005: 343; 
Fiscal year 2006: 296. 

Source: IRS's Criminal Investigation Management Information System. 

[End of table] 

CI Is a Large Consumer of BSA Data: 

CI is a big user of BSA data and IRS's database that stores the data-- 
CBRS. CI's enforcement mission coupled with being organizationally 
located within IRS places it in a unique position for utilizing BSA 
data. CI queries CBRS more than any other federal, state, or local 
agency. During fiscal year 2005, CI made about 57 percent of the over 
1.5 million queries made of the system. Additionally, CI was 
responsible for more than 66 percent of the document viewing activity 
in CBRS. 

During 2006, CI transitioned to a new Web-based version of CBRS. CI 
officials reported the system has advantages for improving CI's ability 
to develop investigative leads. One advantage is the ability to conduct 
searches within narratives on BSA reports. Analysts and investigators 
can now search narratives on SARs, for instance, for specific words and 
were unable to do so under the old CBRS system. Another advantage cited 
is the ability to better use downloads of SAR data. With the Web-based 
system, an analyst or investigator can put downloads in Access or 
Excel. Once the data are in a spreadsheet or database management 
applications program, analysts or investigators can easily look for 
trends in certain addresses or occupations. With the old CBRS system, 
the analyst had to print out downloads and manually look at the 
different fields of information from SARs. 

Missed Opportunities for Effective Planning and Poor Project Management 
and Oversight Have Hampered FinCEN's Efforts to Reengineer BSA Data 
Management Activities: 

In 2003 FinCEN began an effort to reengineer BSA data management 
activities However, the cornerstone of FinCEN's reengineering effort, 
BSA Direct R&S, was permanently halted because of a multitude of 
problems. 

FinCEN Missed Opportunities to Effectively Plan, and Coordinate with 
IRS, Early Efforts to Reengineer BSA Data Management: 

FinCEN made two mistakes in the early stages of its effort to 
reengineer BSA data management activities: it began reengineering 
without a comprehensive implementation plan and did not adequately 
communicate and coordinate with IRS. 

FinCEN Began Reengineering BSA Data Management Activities without a 
Comprehensive Implementation Plan: 

According to our Business Process Reengineering Assessment Guide, 
before an agency initiates business process reengineering, a 
comprehensive implementation plan should be developed that spells out 
the work that needs to be done.[Footnote 26] This plan should include 
time frames, milestones, decision points, and resource allocations. 
Although FinCEN commissioned a series of studies to examine and 
recommend an approach to reengineering BSA data management activities, 
these studies were only recommendations and did not constitute a 
comprehensive plan for conducting the reengineering effort. Instead, 
FinCEN made the decision to move forward with one aspect of the broader 
reengineering effort, BSA Direct R&S, before establishing a 
comprehensive plan. FinCEN commissioned the MITRE Corporation to 
develop a comprehensive reengineering plan that would serve as a road 
map for the reengineering effort after the BSA Direct R&S project was 
well under way. Further, this plan was developed under the assumption 
that BSA Direct R&S would be completed successfully. FinCEN expected 
BSA Direct R&S to be the center of FinCEN's broader reengineering 
effort and serve as the catalyst for its execution. 

FinCEN intended to establish the technology for implementing the 
reengineering effort before establishing the reengineering plan itself. 
We have found in examining reengineering and technology acquisition 
efforts that technology is an enabler of process reengineering, not a 
substitute for it. We have also found that acquiring technology in the 
belief that its mere presence will somehow lead to process innovation 
is a root cause of bad investments in information systems. FinCEN's 
decision to implement one aspect of the reengineering effort, BSA 
Direct R&S, before developing a comprehensive plan for conducting the 
broader effort exemplifies this problem. FinCEN viewed BSA Direct R&S 
as a strategic initiative, as it was intended to eventually interface 
with other systems in order to facilitate all BSA reporting and data 
related processes from IRS to FinCEN over time. 

FinCEN Did Not Adequately Communicate and Coordinate Reengineering 
Efforts with IRS: 

FinCEN did not adequately communicate and coordinate its BSA data 
management reengineering efforts with IRS, namely efforts to develop 
new information systems used to house and disseminate BSA data. Had 
better communication and coordination occurred, a more effective 
technology and business solution might have been achieved. The 
cornerstone of FinCEN's effort to take control of all BSA data 
management responsibilities was the development of BSA Direct R&S, a 
new information system that was to store and disseminate all BSA data. 
At the same time, IRS developed its own system, WebCBRS, with many of 
the same capabilities. FinCEN did not actively engage in discussions 
with IRS about WebCBRS as it was being developed. FinCEN, IRS, and 
Treasury all have a role in the reengineering effort. However, FinCEN's 
goal is to take over all BSA data management responsibilities currently 
conducted by IRS. Therefore, FinCEN is driving the reengineering effort 
and has responsibility for communicating and coordinating its 
activities to the other agencies. Key moments in the development of 
these two systems are documented in figure 2. 

This page is left intentionally blank. 

Figure 2: Key Moments in the Development of New BSA Data Management 
Systems: 

[See PDF for image] 

Source: GAO. 

[End of figure] 

In examining the above timeline, we identified at least three missed 
opportunities early in the implementation of the two projects where 
better planning and coordination might have resulted in more effective 
and efficient systems development efforts: 

* In April 2002, Treasury, with FinCEN's input, recommended IRS 
maintain its role in BSA data management; yet over the next 2 years 
FinCEN decided to pursue alternative approaches while IRS initiated the 
transfer of BSA data to WebCBRS, a new system. 

* In the fall of 2003, FinCEN decided to launch the BSA Direct project 
just a month before ECC-DET at IRS secured additional funding and 
accelerated the development of WebCBRS with an anticipated completion 
of 2006 instead of 2009. FinCEN, however, justified the need for BSA 
Direct without fully accounting for (1) the expected capabilities that 
IRS's WebCBRS system would provide and (2) IRS's revised and more 
aggressive conversion schedule. For example, part of FinCEN's 
justification to OMB for BSA Direct was that it would allow IRS to 
discontinue the development of WebCBRS, potentially resulting in 
financial savings for the agency. However, officials at both FinCEN and 
IRS said no discussion on discontinuing IRS's effort ever took place 
before this justification was presented. 

* In December 2004, the Chief Information Officer (CIO) of Treasury 
issued a memorandum documenting key agreements between the department, 
IRS, and FinCEN on the future of BSA data management, but it is unclear 
how some of these agreements were actually implemented. For example, an 
agreement stated that IRS would be a preferred user of FinCEN's system, 
yet IRS officials stated that they remained uninformed throughout the 
process about their current and future access to BSA data. 
Additionally, an agreement stated that the Treasury CIO would lead a 
joint effort to identify, eliminate, and prevent any potential 
duplication of efforts. However, no information was provided to 
demonstrate how this agreement was to be carried out. 

Poor Project Management and Oversight Contributed to the Failures of 
BSA Direct R&S: 

BSA Direct R & S failed, in part, because project management issues 
continued throughout the project's life and were not adequately 
addressed by agency executives. On March 15, 2006, the Director of 
FinCEN placed the BSA Direct R & S project under a temporary "stop 
work" order because of significant cost, schedule, and performance 
issues. Over the following 4 months, FinCEN reassessed the project with 
the assistance of two outside consultants. Then, on July 12, 2006, the 
Director decided to permanently halt the project because of a multitude 
of problems. Among these were inadequate project governance and a lack 
of demonstrated project management expertise by the project contractor 
and FinCEN. 

In a previous review we found that FinCEN did not always apply 
effective investment management processes to oversee the BSA Direct R&S 
project.[Footnote 27] This, in part, contributed to the problems 
experienced by the project, because issues that occurred at the project 
management level continued and were compounded, yet were not addressed 
at the executive level. For example, the MITRE Corporation--the 
organization assisting FinCEN with project monitoring--identified 
multiple occasions where FinCEN did not take action to mitigate project 
risks or address significant descoping of project functionality. 

BSA Direct R&S repeatedly missed program milestones and performance 
objectives and exceeded the project budget. The original cost estimate 
of $8.9 million for the prime contract increased to $15.1 million. Of 
that amount, $14.4 million was spent. FinCEN estimates that an 
additional $8 million would be required for operations and maintenance. 
Also FinCEN could not ensure that any additional investment would 
achieve the desired product. Therefore, FinCEN terminated the project 
and is currently: 

* formalizing a replanning effort for BSA Direct R&S, to include 
strategic, technical, and resource planning issues, as well as 
stakeholder analysis; 

* evaluating the discrete elements of BSA Direct R&S for 
salvageability; and: 

* developing a road map to achieve BSA Direct R&S in steps, as a 
program with multiple projects, both business and technology oriented. 

In our previous review we noted that the problems with BSA Direct R&S 
indicate systemic problems with FinCEN's management and oversight of 
information technology projects. As a result, the Subcommittee on 
Transportation, Treasury, Housing and Urban Development, the Judiciary, 
and Related Agencies, Senate Committee on Appropriations, directed 
FinCEN to ensure it has an executive-level review process for 
information technology projects.[Footnote 28] We also recommended that 
FinCEN develop a plan for managing BSA Direct that focuses on 
establishing policies and procedures for executives to regularly review 
investments progress against commitments and take corrective actions 
when these commitments are not met. In October 2006, FinCEN developed 
an interim information technology management improvement plan that 
acknowledges that these and other actions are needed to build its 
information technology management capabilities. However, the plan 
focuses on improving FinCEN's information technology management 
capabilities but does not address FinCEN's broader efforts to 
reengineer BSA data management activities. 

Based on past issues, FinCEN will continue to face challenges in 
building information technology management capability, while at the 
same time continuing efforts to reengineer and transition BSA data 
management processes. The MITRE Corporation, prior to the failure of 
the BSA Direct project, characterized reengineering of BSA data 
management as a daunting effort, in part, because it involved highly 
interdependent tasks that must be conducted under short implementation 
time frames. The decision to discontinue the BSA Direct R&S project 
provides FinCEN with an opportunity to take a more deliberate and 
disciplined approach to implementing the effort to reengineer BSA data 
management activities. 

Conclusions: 

FinCEN and IRS play important roles in the national effort to combat 
money laundering and terrorist financing activity. Both have recently 
taken significant steps to make their efforts more effective; however, 
a great deal more could and should be done. 

FinCEN and IRS have taken action to improve NBFI compliance with BSA 
requirements, but making significant progress in identifying NBFIs and 
ensuring that they comply with BSA requirements is a long-term effort 
with no simple solutions. In some cases, IRS, FinCEN, or both have 
actions under way but no timetable for finishing. In other cases, 
action has yet to begin. Some of these actions include deciding whether 
to pursue gaining access to taxpayer information, clarifying the 
definition of an MSB, updating the Internal Revenue Manual, developing 
an NBFI compliance examiner's manual, creating a more functional and 
secure mechanism for storing NBFI data, and developing a NBFI BSA 
compliance measure. These actions have not been completed, in part, 
because of competing priorities. However, without a coordinated, 
documented strategy that guides the agencies' approach over time, the 
agencies do not have assurance they are moving in the right direction 
and are limited in their ability to measure progress in achieving 
improvements. Furthermore, Congress and the public will have difficulty 
understanding the overall approach that IRS and FinCEN are taking to 
ensure that NBFIs are complying with BSA. 

To date, FinCEN's effort to reengineer and transition BSA data 
management activities has not been successful. The failure of BSA 
Direct R&S was a considerable setback in this effort. However, FinCEN 
is now in a position to reassess the goals of the reengineering effort 
and develop a comprehensive long-term strategy. FinCEN and IRS must 
also find ways to improve communication and coordination as FinCEN 
proceeds with its effort to reengineer BSA data management activities. 
Moving forward, FinCEN will need to take a measured and disciplined 
approach to strengthening its ability to oversee and manage information 
technology projects. Significant changes, such as FinCEN's data 
management reengineering effort, are complex and slow to implement, 
requiring a long-term, but flexible, strategy and a strong and 
consistent focus to be successful. 

Recommendations for Executive Action: 

To improve BSA compliance, we are making the following 8 
recommendations. 

The Secretary of the Treasury should direct the Director of FinCEN and 
the Commissioner of Internal Revenue to develop a documented and 
coordinated strategy that outlines priorities, time frames, and 
resource needs for better identifying and selecting NBFIs for 
examination. This strategy should include the full complement of 
actions that FinCEN and IRS can take to build a more effective BSA 
compliance program, including the specific compliance program 
recommendations we make below. 

The Director of FinCEN should establish a time frame for revising MSB 
regulations and guidance, including registration requirements. 

The Commissioner of Internal Revenue should decide whether to pursue 
gaining access to taxpayer data for better identifying NBFIs. 

The Commissioner of Internal Revenue should direct the Office of Fraud/ 
BSA to: 

* build upon the study to validate compliance risk factors by 
developing a plan to assess the noncompliance risks posed by all NBFIs; 

* establish time frames for finalizing and publishing the Internal 
Revenue Manual with updated BSA compliance program policies and 
procedures; 

* develop a NBFI compliance examiner's manual that examiners can use to 
guide examinations and businesses can use to ensure they are in 
compliance with BSA requirements, and establish time frames for its 
publication; 

* create a more functional and secure mechanism for storing and 
accessing the information contained in the Title 31 database; and: 

* use the results of the forthcoming risk factor validation study to 
estimate the compliance rate for the population of MSBs from which the 
study sample was drawn. 

To improve BSA data management, we recommend the following: 

The Director of FinCEN, in cooperation with the Commissioner of 
Internal Revenue, should develop and implement a comprehensive and long-
term plan for reengineering BSA data management activities before 
moving forward with the BSA Direct R&S project. This plan, at a 
minimum, should: 

* take a broad and crosscutting approach to the reengineering effort, 
and not focus solely on one component, such as BSA Direct; 

* include short-and intermediate-term goals for reengineering BSA data 
management processes, including the transition of IRS's data management 
responsibilities to FinCEN; and: 

* incorporate collaboration strategies into the plan by clearly 
defining the role of IRS's ECC-DET in the transition process and more 
actively involving it as a key stakeholder in the reengineering effort. 

Agency Comments and Our Evaluation: 

The Director of FinCEN and the Commissioner of Internal Revenue jointly 
provided written comments on a draft of this report in a letter dated 
December 11, 2006 (which is reprinted with its enclosures in app. VI). 
FinCEN and IRS agreed with all our recommendations. The Director and 
Commissioner also stated their appreciation that our report notes the 
steps that FinCEN and IRS have already taken to improve BSA compliance. 
They highlighted staff attrition as another challenge faced by the 
program. The Director and Commissioner also raised some issues about 
the difficulty in drawing a correlation between IRS's process for 
selecting tax returns for audit and selecting NBFIs for BSA compliance 
examination, but we view IRS's tax audit case selection process as a 
potentially useful model for selecting cases--even if the audits are 
for other purposes. 

While agreeing with our first recommendation, the Director and 
Commissioner expressed concern that we did not recognize the efforts 
that they have already taken to better identify and select NBFIs for 
examination. However, IRS's Workload Identification Process, which they 
cite, has not yet been funded. Further, our report recognizes the use 
of BSA information in the CBRS system--which includes SARs. 
Additionally, we acknowledge efforts to improve coordination of BSA 
activities with the states through MOUs. 

If you or your staff has any questions, please contact me at (202) 512- 
5594 or whitej@gao.gov. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. Key contributors to this report are listed in appendix VII. 

Signed by: 

James R. White: 
Director, Tax Issues Strategic Issues Team: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

To describe the Internal Revenue Service's (IRS) and the Financial 
Crimes Enforcement Network's (FinCEN) Bank Secrecy Act (BSA) related 
roles and responsibilities, we reviewed and summarized relevant 
legislative and regulatory authorities. We also reviewed BSA rules and 
guidance, agency reports, and strategic planning documents. Further, we 
interviewed officials at FinCEN and IRS Small Business Self-Employed 
Division (SB/SE) and IRS Criminal Investigations Division (CI), and the 
IRS Enterprise Computing Center at Detroit (ECC-DET). We examined the 
information obtained to determine the BSA roles and responsibilities at 
FinCEN and IRS, changes to these roles over time, and the potential for 
overlap and duplication of responsibilities. 

To determine the extent to which IRS has been effective in managing its 
BSA compliance program and coordinating with FinCEN, we reviewed 
relevant legislative and regulatory authorities. We analyzed data on 
program performance and compared estimates of the nonbank financial 
institutions (NBFI) population. We compared IRS's approach for 
selecting NBFIs for compliance examinations to the approach it uses for 
examining individual tax returns, as well as to guidance from the 
Office of Management and Budget, GAO, and others. We applied our 
criteria for internal controls to the Title 31 database IRS used to 
house and store data for BSA examination cases. We reviewed strategic 
planning documents related to BSA compliance examination and program 
management, including the Internal Revenue Manual, FinCEN and IRS 
strategy and program plans, and expenditure documents. We reviewed 
Treasury Inspector General for Tax Administration (TIGTA) and the 
Department of the Treasury (Treasury) Office of Inspector General (OIG) 
reports and Treasury's response and disposition on recommendations 
made. We also reviewed the Federal Financial Institutions Examination 
Council manual established for federal banking supervisors to ensure 
that the banks have consistent application of BSA requirements. To 
obtain information on the total population of NBFIs in the United 
States for which IRS has BSA compliance examination responsibility, we 
reviewed reports from Coopers & Lybrand, KPMG, and Treasury's OIG and 
Federal Register notices of the interim and final reports that 
contained information on the additional BSA industries IRS will be 
responsible for regulating. We also reviewed documentation on IRS's 
examination and referral processes and IRS's performance measures, 
including the number of cases closed, number of referrals, cycle time, 
hours per case, number of new cases initiated, and cases in inventory. 
We examined IRS's BSA case selection criteria and the Title 31 database 
used to house and store data for BSA examination cases. We examined the 
memorandums of understanding (MOU) established between FinCEN and IRS, 
FinCEN and the states, and IRS and the states. We used our report on 
key collaboration practices as criteria for assessing IRS's and 
FinCEN's efforts to collaborate with each other and the states. We 
interviewed IRS SB/SE officials involved with BSA examinations; BSA 
case selection; and the SB/SE Stakeholder Liaison office involved in 
outreach and education for NBFIs, FinCEN regulatory policy officials, 
officials from Treasury's OIG and TIGTA, and officials from the BSA 
Advisory Group and the Conference of State Banking Supervisors. 

To describe CI's BSA role, we reviewed legislative and regulatory 
authorities, agency reports, strategic planning documents, internal 
policies and processes for conducting investigations and making BSA 
case referrals, and the 1999 Webster Commission Report. We also 
reviewed CI's statistics for BSA-related staffing resources and 
caseload, including full-time equivalents, closed cases, cases with 
violations, and referrals to FinCEN. We interviewed officials from CI, 
SB/SE, FinCEN, the Department of Justice Asset Forfeiture and Money 
Laundering Section, and the Department of Homeland Security Immigration 
and Customs Enforcement on use of BSA data and access to BSA data. We 
assessed the reliability of IRS's Criminal Investigation Management 
Information System--a database containing nationwide data on the status 
of CI investigations: how CI agents use direct investigative time; the 
number and type of staff on board; and the inventory of equipment. Our 
assessment included reviewing existing information about the data and 
the system that produced them and interviewing agency officials 
knowledgeable about the data. We determined that the data were 
sufficiently reliable for the purposes of this report. 

To assess the effectiveness of FinCEN's efforts to reengineer BSA data 
management activities, we reviewed and analyzed BSA Direct planning and 
implementation documents and interviewed agency officials at IRS and 
FinCEN and some users of BSA information, such as federal law 
enforcement agencies. We also reviewed project documents such as the 
Office of Management and Budget Exhibit 300, the original BSA Direct 
contract and revisions, progress reports, interim briefings, and 
project assessments conducted by the MITRE Corporation. We also 
interviewed FinCEN officials responsible for investment management and 
the BSA Direct project, the contractor conducting the BSA Direct 
project, and MITRE Corporation officials involved in the project. In a 
previous review, we also examined FinCEN's application of information 
technology investment management processes to the retrieval and sharing 
component of the BSA Direct project using our guide, Information 
Technology Investment Management: A Framework for Assessing and 
Improving Process Maturity. We did not conduct a comprehensive review 
of FinCEN's investment management practices. We focused on critical 
processes associated with stage 2 of the five-stage framework because 
they represent the practices needed for basic project-level control. 

We performed our review from July 2005 through November 2006 in 
accordance with generally accepted government auditing standards. 

[End of section] 

Appendix II: Reports Required by BSA Regulations: 

Report: Money Service Business Registrations (RMSB); 
Description: Form used by certain MSB to register with FinCEN; 
Who is required to file: Businesses that offer money orders, traveler's 
checks, check cashing, currency dealing or exchange, and stored value, 
and such businesses that conduct more than $1,000 in MSB activity with 
the same person on the same day, or money transfers in any amount.[A]; 
Reports filed in 2005: 16,329. 

Report: Bank Suspicious Activity Reports (SAR-DI); 
Description: Reports that describe insider abuse of financial 
transactions of any amount and type that financial institutions suspect 
may be unusual or irregular, violations of $5,000 or more where a 
suspect can be identified or involve potential money laundering, 
violations aggregating $25,000 or more regardless of a potential 
suspect, and computer intrusion; 
Who is required to file: Financial/depository institutions; 
Reports filed in 2005: 525,750. 

Report: MSB Suspicious Activity Reports (SAR-MSB); 
Description: Reports that describe financial transactions that are 
conducted or attempted by, at, or through an MSB, involve or aggregate 
funds or other assets of at least $2,000, and the MSB knows, suspects, 
or has reason to suspect that the transaction (or pattern of 
transactions of which the transactions are a part) involves funds 
derived from an illegal activity, is designed to evade reporting 
requirements, has no reasonable purpose or explanation, or involves the 
use of the MSB to facilitate criminal activity; 
Who is required to file: Money transmitters; issuers, sellers, and 
redeemers of traveler's checks and money orders; and the U.S. Postal 
Service; 
Reports filed in 2005: 381,304. 

Report: Casino Suspicious Activity Reports (SAR-C); 
Description: Reports that describe financial transactions conducted by, 
at, or through a casino involving at least $5,000 if they are suspected 
to derive from illegal activity, are conducted to hide or disguise 
funds, are designed to evade reporting requirements, have no reasonable 
purpose or explanation, or involve the use of the casino to facilitate 
criminal activity; 
Who is required to file: Casinos and card clubs; 
Reports filed in 2005: 5,865. 

Report: SAR Securities and Futures Industries; (SAR-SF); 
Description: Reports that describe financial transactions conducted by, 
at, or through a broker or dealer in securities involving at least 
$5,000 if they are suspected to derive from illegal activity, are 
designed to evade reporting requirements, have no reasonable purpose or 
explanation, or involve the use of the broker or dealer in securities 
to facilitate criminal activity; 
Who is required to file: Brokers and dealers in securities, futures 
commission merchants, and futures introducing brokers; 
Reports filed in 2005: 6,897. 

Report: Currency Transaction Report (CTR); 
Description: Reports that describe each deposit, withdrawal, exchange 
of currency, or other payment or transfer by, through, or to a 
financial institution, which involves a transaction in currency of more 
than $10,000. Transactions reported include those conducted by, or on 
behalf of the same person, conducted on the same business day, and 
either a single or multiple currency transaction; 
Who is required to file: Financial and nonfinancial institutions; 
Reports filed in 2005: 14,228,961. 

Report: Casino Currency Transaction Report (CTR-C) and Nevada Casino 
(CTRC-N); 
Description: Reports that describe transactions greater than $10,000 in 
currency as well as suspicious transactions. In addition, casinos must 
report suspicious transactions and activities on FinCEN SAR-C. Nevada 
casinos must file Form 103N, Currency Transaction Report by Casinos - 
Nevada (CTRC-N)--reports that describe transactions involving more than 
$10,000 in cash. Also, smaller transactions occurring within a 
designated 24-hour period that; aggregate to more than $10,000 in cash; 
are reportable if the transactions are the same types of transactions 
within the same monitoring area or if different types of transactions 
occur within the same visit at one location; 
Who is required to file: Casinos and card clubs; and Nevada casinos 
with greater than $10,000,000 in annual gross gaming revenue and with 
over $2,000,000 of; table games statistical winnings; 
Reports filed in 2005: 634,912. 

Report: Form 8300; 
Description: Reports of cash payments over $10,000 received in a trade 
or business; 
Who is required to file: Individuals involved in trades or businesses 
that are not financial institutions; 
Reports filed in 2005: 157,920. 

Report: Foreign Bank and Financial Account Report (FBAR); 
Description: Annual reports of financial interest in foreign accounts 
if the aggregated value of a foreign financial account exceeds $10,000 
at any time during the calendar year; 
Who is required to file: Individuals or depository institutions having 
an interest in, and signature or other authority over, one or more 
bank, securities, or other financial accounts in a foreign country; 
Reports filed in 2005: 281,762. 

Report: Designation of Exempt Person (DOEP); 
Description: Reports banks file to exempt eligible customers from 
currency transaction report reporting requirements. Exempt customers 
include banks, government agencies/authorities, listed companies and 
subsidiaries, eligible nonlisted businesses with a history of frequent 
currency transactions, and payroll customers; 
Who is required to file: Depository institutions; 
Reports filed in 2005: 105,775. 

Report: Report of International Transportation of Currency or Monetary 
Instrument (CMIR); 
Description: Reports the transportation (physically, or mailing and 
shipping or receipt) of currency into or out of the United States and 
certain other monetary instruments on any one occasion in excess of 
$10,000; 
Who is required to file: Individuals, corporations, partnerships, 
trusts or estates, and associations; 
Reports filed in 2005: NA[B]. 

Source: GAO analysis. 

[A] Exceptions include (1) businesses serving as agents of another MSB; 
(2) businesses whose only MSB activity is the issuance, sale, or 
redemption of stored value; (3) the U.S. Postal Service or agencies of 
the United States, a state, or a political subdivision of any state; 
and (4) MSB branch offices. 

[B] Information is processed and kept by Immigration and Customs 
Enforcement. 

[End of table] 

[End of section] 

Appendix III: Responsibilities of MSBs under BSA: 

Included within the BSA reporting and record-keeping requirements are 
MSBs. A business is generally considered to be an MSB if (1) it offers 
one or more of the following services: money orders, traveler's checks, 
check cashing, currency dealing or exchange, and stored value and (2) 
the business either conducts more than $1,000 in these activities with 
the same person in one day or provides money transfer services in any 
amount. 

Each business (not including branches) that fits within the definition 
of an MSB is required to register with FinCEN, except for the U.S. 
Postal Service and other agents of the federal, state, or local 
governments, and those businesses that are considered MSBs only because 
they (1) act as agents for other MSBs or (2) act as issuers, sellers, 
or redeemers of stored value. Certain MSBs are required to file 
suspicious activity reports for transactions involving at least $2,000 
in which the MSB believes or has reason to believe that the transaction 
(1) involves funds derived from illegal activity or is intended to hide 
such activity; (2) is otherwise designed to evade the reporting 
requirements under BSA; (3) has no business or apparent lawful purpose 
or is not the type of transaction in which the customer would normally 
be expected to engage; or (4) involves the use of an MSB to facilitate 
criminal activity. 

All MSBs are required to develop and implement risk-based BSA 
compliance programs. MSBs are also required to file currency 
transaction reports for cash transactions of over $10,000, and must 
maintain information pertaining to the sale of and verify the identity 
of those purchasing certain monetary instruments (e.g., money orders 
and traveler's checks) valued from $3,000 to $10,000. MSBs must also 
maintain information on funds transfers of $3,000 or more. 

[End of section] 

Appendix IV: Access to Taxpayer Information for BSA Examinations: 

One way to improve the IRS's knowledge of the NBFI population subject 
to BSA requirements would be to access specific identifying information 
reported on income tax returns. However, the IRS Office of Fraud/BSA is 
unable to use taxpayer information to identify businesses that may be 
subject to BSA requirements. Section 6103 of the Internal Revenue Code, 
which prohibits IRS from disclosing returns or return information 
unless a statutory exception applies, does not currently specifically 
allow disclosure for Title 31 examinations. Over the years, however, 
Congress has amended section 6103 to allow access to taxpayer 
information for specific purposes, including disclosure to federal 
officials for the administration of certain federal laws not relating 
to tax administration. According to Treasury, the burden of supporting 
an exception to the section 6103 prohibition should be on the 
requesting agency, in this case IRS, to make the case for disclosure 
and provide assurances that the information will be safeguarded 
appropriately. To date, IRS has not done so. Table 6 lists the criteria 
Treasury and IRS have applied when evaluating specific legislative 
proposals. 

Table 7: Criteria Applied by Treasury and IRS When Evaluating Specific 
Proposals for Governmental Disclosures: 

Criteria to be addressed by the requesting agency; 
Is the requesting information highly relevant to the program for which 
it is to be disclosed?; 
Are there substantial program benefits to be derived from the requested 
information?; 
Is the request narrowly tailored to the information actually necessary 
for the program?; 
Is the same information reasonably available from another source?. 

Criteria to be addressed by the requesting agency and Treasury/IRS; 
Will the disclosure involve significant resource demands on IRS?; 
Will the information continue to be treated confidentially within the 
agency to which it is disclosed, pursuant to standards prescribed by 
IRS?; 
Other than I.R.C. § 6103, are there any statutory impediments to 
implementation of the proposal?. 

Criteria to be addressed by Treasury/IRS; 
Will the disclosure have an adverse impact on tax compliance or tax 
administration?; 
Will the disclosure implicate other sensitive privacy concerns?. 

Source: Office of Tax Policy, Department of the Treasury. 

[End of table] 

[End of section] 

Appendix V: MOUs on BSA Compliance: 

FinCEN and IRS are forging a more collaborative approach to 
implementing BSA compliance efforts. FinCEN and IRS recognize that a 
more collaborative approach to BSA compliance will allow them to better 
leverage interagency and intergovernmental resources. Since 2005, 
FinCEN and IRS have begun to formalize more collaborative relationships 
with each other and a number of state regulatory/banking agencies that 
examine NBFIs for BSA compliance. The principle vehicle for developing 
these relationships has been the MOUs. These MOUs provide formalized 
procedures for coordinating BSA activities and sharing information. 
Separate MOUs between FinCEN and IRS, FinCEN and 42 state regulatory/ 
banking agencies and Puerto Rico, and IRS and 34 state regulatory/ 
banking agencies and Puerto Rico have been signed. 

* The MOU between FinCEN and IRS establishes procedures for the 
exchange of information between the two agencies with the goal of 
enforcing BSA compliance. The MOU dictates that IRS provide a wide 
range of information to FinCEN through quarterly and annual reports, 
including new or revised examination policies, procedures, or guidance 
and quantitative data on examinations conducted, violations discovered, 
and referrals made. The MOU dictates that FinCEN will provide IRS with 
information on enforcement actions and analytical products on patterns 
and trends as well as provide technical and analytical assistance in 
overseeing industry compliance. 

* MOUs between FinCEN and 42 states and Puerto Rico have been signed in 
an attempt to advance the sharing of information and enhance uniform 
application of BSA. FinCEN expects to receive information on businesses 
examined and enforcement actions taken. In exchange, the states expect 
to receive analytical tools from FinCEN that will maximize resources 
and highlight areas and businesses with higher risk for money 
laundering. Both FinCEN and the states expect the agreements to help 
them improve the coordination of collective actions and concerns by 
providing a clearer picture of the various financial industries 
regulated. 

IRS has signed MOUs with 34 states and Puerto Rico to establish 
information sharing to assist in the examination of MSBs and other 
NBFIs. The IRS/State MOUs involve the coordination of examination 
activities and the sharing of examination procedures, schedules, and 
lists of MSBs. These MOUs are different from the MOUs between FinCEN 
and the states because FinCEN's agreement involves FinCEN sharing 
analytical information gathered from various regulators. By 
collaborating with the states, IRS hopes to improve the quality and 
coverage of compliance examinations and make better use of examination 
resources. The agreements established in the MOUs are intended to 
eliminate duplicative examination efforts and regulatory requirements, 
and build greater quality and consistency through training. IRS, 
FinCEN, and the states have only recently begun to implement the 
agreements in the MOUs. 

[End of section] 

Appendix VI: Comments from the Financial Crimes Enforcement Network and 
Internal Revenue Service: 

Department Of The Treasury: 
Washington, D.C. 20220: 

December 11, 2006: 

Mr. James R. White: 
Director, Tax Issues Strategic Issues Team: 
United States Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. White: 

Thank you for the opportunity to respond to your draft report entitled 
"Bank Secrecy Act: FinCEN and IRS Need to Improve and Better Coordinate 
Compliance and Data Management Efforts" (GAO-07-212). 

Your report offers two primary recommendations: 1) that the Financial 
Crimes Enforcement Network (FinCEN) and IRS develop a documented and 
coordinated strategy for improving Non-Bank Financial Institutions' 
(NBFIs') compliance with Bank Secrecy Act (BSA) requirements; and 2) 
that FinCEN strengthen its BSA data management reengineering by 
developing a long-term plan that includes coordination with the IRS. As 
your report notes, most of these efforts are already underway. 

The IRS BSA Program, established in 2005, has built a business process 
for assessing Title 31 noncompliance. The IRS is dedicated to seeking 
enhancements to this new program and welcomes the recommendations 
outlined in this report for improvements in training, procedural 
guidance, case identification and selection capabilities, as well as 
database capacity and program measures. 

One of the challenges facing the IRS BSA Program that was not 
identified in the draft report is staffing attrition. As of October 1, 
2005, the IRS employed 305 BSA field examiners with a goal of employing 
385 examiners by September 30, 2006. The IRS hired an additional 101 
BSA field examiners during FY 2006, but due to attrition retained only 
349 examiners as of October 1, 2006. In order to address the staffing 
challenge, the IRS has increased its staff recruitment efforts for FY 
2007 by collaborating closely with recruiters, participating in an 
internship program, and offering recruitment bonuses in certain hard to 
fill locations. 

Similar to your July 2006 report, "Observations on the Financial Crimes 
Enforcement Network's (FinCEN's) BSA Direct Retrieval and Sharing 
Project" (GAO-06-947R), this report concludes that FinCEN's failed 
attempt at reengineering BSA data management was due to poor project 
management and oversight. FinCEN acknowledges these project management 
deficiencies and, as a result, has developed a comprehensive 
Information Technology (IT) Management Improvement Plan that emphasizes 
continued maturation of the bureau's IT governance processes and 
project management capabilities. In addition, FinCEN and the IRS also 
agree with the report's recommendation to develop a long-term plan that 
includes coordination between FinCEN and the IRS while the future of 
BSA Direct is reevaluated. 

We appreciate that your report notes the significant steps that FinCEN 
and the IRS have taken to improve Bank Secrecy Act compliance by NBFIs. 
As your report correctly states, the actions needed to improve 
compliance will require a long-term effort. Accordingly, we concur with 
your recommendation that FinCEN and the IRS work jointly to develop and 
document a coordinated strategy to improve BSA compliance by NBFIs. 

While we share your concern with the current approach to selecting 
individual NBFIs for compliance examinations, we believe that it is 
difficult to draw a correlation to the IRS process for selecting 
individual income tax cases for examination, due to the differing 
missions of the individual taxpayer examination program and that of the 
BSA compliance program. The IRS BSA program does not enforce tax filing 
or payment compliance and does not usually generate federal revenue; 
instead, its purpose is to safeguard the financial system from the 
abuses of financial crime, including terrorist financing, money 
laundering, and other illicit activity. As we move forward, the IRS 
will continue to work on a better selection process for BSA compliance 
examinations while FinCEN continues to evaluate the appropriateness of 
current regulations for the money services business industry and 
considers potential changes to the regulatory framework. 

Responses to specific recommendations are enclosed. If you have any 
questions, please call us or a member of your staff may contact Eileen 
Mayer, Director for BSA/Fraud, Small Business/Self-Employed Division, 
Internal Revenue Service, at (202) 283-2426 or Jamal EI-Hindi, 
Associate Director for Regulatory Policy and Programs, Financial Crimes 
Enforcement Network, at (703) 905-6414. 

Sincerely, 

Signed by: 

Mark W. Everson: 
Commissioner of Internal Revenue: 

Signed by: 

Robert W. Werner: 
Director, Financial Crimes Enforcement Network: 

Enclosure: 

Enclosure: 

To improve BSA compliance, GAO recommends: 

Recommendation: 

The Secretary of Treasury direct the Director of Financial Crimes 
Enforcement Network (FinCEN) and the Commissioner of the Internal 
Revenue Service (IRS) to develop a documented and coordinated strategy 
outlining priorities, timeframes, and resource needs for better 
identifying and selecting NBFIs for examination. This strategy should 
include the full complement of actions that FinCEN and IRS can take to 
build a more effective BSA compliance program, including the specific 
compliance program recommendations we make below. 

Response: 

While we agree that development and coordination of plans between 
FinCEN and IRS would be beneficial in maximizing compliance with the 
BSA and USA PATRIOT Act, the report fails to recognize significant 
efforts IRS and FinCEN have taken to better identify and select Non- 
Bank Financial Institutions (NBFIs) for examination. The IRS's 
initiative to secure funding for the BSA Workload Identification 
Process (WIP), as explained below, is representative of IRS efforts. In 
addition, FinCEN and IRS are using Suspicious Activity Report (SAR) 
information to assist in identifying unregistered Money Services 
Businesses (MSBs). FinCEN and IRS are also coordinating with various 
law enforcement and state regulatory agencies to identify these 
unregistered entities through a variety of means. Once identified, IRS 
is providing outreach activities which include educating these 
unregistered MSBs on their potential obligations under the BSA. 

In October 2005, the IRS BSA Program participated in the IRS's 
Modernization Vision and Strategy (MV&S) process to identify and fund 
critical business automation needs. The BSA WIP Project request was 
submitted for FY 2008 funding. This project has two components - 
workload identification and an electronic case file. WIP would provide 
automated risk-based classification of IRS BSA Title 31 and Title 26 
inventory and use third party data from federal, state, and commercial 
sources to identify entities operating outside of federal regulatory 
programs. Electronic case files would automate the reengineered BSA 
examination process and reduce case building and cycle time. 

Since the WIP request for $2.65 million from the FY 2008 IRS 
Modernization account was not among the 24 funded projects, a revised 
WIP proposal was submitted in October 2006, requesting funding for FY 
2009 and FY 2010. The needs are estimated at $2.937 million for FY 2009 
and $1.743 million for FY 2010. WIP Release #1 would include workload 
identification features and Release #2 would include an electronic case 
file process. Later releases might also provide the ability to attach 
scanned documents to an electronic case file. If this project is funded 
as a Modernization initiative in FY 2009 and FY 2010, a request will be 
submitted for additional IRS BSA funds to support a full-time project 
manager, refine requirements, plan security needs, and begin Enterprise 
Life Cycle documentation before modernization money becomes available 
in FY 2009. A decision is expected on modernization funding in February 
2007. 

Recommendation: 

The Director of FinCEN establish a timeframe for revising MSB 
regulations and guidance, including registration requirements. 

Response: 

As stated in your report, FinCEN's first priority is to make 
improvements in ensuring the current list of MSB registrants is 
accurate. IRS and FinCEN are, however, in the process of evaluating the 
current regulatory regime as it applies to the MSB industry taking into 
consideration the impact of any proposed rule change on all relevant 
entities. For example, the IRS supports a regulatory change that will 
increase information available to them for the purpose of identifying 
and examining NBFIs. One alternative might be requiring the 
registration of MSB agents who are not presently required to register. 
Although this is one of many regulatory options currently being 
explored, FinCEN continues to receive feedback on other alternatives 
that require careful consideration before a definitive timeframe is 
established as to how we will proceed. 

Recommendation: 

The Commissioner of the IRS decide whether to pursue gaining access to 
taxpayer data for better identifying NBFIs. 

Response: 

We agree that access to some taxpayer data may be beneficial in 
assisting IRS to more effectively and efficiently identify NBFIs. 
Because the confidentiality of tax data is critical to voluntary 
compliance, Treasury policy requires a business case to support 
exceptions to disclosure. IRS will take actions in order to determine 
whether a business case exists for pursuing legislative change to allow 
Title 26 information to be used for Title 31 purposes. IRS will 
establish a working group to determine the merit of the initiative. IRS 
Office of Disclosure will provide oversight and guidance in this 
effort. 

Recommendation: 

The Commissioner of the IRS directs the Office of BSA/Fraud to build 
upon the study to validate compliance risk factors by developing a plan 
to assess the noncompliance risks posed by NBFIs. 

Response: 

We agree that this recommendation would benefit the IRS BSA Program. 
After evaluating the results of the current study, IRS will consider 
the feasibility of preparing the recommended plan. 

Recommendation: 

The Commissioner of the IRS directs the Office of BSA/Fraud to 
establish timeframes for finalizing and publishing the Internal Revenue 
Manual with updated BSA compliance program policies and procedures. 

Response: 

IRS is finalizing an update of the Internal Revenue Manual (IRM). IRM 
4.26 Sections 1, 2, 4, 6, 7, 13, 14 and 15 were published on November 
17, 2006. IRM 4.26 Sections 8 through 12 have been update and forwarded 
for publishing. The IRM 4.26 Sections 3, 5 and 17 are undergoing final 
internal review and will be forwarded for publishing within the next 30 
days. Section 4.26.16, FBAR Law, is currently being revised and will be 
forwarded for publishing within the next 90 days. 

Recommendation: 

The Commissioner of the IRS directs the Office of BSA/Fraud to develop 
a NBFI compliance examiner's manual that examiners can use to guide 
examinations, and businesses can use to ensure they are in compliance 
with BSA requirements, and establish timeframes for its publication. 

Response: 

We agree with this recommendation. This task has been assigned to an 
IRS BSA Senior Manager. By December 31, 2006, IRS BSA management will 
issue a plan to develop and deliver a compliance examiner's manual. 

Recommendation: 

The Commissioner of the IRS directs the Office of BSA/Fraud to create a 
more functional and secure mechanism for storing and accessing the 
information contained in the Title 31 database. 

Response: 

We agree with this recommendation and have taken significant steps to 
implement a functional and secure mechanism for information contained 
in the Title 31 database. IRS's Modernization and Information 
Technology Services (MITS) began developing a new Title 31 database in 
September 2006 and will enter the test production stage in December 
2006. The new database will continue to be fully supported by MITS. The 
server on which the new database will reside has been in operation for 
the past two years, handling various other IRS applications which are 
considerably larger than the new Title 31 database. The server capacity 
is three terabytes. Current users of the server have not experienced 
any connectivity problems to date. 

Recommendation: 

The Commissioner of the IRS directs the Office of BSA/Fraud to use the 
results of the forthcoming risk factor validation study to estimate the 
compliance rate for the population of MSBs from which the study sample 
was drawn. 

Response: 

We concur with this recommendation. After concluding the current risk 
factor validation study, the IRS BSA management and Research functions 
will work to estimate a compliance rate for the MSB population. 

Recommendation: 

To improve BSA data management, GAO recommended that the Director of 
FinCEN, in cooperation with the Commissioner of IRS, develop and 
implement a comprehensive, long-term plan for reengineering BSA data 
management activities before moving forward with the BSA Direct R&S 
project. This plan, at a minimum should: 

* Take a broad and cross-cutting approach to the reengineering effort, 
and not focus solely on one component, such as BSA Direct; 

* Include short-and-intermediate-term goals for reengineering BSA data 
management processes, including the transition of IRS's data management 
responsibilities to FinCEN; and: 

* Incorporate collaboration strategies into the plan by clearly 
defining the role of IRS's Enterprise Computing Center at Detroit in 
the transition process and more actively involving them as key 
stakeholders in the reengineering effort. 

Response: 

We concur with the report's recommendation to develop a long-term plan 
that includes coordination between IRS and FinCEN as they reevaluate 
the future of BSA Direct. In fact, preliminary planning is already 
underway and IRS and FinCEN anticipate meeting within the next 60 days 
to begin developing a comprehensive strategy for BSA data management 
that takes into consideration the new capabilities of the web-based 
Currency and Banking Retrieval System (WebCBRS). 

[End of section] 

Appendix VII: GAO Contact and Acknowledgments: 

GAO Contact: 

James R. White (202) 512-5594 or whitej@gao.gov: 

Acknowledgments: 

In addition to the above contacts Signora May, Assistant Director; Sean 
Bell; Brian James; Katrina Taylor; and Shamiah Woods made significant 
contributions to this report. Danny Burton, Evan Gilman, Timothy 
Hopkins, Shirley Jones, Barbara Keller, Jeffrey Knott, Donna Miller, 
and Sabine Paul also made key contributions. 

FOOTNOTES 

[1] Bank Secrecy Act, titles I and II of Pub. L. No. 91-508, 84 Stat. 
1114 (1970), as amended, codified at 12 U.S.C. §§ 1829b, 1951-1959, and 
31 U.S.C. §§ 5311-5322. 

[2] S. Rep. No. 108-342 (2004) and Consolidated Appropriations Act, 
2005. Pub. L. No. 108-447. 

[3] H.R. Rep. 108-792 (2004). 

[4] See GAO, Information Technology Management: Observations on the 
Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval 
and Sharing (BSA Direct R&S) Project, GAO-06-947R (Washington, D.C.: 
July 14, 2006). 

[5] USA PATRIOT ACT, Pub. L. No. 107-56, 15 Stat. 272 (2001). 

[6] 31 C.F.R. § 103.29. 

[7] 31 C.F.R. § 103.57(h). 

[8] 31 U.S.C. § 5322(b). 

[9] The study reported the total number of NBFIs is estimated at 
158,000. The study conducted a discovery process to identify businesses 
that provided services involving (1) check cashing, (2) money orders, 
(3) money transmission, (4) retail foreign currency exchange, and (5) 
travelers checks. 

[10] The study reported the total number of MSBs nation wide is 
estimated to be 203,207 with a 95% confidence interval. The study 
conducted a survey of a representative sample of 24,000 potential MSBs 
and got a 10 percent response rate. The MSBs provided services 
involving (1) check cashing, (2) money orders, (3) money transmission 
(domestic and international), (4) foreign currency exchange, (5) stored 
value, and (6) traveler's checks. 

[11] Each business (not including branches) that fits within the 
definition of an MSB is required to register with FinCEN, except for 
the U.S. Postal Service and other agents of the federal, state, or 
local government and those businesses that are considered MSBs only 
because they (1) act as agents for other MSBs or (2) act as issuers, 
sellers, or redeemers of stored value. 

[12] Department of the Treasury, Office of the Inspector General, Bank 
Secrecy Act: Major Challenges Faced by FinCEN in Its Program to 
Register Money Service Businesses, OIG-05-050 (Washington, D.C.: Sept. 
27, 2005). 

[13] I.R.C. § 6103 provides that tax returns and return information are 
confidential and may not be disclosed by IRS, other federal employees, 
state employees, and certain others having access to the information 
except as provided in I.R.C. § 6103. I.R.C. § 6103 allows IRS to 
disclose taxpayer information to federal agencies and authorized 
employees of those agencies for certain specified purposes. 

[14] Some states incorporate BSA compliance reviews as part of safety 
and soundness examinations they conduct on certain MSBs. 

[15] Successfully completing a validation study offers assurance that 
the final results are sufficiently robust and that the method can be 
relied on for reproducible results. For an example, see GAO, Anthrax 
Detection: Agencies Need to Validate Sampling Activities in Order to 
Increase Confidence in Negative Results, GAO-05-251 (Washington. D.C.: 
Mar. 31, 2005). 

[16] The most recent such assessment was called the National Research 
Program. See GAO, Tax Administration: IRS Is Implementing the National 
Research Program as Planned, GAO-03-614 (Washington, D.C.: June 16, 
2003). 

[17] GAO, Risk Management: Further Refinements Needed to Assess Risks 
and Prioritize Protective Measures at Ports and Other Critical 
Infrastructure, GAO-06-91 (Washington, D.C.: Dec. 15, 2005). 

[18] GAO, Bank Secrecy Act: Financial Institution Regulators' 
Compliance Examinations, GAO/GGD-86-94 (Washington, D.C.: Aug. 1, 
1986). 

[19] See Treasury Inspector General for Tax Administration, Additional 
Efforts Are Needed to Improve the Bank Secrecy Act Compliance Program, 
2004-30-068 (Washington, D.C.: Mar. 12, 2004). 

[20] The Title 31 database is the primary source of data for building 
cases for BSA examination because it contains all the information IRS 
has on NBFIs and potential NBFIs. The database includes business names, 
owners, employees, addresses, and types of financial services offered. 
It is also where IRS documents the status of compliance examination 
activity, such as case summaries and results of past examinations. 
Therefore, there is the potential for the same NBFIs to be identified 
in both the Title 31 database and CBRS. 

[21] Treasury Inspector General for Tax Administration. 

[22] FFIEC's five member agencies are the Board of Governors of the 
Federal Reserve System, Federal Deposit Insurance Corporation, National 
Credit Union Administration, Office of the Comptroller of the Currency, 
and Office of Thrift Supervision. 

[23] This FFIEC Bank Secrecy Act/Anti-Money Laundering Examination 
Manual was published on June 30, 2005. It provides guidance to 
examiners for carrying out compliance and Office of Foreign Assets 
Control examinations. An effective compliance program requires sound 
risk management; therefore, the manual also provides guidance on 
identifying and controlling risks associated with money laundering and 
terrorist financing. The manual contains an overview of compliance 
program requirements, risks and risk management expectations, industry 
sound practices, and examination procedures. 

[24] Both FinCEN and IRS have developed some elements of a strategy. 
IRS has a Concept of Operations for the Office Fraud/BSA that describes 
the strategic objectives, goals, and outcomes of the program, as well 
as an annual program letter that describes the program priorities for 
the fiscal year. FinCEN has a strategy to improve MSB compliance. 

[25] In GAO, Bank Secrecy Act: Opportunities Exist for FinCEN and the 
Banking Regulators to Further Strengthen the Framework for Consistent 
BSA Oversight, GAO-06-386 (Washington, D.C.: Apr. 28, 2006), we 
reported on some of the BSA criminal cases pursued by the Justice 
Department. 

[26] GAO, Business Process Reengineering Assessment Guide, GAO/AIMD- 
10.1.15 (Washington, D.C.: May 1997), provides a general framework for 
assessing a reengineering project, from initial strategic planning and 
goal setting to post-implementation assessments. 

[27] GAO-06-947R. 

[28] S. Rep. No. 109-293 (2006). 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. 
To have GAO e-mail you a list of newly posted products every afternoon, 
go to www.gao.gov and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 
512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. 
Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548: 

Public Affairs: 

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548: