The Case for Financial Crime Bounty Hunters
Our existing systems for detecting financial crime are failing. In a new article, I propose an alternative solution: create a market for detection.
This post is based on my forthcoming article in the Berkeley Business Law Journal, titled “Licensed Detection Agents: The Case for Financial Crime Bounty Hunters.”
It was just the type of document I was hoping to find.
Buried beneath endless layers of digital files, each poorly labelled and filled with unsearchable PDFs, was an organizational structure chart. The presence of this chart was not, in itself, surprising. It is one of the many documents financial institutions are required to collect when performing due diligence on new customers. What made this chart notable was who it named as the company’s owner. Namely: an individual with alleged ties to a ruthless terrorist group.1
I was not reviewing these files as a regulator. Nor was I a journalist chasing down some lead. Rather, I was supporting a corporate monitorship, an obscure but highly consequential tool of criminal enforcement. Monitorships arise when prosecutors determine that a company has broken the law at scale. Perhaps a bank has been failing to perform due diligence for years, allowing North Korean agents to launder stolen funds through riverboat casinos. Or maybe it’s a mining conglomerate bribing officials across central Africa. You know, that kind of thing.
Rather than bring criminal charges immediately, prosecutors can strike a deal with these companies. Specifically, they can defer criminal charges on the condition that the firm makes certain improvements to its internal controls. In the U.S., these are called Deferred Prosecution Agreements. Prosecutors have various motivations to offer these DPAs. One is strategic. Taking on powerful, well-heeled corporations in court is an expensive proposition, one that prosecutors may lose. DPAs avoid these risks and offer a quicker PR victory.2
Another motivation is more practical. Governments around the world have outsourced financial crime detection to the private sector, an approach that is often referred to as the “gatekeeper” model. Like bodyguards at a nightclub, these firms are expected to monitor every client and, where necessary, report suspicious activity. This is no small thing. Gatekeeper surveillance is the primary mechanism by which states obtain leads on money laundering, sanctions evasion, and other financial crimes. Therefore, when gatekeeper controls fail, states have an interest in fixing those controls rather than simply winning a short-term court battle.
But how do you know if the company is holding up its end of the deal? Enter the corporate monitor. This private individual — usually a former prosecutor — is selected to oversee the process and file progress reports. The monitor is not, however, merely observing. They will also dispatch teams of consultants around the world to perform onsite inspections. I was one of those consultants. And, sitting in a drab conference room late one night during one of my first monitorships, I was staring with excitement at what was surely a major discovery.
Well, maybe not. When I presented my findings the next morning, my boss, hardened through years of experience, simply rolled their eyes and shrugged. This kind of thing happens all the time, they explained through slurps of hazelnut-flavored coffee and rushed bagel bites. Sure, we’ll add it to the excel sheet. But this is pretty standard stuff. I mean you should have seen the last bank. Anyways, what do you think they’re going to serve for lunch? I hope it’s not the tuna wraps…
A Broken System
Unfortunately, my former boss was correct on both counts. Tuna wraps were indeed the lunch platter of the day (faux cheese for the vegans). And the type of oversight I observed, in which a gatekeeper failed to spot that it was onboarding a client with potential ties to terrorist financing, is disturbingly common.
This is not for want of investment. Gatekeepers spend more than $200 billion per year on their Anti-Money Laundering obligations.3 That is twice the annual budget of the U.S. State Department.4 Or 6.5 USAIDs.5 And if we consider the additional billions spent to detect insider trading and market manipulation, the total cost of gatekeeper surveillance probably exceeds the entire annual budget of the UK’s National Health Service.6 Here in the Netherlands, 20% of the entire banking workforce is dedicated to financial crime compliance.7 Read that again! And those costs are often passed on to consumers in the form of higher banking fees.8
And what is the return on that investment? Well, it’s difficult to measure. But our best available estimates suggest we identify less than 1% of global money laundering. As one scholar has adeptly summarized, AML may be “the world’s least effective policy experiment.”9 But it’s not just ineffective. It is also motivating banks to cease offering cross-border services to “high-risk” countries, a trend that disproportionately hurts developing countries.10 And as we have previously discussed, AML rules effectively force banks to engage in discrimination, making it harder for certain nationalities to access basic banking services.
Nor is it just AML. We rely on exchanges, brokers, and other market actors to identify insider trading and manipulation. Yet we fail to detect 99.7% of cases where criminals manipulate the closing price of stocks.11 I could keep citing statistics, but I think you get the idea. What the evidence suggests, in aggregate, is that gatekeeper models for financial crime detection are woefully inefficient.
So what’s the problem? There are, of course, many factors. Gatekeeper expectations are not always clearly specified. And sometimes regulators lack sufficient resources to follow up on legitimate tips. But the real issue is that we are relying on private firms to monitor their own clients. It is an obvious conflict. And there is substantial evidence that gatekeepers underinvest in compliance, look the other way, or, in extreme cases, assist criminal schemes to maintain client relationships.
Take enforcement data. Gatekeepers have incurred more than $62 billion in civil fines for compliance failures since 2007.12 And once an institution is fined, there is a high likelihood it will be fined again. Deutsche Bank received AML-related civil penalties in 2003, 2004, 2013, 2015, 2017, 2020, and 2023.13 This is typical. And it is not hard to find scandalous cases of non-compliance. The first post of this Substack examined, for example, the indictment of Binance. The crypto exchange admitted that it failed to report more than 100,000 suspicious transactions.14 And it had a process for tipping off VIP clients if they were the subject of a law enforcement inquiry.15 A case that the Trump administration now calls “overly prosecuted.”16
What we have, in other words, is a global system for financial crime detection built on conflicts of interest. But in a forthcoming article, I present an alternative solution. One that leverages the power of self-interest to fight financial crime. I call it the Licensed Detection Agent, or LDA, program. While the analogy is somewhat skewed, you can usefully think of LDAs as financial crime bounty hunters. And they are inspired by a long history of paying private actors to report criminal activity.
The Power of the Purse
The year is 1863. Abraham Lincoln has just signed the Emancipation Proclamation as the Civil War enters its third year. The Union Army is facing a multitude of challenges both on and off the battlefield. A demoralizing defeat at Chancellorsville. Riots in New York against the draft. The launch of Robert E. Lee’s Gettysburg march. But amidst all the noise, there was another challenge facing the army, one that posed a dire threat to its capacity to sustain the war effort: supply chain fraud.
The Union Army, like most armies, did not manufacture its own supplies. Instead, it relied on contractors. But in the early days of the Civil War, those contractors were constantly defrauding the government. The Army was receiving sickly horses, guns that didn’t work, and artillery shells filled with sawdust. Harper’s Weekly, a Northern newspaper, mocked “Albany” contractors tricking the army, critiques that sadly also carried a heavy dose of anti-Semitism:
Fixing this problem wasn’t easy. The U.S. government, already strained, did not have the capacity to investigate every shipment. So they turned to the public. Specifically, Senator Jacob M. Howard introduced a bill that would effectively reward citizens for reporting contractor fraud. He called it the False Claims Act. And as he explained in Congress in 1863, the FCA was based on the power of self-interest:
In short, sir, I have based [the False Claims Act] upon the old-fashioned idea of holding out a temptation, and ‘setting a rogue to catch a rogue,’ which is the safest and most expeditious way I have ever discovered of bringing rogues to justice.17
The FCA allows private persons, known as ‘relators,’ to sue other private persons they suspect of defrauding the U.S. government. If the lawsuit is successful, relators are entitled to a proportion of any successfully recovered funds (15-30%). I analyzed the program’s performance following the passage of certain legislative improvements in 1986. Since that year, and adjusting for inflation, the government has awarded relators about $13.1 billion in return for $76.6 billion in successfully obtained settlements and judgments. That’s an ROI of ~486%.
This is not the only program of its kind. The Internal Revenue Service, for example, has long offered rewards for blowing the whistle on tax evasion. From 2003-2024, the IRS awarded $1.6 billion to whistleblowers in return for tips that allowed them to recover $9.8 billion of unpaid taxes.18 The SEC and CFTC, America’s market regulators, run similar programs with equally positive returns. That includes a case in which the SEC awarded $279 million to a single whistleblower.19
Nor is this a uniquely American phenomenon. South Korea has paid whistleblowers for reporting tax evasion since 1951.20 Other countries offering whistleblower reward programs include Brazil, Canada, Ghana, Hungary, Lithuania, Malaysia, Montenegro, Pakistan, Peru, and Vietnam.21 And there are all sorts of private sector initiatives that operate on a similar basis. Tech companies, for example, have “bug bounty hunting” programs, in which they will pay individuals — white-knight hackers — who identify and report security vulnerabilities in their software.22
The evidence, in sum, is clear: monetary incentives work.23 And there is precedent for paying private citizens to blow the whistle on financial crime. But we can’t just rely on whistleblowers to solve all our problems. Very few people are willing to undertake the tremendous personal risk of reporting their own employers. We need an alternative system. One that transforms whistleblowing from a secret exercise to a professional occupation. What we need, in other words, is LDAs.
Licensed Detection Agents
The LDA program would create a new class of private firms that are licensed to surveil transactions and financially rewarded for reporting suspicious activity. There are many types of firms that could act as LDAs. But the most likely candidates are consultancies and software providers. Forensic consultancies, like the ones I used to work for, have direct experience performing these tasks. And companies that provide financial crime detection software would have the opportunity to apply their own products to real-world data in return for monetary rewards.
The first step is licensing. Firms would submit applications to regulators for the right to operate as LDAs. This would involve demonstrating that the firm has the resources, expertise, and experience to perform the task. That licensing would be conditional on maintaining certain operational standards, including, crucially, those pertaining to the protection of client data. Regulators would incur some costs to set this up. But they have plenty of experience overseeing similar processes.
The second step is data provision. Regulators would provide LDAs with direct access to transactional data where possible. In U.S. securities markets, for example, the SEC could grant LDAs access to the CAT database. Another example is situations where banks contribute to a shared database of client transactions. Until recently, the largest Dutch banks ran precisely such a system.24 LDAs could access these pools of data for the purpose of performing cross-bank surveillance.
If those systems do not exist, regulators would obligate banks, exchanges, and other gatekeepers to make their data available to LDAs. They may not like this. And it would likely be necessary to provide gatekeepers with guarantees that it is only their clients, rather than themselves, whom LDAs are monitoring. But surely no self-respecting bank would object to finding criminal clients, right? Indeed, no one wants to identify these bad actors more than industry leaders like Jamie Dimon or Brian Moynihan. At least that’s the talking point I would push on Capitol Hill.
Once LDAs identify suspicious transactional activity, they would be asked to submit in-depth reports to regulators. If those reports lead to recoveries, LDAs would be entitled to a non-capped percentage (perhaps in the region of 30%). These large payouts are the primary motivation to act as LDAs. But they also take time. To ensure acting as an LDA is a viable business proposition, I would also propose paying LDAs a nominal fee for each in-depth report. The requirements for these payouts would be extensive and strictly enforced to avoid the risk of spurious overreporting.
What the LDA program would do, in other words, is create a competitive market for detecting financial crime. It would also pay for itself, generating revenue for the state that would greatly exceed its implementation costs. Like any policy proposal, the LDA program features risks. And I talk at length in the article about how these risks can be mitigated. But, if carefully implemented, LDAs would improve an essential component of the enforcement process. Namely, it would provide regulators with a crucial new source of information on criminal activity.
Take it Easy Hayek
Is this a radical proposal? It has occurred to me throughout the research process that I may sound to some like a rabid capitalist. “Greed, for lack of a better word, is good,” so proclaimed Gordon Gekko. And I suppose I’m saying something similar. But this is not about blind faith in the power of markets. Nor is it a libertarian diatribe against the state. It is, instead, about finding a way to more effectively detect financial crime while also respecting personal privacy.
Because the problem is not just about incentives. If that were the only issue, we could just let the state perform surveillance on our transactions. But state surveillance is, for many, a step too far. It arouses deep concerns about personal privacy and the dangers of Big Brother-style totalitarianism. One might think that corporate monitors offer a solution to this tension. But monitors only possess access to small samples of data and thus cannot perform comprehensive surveillance.
What we face, in other words, is a Detection Trilemma. No existing form of detection can, I contend, offer more than two of the following three desirable policy attributes: data access, positive incentives, and privacy protection. This argument is graphically depicted in the figure below. Each form of detection features the two adjoining policy attributes while lacking the one opposite.
LDAs offer a solution to this trilemma. Unlike corporate monitors, they would possess access to the necessary data. And unlike gatekeepers, they would be incentivized to detect financial crime. Would they also offer privacy protection? Yes. LDAs would act as a barrier between citizens and the state, only sharing the former’s personal data with the latter when specific conditions are satisfied. This is not perfect. But it offers greater protections than those offered by direct state surveillance.
What the LDA program is trying to do, in sum, is navigate a complex set of competing priorities. And it achieves that through the power of self-interest. Because as Jacob M. Howard once said, sometimes you need a rogue to catch a rogue. All that’s missing is a market where the rogues can be unleashed.
For obvious reasons, I am not disclosing here any identifiable details regarding this case, the bank, my former employer, or the specific engagement. Nothing in this anonymized anecdote should be construed as referring to any particular person or firm.
FORRESTER, TRUE COST OF FINANCIAL CRIME COMPLIANCE STUDY, 2023 (2023), https://risk.lexisnexis.com/global/en/insights-resources/research/true-cost-of-financial-crimecompliance-study-global-report.
See Kellerman, Licensed Detection Agents: A New Approach to Financial Crime.
Rice et al., On the global retreat of correspondent banks.
Calculated based on Carole Comerton-Forde, Tālis J. Putniņš, Stock Price Manipulation: Prevalence and Determinants, Review of Finance, Volume 18, Issue 1, January 2014, Pages 23–66, https://doi.org/10.1093/rof/rfs040.
Data obtained from Good Jobs First, Violation Tracker, (2024), https://violationtracker.goodjobsfirst.org/. And similarly referenced in Kellerman, Licensed Detection Agents: The Case for Financial Crime Bounty Hunters.
Financial Crimes Enforcement Network, In the Matter of Binance Holdings Limited, (2023), https://www.fincen.gov/sites/default/files/enforcement_action/2023-11- 21/FinCEN_Consent_Order_2023-04_FINAL508.pdf (last visited Jul 4, 2024).
Ibid.
Jacob M Howard, ‘Frauds in Military Claims’ (37th US Congress 3 D S ESS 955-56, 1863) The Congressional Globe , quoted in Ryan Winkler, ‘The Civil False Claims Act and Its Unreasonably Broad Scope of Liability: The Need for Real “Clarifications” Following the Fraud Enforcement and Recovery Act of 2009’ (2012) 60 Cleveland State Law Review, at 537.
U.S. Securities and Exchange Commission, SEC Issues Largest-Ever Whistleblower Award, (2023), https://www.sec.gov/news/press-release/2023-89.
Ibid.
Ibid.
For a review of the academic literature, see Kellerman, Licensed Detection Agents: The Case for Financial Crime Bounty Hunters.
Well done!!