Shostack + Friends Blog Archive


"The Arthur Andersen Of Banking?"

Over at The CounterTerrorism Blog, Andrew Cochran accuses Riggs Bank of being “the Arthur Andersen of banking.” Riggs is apparently pleading guilty to violating the Bank Secrecy Act, by “failing to file reports to regulators on suspicious transfers and withdrawals by clients.”

I’d like to address the comparison to Arthur Andersen, and through that lens, look at the Orwellian nature of US bank secrecy laws, which actively require banks to spy on their customers. Arthur Anderson was an auditing firm, one of the “big five” accounting firms that audited most companies allowed to sell their stock to the public. Arthur Anderson was auditor to companies including Enron, Worldcom and Sunbeam, all of whom had massive fraud scandals concerning their accounting. Now, auditors play a special role in public companies. They are (nominally) hired by the board of directors to audit the company’s books, and ensure that they are in compliance with generally accepted accounting practices. The board works for the shareholders of a company, and exists to protect the shareholders, and ensure the company is well run.

The duties and responsibilities that auditors have have a special legal name, fiduciary, because of the legal role that these folks have in our system of shareholder capitalism.

Arthur Andersen ignored that duty, and actively hid their history with Enron, by shredding documents. That breach of trust is what destroyed the company, and for good reason. If you buy 100 shares of IBM, IBM isn’t going to let you come in and look at the books. You’re required to rely on the board to select auditors who will do that for you. And when the auditors fail, the consequences are severe. Companies, like Enron, Worldcom, and Sunbeam, can commit fraud because their auditors are failing to do the job they’re hired to do.

Now lets take a look at Riggs bank. To the best of my knowledge, no one is accusing Riggs of violating fiduciary duties. In fact, I can’t recall a bank breaching their fiduciary duties lately. What Riggs is accused of doing is failing to file forms under the BSA. Even if the BSA was good law, this would not be in the class of Andersen’s failings. BSA isn’t even good law.

I say that not (even) from a privacy perspective, but from the perspective of someone who tried to help customers implement it. When I was a consultant, I worked with a number of banks who were concerned about compliance. We sweated over what words in the law meant. There were some obvious cases: If someone was on the OFAC list of bad people, they shouldn’t be allowed to do things. But what was ‘suspicious’ behavior over the internet? What set of behaviors should cause us to file reports? There were no clear answers. The answers that we, like most banks, came to, was to toss customer privacy to the wind, and file forms often. And now, banks are concerned about compliance costs. These costs aren’t really paid by banks; they’re paid by bank customers in the form of higher fees and interest payments on loans.

There’s a way in which these bank regulations are like the drug war: The laws that Congress passes are ineffective, but all Congress can really do is pass laws, and so they pass more and more laws, imposing higher and higher costs, without ever really having any effect on terrorist finance or money laundering or drug dealers.

Riggs failed to comply with the law, and is paying a high cost. But if they had complied, spirit and letter, would the world be a better place? I don’t think so. And in that, they are very, very different from Arthur Andersen.

One comment on ""The Arthur Andersen Of Banking?""

  • The Authur Anderson Factor – Riggs Bank

    In the governance section, often seen as squeezed between economics and grass growing in the stakes of dismality, we see an emerging trend to compare everything to Arthur Anderson (2). Of course, the collapsed audit house was a big (!)…

Comments are closed.