Since the Bank Secrecy Act (BSA) came into force in 1970, banks and other financial institutions have been subject to extensive reporting requirements on the transactions they perform on customers' behalf. In subsequent years, notably after 9/11 with passage of the USA PATRIOT Act, Congress has expanded the range of firms subject to these rules and the information that they must collect. In the nearly half-century since the BSA's passage, so-called anti-money laundering/ know your customer (AML/ KYC) reporting duties have also expanded fortuitously, as the dollar thresholds – typically, $5,000 or $10,000 – for reporting transactions have not been adjusted with inflation.

Law enforcement agencies have encouraged this expansion, warning that, without copious access to transaction activity, they cannot effectively prosecute criminal networks and terrorist groups. National security and the fight against crime are major public policy concerns, so it's no surprise that politicians from both sides of the aisle tend to support financial regulation aimed at making it harder for the bad guys to engage in nefarious activities. Just last week, the House of Representatives passed a resolution affirming its resolve to "close loopholes that allow corruption, terrorism, and money laundering to infiltrate our country's financial system."

Whether AML/ KYC rules are cost-effective, or even just effective, is a different question. A 2016 study by David Burton and Norbert Michel of the Heritage Foundation showed an inverse relationship between the number of BSA-related reports from financial institutions, on one hand, and money-laundering investigations and convictions by the FBI and IRS, on the other. Indeed, of the 5,241,847 suspicious activity reports (SARs) that financial institutions filed with the Treasury's Financial Crimes Enforcement Network (FinCEN) in 2018, just 1,044,495 are tagged "cyber event," "money laundering," or "terrorist financing" – the kind of security threats that BSA regulations are meant to tackle.

By contrast, 1,860,087 SARs (35.5 percent of the total) are labeled "other suspicious transactions," with almost equally vague sub-labels such as "suspicious use of multiple transaction locations" and "other other suspicious activities" (the double "other" is not a typo). While financial institutions are reluctant to criticize the BSA framework on record, for fear of antagonizing regulators and politicians, this author and other policy analysts have had bankers explain that much BSA reporting is defensive, that is, filed "to be on the safe side" rather than to address legitimate suspicions.

Such overreporting might not be a concern if BSA compliance costs were low. However, that is emphatically not the case: Burton and Michel conservatively estimate the annual compliance burden of AML/ KYC requirements – including both private and government agency costs – at $4.8 to $8 billion. For comparison, 5,259 depository institutions regulated by the Federal Deposit Insurance Corporation (FDIC) have assets below $10 billion, most of them below $1 billion. With such a weighty compliance burden to bear relative to the size of their portfolios, it's no wonder that community banks, in a 2018 survey conducted by the Federal Reserve Bank of St. Louis, cited the BSA as the costliest of all financial legislation to comply with, accounting for 22.3 percent of their total compliance expenses.

Despite evidence of escalating costs and diminishing returns, AML/ KYC requirements continue to grow. Last year, FinCEN's new customer due diligence (CDD) rule came into force. It requires financial institutions to collect and submit to the agency information about who owns their corporate clients when they open new accounts. While financial institutions need only report individuals with an ownership stake equal to or greater than 25 percent, indirect owners and individuals "with significant responsibility to control, manage, or direct a legal entity" must also be reported. Where one legal entity is owned by another, the CDD rule requires banks to identify the ultimate owners, a potentially time-consuming process, or else face stiff penalties.

The expected compliance costs from the CDD rule, like those for other BSA-related reporting requirements, are considerable. FinCEN's own impact assessment – which takes an optimistic view of the benefits to be had from the rule – gives an upper bound for compliance costs equal to $1.5 billion over 10 years. FinCEN estimates the IT costs related to the rule at $20 million for a large bank, $3 million to $5 million for a medium-sized bank, and $50,000 to $70,000 for a small credit union. Considering that the assets of the median credit union are $33 million and that its return on assets is 0.96 percent, the one-off IT costs from the CDD rule alone could wipe out 20 percent of its annual net income.

In response to concerns about the additional reporting burden placed on financial institutions by the CDD rule, both Democratic and Republican representatives in the last Congress introduced bills that would place beneficial ownership reporting requirements on legal entities themselves. The current discussion draft in the Democratic-controlled House is New York Congresswoman Carolyn Maloney's "Corporate Transparency Act (CTA)," which would require newly formed corporations and limited liability companies to report their beneficial owners to FinCEN directly, and existing ones to do so within two years of the regulations' coming into force. However, the CTA would not reverse the CDD rule, even though their respective reporting mandates overlap considerably.

The CTA would apply to firms with fewer than 20 employees and less than $5 million in annual sales – ostensibly because those are the characteristics of "shell companies" set up to facilitate criminal activity. Banks, credit unions, broker-dealers, insurance companies, and other large firms would be exempt, as would non-profit organizations. However, all must file with FinCEN to benefit from the exemption, which could prove to be a major burden. Many of the people running these small exempt organizations – charities and religious congregations – would likely be unaware of the new requirements, inadvertently becoming felons subject to penalties of up to $10,000 and up to three years' imprisonment.

That is not the only problem with the CTA. It defines a beneficial owner as someone who "exercises substantial control," or who "has a substantial interest in or receives substantial economic benefits from" a legal entity. Establishing the legal reach of the Corporate Transparency Act would likely take many years of litigation, consuming the resources of small businesses that simply cannot afford it.

Indeed, the firms that the bill targets employ 20 million Americans and form a sizable proportion of the total 30.9 million small businesses in the United States. The fact that most "shell corporations" meet the characteristics of a small business does not imply that most small businesses engage in suspect activities. In fact, the vast majority of them not only lack any nefarious intent, but also any skill or opportunity to engage in serious criminal activity. Yet it is they, more than the bad guys, who would be hit by the CTA. Malicious financial operators, on the other hand, could still form partnerships or trusts and escape the bill's requirements. It's questionable whether any beneficial ownership reporting regime can improve the enforcement of money-laundering and illicit finance laws at reasonable cost. But all evidence suggests that the CTA would involve a high compliance burden for little public-interest benefit.

Most people agree that national security is a chief task of government. Political representatives take it seriously and are sensitive to enforcement gaps that might constitute security risks. Yet, for too long, we have assessed the Bank Secrecy Act and related legislation by its stated intent and promise, not by whether it leads to net positive outcomes. So onerous has the compliance burden on financial institutions become over the years that those institutions finally shrieked when FinCEN introduced its CDD rule. The solution, however, is not to duplicate that burden by placing it on non-financial firms as well as financial ones. Rather, policymakers should find ways to narrow down reporting requirements to the most pressing concerns – to begin with, by raising reporting thresholds in line with inflation – and to use existing information more productively across different arms of the government.

In fact, much of the information that the CTA attempts to collect for FinCEN is already in the hands of the Internal Revenue Service, which could share it with other agencies for enforcement purposes. While there are legitimate privacy concerns around the IRS' sharing of private taxpayer information, the CTA raises the same issues and would involve a much greater compliance burden on small firms. Such information-sharing would not set a precedent, either: The Internal Revenue Code contains numerous disclosure provisions in specific cases.

Even the most important and delicate matters of public policy should be subject to cost-benefit analysis. While this approach is gradually becoming the norm within government agencies, it does not seem to have much influenced policymaking on national security issues. Yet calmly assessing the net gains from additional BSA-related regulations will not only help to reduce their compliance burden – it can improve outcomes by allowing public authorities and the private sector to allocate resources to the most pressing concerns.