It could take only a news report of alleged terrorist financing to send compliance teams at financial institutions scrambling. Particularly when the source of the allegations is the U.S. government.

The Wall Street Journal on Thursday, citing confidential CIA documents, said that the U.S. government has internally voiced concerns that Saudi Arabia-based Al Rajhi Bank maintained accounts and processed transactions for entities designated by the U.S. as fronts for terrorist groups. As a result, U.S. officials have been debating whether to take action against the bank, the newspaper reported.

A spokesperson for the CIA acknowledged the leak of the report but declined to confirm its contents. He said the publication of classified information could undermine government efforts to combat terrorist financing.

The report of an internal debate among U.S. agencies over dealing with Al Rajhi Bank points to a perennial problem for banking compliance professionals: should financial institutions take such reports, even unconfirmed, as a signal to cut off or limit ties with a financial institution not blacklisted by the U.S.?

Because the U.S. government has never designated Al Rajhi Bank as a compliance risk, financial institutions are ostensibly free to do business with the bank. And Al Rajhi Bank, one of the largest in Saudi Arabia, which reported assets of $28 billion in 2006, has repeatedly denied financing extremists, according to the Wall Street Journal.

The leaks of CIA reports and other government documents could be the result of an internal policy dispute in the Bush administration, said said Craig Hymowitz, a lawyer for Philadelphia-based Blank Rome LLP who follows AML regulation. One side takes its case to the public to get results it may not have been able to win internally, he said.

But leaks of such concerns to a high-profile publication like the Journal indicates that regulators “will fully expect” financial institutions to modify their risk assessment, said Caruso, chief executive officer of Washington, D.C.-based Dominion Advisory Group, which offers anti-money laundering (AML) consultations.

“If [financial institutions] can’t mitigate the risks, they just have to say, ‘We’re not going to do business with Al Rajhi,’” said Caruso.

Taking in Media Reports

In guidance on enhanced scrutiny of foreign entities, the U.S. Treasury Department recommended that financial institutions monitor and factor media reports into their compliance programs. But when government officials won’t confirm reports such as Thursday’s, financial institutions are left reading the tea leaves to determine their importance, said Hymowitz.

Compliance officers should start by considering the reputation of the publication, as well as the reliability of the sources cited, he said.

“Not all published reports or confidential sources cited in an article have to be treated equally,” said Hymowitz. Compliance officers should take into consideration whether a report relies on government officials, thus making a stronger case, or unnamed sources, which may weaken the impact of stories.

In the case of Al Rajhi Bank, the report “is primarily based on confidential sources or leaked memoranda, but there’s a significant number of them,” said Hymowitz. Little clarification should be expected in the Al Rajhi case, he said. “Financial institutions are in sort of a gray area here where the government doesn’t say clearly, ‘You may not do business with these institutions,’” said Hymowitz. “And it gets grayer where they refuse to provide comment, except where government institutions are commenting confidentially.”

Even when the government makes no official comment about public allegations against a company, banks that do business with that institution should “do something demonstrable” that shows enhanced due diligence, said John Reynolds III, a lawyer who follows AML and economic sanctions regulations for Washington, D.C.-based law firm Wiley Rein LLP.

‘Call Your Regulator’

In the case of Al Rajhi Bank, AML officers of large banks should prioritize resolving any new compliance concerns “for the next several weeks,” said Caruso, adding that institutions should be sure to work with U.S. officials as well. “I would be calling my regulator,” he said.

Financial institutions may choose to limit certain types of transactions with the Saudi bank, but are unlikely to stop funds transfers, such as processing dollar transactions, said Reynolds.

Banks may decide to okay intra-company transfers for multinational businesses with accounts both in the U.S. and in Al Rajhi Bank, or processing a pension fund investment through the Saudi bank because the risk of money laundering or terrorist financing would be limited, said Hymowitz.

Firms are less likely to process small-dollar transactions to charitable organizations, however, because institutions might be less able to discern the purpose and beneficiary of the donations, he said.

Those that deal with the Saudi bank should more closely question the institution on the originators and beneficiaries of funds transfers, a task that can be difficult to complete in the Middle East, particularly as compliance officers often have trouble finding out information on local organizations, said Caruso.

“If the beneficiary is British Petroleum, that makes me a lot more comfortable than if the beneficiary is a social service organization in the Middle East,” he said.

Terrorist, or Social Services Provider?

Because some groups designated as terrorists, such as Hamas and Hizballah, provide schools and healthcare for the areas that work in, social service organizations can be a point of confusion for compliance officers.

In a case currently being tried in Dallas, U.S. prosecutors have accused Richardson, Texas-based Muslim charity Holy Land Foundation for Relief and Development of funneling $36 million to Hamas, an organization blacklisted by the U.S. government since 1995 as a terrorist organization.

Lawyers representing the foundation have argued that, because none of the organizations Holy Land gave money to, including other charities and a hospital, were officially designated as terrorists, the transfer of funds was legal.

A Justice Department spokesman said he could not comment on the Holy Land trial, and at press time had not answered questions about how institutions should be able to identify groups tied to terrorism when they have not been formally designated as such by the government.

In cases where foreign entities tied to terrorism aren’t officially named by the government, the responsibility lies with the government to more clearly define regulatory expectations, said Reynolds.

“U.S.-based institutions usually seek to cooperate with the U.S. government, but they frequently face legal requirements of non-discrimination in other jurisdictions where they operate, so the official designation may be crucial to their ability to act overseas,” said Reynolds.

Because the government controls information and designation, it should not put financial institutions in a position where they need to guess what the government wants or face enforcement action for guessing incorrectly, said Reynolds.

But institutions will have to weigh their risks regionally.

“Dealing with higher-risk areas of the world is going to require a higher compliance burden to do reasonable investigations,” said Hymowitz. Larger multinational institutions are more likely to be able to bear those risks than smaller institutions, which may be put out of business by a single enforcement action, he said.

“It’s the same as what they say about terrorism attacks: in preventing them, you have to be right 100 percent of the time, but a terrorist only has to get it right once,” said Hymowitz. “A bank that ends up dealing with an alleged terrorist front is dealing with a similar paradigm.”