Little-Known Surveillance Program Captures Money Transfers Between U.S. and More Than 20 Countries

Me: Big Brother is watching you

Little-Known Surveillance Program Captures Money Transfers Between U.S. and More Than 20 Countries

Law-enforcement agencies across the U.S. have direct access to over 150 million transactions housed at an Arizona nonprofit

ByDustin Volz andByron Tau

Updated Jan. 18, 2023 7:30 pm ET

WASHINGTON—Hundreds of federal, state and local U.S. law-enforcement agencies have access without court oversight to a database of more than 150 million money transfers between people in the U.S. and in more than 20 countries, according to internal program documents and an investigation by Sen. Ron Wyden.

The database, housed at a little-known nonprofit called the Transaction Record Analysis Center, or TRAC, was set up by the Arizona state attorney general’s office in 2014 as part of a settlement reached with Western Union to combat cross-border trafficking of drugs and people from Mexico. It has since expanded to allow officials of more than 600 law-enforcement entities—from federal agencies such as the Federal Bureau of Investigation, the Drug Enforcement Administration, and Immigration and Customs Enforcement to small-town police departments in nearly every state—to monitor the flow of funds through money services between the U.S. and countries around the world. 

TRAC’s data includes the full names of the sender and recipient as well as the transaction amount. Rich Lebel, TRAC’s director, said the program has directly resulted in hundreds of leads and busts involving drug cartels and other criminals seeking to launder money, and has revealed patterns of money flow that help law-enforcement agencies get a broader grasp on smuggling networks. 

“It’s a law-enforcement investigative tool,” Mr. Lebel said. “We don’t broadcast it to the world, but we don’t run from or hide from it either.”

After this article was published, a spokesman for the Arizona attorney general said: “Courts have held that customers using money transmitter businesses do not have the same expectation of privacy as traditional banking customers.”

Mr. Wyden, an Oregon Democrat, said TRAC allows the government to “serve itself an all-you-can-eat buffet of Americans’ personal financial data while bypassing the normal protections for Americans’ privacy.” 

Internal records, including TRAC meeting minutes and copies of 140 subpoenas from the Arizona attorney general, were obtained by the American Civil Liberties Union and reviewed by The Wall Street Journal. They show that any authorized law-enforcement agency can query the data without a warrant to examine the transactions of people inside the U.S. for evidence of money laundering and other crimes. One slideshow prepared by a TRAC investigator showed how the program’s data could be used to scan for categories such as “Middle Eastern/Arabic names” in bulk transaction records. 

“Ordinary people’s private financial records are being siphoned indiscriminately into a massive database, with access given to virtually any cop who wants it,” Nathan Freed Wessler, deputy director of the ACLU’s Speech, Privacy, and Technology Project, said. “This program should never have been launched, and it must be shut down now.”

TRAC captures details on money transferred through companies such as MoneyGram, DolEx, Ria and Western Union, an office of which is pictured in Beirut.Photo: Francesca Volpi/Bloomberg News

To obtain material such as bank records or emails, law enforcement typically needs to show that documents are relevant to an investigation and secure them through a subpoena or a warrant.

TRAC captures money transfers occurring through companies such as Western Union, MoneyGram, DolEx and Euronet through its Ria brand. These services are used by millions of people—especially those without bank accounts—to transfer funds between friends and family. They are an especially popular way for Mexican migrants to remit money earned in the U.S. to family members across the border.

Money-services companies are more loosely regulated than banks, often at the state level. Under federal regulations, banks must monitor transactions for suspicious activity, report those over $10,000 in cash and conduct due diligence on customers. Congress also requires federal agencies to get a subpoena for bank records and notify customers when their records are being seized.

Fed Talks

A Conversation With St. Louis Fed President James Bullard

St. Louis Fed President James Bullard sits down with Nick Timiraos, The Wall Street Journal’s chief economics correspondent, to discuss his outlook for the economy, inflation and interest rates in 2023.

Money-services companies have drawn scrutiny from law enforcement over the years because of concerns about terrorist financing, drug smuggling and other illicit activities. Customers using money-services companies such as Western Union and MoneyGram aren’t told that their transactions will be available to government entities.

Mr. Lebel said that because money-services companies don’t have the same know-your-customer rules as banks, bulk data needs to be captured to discern patterns of fraud and money laundering. He said TRAC put a $500 minimum threshold in place to avoid collecting the overwhelming majority of family remittances back to Mexico and other countries, which typically fall below that threshold. 

Mr. Wyden determined last year that the federal government participated in TRAC, and specifically that Homeland Security Investigations, an arm of the U.S. Immigration and Customs Enforcement, used customs summonses, a type of subpoena, to collect about six million records of money transfers from Western Union and Maxitransfers since 2019. All those records ended up stored in the TRAC system, Mr. Wyden said. 

“The scope of this surveillance program and federal agencies’ role is far greater than initially revealed,” Mr. Wyden said this week in a letter asking the Justice Department inspector general to investigate the FBI and DEA’s relationship with the program. 

The Department of Homeland Security watchdog informed Mr. Wyden’s office last year that it was reviewing the activities of ICE’s investigative arm to combat drug trafficking in response to his questions about TRAC. ICE didn’t respond to a request for comment.  

Sen. Ron Wyden determined last year that the federal government participated in TRAC.Photo: Drew Angerer/Getty Images

Mr. Wyden’s office said its continuing investigation had found three money-services companies—MoneyGram, Euronet and Viamericas—sent TRAC bulk tranches of customer data in response to subpoenas issued by a U.S. Immigration and Customs Enforcement office in San Juan, Puerto Rico. 

Euronet and Viamericas had received customs summonses from that office seeking data for transactions between anywhere in the U.S. and countries including many in the Caribbean and Latin America as well as Canada, France, Spain, Ukraine and China, the companies told Mr. Wyden. Those subpoenas ordered the money-services companies to turn the data over to TRAC. 

Euronet said the demands came in 2021 for data back to 2019; Viamericas said data disclosures were ongoing but declined to specify dates. MoneyGram said the ICE office had demanded data between 2019 and 2021 about transactions from 21 U.S. states to Colombia, the U.S. Virgin Islands, the Dominican Republic and Venezuela.

SHARE YOUR THOUGHTS

What should be the response to the surveillance program that hundreds of local and federal law-enforcement offices have access to? Join the conversation below.

MoneyGram said it doesn’t voluntarily share data about transfers with third parties except when required by law and that it “responded to subpoenas that it received under the TRAC program in the same manner as it responds to any other valid subpoena.”

Euronet said the subpoenas at issue were subject to ongoing litigation and declined to comment further. Viamericas said it was committed to consumer privacy and adhering to compliance obligations. DolEx didn’t respond to requests for comment. 

On the web portal to the TRAC database, publicly available online, a sign-up page states that TRAC is “a law enforcement-only site” and warns visitors that their requests for access will be denied if they aren’t in law enforcement and don’t provide an active government email address.

Mr. Lebel said TRAC has never identified a case in which a law-enforcement official has accessed data improperly or the database has been breached by outsiders. The program has seen an increase in use in recent years because of the surging opioid crisis in the U.S., he said. 

Law-enforcement agencies use TRAC’s data to establish patterns in the flow of funds suspected of being linked to criminal activity, Mr. Lebel said, and the more comprehensive the data, the better the analysis. TRAC manages data that law enforcement provides, he said, and what it is receiving and storing is often in flux.

While declining to discuss TRAC’s funding, Mr. Lebel said the nonprofit was originally stood up with money from the Western Union settlement that has since been exhausted. Mr. Wyden and others have said TRAC is federally funded. 

Euronet said it received a subpoena in 2021 demanding that data on some international money transfers be turned over to TRAC.Photo: Beata Zawrzel/NurPhoto/Getty Images

Many of the subpoenas through which TRAC acquires data are drafted broadly, often requiring the money-transfer companies to turn over data on all transactions between certain places above the $500 threshold, the documents show. 

Even wholly domestic money transfers are captured in TRAC’s database—such as when an American living in a border state sends or receives $500 or more from another American living elsewhere in the country. Surveillance programs that capture fully domestic records get heightened scrutiny from courts because of the privacy issues they raise.

U.S. courts have rarely blessed bulk law-enforcement collection of records for ordinary criminal activities—usually requiring criminal investigations to be narrowly targeted at individuals, not entire populations. Intelligence agencies operate under different rules, but Mr. Lebel said TRAC has denied requests from intelligence agencies and the defense industry for access to the data. 

Privacy advocates have long argued against collecting records in bulk, saying that approach is ineffective and runs afoul of constitutional and statutory privacy expectations.

Western Union, the largest and oldest money-transfer company in the U.S., tried to fight a bulk subpoena for its customer records. In 2006, at the dawn of the Arizona attorney general’s interest in acquiring this data, the company challenged a state subpoena that demanded that Western Union produce all transaction records between Arizona and the Mexican state of Sonora. At the time, Arizona was concerned about sophisticated criminal enterprises using the company to launder money. An Arizona appeals court ruled that bulk subpoenas to Western Union were overly broad under Arizona law. 

Despite prevailing in court, Western Union later found itself part of an investigation by the Arizona attorney general into whether its services facilitated money laundering. In a $94 million settlement that resolved differences between Arizona and the company in 2010, Western Union agreed to give over the transaction data that the Arizona attorney general requested and help fund more effective law-enforcement measures against money laundering. A few years later, the settlement was modified to house the transaction records in a nonprofit organization and TRAC was born.

Even though the appeals court ruled that asking for large numbers of transaction records was overbroad, state officials continued to send subpoenas to more than a dozen other money-transfer companies. No such company except Western Union challenged the subpoenas in court.

Following publication of this article, Oscar Herasme, a lawyer who said he worked with the Arizona attorney general’s office in 2008 to help establish what later became TRAC, said he was surprised to learn that it had “metamorphosed” into something not originally contemplated.

“It was never the intent of the parties I worked with to summarily allow for the sharing of personal financial data of individuals with law enforcement,” Mr. Herasme said. “Wholesale access to customer data…runs counter to the expectation of privacy afforded to financial service consumers.”

Corrections & Amplifications

Some of the regulations on due diligence and monitoring of suspicious activities that apply to banks also apply to money-services companies. An earlier version of this article incorrectly said such laws don’t apply to those companies. (Corrected on Jan. 18)

The Wall Street Journal

Me: Big Brother is watching you