Secret Service Gets Wider Net, FinCEN Data Stays for 10 Years Under New Cyber Crime Law

The “Combatting Money Laundering in Cyber Crime Act of 2025” is basically a regulatory tune-up, giving federal agencies better tools to track the money trail left by hackers and financial criminals. The biggest changes involve expanding the Secret Service's investigative reach, broadening the definition of who counts as a financial institution, and doubling the amount of time the government holds onto sensitive financial data.

Specifically, the bill amends Section 3056(b) of title 18, United States Code, to give the Secret Service new authority over certain money laundering violations—especially those involving structured transactions tied to documents or devices. Think of it as plugging gaps in their jurisdiction so they can follow the digital breadcrumbs left by cyber thieves who are trying to wash their illegal gains.

The Data Retention Double-Up

One provision that hits closer to home for anyone who uses a bank or financial service is the change to FinCEN (the Financial Crimes Enforcement Network). Currently, FinCEN is required to retain certain financial information for five years. This bill mandates that FinCEN must now hold onto that information for 10 years (Section 3).

Why does this matter? For law enforcement, a longer retention period is gold. Money laundering schemes, especially those involving cyber-enabled crime, can take years to fully unravel. Doubling the retention window gives investigators more time to connect the dots. However, for everyday people and the financial institutions they use, this means a massive amount of sensitive transactional data—your data—will be stored by the government for twice as long. While the intent is to catch criminals, the longer the data sits, the higher the risk of a breach or misuse, which is a practical concern for anyone worried about digital privacy.

Who Counts as a 'Bank' Now?

The bill also subtly but significantly broadens the regulatory net for financial crime enforcement (Section 2). Previously, certain financial crime statutes applied only to “federally insured” institutions. This bill removes the “federally insured” requirement and instead adopts the much broader definition of “institution” laid out in section 5312 of title 31, United States Code.

This is a big deal for non-traditional financial services. If you run a money transfer business, a check-cashing service, or potentially certain fintech operations that weren't explicitly covered before, you're now firmly under the regulatory umbrella for these financial crime investigations. The goal is clear: stop criminals from exploiting regulatory loopholes by using institutions that aren't traditional banks to move dirty money.

Checking the Homework

Finally, the legislation mandates that the Government Accountability Office (GAO) conduct a study within one year of the bill becoming law (Section 5). This report must evaluate how effective current law enforcement efforts are at identifying and stopping money laundering connected to cybercrimes. Essentially, Congress wants the GAO to check if the existing tools—like those in the Anti-Money Laundering Act of 2020—are actually working against the rapidly evolving threat of cybercriminals. This required report is a smart move, ensuring that these new powers and data requirements are based on what actually works in the real world, not just what sounds good on paper.