TOPICS

Thursday, January 25, 2024

Filing the Suspicious Activity Report

QUESTION 

Recently, we had training in our anti-money laundering program. I have to say, it wasn't very good. We went to our compliance officer to request another training because the trainer kept skirting our questions. He listened to the recording and agreed with us. So, now he's looking for a new trainer for the anti-money laundering training.

In the meantime, we still don't have clear answers to several questions. We want to know more about SAR filings, like when they're required and the timing to file. My teammate wants to see if we can discuss the filing of a SAR with the person we're reporting on. You would think these are obvious questions, but our trainer did not know the answers! So, we hope you can provide answers for us. By the way, we love your weekly newsletter! 

When is a SAR required? 

Can we question the individual we're reporting the SAR on? 

What goes into SAR decision-making? 

What is the timing to file the SAR? 

ANSWER 

Thank you for your kind words. We are grateful! 

We provide Anti-Money Laundering (AML) testing and training. In fact, we were the first compliance firm in the country to offer testing, training, and a highly esteemed, written AML Program. If you want information about our AML compliance support, contact us here. 

Because money is the basis for criminal activity or, in the case of terrorism, is an integral part of the activity, the United States government has prioritized pursuing the funds generated or used in these activities. Since financial institutions occupy a critical position in the U. S. financial system, the government not only requires financial institutions to report information, it requires them to be proactive in looking for transactions that may be part of a criminal activity. 

In particular, this responsibility takes the form of the Suspicious Activity Report (SAR). This report is required as part of the Bank Secrecy Act (BSA).[i] The banking regulatory agencies and the NCUA have adopted identical regulations to implement this requirement.[ii] 

The law and regulations make it clear that an effective BSA compliance program includes controls and measures to identify and report suspicious transactions in a timely manner. A financial institution must apply due diligence to make an informed decision about the suspicious nature of a particular transaction and whether to file a suspicious SAR. 

I will provide some guidelines to consider in response to your questions. The applicable statutes are quite complicated, and there's plenty of case law. However, I think a general answer is certainly important for you to consider. 

I will take your questions in order. 

When is a SAR required? 

The SAR is the primary method by which financial institutions are to report suspected criminal activity. However, it is not the only means. There are instances requiring more immediate attention, such as when a reportable violation occurs, the financial institution must immediately notify, by telephone, appropriate law enforcement and financial institution supervisory authorities. 

One area that is not specifically addressed in the regulation but – which has become extremely important since September 11, 2001 – is terrorism. To facilitate the reporting of suspected terrorist activities, the Financial Crimes Enforcement Network (FinCEN) established a Financial Institutions Hotline, (866) 556-3974, for financial institutions to voluntarily report to law enforcement suspicious transactions that may relate to terrorist activity against the United States. This hotline is operational seven days a week, 24 hours a day. 

However, financial institutions must be aware that contacting law enforcement directly, whether about terrorism or anything else, does not eliminate the need to file a SAR. A SAR must be filed when required, even if law enforcement was contacted by telephone. 

The agencies' SAR regulations mandate that a SAR must be filed for: 

·       Insider abuse involving any amount. 

·       Violations of federal law aggregating $5,000 or more when a suspect can be identified. 

·       Violations of federal law aggregate $25,000 or more regardless of a potential suspect. 

·       Transactions aggregating $5,000 or more that involve potential money laundering or violations of the BSA if the institution knows, suspects, or has reason to suspect that the transaction: 

o   Involves funds from illegal activities or is intended or conducted to hide or disguise illicit funds or assets as part of a plan to violate or evade any law or regulation or to avoid any transaction reporting requirement under federal law; 

o   Is designed to evade any of the BSA regulations; or 

o   Has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the institution knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction. 

Can we question the individual we're reporting the SAR on? 

Questioning individuals about potentially suspicious activity requires considerable discretion. When determining suspicious activity, institutions are responsible for "examining all the facts, including the background and possible purpose of the transaction." 

Thus, as part of an institution's due diligence to determine whether suspicious activity has occurred, a reasonable investigation into the nature and purpose of the activity may be necessary. Institutions have expressed concern over the perceived tension between questioning a customer about potentially suspicious activity and the institution's responsibility to maintain the confidentiality of SARs. 

FinCEN recognizes that under certain circumstances, institutions may discreetly question a customer about the nature and purpose of a transaction without revealing their intention to file a SAR. For example, to determine whether a customer's transactions are "designed to evade any [reporting] requirements," an institution may wish to ask a customer why they are making frequent cash deposits slightly below a certain reporting or recordkeeping threshold. If the customer provides an answer that reasonably satisfies the institution that the transaction is not designed to evade reporting requirements (i.e., their business has a verifiable insurance policy that covers up to $10,000 in currency in the event of a burglary), no SAR would be required. 

However, it is important to keep in mind that any questioning should not risk "tipping off" the customer or otherwise disclose that a SAR is being filed. In short, institutions will need to exercise discretion and judgment when determining how and when to inquire of customers about unusual activity. 

What goes into SAR decision-making? 

Our auditors and reviewers get this question often. Sometimes, many variables and nuances go into deciding to file a SAR. The financial institution should have policies, procedures, and processes for referring unusual activity from all business lines to the personnel or department responsible for evaluating unusual activity. The process should effectively evaluate all applicable information (i.e., criminal subpoenas, NSLs, or section 314(a) requests). 

You should document SAR decisions, including final decisions not to file a SAR. Thorough documentation provides an essential record of the SAR decision-making process (viz., what determines whether or not a SAR would be filed). The decision to file a SAR is an inherently subjective judgment. 

Examiners usually focus on whether the institution has an effective SAR decision-making process, not individual SAR decisions. Examiners also may review individual SAR decisions to test the effectiveness of the SAR monitoring, reporting, and decision-making process. If the financial institution has an established SAR decision-making process, followed existing policies, procedures, and processes, and determined not to file a SAR, it should not be criticized for failing to file the SAR unless the failure is significant or accompanied by evidence of bad faith. 

What is the timing to file the SAR? 

A financial institution must file a SAR within 30 calendar days after the date of the initial detection of facts that may constitute a basis for filing a SAR. If no suspect was identified on the date of detection of the incident requiring the filing, the financial institution could delay filing a SAR for an additional 30 calendar days to identify a suspect. However, that is the maximum length of time the institution can delay the reporting. In no case can the reporting be delayed more than 60 calendar days after the date of initial detection of a reportable transaction. If no suspect can be identified by the end of the 60 days, a SAR must be filed without the identity information. 

The phrase "initial detection" should not be interpreted as meaning the moment a transaction is highlighted for review. Various legitimate transactions could raise a red flag simply because they are inconsistent with an account holder's normal account activity. For instance, a real estate investment (purchase or sale), the receipt of an inheritance, or a gift may cause an account to have a significant credit or debit inconsistent with typical account activity. The institution's automated account monitoring system or initial discovery of information, such as system-generated reports, may flag the transaction; however, this should not be considered initial detection of potential suspicious activity. 

The 30-day (or 60-day) period does not begin until an appropriate review is conducted and a determination is made that the transaction under review is "suspicious" within the meaning of the SAR regulations. 

You should promptly initiate a review upon identifying unusual activity that warrants investigation. The timeframe required for completing the review of the identified activity, however, may vary given the situation but should be completed in a reasonable period of time. 

Naturally, you’ll want to know what constitutes a reasonable period of time. The timeframe will vary according to the facts and circumstances of the particular matter being reviewed and the effectiveness of each institution's SAR monitoring, reporting, and decision-making process. The key factor is that an institution has established adequate procedures for reviewing and assessing facts and circumstances identified as potentially suspicious and that those procedures are documented and followed. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 31 USC § 5318(g)

[ii] The regulations can be found at: OCC (national banks; federal savings associations): 12 CFR 21, 12 CFR 163.180; Federal Reserve (state member banks): 12 CFR 208.62; FDIC (state nonmember banks and savings banks; state savings associations) 12 CFR 353, 12 CFR 390.355; NCUA (credit unions) 12 CFR 748.1(c).