As anti-money laundering laws and regulations expand to new entities, compliance officers need to focus on the design and implementation of suspicious activity reporting systems.
SARs are at the center of every AML compliance program, and are used to identify and report potential terrorist financing, money laundering, and other financial crimes. The quality of the SAR content is critical to the adequacy and effectiveness of any reporting system.
We all know that it is not possible for a bank or other financial entity to report all potentially illicit transactions. SARs are required to be filed when a bank (or other entity) identifies potential criminal violations where the bank knows or has “reason to suspect” the transaction relates to criminal violations (the triggering amounts and predicate crimes vary depending on the situation).
A bank’s internal controls must have a system for monitoring and reporting suspicious activity. The bank’s risk profile or risk assessment will dictate the reporting controls which are implemented. In this regard, the higher the risk profile (customers, geography, products and services), the more monitoring and reporting should occur.
Banks get into trouble when they do not allocate adequate staff to identify, research and report suspicious activity. Every monitoring system should include some basic components such as:
- Identification or alert of unusual activity (which usually result from employee identification, law enforcement inquiries, other referrals, and transaction and surveillance monitoring systems).
- Managing and reviewing alerts.
- SAR decision making.
- SAR completion and filing.
The amount of resources dedicated to these components will vary depending on risk profile and bank size. AML compliance programs need to outline specific policies and protocols for handling these functions.
Banks should establish policies and protocols for identifying law enforcement subjects, monitoring the transaction activity of those subjects when appropriate, identifying unusual or potentially suspicious activity related to those subjects, and filing SARs.
One area of particular concern is the use of automated systems for monitoring accounts in order to identify potentially suspicious activity. Computer systems can be programmed to monitor transactions, and even account for historical activity and trends. These computer systems often review a variety of transactions and account activity by using large amounts of bank data.
Every compliance program needs to appoint a specific decision maker (committee or individual) who is responsible for reviewing all the information across the company and then determining whether or not to file a SAR. The escalation process and evaluation criteria should be outlined, and most importantly, the decision should be well documented.
Banks should document SAR decisions, including the specific reason for filing or not filing a SAR, and prepare a record of the information gathered and the decision making process. It is not a completely objective process – there are a number of subjective factors. In the absence of bad faith, banks should not be criticized for failing to file a SAR which later turns out to be connected to criminal activity.