Creating an Effective Suspicious Activity Reporting Program
Effectiveness is an elusive term that is applicable across any part of an AML/Sanctions Program. Having an effective suspicious activity monitoring program is the most important part of any AML/Sanctions Program as detecting and reporting suspicious activity is the entire purpose for all our actions in AML/Sanctions compliance programs.
An effective suspicious activity monitoring program has many avenues that contribute to it and in turn, it should impact many areas of an institution.
In this webinar suspicious activity monitoring programs are reviewed to determine what makes them effective or ineffective.
Topics covered during the webinar include:
- Framing what makes an effective suspicious activity monitoring program
- How to use global and national advisories to directly impact the suspicious activity monitoring program
- Common signs of ineffective suspicious activity monitoring programs
- Where KRIs and KPIs should and should not be used as a metric for success
- How to test your program to ensure any gaps are detected
Here are the questions and answers from the event.
Q: In terms of SAR types, what would be the difference when you compare a well-established fintech versus a startup fintech?
A: I would assume that the person who is asking is a fintech, asking what’s the difference between an early and a mature version of a suspicious activity monitoring program. I have been working with global fintechs for many years and I have worked with them pre-launch, mid-launch, and then also when they are mature, and they are quite different. Yes, the volume obviously is going to be different, as you ramp up your volume at your Fintech.
Aside from volume, fintechs should always be learning about typologies. How can this person exploit my payment methodology?
But the biggest change really should be in how executive management and board of the fintech should become more engaged and knowledgeable over time. I had a fintech, a rather large company bought them out, but at the time they were a new Fintech. They were born as a technology company for a few years and they rolled over the fintech side. And throughout the years that I worked with them there was really no change. There was no change in how executive management and the board viewed not just the importance of what the anti-money laundering team was doing, but the production of what they were doing. They had zero interest. And so that’s something I would keep an eye on.
If you are growing and you’re saying, “Yeah. We have more SARs. Yeah, we’re filing more on different types of typology”, but you are getting the same feedback or zero feedback from executive management and board, that would be something I would be cautious of.
You do not really see that in the bank world a lot. Once you capture that human element in the bank world, they go, “Oh, wait. There’s human trafficking going on.” On the fintech side its like, “I’m not a bank. I’m a technology company.” So I mean, that’s probably a little bit more than what the person asked, but that’s my take.
Q: What if there is training, but the bank culture does not support the accountability for branch staff to support compliance through their day-to-day activities? How can this person change that culture?
A: Okay. So, one of the things that has worked well for me when I was an anti-money laundering officer and I fought the same battle was this thing called a risk acceptance form. So not expectance, E-X, but A-C-C, acceptance form, and it is a form really that puts the readers on notice that we as the institution, we will be assuming the risks attached to non-compliance or apathy towards compliance rather of various areas of the institution. And because we’re going to be assuming this risk, I need to have it written down and I need to have people who have actual authority since the person who’s submitting it doesn’t have actual authority, they have the illusion authority usually.
Since you do not have actual authority, you need to send this risk acceptance form to the individuals who are making the decision do not support compliance at the front end and you can cover yourself. That’s the type of approach that a risk acceptance form provides for you, that documents the fact that you’re aware of this risk, that you have other people that are making decisions. Since you don’t have the right authority to make this decision, you have other people, it’s out of your hands, but it’s documented, and the executive management team is made aware of it. They don’t have to sign it, they don’t have to do anything, you can just send it to them. And then I would write a memo to cover the fact that you wrote this and that you made executive management, or the board, or whoever aware of this gap or this risk. That for me is the quickest way to deal with that.
Q: Should you really be repeating the information held in other parts of the SAR? And I think it was specifically looking at the social security number.
A: You do not have to repeat that information. I think it helps especially if you are dealing with multiple parties. If you were just filing a SAR on one per person or maybe two people. But at least in the U.S. the way that the SAR information comes in, it’s a lot easier to have all of that information in the actual narrative in the SAR body than it is to only have it in the suspect information in the actual form part. But as far as repeating things, the only thing I would make sure to repeat in the narrative would be your reason why you’re filing, your why, your stab at what you think is going on.
Q: If we file a STR/SAR for a customer and he visits the branch again for another transaction. So for this particular case, do you let this person do another transaction in terms of remittance or do you add them to the deny list?”
A: There is no magic formula for that. If you have a customer where it’s a fraud issue where the institution could be on the hook for fraud losses, that’s a different situation than suspicious activity. So if it’s going to come down to a fraud or loss claim, I would always err on the side of protecting the institution from fraud or losses or the customer for that matter as well.
If it is an older customer and you know that some princess in is fleecing them, then I would always take whatever steps are necessary, whatever your institution allows you to not send that. I remember back in the day we had this older person who kept all of his cash in his house, he just kept coming in and sending these wires, and we tried to talk to him. Finally, I asked my friend in the secret service, I am like, “Look, he is going to come in today, can you come in and talk to him?” And so they did. They came in, they were nice to him, and they just explained what was going on, they explained the information they had on the receiving party of the wire.
So if you are looking at fraud losses that is different from something that is just straight suspicious activity. If it’s threat finance, terrorist financing, obviously, the answer to that question would be, “No, don’t let him do this,” unless the FBI or whoever you’re working with has given you explicit instructions to keep the account open which is very rare.
If you are in the middle part there, where it has just suspicions, right? You filed him for whatever reason, suspicious movement of funds, that is something that’s not always clear cut. I mean, if it is not fraud and it is not terrorist financing, you filed a SAR, and there is nothing in at least U.S. regulations that disallow you from confirming that wire for that customer. You have to walk a thin line there because you do not want to tell that customer, “Hey, I can’t send the wire because we filed a SAR on you,” or, “because we think you’re suspicious.”
I know that answer is clear as mud, but that is because it really is. Without knowing more information, that is a tough thing to go with. I know we have many of those situations. We had loans that kept being extended, big, big commercial loans that kept being extended even though we were filing SARs on many of these businesses and it is tough because you are like, “I want to tell commercial lending, don’t keep allowing these loans to go through.”
There were a few where we got the point where it was too risky for the institution just on a loan loss reserves to continue to do that. So that conversation was had with commercial lending department. But most times it’s very difficult if it’s not fraud to have a discussion with either the customer or an internal department.
Q: How far do you think institutions should go as far as revealing their entire system of records, applications to ensure noncritical fields are entered on the SAR form?
A: I like to have all the fields populated if I have the information for a couple reasons. One, it gives law enforcement everything that I know that I have, but I do not go out and try to find other things that I don’t know or that I don’t have. I just know that if I have knowledge, I have burden. So if I have that information, I will provide that information. So one, it provides better information to federal or local law enforcement, but also it gives auditors and examiners but mainly auditors who are stuck at that surface level checklist auditing, it gives them less things to ding me on because the last thing I want is for an auditor to go, “Oh, I know this is not a required field, but you had the information. You should put the information in there,” and boom, it becomes an audit finding and then I have to track it, and report it, and do the status update, etc. So if you have it, give it.
How to document your SAR investigations
A case report is a comprehensive report that provides all the details of the suspicious activity case and its related SAR filings all in one place. It allows financial institutions to quickly and efficiently deliver on law enforcement requests for full details of a SAR case.
Case reports can also be an effective tool to document flagged activities that were not filed as SARs – questions that may be faced by compliance officers by an audit or a regulatory review team. Having this readily available will improve collaboration with regulators, give enforcement meaningful insights that only the FI can provide and streamline and reduce the manual efforts associated with reporting for an AML team.
Read more about what to include in a case report.