When to Hold ’em and When to file ’em- A Two Part series on SAR filings, special contributor report

Principal at Virtual Compliance Management
March 17, 2016

Originally published here. Republished with kind permission.

With a brief introduction by Brian Monroe, ACFCS Director of Content and Business Development. Part 2 will be published next week. 

At the Association of Certified Financial Crime Specialists, we are always trying to bring clarity and insight into the areas of compliance that are either the least understood, most divisive or, in this case, most subjective, frustrating and time consuming. Yes, we are talking about what many consider the heart of the financial crime compliance program, the suspicious activity report, or SAR.

Everything that anti-money laundering (AML) compliance professionals do, from KYC, to EDD, risk ranking to transaction monitoring, training tracking to tribulations in independent testing, it is all done to create the SAR, which could, or could not, be the foundation of a criminal case spanning the spectrum of financial crime, such as money laundering, corruption and even terror financing.

But while the obligations to file SARs have been around for years, the standards around what is considered a quality SAR have changed considerably, particularly in the last decade. So banks are in a quandary.

If AML analysts spend too much time on one SAR, doing a thorough investigation, they could miss out on giving adequate scrutiny to other alerts. If an analyst just files on anything that comes across his or her desk, without really delving into the issue at hand, and speeds through alerts to get them done or meet a given quota, in essence filing defensively, that also can lead to examiner scrutiny.

So what are the requisite components for a well-oiled financial crime compliance machine producing timely, quality SARs that can be of value to law enforcement, satisfy auditors and impress regulators?

As Defrantz notes in this piece, there can really be no definitive, impenetrable answer. But there can be some tactics and techniques banks can employ to bolster the decision-making processes around when to file SARs, when to hold them, and bring some more bright line boundaries to the nebulous, instinct-driven world of SAR wars.

When to Hold ‘Em and When to File ‘Em- A two Part Series on SAR Filings

Part One: Not all SARs are the Same  

Amongst the many ongoing tensions of running a Bank Secrecy Act (“BSA”) compliance program, the decision about whether or not to file a Suspicious Activity Report (“SAR”) often becomes a daily test.   To paraphrase the lyric of Kenny Rodgers, you have to know when to hold ‘em and when to file ‘em.”

There was a period of time a few years ago when filing SARs became the remedy for all “ills” in the BSA area. Many small institutions found themselves filing as many as 60-70 SARs a month.  In extreme cases, more than a quarter of all customers had either a new SAR or a follow-up SAR being processed. In those cases, an inordinate amount of time and resources were being spent on processing forms that said essentially, that there was “no change’ and the customer was still doing what had caused the initial report to be filed.

While there is no definitive answer to the ongoing questions of when to file a SAR, there are some guidelines that can be used to help with the process.

The Point of it all with SARs

Why do we even have SARs and what in the world are they used for? According to the FFIEC’s (Federal Financial Institutions Examination Council”) BSA handbook, SARs are a critical component of the national BSA program.

Suspicious activity reporting forms the cornerstone of the BSA reporting system. It is critical to the United States’ ability to utilize financial information to combat terrorism, terrorist financing, money laundering, and other financial crimes. [1]

According to FinCen, the organization that reads and acts on SAR, the purpose of SARs is:

The purpose of the Suspicious Activity Report (SAR) is to report known or suspected violations of law or suspicious activity observed by financial institutions subject to the regulations of the Bank Secrecy Act (BSA). In many instances, SARs have been instrumental in enabling law enforcement to initiate or supplement major money laundering or terrorist financing investigations and other criminal cases. Information provided in SAR forms also presents the Department of the Treasury’s Financial Crimes Enforcement Network (FinCen) with a method of identifying emerging trends and patterns associated with financial crimes. The information about those trends and patterns is vital to law enforcement agencies and provides valuable feedback to financial institutions.[2]

For the BSA Officer who sometimes feels that these reports are being prepared only so that they can disappear into the ether, take heart. Your SAR’s area read and they are acted upon in many instances.

In her comments to the International Bankers annual anti-money laundering seminar, FinCen Director, Jennifer Calvery[3]  described the federal government’s efforts to fight the terror group commonly known as ISIS.    She noted that although much of the activity of that group is in Syria and Iraq, the fact of the matter is that they have to have trading partners around the world to get the supplies that they need to wage war.   There are several things that FinCen and similar agencies are trying to accomplish to stop them; disrupting revenue streams by denying funds wherever possible, limited the access to the international financial system and finally, punishing any individual or group that helps ISIS.

Here is one example that has been cited:

… [A] Case originated in 2008 with BSA data concerning an individual who was later convicted of conspiring to provide and providing material support to the Pakistani Taliban. The defendant funneled money to Pakistan as Taliban insurgents fought for greater control in northwest Pakistan.  BSA data was critical in uncovering the diverse and complex methods the individual used to send money from the United States to Pakistan, each of which was designed to conceal and support his activities. Investigators uncovered at least three methods: 1) wire transfers from the United States to Pakistan, where an associate picked up and administered the funds; 2) transfers of funds from cashier’s checks drawn on U.S. banks to a bank in Pakistan where co-conspirators could draw checks; and 3) bulk cash carried by family members and other travelers from the United States to Pakistan.  [4]

So ultimately, regardless of the size of your institution, the SAR’s that you file are part of something much bigger. You are deputies in the fight against some very dark forces including human traffickers, drug dealers and terrorists and the information that you provide is critical in this fight.

Currency SAR rate concept symbol button on white background
To file or not to file, that is the question?

A Balancing Act

The decision to file a SAR must be a balancing act. For the BSA Officer at most financial institutions there remains the fear that the decision not to file a SAR might result of heavy regulatory criticism.  It is sometimes the case that institutions will file a SAR even when they feel that they are totally informed about the transactions and do not feel it is suspicious.   Filing a SAR to avoid regulatory criticism is commonly called “defensive SAR filing”.   While almost no institution will admit to doing so, a large number have actually filed defensively.

As a best practice, the SAR process should also be tied to the “de-risking” consideration process at your institution. There are many times when a customer engages in a suspicious transaction that is a onetime thing.  Perhaps there a large cash transaction and the explanation from the customer is somewhat sketchy.  A SAR is filed and the account is closely monitored for the next 180 days.   There is no other unusual or suspicious activity.   In these cases no additional SAR needs to be filed.

However, there are cases when a customer engages in suspicious activity and continues to do so. For many institutions, the process has become a continuous string of monitoring account activity and filing SARs.  However, in the event that a customer is engaging in activity that the institutions finds suspicious, the prudent course is to act on that information.   In the event that there are three or more SARs filed on a customer for the same type of activity, it is necessary to make one of two determinations:

  • The activity can be fully explained and vetted and is therefore not suspicious
  • The institution does not have the information necessary to properly monitor and manage the risk presented by the customer and therefore must terminate the relationship (“de-risk”)

Continuously filing SARs on a customer without considering the customer for de-risking is a red flag for regulators. This is in an indication that the BSA staff of your institution does not fully understand what the customer is doing.   Once activity of a customer has been determined to be suspicious, the process for gathering additional information should begin.  Ultimately, if the BSA staff is unclear about a customer’s activity or business, he/she presents an unacceptable level of risk.    Filing a SAR defensively can be an act of simply giving up and admitting that there is insufficient information about the customer.

The Examination Process and SARs

Again, the BSA examination manual is helpful here. It states that what the examiners are supposed to be looking at is the SAR Decision Process.

Within this system, FinCen and the federal banking agencies recognize that, as a practical matter, it is not possible for a bank to detect and report all potentially illicit transactions that flow through the bank. Examiners should focus on evaluating a bank’s policies, procedures, and processes to identify, evaluate, and report suspicious activity. However, as part of the examination process, examiners should review individual SAR filing decisions to determine the effectiveness of the bank’s suspicious activity identification, evaluation, and reporting process[5]

It is clear from the text of the examination manual that they is no expectation that a financial institution will be able to catch every suspicious transaction that takes place.   There are simply not enough resources for that to be the reality.  Instead regulators expect financial institutions to develop systems that allow for the identification, and monitoring of the highest risk areas.

There are five key components to an effective SAR monitoring system.   The five components are:

  • Identification or alert of unusual activity (which may include: employee identification, law enforcement inquiries, other referrals, and transaction and surveillance monitoring system output).
  • Managing alerts.
  • SAR decision making.
  • SAR completion and filing.
  • Monitoring and SAR filing on continuing activity.[6]

In part two-we will discuss what each of these components mean and how to determine when to Hold ‘em and when to file ‘em.

[1] FFIEC BSA Examination Manual Suspicious Activity Reporting-Overview

[2] Guidance on Preparing a Complete & Sufficient Suspicious Activity Report Narrative (November 2003)

[3]  Comments of FinCen Director Jennifer Shasky Calvery at INSTITUTE OF INTERNATIONAL BANKERS


[4] FinCen Recognizes High-Impact Law Enforcement Cases Furthered through Financial Institution Reporting

[5] FFIEC BSA Examination Manual Suspicious Activity Reporting-Overview

[6] FFIEC BSA Manual Systems to Identify, Research, and Report Suspicious Activity

About James DeFrantz

DeFrantz has 30 years of experience in financial service regulatory compliance. He is a specialist in compliance in consumer and real estate lending; BSA; CRA; Fair Lending; Consumer Operations; Non-Deposit Investment Products; Note Department Operations; Assessment of ALL and Credit Approval Process. He has served as a Senior Compliance Examiner at the Federal Reserve Bank in San Francisco; as an Analytical Manager at the Office of Thrift Supervision; and as a Commissioned National Bank Examiner at the Office of the Comptroller of the Currency (OCC).