Principal at Virtual Compliance Management
March 24, 2016

Originally published here. Republished with kind permission.

With a brief introduction by Brian Monroe, ACFCS Director of Content and Business Development.

At the Association of Certified Financial Crime Specialists, we are ceaseless in trying to bring understanding into the areas of compliance that could be the most challenging to implement, the most costly to make a mistake or are the most subjective and divisive from the perspective of persnickety regulators.

Now, while there are a gajillion moving parts in financial crime compliance programs, the analysis in this report focuses on the end product, what many consider the heart of anti-money laundering (AML) processes, the suspicious activity report, or SAR.

In truth, the myriad efforts of teams within and without the compliance department boil down into a nice saucy SAR reduction. From an examiner perspective, a weak SAR, late SAR or missed SAR can call into question the entire AML program, from stem to stern.

For examiners, the door being ajar on a SAR means more scrutiny on every individual programmatic gear and cog, from KYC, to EDD, risk ranking to transaction monitoring, training tracking to tribulations in independent testing.

The reason? One missed SAR could mean more missed SARs. It could mean that a critical piece of intelligence never found its way to law enforcement, potentially being the missing puzzle piece for a range of illicit activities spanning the spectrum of financial crime, including money laundering, corruption and even terror financing.

But while the obligations to file SARs have been around for years, the standards around what is considered a quality SAR, and the mechanisms involved in their creation, have changed considerably, particularly in the last decade. So banks are in a quandary.

If AML analysts spend too much time on one SAR, doing a thorough investigation, they could miss out on giving adequate scrutiny to other alerts. If an analyst just files on anything that comes across his or her desk, without really delving into the issue at hand, and speeds through alerts to get them done or meet a given quota, in essence filing defensively or flippantly, that also can lead to examiner scrutiny and penalties for not taking the time to “see and understand the whole picture,” as one examiner told me once.

So what are the requisite components for a well-oiled financial crime compliance machine producing timely, quality SARs that can be of value to law enforcement, satisfy auditors and impress regulators?

As Defrantz notes in this piece, there can really be no definitive, impenetrable answer. But there can be some tactics and techniques banks can employ to bolster the decision-making processes around when to file SARs, when to hold them, and bring some more bright line boundaries to the nebulous, instinct-driven world of SAR wars.

In this second piece, he gives vital insight and attempts to frame some of the amorphous thresholds involved in deciding to file or not, a sensitive regulatory flashpoint where any hesitation or unbuttoned detail could spell disaster. To read part one of Defrantz’s analysis, please click here.

In the first part of this series, we noted that Suspicious Activity Reports (“SARs”) are an essential part of the world financial crimes monitoring network. There are analysts at an agency called FinCEN that read all of the SARs and capture data about the various schemes that criminals employ in attempts to launder money. We also noted that filing of SARs has become an area of stress for BSA staff at financial institutions. On one hand, there is a concern that failure to file a SAR might result in criticism by regulators.

There are also concerns that filing SARs is a pointless exercise that creates more administrative work and accomplishes little. After all, a proper filing involves researching transactions, performing analysis and drawing conclusions that must be documented. Moreover, almost all SARs require a second filing 90 days later to discuss whether the suspected activity has continued.

At the end of the day, whether or not a SAR should be filed is the decision of the financial institution. It is the expectation of regulators that this decision should be part of a well-established and defined process. According to the FFIEC BSA examination manual, the process should include five component parts: identification of unusual activity, managing alerts, SAR decision making, SAR completion and monitoring on continuing activity.

  • Identification or alert of unusual activity: This is the part of any BSA compliance program that combines human intelligence and software. All financial institution staff are required to receive annual training on BSA/AML. One of the main reasons for this requirement is that staff is expected to be able to identify activities that don’t fit into normal patterns or activities for their customers. For example, a longtime customer who normally receives his payroll and pays bills out of his account suddenly deposits $15,000. The expectation is that the staff members of the institution should gently, but firmly, find out the source of this unusual deposit. Of course there are many reasonable answers for how the customer came across this money.

Monitoring software should perform a similar function. The whole point of using software is to aggregate the transactions of a customer so that any transactions that fall outside of the normal or expected create an alert and follow-up.

  • Managing Alerts: Managing alerts is important so that institutional resources are focused on the highest area of risk. Not every customer at your institution is engaged in nefarious activity. In fact, the vast majority are good people who are simply conducting banking activity. Much like the boy who cried “wolf” in the children’s fairy tale, there can be such a thing as too many BSA/AML warnings. The expectation of regulators is that you will adjust your monitoring to create warnings for activity that is truly suspicious or out of the pattern of normal activity. This is at the heart of the requirement that financial institutions perform model validation on a regular basis.[1] There should be a formal and well established method for reviewing alerts and resolving them in a timely and comprehensive manner.
  • SAR Decision Making: There has to be a clear process for making SAR decisions and there also has to be an ultimate decision maker for whether or not the SAR will be filed. The individual decision about whether or not to file a SAR rests with the financial institution. The FFIEC BSA Manual makes this clear:
    • In those instances where the bank has an established SAR decision-making process, has followed existing policies, procedures, and processes, and has determined not to file a SAR, the bank should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith.
  • SAR completion and filing: There should be a clearly defined process for who performs the research necessary to complete the SAR in a timely and complete manner. The SAR narrative should tell the story in that it should clearly identify the who, what, where, when and why the activity is considered suspicious. The SAR should be filed within 30 days of the time the activity is determined to be suspicious.
  • Monitoring and SAR filing on continuing activity: Once the SAR is filed, there should be a process in place to continue to monitor the customer to determine if additional suspicious activity is continuing. At the conclusion of 90 days of monitoring, there should be a follow-up SAR that tells “the rest of the story”. Was the activity repeated, or was it just a bump in the road? [2]

The Decision

So you have your system in place. Your staff is well trained to look for unusual activity and your software is monitoring for suspicious behavior. The question still remains, just what exactly is suspicious? Unfortunately, there simply is no one right or wrong answer to that question. Suspicious is in the eye of the beholder. This is why the “know your customer” component is critical to a strong BSA compliance program. The more that you know about your customer and what they are doing, the more obvious suspicious activity becomes.

As a best practice, if there aren’t several members of your institution’s staff that fully understand the business model of a client, it is a bad idea to continue the relationship. Regulators expect that financial institutions have the ability to know the source of funds, the customer base, and the typical transaction flow of the peers of your customer.

For example, suppose you have a customer who sells fresh flowers. The expectation would be that staff members at your institution understand how a fresh flower stand works, what typical receipts there might be, who the customers of the stand are and how transactions are conducted.

Does the customer sell for cash only? Why? What level of cash is normal for a flower stand? Is it likely that a flower stand would send or receive wires? The point is that the more that is known about the business, the more likely that unusual activity can be determined.

In addition to knowing the business, the institution must have the means to monitor activity in a transparent manner. Through a combination of software, direct conversations and onsite visitations with the client, the institution should maintain a clear picture of normal transaction activity.

In the event that a transaction seems unusual, there is absolutely nothing wrong with asking the customer directly. In many, if not most cases, there is a completely acceptable explanation. Most customers will have no trouble with providing documentation to support their activities.

Small business owners are generally proud of their accomplishments and don’t mind discussing a large sale or adding a new client. Of course, when a client is unwilling or unable to provide an explanation and present documentation, there may be trouble. The decision to file or not to file is one that your institution must be able to live with and defend through documentation.

Defensive SARs – Don’t do it!

In many cases banks don’t truly know or believe that activity is suspicious, but file a SAR “defensively.” The idea here is that we can’t tell whether or not the activity is unusual or simply don’t have the time to do the necessary research to make a determination, so filing a SAR is seen as a temporary fix.

However, defensive SARs are a sign of weakness or deficiencies in a BSA compliance program. If there is not sufficient time, or a complete understanding of the business model of the client to properly monitor and research the activity of a customer, as a best practice, the customer should be considered for de-risking (account closure). Simply filing SARs defensively is staving off the inevitable.

There Comes a Time

After a SAR has been filed for the first time on a customer, as a best practice, it is worth considering how the filing might change the relationship between the institution and the customer. If the possibility exists that there is activity that may be considered suspicious or unusual on an ongoing basis, there are really only two clear choices.

The first is to study the business plan of the customer and to gather sufficient information to document that the activity is normal and customary. The concept of suspicious activity is one of context. That is, if we return to the flower shop example above, does it make sense that wires might be going to an obscure bank in Europe? It does indeed if you find out that there is a rare flower that exists in that part of the world and the flower shop has made a marketing point of being able to deliver the rare flower in your area.

Moreover, if the flower shop owner is able to show shipping details of the flower, insurance bills, bills of lading or other similar documents that prove the shipment of flowers, then the wires are ordinary and customary.

The other option is to consider the account for de-risking. Many institutions let ego, or the pursuit of fee income, get in the way of safe and sound operating. When a customer’s operations are way ahead of the capabilities and resources of the institution, it is time, as Kenny Rogers would say, to know when to walk away and know when to run.

[1] This should not be confused with data validation. Model validation is a test of the efficacy of the software settings.

[2] FFIEC BSA Manual, “Systems to Identify, Research, and Report Suspicious Activity”