Effective SAR (Suspicious Activity Report) Writing

This webinar addresses effective Suspicious Activity Report (SAR) writing in the context of the SAR’s ultimate purpose: to assist law enforcement in the investigation and subsequent prosecution of criminal activity.

After an introductory discussion of how submitted SAR data is reviewed and stored, Laurie Kelly, CAMS will present detailed recommendations for constructing an effective SAR narrative. She will also review the appropriate use of SAR form checkboxes, the SAR attachment feature, and the distinction between “new” and “continuing activity” SARs.

Finally, Laurie will introduce the concept of SAR case reports as an effective tool in case management as well as providing valuable detailed information to law enforcement upon request.

Need to first brush up on SAR basics? View our additional SAR resources:

• An Overview of Suspicious Activity Reports
• SAR Writing Tips
• How to Write SAR Narratives
• Case Management and Tracking For Suspicious Activity Reports
• Webinar on Creating a SAR Program

Here are the questions and answers from the event.

Q: If the bank is in one state, but pre-paid accounts are located in another state, in fact across the U.S., where would the SAR be filed?

A: Our SARs were filed where the suspicious activity was taking place. For example, suppose we are in Colorado but we have a customer in California, we would contact the SAR review team for the Colorado regional area, and they would refer it to the California review team if they so choose.

Q: The main question from junior team members relates to the level of detail to provide. Another challenge is the level of review internally until a SAR is actually issued, what would be a good period between identification and issuance of the report?

A: So your clock starts ticking for SAR filing once you make the official decision to file the SAR. So you have an alert, a junior associate looks at it and says they think it is SAR-worthy. They raise it to their supervisor and whatever processes you have for who approves that final SAR filing decision. It is at that point that the SAR filing clock starts. So you have time ahead of that to investigate before you make a decision on whether you’re going to file a SAR or not?

It depends on your organization and what your hierarchies are for approvals. In my organization, things would come through a supervisor and then to me, and then I would make a decision on whether or not this was SAR-worthy. I would speak to the chief compliance officer and tell him about the case. And he would say yes or no.

But just to reiterate, the SAR filing clock starts on the date that you make the decision to file.

Q: Do you run into any problems if it takes you a little while to start investigating a transaction?

A: Not necessarily, because I think law enforcement does not want you to file unnecessary SARs that you have not thought about or investigated.  They want the good stuff. They do not want the stuff you are not sure about.

Obviously, if you wait months to make a decision, that is not acceptable.

But if it is typically within the timeframe of 30 days or so. We did not generate alerts daily. We generated them twice a month.

So a transaction could have occurred at the beginning of the month that we wouldn’t see for two weeks as an alert, and then we would investigate that and determine whether we needed to file a SAR. So, that was a two-week period. But, I think that is a reasonable amount of time as long as you can justify it in order to file a good quality SAR.

Q:  How do you handle cumulative dollar amounts in a SAR?  Would you choose ‘continuing’ if it was a SAR follow-up review and only include the cumulative amount for SARs?

A: In the form itself, if you have checked the box for continuing activity, then it’s going to ask you for a cumulative total in the section of the report. Then it will ask you for the amount of this particular SAR. There is a place on the form to guide you as to what information or dollar amounts to use.

Q: Do MSBs file SARs?

A: Absolutely, Yes.

Q; Do you get 150 days for continuing activity?

A: It’s 120 days. The due date of your continuing activities SAR is 120 days from the date of your last SAR. So, that’s the maximum amount of time. You could certainly file it before then

So, even if we were coming up on preparing our SAR and the 120-day due date was coming up, if it was a big case or a critical case, oftentimes, we go in ourselves and look for more activity within our transaction systems and not even wait for the alerts to see what came up. And stick anything in there that we could enter that current SAR.

Q: I agree that we are filing a SAR for the benefit of law enforcement; however, regulating bodies frequently recommend that we add verbiage that clutters the SAR. Ultimately, they do not regulate us, so I think that is where the case report is helpful. Would you agree?

A: Yes. I feel your pain there. That is a long-standing dilemma, and so I personally took a hard stance on what I was providing in my SARs.

Once the attachment feature came out, I had far fewer issues because prior to the attachment feature our regulator wanted every single transaction crammed into that narrative. I could show them conversations that I had had with law enforcement about how they do not want this. But it was a longstanding agree-to-disagree kind of thing.

It is up to you to decide how much you want to go into battle.

Q: How do you handle complying with subpoenas for SAR information, including your case report, for complex or significant cases? Do you turn over the SAR case report?

A:  Yes, because they could probably access the SAR themselves, but we would if they asked for the SAR form, we would provide it along with a case report.

Q: Do you have a suggestion on the number of transactions that would trigger using an attachment, or should you always use an attachment, even if it is just one transaction to keep it from being in the narrative?

A; Well, I guess it depends on the transaction, but if it was just one, I think what I would put in the narrative.  If it was the verbiage and the freeform text field of a wire, you could highlight that, and then just give them what they need to know to understand why this is suspicious.

Maybe if it is two transactions and it’s not cluttering up your narrative, then find a way to reflect those concisely. Because remember, they are going to come back to you anyway for this information.

I have never had anyone from law enforcement just take what was on the SAR verbatim, and then run with it. They are going to contact you, and they are going to want to see all these details anyway. So file enough to get their attention, but three or four are probably worth it doing the attachment.

I had some that were very lengthy. Especially, in counterfeit check cases where there were sometimes hundreds of transactions.

Q: After filing a SAR, should we continue to make transactions for the customer?

A: That is completely at the bank’s discretion. In addition, every bank should have its own policy about what it does when a customer has had suspicious activity reported on them. Some banks have a three-strikes and you are out mentality.  Others may say you have had a SAR filed on you; we want to close your account.

In the case of my institution, we were a lender, predominantly with customers who had multi-million dollar revolving lines of credit that they used for their operating capital. In addition, these loans, how would you know, five or 10-year terms on them?

So our manager was not going to call a loan and say goodbye just because of something compliance has noted, it would have to be serious for them to do that. An actual indictment maybe.

The bank should have its own policy on how it addresses customers who have suspicious activity reports filed against them.

And sometimes I would think even just one might not be, that might be a little extreme. But that is just, kind of my general opinion. If it keeps happening obviously, yes.

Q:  For SAR reports conducted on a customer’s correspondent bank, should I include the bank in my report?

A: You would definitely want to say in your narrative that these were transactions processed for your correspondent.

Q: Can you provide more information on SAR committees? I have been looking and cannot find anything. Where should I look? Or, who should I reach out to?

A:  Some banks choose to have a SAR review committee. It is internal, and so, maybe, it is made up of the head of compliance, the head of audit, and the head of legal. On a periodic basis, they look at and give the final approval to file a SAR.

I think this is more common in smaller institutions because just from a process perspective in a larger institution, there would just be too much, it would be a full-time job for people. It is an extra internal control that I think smaller institutions probably find more useful, especially if they do not file many SARs.

Q: Should the compliance committee comment on SARs with the directors of the banks? In many cases, some customers are related in some ways to the director.

A: So that’s the confidentiality aspect of it, the need-to-know kind of thing. So we always took the approach that we did not let any person on the sales side, or the relationship managers, know that a SAR has been filed.

There is a distinction between the knowledge that a SAR has been filed and the knowledge that a suspicious activity has occurred. So knowing that suspicious activity has occurred is OK internally. It is just that the formal filing of the report has to remain confidential.

You don’t say that you filed a SAR, but you can ask them to help you review that activity and ask them, Does this make any sense to you? Is there some underlying reason why they’re doing this?

Q: A decision to escalate by monitoring analysts for further investigation to the investigation team doesn’t start the six-day clock, is that correct?

A: No, it should not. The clock for filing starts when the formal decision to file has been made. Not just the flag of suspicious activity. You may investigate it, and then, for whatever reason, decide that you are not going to file a SAR.  And it is important to keep track of those decisions as well as from a regulatory perspective.

Q: In an instance where an analyst has a strong reason that an account warrants a SAR based on suspicious transactions, but the BSA officer does not think a filing is justified in this instance, what do you suggest the analyst do?

A: Whoever has the final say, I guess, is what should happen. This is another reason why a case report comes in, as it is very handy because you can document the analyst’s opinion.

Then, the BSA officer’s opinion would be included as to why they did not think it was SAR-worthy.

And then that record is kept where you have both opinions. And regulators come back later and want to see a sample of cases where you decided not to file a SAR. And they can see that and determine if they think that the right judgment was made.

Just documenting both people’s opinions I think, is important.

Q: What do you suggest regarding lengthy, unlicensed MSB cases involving many transactions? Should we just mention we identified the activity, and say information is available upon request, or should we detail each transaction in the narrative?

A: While you would definitely not want to detail each transaction in the narrative. This is where the attachment feature would come in helpful. And if it is like thousands of transactions.  And maybe just describe in your narrative that there were over one thousand transactions, and so on. We can provide these details to you upon request.

Q:  Because of the pandemic, is there any way to justify the delay in SAR reports?

A: I have not seen the latest, but the last FinCEN guidance I saw was, they were kind of wishy-washy about it. They did not provide extra time. I would just check with FinCEN and maybe even call them if you are experiencing a legitimate reason why you need extra time.

Q: So as an MSB, would you file SARs on recipients in a foreign country?

A: Yes. Sure, if it was actively flowing through your institution.

Q; If during an investigation, what do we do if it becomes public before we are able to report it?

A: You still report it.  In fact, I had it reminds me of a case I had one time where it was public information on some illegal activity of a former customer, that prompted us to go back.

We went back several years and looked for anything suspicious that might have been related to that case and reported it. At the time that it occurred, it did not look suspicious. But once this case came to light, and they were talking about all these things they had done, then looking at that activity in a different light, we filed a SAR just to provide that information.

We were never contacted by law enforcement on it, but we felt that it was our responsibility to report it.

Q: We are a broker-dealer and have numerous relationships with clearing firms. Is that relationship something that we should identify in our narrative?

A: Only if it relates to the transactions.

Q: How would we explain identifying an account number with the clearing firm to specifically identify the account as opposed to our internal identifying number, which corresponds to a customer, not specifically an individual account?

A: You could add it if there isn’t a place on the form, where you’re actually reflecting the account number of that customer. I would mention that number in the narrative.

Q: Upon writing a SAR, who is supposed to review it before filing, in the case of a large institution? The head of compliance can certainly not review them all.  What is the best practice before filing?

A: That definitely depends on the size of the institution and the size of your staff. The best practice I can give you is that at least one other person with more experience should review it.

I think every institution has to approach it based on its individual situation. Therefore, it does not always have to be the head of compliance, but at least somebody else who is knowledgeable on filing SARS.

Q: Here is a question about balance. How should you determine whether you should file a SAR that “may be suspicious”?

A: It would be helpful if you could present it to several people in your compliance department to see what their opinion is about whether this is really SAR-worthy or not.

In some cases, I felt that a SAR was not necessary because we had no information to provide to law enforcement. I personally felt that if we had no names, no telephone numbers, and no information to provide to law enforcement, then there was no point in filing a SAR.

Q:  When we file a SAR, can we include multiple different subjects in the SAR? For example, if I have 10 unrelated incidents in one week should I actually be submitting 10 different SARs?

A: I guess I would expand on that question … if it were all related to say one customer, then yes; you can certainly include multiple subjects. The SAR form can accommodate an unlimited number of subjects.

However, I would consider this from a law enforcement perspective: What is it that you are trying to tell them about the case? And even though you may have multiple subjects, if it’s all related to one customer or the same flavor of activities, then you could certainly include those all in one.

Q: After you have created a continuous SAR and still have the same activity, do you create a new or continuous file?

A: If it is the exact same thing going on – you have the same players, you have the same nature of activity, that is when you want to check the continuing activity box. Then, in your narrative, say this is a continuing activity, summarize why this is suspicious, and add the new details.

Q: If within the 90 days, the suspect opens a new account and conducts the same activity, would we do a continuing or a new report?

A: I would call that continuing because it is the same characterization of activity. The fact they opened a new account and started doing it out of a new account is even more suspicious.

Q: So if you have a continuous SAR report, should the narrative from the original SAR be included?

A: No, and that is a very good question. In your first sentence, say this is a report of continuing activity and describe that activity briefly. Have the BSA ID number, date and amount of your original SAR, so law enforcement readers can see that information.

Q: In the case of identity theft, what should we register for subject information, since the data is from the victim?

A: If you do not have any information, you do not list any information. In the case of fraud where your customer is the victim, you do not list your customer as a subject.

The subject section is intended to be only for participants in the illegal activity. In money laundering cases, typically, your customer is an active participant in that activity, so you would list your customer as well as any other parties.

Q:  Do you create case reports for unusual activity where you decide not to produce a SAR?

A: Yes. That is a very good question because it is important to document. If your alert system or something else comes up that is unusual and you ultimately decide not to file a SAR, you need to document the reason why.

It could be something as simple as there is no information of value to provide to law enforcement. Sometimes a case report may not be necessary, so simply document that in your case management system.

However, if there was sufficient detail, you need to document why you chose not to file this SAR. Typically, examiners will ask you for a list of all incidents where you actually decided not to file a SAR.

Q: How do you keep your case reports confidential?

A: It really all comes down to good data security practices. We restricted access to our network to compliance staff only as well as our government. If we were going to provide a case report to someone outside of compliance, but within the organization, we would make that document read-only with password protection.

We sent the document through internal email only, and we provided the recipient with the document password by phone. We kept hard copies as well in a locked cabinet.

If we had any external auditors or examiners who wanted to review the report, we typically made them read it on-site in hard copy only and not take it away from our area. So we had very tight security around anything to do with SARs. And that’s really a definite best practice for any compliance group.

Q: Do you have any recommendations or practices for sharing actionable information with local law enforcement outside of SARs?  Some local law enforcement offices do not have direct access to the FinCEN database, but we may want to inform them directly of certain situations.

A: Actually, it is a very good practice for compliance people at banks to make a connection with your local law enforcement. This would include the local field office of the FBI or even Homeland Security. I think law enforcement does appreciate when we as compliance professionals actually reach out to them directly.

Q: Is there a limit on how many SARs you can write and submit, especially in the closing quarter of the year?

A: You can submit as many as you need to but you want to avoid the defensive filing.

Q Should the FI or listed business be notified by the law enforcement agencies that their SAR was received?

A: If you file electronically, FinCEN sends back something that acknowledges that they received it and then usually within a couple of days FinCEN sends another message that they have processed it and it has been accepted. You know it has been accepted when the BSA ID number is assigned.

Q: How many days should you watch a suspicious customer before creating a SAR?

A: The key date from FinCEN’s perspective is the day that you decide to file the SAR. The date that the decision to file is made is when the clock starts for your filing. But depending on what kind of suspicious activity you noted with your customer, you may want to file the SAR immediately.

Q: If you had a suspicious activity that goes over the 90-day review, or a similar incident occurs a year later, would you reference that previous SAR that has been filed or begin a new series?

A: I still personally believe that if it is exactly the same, it is a continuing activity report even though it has been a year and that law enforcement wants to know that. However, if you feel more comfortable filing it as new, then definitely state that in your narrative.

Q: So another question that came in was is it OK to use the form, section five, in a SAR log?

A: You can really organize these case reports however you would like to. It is not a regulatory form, it is purely an internal form, and you want to design it in a way that is most useful to you. Now we did have a previous section. I believe the SAR narrative is section five. Then we have a separate section where we use it as a SAR filing log.

In addition, I will say that that is incredibly helpful, especially when you are providing that report to law enforcement because if you do include the BSE IDs for each one of the SARs. That is how agents would go and look up previous, SARs or related SARs.

Q: So how can you tell who actually filled out the SAR?  Some forms seem to come from a corporate office, so you cannot tell which branch filed a SAR.

A: There is a place at the beginning of the SAR form where you indicate the financial institution’s contact. That is up to the bank or institution to decide whose name you want to provide there. That way, if law enforcement did reach out and contact that person, they would be the best person to talk to you as they were in charge of that case.

However, other banks may use a general number for compliance, or maybe the director of compliance or whatever they prefer to do.

Q: Would I contact the IRS criminal investigation field office to reach the SAR review team even if the SAR being referenced is not related to any IRS fraud?

A: Absolutely, yes. IRS criminal investigation actually investigates more than just fraud and more than just tax fraud or tax evasion. They investigate structuring cases, money laundering, and all kinds of different types of activities.

In addition, because the IRS is a division of the Treasury Department, which is what FinCEN is a division of, that is kind of why I believe they take the lead when it comes to SAR filings.

The SAR review teams include representatives from many other federal law enforcement agencies. So they will decide if they need to investigate or whether it is worth pursuing, and then they will decide as a team who should this go to. Maybe it will be something they want to give to Homeland Security, or maybe to the Secret Service.

So, yes, the IRS criminal investigations does a lot more than just tax fraud.

Q:  There is a question on the number of transactions that would trigger a SAR.  Is it just one that might trigger a SAR? Or do you need to see a pattern of transactions before you file a SAR?

A: It really does not matter as long as it is suspicious. There are some dollar amount guidelines for SAR filings, which are just guidelines. There is a $25,000 threshold and a $5,000 threshold and it has to do with whether or not a subject, or a suspect, has been identified or not.  But one transaction can certainly be SAR-worthy.

Q: Is the person filing a SAR kept anonymous each time, and if not, are they contacted anytime during the investigation?

A: There is an assumed confidentiality surrounding SAR filings between the filing institution and law enforcement.

Really, it is the bank or institution that is filing the SAR, is kept out of public records. It is actually a federal offense to disclose that a SAR has been filed.

And so that anonymity, if you will, is protected. But as far as dealing with individuals within the institution who have prepared the SAR, worked the case and so forth, there is not really any anonymity that’s needed because you’re partnering with law enforcement.

A law enforcement officer may contact you about one of your SARs because they want to work with you in the end. So you may have multiple conversations with them after you provide information. They may have some more questions. It becomes a dialog.

Q: What is the general rule for a local entity to share a SAR with its parent company? In addition, is there a restriction, if the parent is internationally located?

A: There would not be any international restriction that I am aware of. You want to consider things on a need-to-know basis.

So, for example, you should be advising your Board of Directors of your SAR activity. But you don’t need to tell those members of the board the names of the customers, for example, on whom these SARs have been filed.

You can describe the suspicious activity and talk about it. However, where you need to be really careful is in that indicator that a SAR has been filed. Where the federal offense comes in is in disclosing publicly that a SAR report has been filed.

How much detail does your parent company really need to know? They probably want to know the volume and nature of the SARs you are filing, so maybe consider reporting that.

I would do a quarterly report to our board, where I would describe all the new SARs we filed on our major cases and continuing activities. But I never used any customer names. I just switch, say, customer A, customer, B, and so forth.

Where I did provide customer names, though, was when our customer was a victim of fraud. That way they would want to know when the fraud occurred and what types of fraud, But on the AML side, we never revealed any customer names.

Q: What is a civil penalty for tipping off someone about a SAR?

A: According to FinCEN, both civil and criminal penalties may be imposed for SAR disclosure violations. So, you’re looking at up to $200,000 for each violation and criminal penalties of up to $250,000. And, or imprisonment not to exceed five years. So, I think that’s what the individual financial institutions could be liable for in civil money penalties, and they could be as much as $25,000 per day for each day that the violation continues.

Q:  What do you do if the person on which the SAR has been filed is a PEP?

A: If the suspect or subject is a politically exposed person (PEP), you certainly want to highlight that in your narrative. In that very first paragraph, I would repeat their name and who they are because obviously, their name is going to be shown in the subjects section of the report. But the fact that they are at PEP is not going to be unless they’re very famous.

Now, whether or not you choose to notify local law enforcement, again, depends on the nature of the case. But it is OK to notify local law enforcement. You just wouldn’t send them the SAR. You would file a SAR through FinCEN.  Then the SAR review teams are the ones who are reviewing them.

But in something I would consider to be a hot SAR, you could get in touch with IRS CI, or even call Homeland Security.

I should emphasize here, that instead of going to your SAR review team, you can go directly to a law enforcement, or federal law enforcement agency in your area to tell them about it.

I have even asked whether they thought something was SAR-worthy or not.  I had made law enforcement contacts through networking meetings. Those are great connections to have where you can actually reach out to them and say, I have this weird situation going on, do you think this is SAR-worthy?

In one case, it was related to the beneficial owner of our customer and I was seeing there could be potentially an immigration issue.

That’s when I reached out and contacted them and asked whether I should file a SAR because there weren’t any actual dollar transactions involved. This person could have been in the country illegally.  So, we did file a SAR at their suggestion.

Q: What happens if the entity files a SAR which, according to the IRS regulators is not a suspicious activity? Is there some action taken on the entity if they report something that is not suspicious?

A: No, not to my knowledge. I don’t think there’s ever been a particular penalty assessed.

But sometimes there’s been talk of when this comes back to data quality, which is where there’s a term called defensive filing. This is where an institution files a SAR on anything that has the remotest potential suspicion, but without investigating it.

Sometimes it may be a slap on the wrist, or a warning might come down if a regulator says I think you’re overdoing it a little bit with your SAR filings.

But as far as I know, there is no particular penalty. If you really think it’s suspicious, and then it turns out not to be, It’s not our job as AML professionals to investigate.

Our job is to look at something a little bit and say, yes this is suspicious. This doesn’t smell right to me, because of these reasons. Here’s my report, and now law enforcement makes that decision on how to proceed. Are we going to investigate this? Or, No, I don’t think we’re investigating this. It’s not our job to really figure out if something illegal is actually happening.