Effectiveness is an elusive term that is applicable across any part of an AML/Sanctions Program. Having an effective suspicious activity reporting (SAR) program is an important part of any AML/Sanctions Program, as detecting and reporting suspicious activity is the entire purpose for all actions in AML/Sanctions compliance programs.
An effective suspicious activity monitoring program has many avenues that contribute to it and in turn, it should impact many areas of an institution.
In this webinar, suspicious activity monitoring programs are reviewed to determine what makes them effective or ineffective.
Topics covered during the webinar include:
- Framing what makes an effective suspicious activity monitoring program
- How to use global and national advisories to directly impact the suspicious activity monitoring program
- Common signs of ineffective suspicious activity monitoring programs
- Where KRIs and KPIs should and should not be used as a metric for success
- How to test your suspicious activity report program to ensure any gaps are detected
Need to first brush up on SAR basics? View our additional SAR resources:
- An Overview of Suspicious Activity Reports
- Effective SAR Writing Webinar and SAR Writing Tips
- How to Write SAR Narratives
- Case Management and Tracking For Suspicious Activity Reports
SAR Program Q&A
Q: In terms of SAR types, what would be the difference when you compare a well-established FinTech versus a startup fintech?
A: I would assume that the person who is asking is a FinTech, asking what’s the difference between an early and a mature version of a suspicious activity monitoring program. I have been working with global FinTechs for many years and I have worked with them pre-launch, mid-launch, and then also when they are mature, and they are quite different. Yes, the volume obviously is going to be different, as you ramp up your volume at your FinTech.
Aside from volume, FinTechs should always be learning about typologies. How can this person exploit my payment methodology?
But the biggest change really should be in how the executive management and board of the fintech should become more engaged and knowledgeable over time. I had a FinTech, and a rather large company bought them out, but at the time they were a new FinTech. They were born as a technology company for a few years and they rolled over the FinTech side. And throughout the years that I worked with them, there was really no change. There was no change in how executive management and the board viewed not just the importance of what the anti-money laundering team was doing, but the production of what they were doing. They had zero interest. And so that’s something I would keep an eye on.
If you are growing and you’re saying, “Yeah. We have more SARs. Yeah, we’re filing more on different types of typology,” but you are getting the same feedback or zero feedback from executive management and board, that would be something I would be cautious of.
You do not really see that in the bank world a lot. Once you capture that human element in the bank world, they go, “Oh, wait. There’s human trafficking going on.” On the fintech side, it’s like, “I’m not a bank. I’m a technology company.” So I mean, that’s probably a little bit more than what the person asked, but that’s my take.
Q: What if there is training, but the bank culture does not support the accountability for branch staff to support compliance through their day-to-day activities? How can this person change that culture?
A: Okay. So, one of the things that worked well for me when I was an anti-money laundering officer and I fought the same battle was this thing called a risk acceptance form. It is a form that puts the readers on notice that we as the institution will be assuming the risks attached to non-compliance, or apathy towards compliance, rather than various areas of the institution. And because we’re going to be assuming this risk, I need to have it written down and I need to have people who have actual authority since the person who’s submitting it doesn’t have actual authority, they have the illusion of authority usually.
Since you do not have actual authority, you need to send this risk acceptance form to the individuals who are making the decision and do not support compliance at the front end and you can cover yourself. That’s the type of approach that a risk acceptance form provides for you, that documents the fact that you’re aware of this risk and that you have other people who are making decisions. Since you don’t have the right authority to make this decision it’s out of your hands, but it’s documented, and the executive management team is made aware of it. They don’t have to sign it, they don’t have to do anything, you can just send it to them. And then I would write a memo to cover the fact that you wrote this and that you made executive management, or the board, or whoever aware of this gap or this risk. That for me is the quickest way to deal with that.
Q: Should you really be repeating the information held in other parts of the SAR? And I think it was specifically looking at the social security number.
A: You do not have to repeat that information. I think it helps especially if you are dealing with multiple parties. In the U.S. the way that the SAR information comes in, it’s a lot easier to have all of that information in the actual narrative in the SAR body than it is to only have it in the suspect information in the actual form part. But as far as repeating things, the only thing I would make sure to repeat in the narrative would be your reason why you’re filing, your why, your stab at what you think is going on.
Q: If we file an STR/SAR for a customer and he visits the branch again for another transaction. So for this particular case, do you let this person do another transaction in terms of remittance or do you add them to the deny list?”
A: There is no magic formula for that. If you have a customer where it’s a fraud issue where the institution could be on the hook for fraud losses, that’s a different situation than suspicious activity. So if it’s going to come down to a fraud or loss claim, I would always err on the side of protecting the institution from fraud or losses or the customer for that matter as well.
If it is an older customer and you know that some princess is fleecing them, then I would always take whatever steps are necessary, whatever your institution allows you to not send that. I remember back in the day we had this older person who kept all of his cash in his house, he just kept coming in and sending these wires, and we tried to talk to him. Finally, I asked my friend in the Secret Service, I was like, “Look, he is going to come in today, can you come in and talk to him?” And so they did. They came in, they were nice to him, and they just explained what was going on, they explained the information they had on the receiving party of the wire.
So if you are looking at fraud losses that is different from something that is just straight suspicious activity. If it’s threat finance, or terrorist financing, obviously, the answer to that question would be, “No, don’t let him do this,” unless the FBI or whoever you’re working with has given you explicit instructions to keep the account open which is very rare.
If you are in the middle part there, where it has just suspicions, right? You filed him for whatever reason, suspicious movement of funds, that is something that’s not always clear cut. I mean, if it is not fraud and it is not terrorist financing, you filed a SAR, and there is nothing in at least U.S. regulations that disallow you from confirming that wire for that customer. You have to walk a thin line there because you do not want to tell that customer, “Hey, I can’t send the wire because we filed a SAR on you,” or, “because we think you’re suspicious.”
I know that answer is clear as mud, but that is because it really is. Without knowing more information, that is a tough thing to go with. I know we have many of those situations. We had loans that kept being extended, big, big commercial loans that kept being extended even though we were filing SARs on many of these businesses and it is tough because you are like, “I want to tell commercial lending, don’t keep allowing these loans to go through.”
There were a few where we understood that it was too risky for the institution just on a loan loss reserves to continue to do that. So that conversation was had with the commercial lending department. But most times it’s very difficult if it’s not fraud to have a discussion with either the customer or an internal department.
Q: How far do you think institutions should go as far as revealing their entire system of records, and applications to ensure noncritical fields are entered on the SAR form?
A: I like to have all the fields populated if I have the information for a couple of reasons. One, it gives law enforcement everything that I know that I have, but I do not go out and try to find other things that I don’t know or that I don’t have. I just know that if I have the knowledge, I have the burden. So if I have that information, I will provide that information. So one, it provides better information to federal or local law enforcement, but also it gives auditors and examiners but mainly auditors who are stuck at that surface level checklist auditing, it gives them less things to ding me on because the last thing I want is for an auditor to go, “Oh, I know this is not a required field, but you had the information. You should put the information in there,” and boom, it becomes an audit finding and then I have to track it, and report it, and do the status update, etc. So if you have it, give it.
Q: If you do not find any Google reviews, but you find the business on other search engines, why rely on Google? I don’t think you were suggesting that Google is the only source of information.
A: Right. No. I mean, it’s certainly not the only source. In that particular case, there wasn’t any information on the business period. So how that SAR narrative was written was that the first 10 pages of Google produced nothing. Use DuckDuckGo if that works. It is just a search engine where you can find whether Bob’s Convenience has any reviews on Yelp, TripAdvisor or on any other platform where people can leave ratings or comments for businesses. It is not that I just could not find anything on Google, it is that Google is also used to show you, “Oh, hey, you have a Google review or you have a Yelp review or a TripAdvisor review, or whatever other system.” So it’s not just Google.
Google provides information about what other platforms or websites could possibly hold information for the customer you are looking for.
I think is always very valuable if you cannot find anything. If you are dealing with a business with millions and millions, and millions, and millions of dollars, they should have something online, right? You should be able to find something out about them. If not, how do they have this revenue? How do they have this activity? How do people find them if you cannot find them on the biggest search engine in the world?
How to Document Your SAR Investigations
A SAR case report is a comprehensive report that provides all the details of the suspicious activity case and its related SAR filings all in one place. It allows financial institutions to quickly and efficiently deliver on law enforcement requests for full details of a SAR case.
Case reports can also be an effective tool to document flagged activities that were not filed as SARs – questions that may be faced by compliance officers, an audit, or a regulatory review team. Having this readily available will improve collaboration with regulators, give enforcement meaningful insights that only the FI can provide, streamline and reduce the manual efforts associated with reporting for an AML team.
Contact us today to learn more about how Alessa can help with your SAR program and AML compliance needs.
Learn what makes suspicious activity monitoring programs effective or ineffective. Watch the webinar.