Webinar Q&A: Writing Effective Suspicious Activity Reports
I recently had a chance to have a Question and Answer session with Laurie Kelly following CaseWare RCM’s webinar on writing SARs. Laurie is an expert in the field with a 35-year career spanning the fields of accounting, finance, risk management, and regulatory compliance. Most recently, she served as the Director of Compliance for CoBank ACB, a $136B Farm Credit System institution, where she developed and managed the bank’s anti-money laundering, fraud, and economic sanctions compliance programs.
Anu Sood: Upon writing a SAR, who is supposed to review it before filing, in the case of a large institution? The head of compliance can certainly not review them all. What is the best practice before filing?
Laurie Kelly: That definitely depends on the size of the institution and the size of your staff. The best practice I can give you is that at least one other person with more experience should review it.
I think every institution has to approach it based on their individual situation. Therefore, it does not always have to be the head of compliance, but at least somebody else who is knowledgeable on filing SARS.
Anu: Here is a question around balance. How should you determine whether you should file a SAR that “may be suspicious”?
Laurie: It would be helpful if you can present it to several people in your compliance department to see what their opinion is about whether this is really SAR-worthy or not.
In some cases, I felt that a SAR was not necessary because we had no information to provide to law enforcement. I personally felt that if we had no names, no telephone numbers, no information to provide to law enforcement, then there is no point in filing a SAR.
Anu: When we file a SAR, can we include multiple different subjects in the SAR? For example, if I have 10 unrelated incidents in one week should I actually be submitting 10 different SARs?
Laurie: I guess I would expand on that question … if it were all related to say one customer, then yes; you can certainly include multiple subjects. The SAR form can accommodate an unlimited number of subjects. However, I would consider this from law enforcement perspective: What is it that you are trying to tell them about the case? And even though you may have multiple subjects, if it’s all related to one customer or the same flavor of activities, then you could certainly include those all in one.
Anu: After you have created a continuous SAR and still have the same activity, do you create a new or continuous file?
Laurie: If it is the exact same thing going on – you have the same players, you have the same nature of activity, that is when you want to check the continuing activity box. Then, in your narrative, say this is a continuing activity, summarize why this is suspicious and add the new details.
Anu: If within the 90 days, the suspect opens a new account and conducts the same activity, would we do a continuing or a new report?
Laurie: I would call that continuing because it is the same characterization of activity. The fact they opened a new account and started doing it out of a new account is even more suspicious.
Anu: So if you have a continuous SAR report, should the narrative from the original SAR be included?
Laurie: No, and that is a very good question. In your first sentence, say this is a report of continuing activity and describe that activity briefly. Have the BSA ID number, date and amount of your original SAR, so law enforcement readers can see that information.
Anu: In the case of identity theft, what should we register for subject information, since the data is from the victim?
Laurie: If you do not have any information, you do not list any information. In the case of fraud where your customer is the victim, you do not list your customer as a subject. The subject section is intended to be only for participants in the illegal activity. In money laundering cases, typically, your customer is an active participant in that activity, so you would list your customer as well as any other parties.
Anu: Do you create case reports for unusual activity where you decide not to produce a SAR?
Laurie: Yes. That is a very good question because it is important to document. If your alert system or something else came up that is unusual and you ultimately decide not to file a SAR, you need to document the reason why. It could be something as simple as there is no information of value to provide to law enforcement. Sometimes a case report may not be necessary, so simply document that in your case management system. However, if there was sufficient detail, you need to document why you chose not to file this SAR. Typically, examiners will ask you for a list of all incidents where you actually decided not to file a SAR.
Anu: How do you keep your case reports confidential?
Laurie: It really all comes down to good data security practices. We restricted access to our network to compliance staff only as well as our government. If we were going to provide a case report to someone outside of compliance, but within the organization, we would make that document read-only with password protection.
We sent the document through internal email only, and we provided the recipient with the document password by phone. We kept hard copies as well in a locked cabinet.
And if we had any external auditors or examiner’s that wanted to review the report, we typically made them read it on site in hard copy only and not take it away from our area. So we had very tight security around anything to do with SARs. And that’s really a definite best practice for any compliance group.
Anu: Do you have any recommendations or practices for sharing actionable information with local law enforcement outside of SARs? Some local law enforcement office do not have direct access to FinCEN database, but we may want to inform them directly of certain situations?
Laurie: Actually, it is a very good practice for compliance people at banks to make a connection with your local law enforcement. This would include the local field office of the FBI, or even Homeland Security. I think law enforcement does appreciate when we as compliance professionals actually reach out to them directly.
Anu: Is there a limit on how many SARs you can write and submit especially in a closing quarter of the year?
Laurie: You can submit as many as you need to but you want to avoid the defensive filing.
Anu: Should the FI or listed business be notified by the law enforcement agencies that their SAR was received?
Laurie: If you file electronically, FinCEN sends back something that acknowledges that they received it and then usually within a couple of days FinCEN sends another message that they have processed it and it has been accepted. You know it has been accepted when the BSA ID number is assigned.
Anu: How many days should you watch a suspicious customer before creating a SAR?
Laurie: The key date from FinCEN’s perspective is the day that you decide to file the SAR. The date that decision to file is made is when the clock starts for your filing. But depending on what kind of suspicious activity you noted with your customer, you may want to file the SAR immediately.
Anu: If you had a suspicious activity that goes over the 90-day review, or a similar incident occurs a year later, would you reference that previous SAR that has been filed or begin a new series?
Laurie: I still personally believe that if it is exactly the same, it is a continuing activity report even though it has been a year and that law enforcement want to know that. However, if you feel more comfortable filing it as new, then definitely state that in your narrative.
About Anu Sood
Anu Sood (LinkedIn | Twitter) is the Director Marketing at CaseWare RCM and is responsible for the company’s global marketing strategy. She has over 20 years of experience in product development, product management, product marketing, corporate communications, demand generation, content marketing and strategic marketing in high-tech industries.