Making Amends: Auditing Ongoing Suspicious Activity Report Filings for Financial Institutions

Topics: Anti-Corruption, Compliance, Financial Crime, Fraud, Government, Leadership, Money Laundering, Regulation & Compliance, Regulatory Intelligence, Risk Management

SARs

In the myriad of Suspicious Activity Report (SAR) requirements, there are perennial findings that reflect the failure to file, delays in filing, and deliberate efforts not to file.

The Federal Financial Institutions Examination Council (FFIEC) guidance is broad in this area, and effectively puts the onus on filers to tailor reports in line with their risk assessment. There are ways to enhance overall SAR quality, which also needs to be risk-based. While compliance practitioners can rely on public enforcement actions or the more infelicitous Matter Requiring Attention/Matter Requiring Immediate Attention (MRA/MRIA) to determine the floor and ceiling of regulatory expectations for filing, there is even less guidance when it comes to “on-going” SAR filing.

It’s likely that the vast majority of testing focuses on the initial SAR filing; whether it was filed in a timely way, and whether it fulfilled the overall requirements of the underlying regulations. Similarly, it’s as likely that where there is testing done on on-going SAR reports (i.e. amended, corrected, and follow up filings), it entails a review whether or not such reports were in fact filed, and whether they were done so in a timely manner. Secondarily, there are often automated processes to be checked (e.g., inclusion of the BSA ID number) which are therefore lower risk.

Defining the Drivers

Regulatory adjudication of on-going SAR filings has not been a focus of recent enforcement actions; there are in fact no noticeable mentions of amended, corrected, and continuing SARs in the past 10 years of Bank Secrecy Act (BSA) or anti-money laundering (AML) enforcements. The combined outcome is that these on-going filings may have been deprioritized by financial intuitions and thus represent a potential blind spot for SAR filers. Anecdotally, some financial intuitions have been said to create bare-bones initial SAR filings designed to placate their SAR Quality Assurance (QA) process or internal audit, and then put the “real” details in on-going reports.


For ACFE members: To hear more from financial crimes expert Michael Schidlow, join his upcoming webinar, The Opioid Crisis: How Financial Institutions Can Mitigate Risk, at 1 pm, EST on April 15 .


The value of this workaround, for a SAR filer, is that they might more easily pass that scrutiny of those stakeholders’ inquiries, freeing them to add more detail in a less formal construct in the follow-up report. While outwardly this might make it seem as if all filing requirements are met, it creates a divisive or dismissive attitude towards SAR filing, can foster or exacerbate a lax attitude to the rigors of SAR filing or AML compliance, and could potentially lead filers to come up with additional workarounds to the existing filing requirements. This risk is conditioned by the inherent and increasing pressure — predominantly from QA testers (2nd and 3rd line alike) — to make “perfect” SAR filing a zero-sum game.

As with any other instance, pressure and opportunity will lead to a rationalized deviation from compliance requirements.

Sequels, Sequentials & Continuity

One of the keys to evaluating ongoing SARs is ensuring that the nature of the filing strictly aligns to its designation and requirements, as opposed to a unasinous grouping of “second round SARs.”

Continuing SARs are their own entity, meant to report an extension of the underlying reportable. For example, if an account was engaged in bribery-sensitive activity and that activity continued after the initial report with no material changes (i.e., the filing categories remained the same) then a Continuing Report should be issued within the requisite timeline.

Corrected and Amended reports, as their titles infer, are not synonymous or interchangeable. Corrected SARs should only reflect that an error or omission was made during the filing of the initial SAR, such as identifying information that was on record but was incorrectly entered, or accidentally omitted. To that end, it would be concerning if multiple Corrected reports were issued by the same filer for the same underlying report. However, in the absence of governance over Continuing reports and a lack of exemplification in the enforcement space, an unchecked financial intuition could file numerous incorrectly categorized SARs which then wouldn’t get the right depth of attention from law enforcement.

Amended SARs, on the other hand, are perhaps the most critical because they offer the most breadth. As with any other area of compliance, that discretion requires a policy- and procedure-driven minimum standard, and a governance-dictated maximum tolerance. Amended reports should, regulatorily speaking, exclusively be used when previously unknown information must be referred to law enforcement. One misconception, which also has not been tested in the pantheon of AML enforcement, is that an Amended report should be issued if the same suspect engages in new activity. Referring back to the near infancy of regulatory guidance, the Financial Crimes Enforcement Network (FinCEN) notes that in essence, new activity requires filing a new SAR.

So to parse the issue, if the same initial filing now has a new suspect that would require an Amended report; if either of the suspects in those two (initial and Amended) SARs engaged in unrelated activity, then a new report should be issued.

The Means Justify the Ends

In the end, there is likely going to be a degree of satisfaction in the SARs being filed at all. It’s difficult, though not impossible, to imagine the deciding factor of a bad audit being the conflation of these ongoing SAR categories. However, AML is, for better or for worse, a field of compliance — and compliance necessitates attention to detail.

Thus, in this environment of heightened expectations, the further a financial institution can demonstrate robust awareness of and adherence to these dictates the better it will be to defend against audit or regulatory challenges.