FAQs
Part I: Subject Information
Question: We have recently seen an influx of customers falling victim to various scams (romance, lottery, phishing schemes, elder financial abuse, etc.). Do we complete Part I (Subject Information) of the Suspicious Activity Report (SAR) using our customer’s information when they are the victim, not the culprit?
Answer: No, the “subject” refers to the individual suspected of initiating and engaging in the suspicious activity (the fraudster), while the “victim” (your customer) is the person allegedly affected by the activity. For the various SAR activities mentioned above, the “subject(s)” in the SAR filing is/are the fraudster(s). The “victim” in the SAR filing is your customer, the target of the scams. Therefore, the SAR should primarily focus on the subject fraudster’s details, while including applicable information about the victim in the narrative section. The goal is to identify potential criminal activity – not to report the victim themselves unless they are actively participating in the activity.
Refer to FinCEN Suspicious Activity Report Electronic Filing Requirements, FinCEN SAR XML Schema User Guide (version 1.6 | August 2021):
Part I Subject Information: Complete a Part I section on each known subject involved in the suspicious activity. Persons who are victims of the suspicious activity are not subjects and should not be recorded in a Part I section. Victim information, if necessary for a complete description of the suspicious activity, should be recorded in Part V.
Question: A business customer with a registered trade name with the County Recorder (doing business as – DBA) was involved in some suspicious activity. When completing the Suspicious Activity Report, how do we complete Part I for the Subject Information?
Answer: Complete Items 4, 5 and 6 of Part I with the customer’s last, first, and middle names, and complete Item 9 (Alternate Name) with the trade name. Do not include the acronym DBA with the name. Refer to FinCEN Suspicious Activity Report Electronic Filing Requirements, FinCEN SAR XML Schema User Guide (version 1.6 | August 2021):
- Alternate name, e.g., AKA if individual; DBA/ trade name if entity. Item 9 Alternate name: Enter the individual’s also known as (AKA) name or the entity’s doing business as (DBA) name if different from the name entered in Items 4-6. Do not include the acronyms AKA or DBA with the name. Multiple Item 9 fields may be completed if multiple subject alternate names are known.
Part II: Suspicious Activity Information
Question: I am going to file a Suspicious Activity Report on suspicious activity that occurred on a single day. Should I enter “from 01/01/2024 to 01/01/2024” as the date range in Part II #30?
Answer: If suspicious activity occurs on a single day, enter that date in field 30a “From” and leave field 30b “To” blank. Refer to FinCEN SAR XML Schema User Guide (version 1.6 | August 2021):
Item *30 Date or date range of suspicious activity for this report: Enter the suspicious activity date or date range for this report. If the suspicious activity occurred on a single day, enter that date in field 30a “From” and leave field 30b “To” blank. If the suspicious activity occurred on multiple days, enter the earliest date of suspicious activity in field 30a and the most-recent date of suspicious activity in field 30b.
Part III: Information about Financial Institution Where Activity Occurred
Question: When should the boxes in Part III, field 68 of a Suspicious Activity Report be selected for “Selling Location,” “Paying Location” or “Both?”
Answer: The “Selling Location” box should be checked if the branch sold the product or instrument recorded in field 45 or 46. Likewise, the “Paying Location” box should be checked if the customer received payment from the branch for the products or instruments recorded in fields 45 or 46. The “Both” box would be checked if the branch was both the paying and selling location of these items. This field generally only applies for banks when the subject conducted transactions involving wire transfers, traveler’s checks, money orders or like products or financial instruments. For example, if the bank issues an official check, the “Selling Location” box is selected. If the bank cashes or negotiates an official check, the “Paying Location” box is selected. If the suspicious activity involves both the selling and redeeming of the transaction, then “Both” is selected.
Part IV: Filing Institution Contact Information
Question: When completing a Suspicious Activity Report (SAR), why is it crucial to collect and complete the law enforcement information within Part IV, Items 89-92?
Answer: This information provides vital details that allow law enforcement agencies to better understand which agencies have been informed of the suspicious activity. This promotes more effective investigations of potential financial crimes to aid in the fight against money laundering and other illicit activities.
Refer to FinCEN Suspicious Activity Report Electronic Filing Requirements, FinCEN SAR XML Schema User Guide (version 1.6 | August 2021):
Item 89 – LE contact agency: Enter the name of the law enforcement agency, if any, which has been informed of the suspicious activity.
NOTE: If more than one LE agency has been contacted about the suspicious activity, record the information on one agency in Items 89-92 and the information on additional agencies in Part V.
Item 90 – LE contact name: Enter the name of the person contacted at the law enforcement agency.
Item 91 – LE contact phone number: Enter the law enforcement contact telephone number. See General Instruction 7 for information on entering telephone numbers.
Item 91a – Extension: Enter the extension, if any, of the law enforcement contact telephone number.
Item 92 – LE contact date: Enter the most-recent date the law enforcement agency was contacted about the suspicious activity. If the agency was contacted on multiple dates, record the earlier contact dates in Part V. Discrete filers will use the format MM/DD/YYYY while batch filers will use the format YYYYMMDD.
Coordinating the investigation process through law enforcement information is important for several reasons:
- Building a case: Accurate details on the suspect’s identity, account information, and transaction patterns help build a strong case for prosecution.
- Identifying trends: When analyzing multiple SARs with similar patterns, law enforcement can identify broader criminal groups and trends in similar crimes.
- Information gathering: SARs contribute information to databases, allowing agencies to connect the dots between unrelated transactions and individuals.
- Partnership with regulatory bodies: Sharing information with regulatory agencies such as FinCEN allows for a collective effort to stop financial crime.
Part V: Narrative
Question: When completing the narrative on a Suspicious Activity Report, why is it important to include the date on which it was determined that the activity was suspicious?
Answer: In order to determine that the SAR was filed on a timely basis, it is imperative to include the date on which the activity was determined to be suspicious in the narrative. The time period to file a SAR starts when the institution, during the course of its review or as a result of other factors, reaches the conclusion that it knows, or has reason to suspect, that the activity or transactions under review meet one or more of the definitions of “suspicious activity.” Because additional research, such as reviewing the customer’s account activity, is typically conducted upon the identification of unusual activity, the date upon which it is determined that the activity is suspicious should be noted. It is then that the 30- or 60-day clock for filing a SAR begins to run. For suspicious activity for which a SAR is not filed, it is also important to note this date in the bank’s records.
Question: When completing Part V, Suspicious Activity Information, Narrative, on a Suspicious Activity Report, can we just include a sentence stating that all supporting documentation is being retained by the bank or do we need to describe the supporting documentation?
Answer: The Part V Narrative should describe all supporting documentation, and the documentation must be retained for five years. For instance, if the suspicious activity pertains to possible structuring, a description of the supporting documentation (e.g., deposit slips, cash-in tickets, account activity, etc.) should be included in the narrative. Refer to FinCEN Suspicious Activity Report Electronic Filing Requirements, FinCEN SAR XML Schema User Guide (version 1.6 | August 2021):
Describe all supporting documentation and retain the documentation for five years. DO NOT include supporting documentation with the FinCEN SAR. (See General Instruction 6.)
Deciding Whether to Report
Question: According to local media reports, a current customer of the bank has been charged with embezzling from his employer. Should we conduct a review of his account and file an SAR as a result of the media reports?
Answer: FinCEN recently issued a series of FAQs, two of which addressed this very topic. FinCEN indicates the existence of negative news related to a customer does not by itself indicate that the criteria requiring the filing of an SAR have been met. However, the institution may review media reports, news articles and/or other references to assist in its performance of customer due diligence, as well as its evaluation of any transactions or activity it considers unusual or potentially suspicious. For example, negative news may cause an institution to review customer activity as well as other related information, such as that of third parties with transactions involving the customer’s account.
In circumstances where there are multiple negative news alerts (as identified through monitoring for unusual or suspicious activity) based on the same underlying events, an institution does not need to independently investigate each alert, but rather may consider whether the alert contains new or different information that warrants further investigation or whether the negative news otherwise assists or informs the evaluation of the activity at issue. This type of process will allow the institution to identify and evaluate new information and assess whether to update customer information and risk profile or investigate transactions, which may result in the filing of an SAR.
As with other identified unusual or potentially suspicious activity, institutions should follow their established risk-based policies, procedures, and processes to determine the extent to which they investigate and evaluate negative news, in conjunction with their review of transactions occurring by, at, or through the institution, to determine if an SAR filing is required. (February 2021)
Question: If after reviewing suspicious activity, the bank determines not to file a Suspicious Activity Report, what should be documented and retained to support why the SAR was not filed?
Answer: The documentation when the bank has determined a SAR filing is warranted, or alternatively has decided not to file a SAR, should be very similar. The IBA generally suggests the bank document the type of activity the bank found suspect and the date of the initial detection. You should further document items that were reviewed and considered during the bank’s investigation. Include your decision and the basis of the decision. Lastly, document the specific date the decision was made to file or not file a SAR. (November 2019)
Question: If an institution determines that a customer is engaged in check kiting, is it required to file a Suspicious Activity Report? What if we confront the customer and stop the kite or close the account? Is the SAR still required?
Answer: The Bank Secrecy Act (12 CFR § 563.180(d)(3)(ii)) requires a SAR to be filed for known or suspected violations aggregating $5,000 or more where a suspect can be identified. Check kiting is illegal and kiting schemes involving transactions aggregating $5,000 or more must be reported. Kiting typically occurs when a depositor with accounts at two or more banks draws checks against the uncollected balance at one bank to take advantage of the float, i.e., time required for the bank of deposit to collect from the paying bank. Further, the depositor initiates the transaction with knowledge that there are not sufficient collected funds available to cover the amount of the checks drawn on all accounts. If the amount of the items aggregate to total more than $5,000, you must file a SAR even if you subsequently stop the kite or close the account.
Question: When should a Suspicious Activity Report related to cyber-events be filed? Is it based on the SAR filing thresholds? Or whether or not the cyber threat resulted in a loss for the bank or customer?
Answer: A financial institution is required to report suspicious activity conducted or attempted by, at, or through the institution that involves or aggregates $5,000 or more in funds or other assets. If a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate or affect a transaction or a series of unauthorized transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions. Cyber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.
In determining whether a cyber-event should be reported, a financial institution should consider all available information surrounding the cyber-event, including its nature and the information and systems targeted. Similarly, to determine monetary amounts involved in the transactions or attempted transactions, a financial institution should consider in aggregate the funds and assets involved in or put at risk by the cyber-event, NOT the loss to the bank or its customer.
The FinCEN Cyber Threats Advisory is a helpful resource if your bank has a cyber-event and details what information should be included in the SAR. The information that financial institutions include on SARs when reporting cyber events is a valuable source of information for law enforcement. Information such as IP addresses with timestamps, cyber-event data and virtual-wallet information can often be used to track criminals, identify victims, and trace illicit funds.
Continuing SARs
Question: While doing a review of activity since a previous suspicious activity report (SAR) was filed to determine if a continuing SAR should be submitted, we identified new suspicious activity related to the customer that was previously not reported. For Item 1 on the SAR that will be submitted, can we check both “Continuing activity report” and “Initial report”?
Answer: It depends on whether the activity for the customer that triggered the original SAR is still occurring. If it is, the scope of the review for continuing activity should not be limited to the previously identified activity. New suspicious activity can also be reported on the Continuation SAR. FinCEN SAR Instructions for Item #1 notes “check all that apply”, so you should mark both “Initial report” and “Continuing activity report” for the continuation SAR in this situation. If, however, the activity that triggered the original SAR filing has stopped and new, different, suspicious activity has started, a new SAR should be filed regarding the new activity with only “Initial report” marked.
Regarding the review and reporting timing requirements, it is also a good reminder that, in addition to the original activity reported, if any new suspicious activity surfaces for the subject that is not related to the prior report activity, the new activity should be investigated under the standard alert and case investigation timeframes (30 days when a subject is identified and 60 days when a subject is not identified). For example, if a SAR was filed previously for structuring which is continuing and now the same customer is flagged for unusual wire activity, the wire activity review cannot be postponed and reviewed with the structuring SAR 90-day review. This may mean you need to file the SAR containing both the continuing and new activity within the 30-day timeframe.
Question: If our bank filed a Suspicious Activity Report and, during its mandatory 90-day review, finds that the customer has stopped the original suspicious activity but uncovers other, new suspicious activity for the same customer, should the bank file a continuation SAR or a new SAR?
Answer: The bank should file a new SAR. The SAR instructions state, “A continuing report should be filed on suspicious activity that continues after an initial FinCEN SAR is filed.”
The rule appears to contemplate repeated SAR filings for the same activity and directs banks to file continuing reports rather than new reports for activity that is ongoing, meaning the subject of the initial SAR is engaging in the same type of previously reported activity. In your example, however, the initial SAR subject has discontinued the original suspicious activity and is now engaging in different suspicious activity. In this case, the bank should file an initial report within the normal SAR filing deadline of 30 days. Since the customer is the same, consider cross-referencing the prior SARs filed for the same subject in the new SAR narrative to point out the same person previously engaged in another type of suspicious activity. Referencing any prior SAR filing(s) assists law enforcement in connecting the cases.
Question: Our bank filed an initial Suspicious Activity Report on a customer almost a year ago. One continuation SAR was filed after that, but the activity stopped for several months and no further SARs were filed. Now, the same suspicious activity just started again. When we file the SAR, should it be a continuation SAR or a new initial SAR?
Answer: Since there have not been ongoing continuation SARs filed and there was a break in reporting, this will be a new initial SAR. However, in the narrative for this new SAR, provide an explanation of the previous related activity and reference the previous SARs.
Question: For a continuous activity Suspicious Activity Report, how should Item #30 (date or date range) be completed when the suspicious activity does not cover the full 90 days covering the continuous SAR? More specifically, can Item #30 be a different (shorter) timeframe than the 90-day review period? For example, if I am filing a continuous SAR and the 90-day review period is April, May, and June but the activity that is suspicious only occurred May 1 through June 10, should Item #30 reflect May 1 through June 10 or should it be completed using the full 90-day review period (April 1 through June 30)?
Answer: For a continuing activity SAR, Item #30 (date or date range) should be completed by entering only the date range of the suspicious activity. In the example above, May 1 through June 10 would be acceptable even though the full review period is April, May, and June. You should also include aggregated date range information for all SARs filed within Part V, the Narrative. FinCEN provides the following guidance on this topic:
FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Requirements XML Schema 2.0 – FinCEN SAR XML Schema User Guide (version 1.5 | July 2020) Page 153
Part II — Suspicious Activity Information
*30. Date or date range of suspicious activity for this report
a. From: MM/DD/YYYY
b. To: MM/DD/YYYY
Item *30 Date or date range of suspicious activity for this report: Enter the suspicious activity date or date range for this report. If the suspicious activity occurred on a single day, enter that date in field 30a “From” and leave field 30b “To” blank. If the suspicious activity occurred on multiple days, enter the earliest date of suspicious activity in field 30a and the most-recent date of suspicious activity in field 30b. If the exact date(s) of the suspicious activity is (are) unknown, enter a date range that the filer believes will encompass the date(s) of the suspicious activity. Explain the nature of this date range in Part V. If the FinCEN SAR involves continuing activity with box 1c “Continuing activity report” checked, enter only the date range covered by this FinCEN SAR. Record in Part V the aggregated date range of all FinCEN SARs filed on the continuing suspicious activity. Use the format MM/DD/YYYY for dates in a discrete FinCEN SAR and the format YYYYMMDD for dates in a batch-filed FinCEN SAR.
Question: When can I stop filing Suspicious Activity Reports? Our bank has filed SARs every 90 days on a customer we suspect is structuring and evading taxes. Finally, after two years, law enforcement has notified the bank that they are investigating the customer. Can the bank now stop filing these SARs, since law enforcement has been made aware of, and acknowledged, the SARs?
Answer: No! The reason the bank files a SAR, including those involving repeated activity, is because it knows, suspects or has reason to suspect that there is illegal activity or something that violates U.S. law or regulation. Just because one agent of law enforcement launches an investigation does not mean the bank can discontinue filing SARs (assuming the activity meets the dollar thresholds). In fact, there may be another unit of law enforcement that is equally interested once the activity meets their threshold and is within their jurisdiction.
FinCEN guidance instructs that the only reason to stop filing repeat SARs is if the repeated activity stops (including when the bank closes the account and terminates the relationship) or if the bank determines there is a reasonable explanation for the activity. This may be a result of the bank’s enhanced due diligence or some material evidence that comes to light in the course of the bank’s investigation.
Question: We recently filed a Suspicious Activity Report on a customer for “unusual cash activity” and within a couple weeks following, it became apparent the customer was “structuring”. We then filed another SAR on this same customer for “structuring”. We are approaching our timeframe for filing the “continuation SAR”; however, the activity now is purely “structuring”. Can we combine these two SARs into one and within the narrative explain the activity from the initial SAR filing has “technically” ceased and the ongoing activity triggering the filing of the continuation SAR is the “structuring” activity?
Answer: Yes, through conversation with FinCEN, we believe this would be proper as the activity from the initial SAR filing has now ceased which would not require a “continuation SAR” to be filed. Within the narrative for the “continuation SAR” for the structuring activity, you will want to refer to the initial SAR for the “unusual cash activity” so FinCEN can tie them together to understand the complete story as to what activity has occurred since the initial SAR filings.
Alternatively, since the bank filed the original SAR for “unusual cash activity” and through continued monitoring determined the activity is “structuring”, the Bank could have waited until it was time to file the “continuation SAR” and added the “structuring” activity to the continued SAR filing. When filing the continuing SAR, the bank should be monitoring the account and reporting any additional suspicious activity at that time. (September 2019)
Question: We are in the process of filing a continuing activity Suspicious Activity Report that was originally filed based on two different suspicious activities. During this review period it has been determined one of the previous suspicious activities has ceased; however, the second suspicious activity is still ongoing. When we file our continuing activity SAR how should we go about completing the dollar amount section and the narrative due to one of the activities originally filed on no longer being deemed suspicious?
Answer: You would proceed with filing a continuing activity report, but the report should only be indicative of the activity and dollar amounts that occurred during the period that was under review. The narrative should provide details about any change in activity in addition to describing any new activity that occurred during the period under review.
Miscellaneous
Question: We know we have to report information on Suspicious Activity Reports filed by our bank to our Board of Directors (BOD). What information are we required to report? Is there a required format we need to follow?
Answer: The bank’s BOD is ultimately responsible for the bank’s BSA program. As a result, they need adequate information to assess whether the bank’s BSA program meets regulatory requirements they are required to fulfill. Thus, banks are required to keep their BOD informed of the SARs the bank has filed. However, there is no required format or list of information that is required to be provided. The BSA/AML Manual states the following:
“Banks are required by the SAR regulations of their federal banking agency to notify the board of directors or an appropriate board committee that SARs have been filed. However, the regulations do not mandate a particular notification format and banks should have flexibility in structuring their format. Therefore, banks may, but are not required to, provide actual copies of SARs to the board of directors or a board committee. Alternatively, banks may opt to provide summaries, tables of SARs filed for specific violation types, or other forms of notification. Regardless of the notification format used by the bank, management should provide sufficient information on its SAR filings to the board of directors or an appropriate committee in order to fulfill its fiduciary duties, while being mindful of the confidential nature of the SAR.”
Question: When does the 30-day time frame to file a Suspicious Activity Report begin?
Answer: The SAR reporting rules require that a SAR be filed no later than 30 calendar days from the date of the initial detection of facts that may constitute a basis for filing a SAR. If no suspect can be identified, the time period for filing a SAR is extended to 60 days. Upon identification of unusual activity, additional research is typically conducted, and institutions may need to review transaction or account activity for a customer to determine whether to file a SAR. The need to review a customer’s account activity, including transactions, does not necessarily indicate the need to file a SAR, even if a reasonable review of the activity or transaction might take an extended period of time. The time period to file a SAR starts when the institution, during the course of its review or as a result of other factors, reaches the conclusion that it knows, or has reason to suspect, that the activity or transactions under review meet one or more of the definitions of “suspicious activity.”
The phrase “initial detection” should not be interpreted as the moment a transaction is highlighted for review. There are a variety of legitimate transactions that could raise a red flag simply because they are inconsistent with an account holder’s normal account activity. The 30- or 60-day period does not begin until an appropriate review is conducted and a determination is made that the transaction under consideration is suspicious.
A review must be initiated promptly upon identification of unusual activity that warrants investigation. The timeframe required for completing review of the identified activity, however, may vary given the situation. According to the FFIEC’s Bank Secrecy Act/Anti-Money Laundering Examination Manual, an expeditious review of the transaction or the account is recommended and can be of significant assistance to law enforcement. In any event, the review should be completed in a reasonable period of time. What constitutes a “reasonable period of time” will vary according to the facts and circumstances of the particular matter being reviewed and the effectiveness of the SAR monitoring, reporting, and decision-making process of each institution. The key factor is that an institution has established adequate procedures for reviewing and assessing facts and circumstances identified as potentially suspicious, and that those procedures are well documented and followed.
Question: We had a subpoena from a secretary of state asking us to provide any Suspicious Activity Reports filed on a customer along with Suspicious Activity Report supporting documentation. Are we under any obligation to provide this information or does the safe harbor law protect us in any way?
Answer: SARs and supporting documentation may be made available to appropriate authorities and the safe harbor applies. See the discussion in the FFIEC BSA/AML Examination Manual:
A bank or its agent may reveal the existence of a SAR to fulfill responsibilities consistent with the BSA, provided no person involved in a suspicious transaction is notified that the transaction has been reported. The underlying facts, transactions, and supporting documents of a SAR may be disclosed to another financial institution for the preparation of a joint SAR, or in connection with certain employment references or termination notices to the full extent authorized in 31 USC 5318(g)(2)(B). The sharing of a SAR by a bank or its agent with certain permissible entities within the bank’s corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act is also allowed.
Any person subpoenaed or otherwise requested to disclose a SAR or the information contained in a SAR, except when such disclosure is requested by FinCEN or an appropriate law enforcement or federal banking agency, shall decline to produce the SAR or to provide any information that would disclose that a SAR has been prepared or filed, citing 31 CFR 1020.320(e) and 31 USC 5318(g)(2)(A)(i). FinCEN and the bank’s federal banking agency should be notified of any such request and of the bank’s response.
Examples of agencies to which a SAR or the information contained therein could be provided include: the criminal investigative services of the armed forces; the Bureau of Alcohol, Tobacco, and Firearms; an attorney general, district attorney, or state’s attorney at the state or local level; the Drug Enforcement Administration; the Federal Bureau of Investigation; the Internal Revenue Service or tax enforcement agencies at the state level; the Office of Foreign Assets Control; a state or local police department; a United States Attorney’s Office; Immigration and Customs Enforcement; the U.S. Postal Inspection Service; and the U.S. Secret Service.