Skip to main content


Suspicious Activity Reports [Part 1/2]: Big Leaks, Tighter Controls

By Blog, Featured

SARs have been in the media a lot recently, dragging these reports into the limelight. Here we discuss how financial firms are expected to respond.

Suspicious Activity Reports (SARs) are undoubtedly the most sacrosanct of all anti-money laundering (AML) work product. Beyond confidential, these reports cannot be disclosed even at grand jury proceedings. Years ago the Financial Crimes Enforcement Network (“FinCEN”) issued a set of final rules on SAR confidentiality, expanding that secrecy from the SAR itself to disclosing the underlying transactions behind the report. By extension this rule has been further interpreted to include the rationale for filing, as well as any discussions on whether or not to file a SAR at all. Still, despite this secrecy, SARs have been referenced in the media a lot in the past few years, bringing the reports begrudgingly into the limelight. 

READ MORE: A New Dawn for AML Compliance + 7 Questions You Should be Asking


A Slow Crescendo: SARs in the Limelight

In 2008, there was a reference to a now-former state politician’s implication in a prostitution ring. At the heart of one article was the mention of how investigators were clued into the politician’s alleged misconduct thanks to a SAR filed by the bank where the politician went, trying to send unusual round-dollar transactions to the ring’s operator. Years later, the public was likely unaware of another “leak” event.

This leak was brought to light by an investigator at a bank who had actually reached out to the subject of a SAR to solicit a bribe in exchange for information on the case. It wasn’t until years later that SARs not only reemerged, but they did so with a bang. A major publication had been given in-depth details of SARs filed from multiple banks in regards to Michael Cohen, and his reported misuse of a shell company, as well as Paul Manafort, and a foreign agent named Maria Butina. The SARs were reportedly leaked from within the Treasury, and several guilty pleas have since been proffered.

Thankfully for both global and financial institutions, there were no indications that any banks had done anything unsound to cause or exacerbate the leak. Still, the articles and related activity should serve as a trigger event for financial institutions to review their SAR-related procedures to reinforce a framework of confidentiality. 

SAR Trigger Events: Financial Firms Expected to Respond

In part 2 of this article, we will talk about some of the institutional concerns regarding the “FinCEN Files”exposé from September 2020. Even though the majority of the recent SAR leak events have been sourced in the public sector, they should serve as a major trigger event for financial institutions to review their own policies and procedures regarding SAR confidentiality. 

Employees with any exposure to or knowledge of any area of AML compliance should be acutely aware that they should:

1) Never disclose the existence of (or contemplation of filing of) a SAR,

2) Immediately report any suspected breaches of SAR confidentiality.

In addition, when considering IT or information security testing, financial services firms should consider whether there are controls in place to limit access to case management tools, investigators’ case journals, and supporting documents.

These controls should focus both on internal privacy (i.e., need to know access only) and data tagging (i.e. confidential, classified, etc. for all SAR materials), as well as outward screening tools to ensure that SAR-sensitive documents are not sent out of the bank by email, external drive, or other file transfer methods.

Similarly, all SAR filing staff should have enhanced procedures and likely training to reiterate the need to store SAR-sensitive documents and communications in those secure platforms.

While financial services firms cannot anticipate all misconduct related to SAR leaks, it is guaranteed that they will need to demonstrate to their regulators that they have taken these recent leak events under consideration, and confirmed that all of their identifiable leaks have been plugged. This process starts by first identifying what your regulatory obligations are in regards to SARs and other FinCEN rules.

READ MORE: Broker-Dealer automates SEC, FINRA, and NFA obligations with Ascent


Know Your FinCEN Obligations

When it comes to identifying your requirements and obligations for FinCEN and other regulators, automation can create massive efficiencies. 

The process of collecting regulatory updates across multiple sources is time-consuming and at high risk for gaps. Conducting impact analysis to determine which of those updates are actually applicable to your firm adds another layer of manual work and complexity. 

Ascent is a regulatory knowledge automation solution that generates your firm’s obligations keeps them updated as rules change. Ascent helps compliance teams zero in on the regulatory information that is relevant to the firm, freeing up time and resources to focus on higher-value activities such as maintaining policies and procedures and executing compliance throughout the organization.

INFOGRAPHIC: Regulatory Knowledge Automation, Explained


For more on regulatory knowledge automation and how it can play a role in your compliance framework, check out this blog. To stay up to date on all things compliance and technology, subscribe to our email series Cliff Notes below.