

Suspicious Activity Reports [Part 1/2]: Big Leaks, Tighter Controls


SARs have been in the media a lot recently, dragging these reports into the limelight. Here we discuss how financial firms are expected to respond.

Suspicious Activity Reports (SARs) are undoubtedly the most sacrosanct of all anti-money laundering (AML) work product. Beyond confidential, these reports cannot be disclosed even at grand jury proceedings. Years ago the Financial Crimes Enforcement Network (“FinCEN”) issued a set of final rules on SAR confidentiality, expanding that secrecy from the SAR itself to disclosing the underlying transactions behind the report. By extension this rule has been further interpreted to include the rationale for filing, as well as any discussions on whether or not to file a SAR at all. Still, despite this secrecy, SARs have been referenced in the media a lot in the past few years, bringing the reports begrudgingly into the limelight. 



A Slow Crescendo: SARs in the Limelight

In 2008, there was a reference to a now-former state politician’s implication in a prostitution ring. At the heart of one article was the mention of how investigators were clued into the politician’s alleged misconduct thanks to a SAR filed by the bank where the politician had tried to send unusual round-dollar transactions to the ring’s operator. Years later, the public was likely unaware of another “leak” event.

This leak was brought to light by an investigator at a bank who had actually reached out to the subject of a SAR to solicit a bribe in exchange for information on the case. It wasn’t until years later that SARs reemerged, and they did so with a bang. A major publication had been given in-depth details of SARs filed by multiple banks regarding Michael Cohen and his reported misuse of a shell company, as well as Paul Manafort and a foreign agent named Maria Butina. The SARs were reportedly leaked from within the Treasury, and several guilty pleas have since been proffered.

Thankfully for both global and financial institutions, there were no indications that any banks had done anything unsound to cause or exacerbate the leak. Still, the articles and related activity should serve as a trigger event for financial institutions to review their SAR-related procedures to reinforce a framework of confidentiality. 

SAR Trigger Events: Financial Firms Expected to Respond

In part 2 of this article, we will talk about some of the institutional concerns regarding the “FinCEN Files” exposé from September 2020. Even though the majority of the recent SAR leak events have been sourced in the public sector, they should serve as a major trigger event for financial institutions to review their own policies and procedures regarding SAR confidentiality.

Employees with any exposure to or knowledge of any area of AML compliance should be acutely aware that they should:

1) Never disclose the existence of (or contemplation of filing of) a SAR,

2) Immediately report any suspected breaches of SAR confidentiality.

In addition, when considering IT or information security testing, financial services firms should consider whether there are controls in place to limit access to case management tools, investigators’ case journals, and supporting documents.

These controls should focus both on internal privacy (i.e., need-to-know access only) and data tagging (i.e., confidential, classified, etc. for all SAR materials), as well as outward screening tools to ensure that SAR-sensitive documents are not sent out of the bank by email, external drive, or other file transfer methods.

Similarly, all SAR filing staff should have enhanced procedures and likely training to reiterate the need to store SAR-sensitive documents and communications in those secure platforms.

While financial services firms cannot anticipate all misconduct related to SAR leaks, it is guaranteed that they will need to demonstrate to their regulators that they have taken these recent leak events under consideration, and confirmed that all of their identifiable leaks have been plugged. This process starts by first identifying what your regulatory obligations are with regard to SARs and other FinCEN rules.



Know Your FinCEN Obligations

When it comes to identifying your requirements and obligations for FinCEN and other regulators, automation can create massive efficiencies. 

The process of collecting regulatory updates across multiple sources is time-consuming and at high risk for gaps. Conducting impact analysis to determine which of those updates are actually applicable to your firm adds another layer of manual work and complexity. 

Ascent is a regulatory knowledge automation solution that generates your firm’s obligations and keeps them updated as rules change. Ascent helps compliance teams zero in on the regulatory information that is relevant to the firm, freeing up time and resources to focus on higher-value activities such as maintaining policies and procedures and executing compliance throughout the organization.




A New Dawn for AML Compliance + 7 Questions You Should be Asking


To those in the anti-money laundering practice, Nina Simone’s memorable singing that it’s a “new dawn” and “a new day” may be best suited to the recently-passed Anti-Money Laundering Act (AMLA) of 2020. Passed as part of a broader National Defense Authorization Act (NDAA), the AMLA is likely the most sweeping financial crime-related law update in the U.S. since the USA PATRIOT Act almost two decades ago.

There are, of course, some appropriately-hyped provisions within the AMLA, as well as a few that are related to it, that bear a little bit more attention from compliance practitioners. 


There’s Risk, then there’s Risk

The AMLA is clearly written, with no in-between-the-lines review needed. As a result, the Secretary of the Treasury will review components of current BSA/AML requirements to see where “adjustments” are necessary. From there, a report that will effectively de-prioritize what the AMLA calls “noncomplex” reporting will be issued, perhaps such as Suspicious Activity Reports (SARs) that deal with run-of-the-mill structuring. 

SARs as a Strategic Priority

The big shift with the AMLA is that there will be yet another report on “strategic priorities,” meaning that SAR reporting is going back to its roots as an information gathering tool for law enforcement and intelligence agencies. Still, what the AMLA hasn’t clarified is whether financial institutions will be able to forgo the “simple” SARs to focus on the more “valuable” SARs, or whether banks will be on double duty to report both. Risk assessments will be put in the same boat as SARs, having to review for those strategic priorities while still looking for the risks unique to their bank’s profile.



Anonymously Speaking

Maybe the most lauded of the AMLA’s provisions is the Corporate Transparency Act (CTA), which doesn’t criminalize or ban shell companies as a structure, but requires that most incorporated entities fall in line with beneficial ownership requirements. The biggest change is that the CTA requires FIs to collect historical information that was exempt from the 2018 regulation’s requirements. FinCEN will then create a registry, with certain exceptions, and will allow FIs to scrub KYC data for their due diligence processes against that list. The mechanics of the list, collection, and verification process aren’t known, meaning that FIs will have to continue to take a risk-based approach to business types. 



Corruption in Politics and Art

What should get special attention, tying into the NDAA, is the emphasis on the risk related to corrupt political leaders (see the “Kleptocracy Asset Recovery Reward Act”) as well as arts and antiquities dealers. The NDAA goes further here by expanding the foreign bank account records held by a U.S. affiliate, such as KYC information, making those records fair game for subpoena.  



7 Questions You Should be Asking

While we wait for the underlying regulations from the AMLA, a few lingering questions remain. First of all, where the AMLA references the intention to streamline and automate, will firms be held accountable if they don’t find ways to do so? Not very likely.  

However, as FIs are required to automate more processes and reporting, will there be a risk of over-automation while regulators challenge the insufficiency of a BSA/AML compliance program’s human touch?  

There is still time before the one-year window for the Treasury to issue supporting regulations kicks in. In the meantime, here are a few questions that FIs should be asking:

1. Are we asking enough questions? Or, minimally, are we asking the right questions for LLP/LLC-type customers? Are we prepared to retroactively work towards data collection beyond the 2018 Customer Due Diligence (CDD) rule’s requirements?

2. What are we doing in terms of Politically Exposed Persons screening? Are we looking for stolen government funds? 

3. How will we risk-rate art/antiquity dealers going forward?

4. What’s the status and strength of our risk assessment process? Have we kicked the tires on the methodology recently? Will we be ready when new priorities emerge? Or will we be behind and at risk of missing critical requirements?

5. Are our SARs “highly” useful to law enforcement? Or do we need to reinvent our processes with a closer eye on crime and intelligence?

6. If we are going to revamp our SAR processes, what are the best ways to make sure that second-line testing and audit are on board?

7. What should we automate? Where can we innovate? What processes are the most vulnerable to regulatory gaps?

Automate Regulatory Knowledge for AML Compliance

When it comes to identifying your requirements and obligations for AMLA and other regulations, automation can be especially helpful. 

The process of collecting regulatory updates across multiple sources is time-consuming—and it’s only step one of a multi-step process. The next step of determining which updates will actually impact your firm is even more of a challenge.

Ascent is a regulatory knowledge solution, which automatically surfaces the right information and pinpoints your firm’s obligations. Ascent helps compliance teams zero in on the regulation that is relevant to the firm, freeing up time and resources to focus on higher-value activities such as maintaining policies and procedures and executing compliance throughout the firm.
