Compliance professionals, we need to talk about suspicious activity reporting. The regulators say we’re not doing it well enough.
In July the British government published a three-year plan to reform its approach to economic crime. Improving the quality of suspicious activity reports (SARs) was one of seven strategic priorities.
That plan came on the heels of a paper the U.K. Financial Conduct Authority published in June, reviewing the anti-money laundering programs at 19 financial firms. Two of the major points in the review apply here to our understanding of suspicious activity reports (SARs).
"We found that participants were generally at the early stages of their thinking in relation to money-laundering risk and need to do more to fully understand their exposure… We found that the nature of transactions in this sector means that effective customer risk assessment and customer due diligence (CDD) are key to reducing the opportunities for money laundering."
This ties into numerous studies showing that most SARs are false positives, where no misconduct actually exists. Meanwhile, compliance programs also allow too many false negatives to sneak through the cracks — clearing transactions that in fact are suspect.
(First, a reminder of exactly what a SAR is. It’s what financial firms must file, as required by the Bank Secrecy Act, when they discover facts about a customer that suggest possible money laundering or similar misconduct. The form must be filed within 30 days to the Financial Crimes Enforcement Network. It’s an actual form, filed electronically, with many potential points of data to include.)
As the Financial Conduct Authority said, too many firms are still too early in the maturity curve of an effective AML compliance program. And given the threats that regulators want to reduce (tax avoidance, terrorism funding, criminal activity), information about the customer is crucial to successful AML compliance.
U.S. regulators have been telegraphing the same message. Consider the Customer Due Diligence (CDD) rule that FinCEN adopted in 2018, requiring financial firms to identify the beneficial owners of companies opening new accounts. The point of the CDD rule is to focus on the persons behind a transaction, rather than on the transactions themselves.
That’s how we improve suspicious activity reporting: not by filing more SARs, but by filing more informative SARs. Knowledge about the customer gives law enforcement the context it needs to make better judgments.
Of course, before supplying useful information like that, companies need programs in place that can acquire, track, and analyze that information.
Due Diligence Is the Cornerstone of Effective Suspicious Activity Reporting
Companies need to gather and verify critical information about customers and their beneficial owners. That can include date of birth, employer of record, taxpayer ID number, and so forth.
So step one is to develop workflows that collect all that information.
Most firms will say they already do that, but consider two points here. First, attention to money laundering is going global. More countries want to enforce against it, and more countries are holding firms accountable for compliance failures that happen anywhere in the world. So your workflows must be effective across the entire, global enterprise.
Assure that your compliance program can incorporate new, evolving data into your due diligence efforts.
Second, remember that duty to verify information. Regulators are moving to bring more transparency to ownership information. Registries of shell companies and their owners have proliferated across Europe. And Congress is at least talking about reform of anonymous shell companies in the United States.
As data like that becomes available, regulators will expect firms to cross-reference it to verify their own due diligence work.
So step two is to assure that your compliance program can incorporate new, evolving data into your due diligence efforts.
Customer Information & Transaction Analysis Need to Build a Narrative
Firms need to build analytics capability that effectively track information about customers and their transactions. Those things must go together if we want better SARs and lower error rates.
A thorough suspicious activity report doesn’t just report what the activity is. It presents a narrative of why the activity is suspicious, given the specific profile of the customer. For example, take a pizza cook making weekly deposits of $4,500 to his personal bank account. This is suspicious activity because the person is a pizza cook, not because $4,500 is just below the $5,000 threshold for banks to report large deposits to regulators.
This type of thoughtful, informative due diligence gives law enforcement and regulators the context they want.
In practice, nobody has the budget, manpower, or desire to run a manual compliance program that way. Compliance programs inexorably will rely more and more on technology to do as much of that data collection and vetting as possible.
Yes, humans will always be necessary to make especially subjective judgments, or to deal with particularly high-risk (or, let’s be honest, high net worth) customers. But technology is the lynchpin of anti-money laundering programs that build SARs with thorough customer profiles, transaction histories, and actionable intelligence about potentially suspicious activity.
And that, without question, is what regulators want more of.