Introduction to Suspicious Activity Reports and Best Practices

Suspicious activity report (SAR) is an integral and at the same time puzzling aspect of compliance in any company. Businesses often get into turmoil as to what triggers such a report, are there any specific tools to create it and can it be reported under the whistle-blower concept or do the informants need solid proof of the suspicious activity?

Besides, being ignorant of SAR essentials comes at a high price. As an example, Capital One bank was fined $100 Million over the absence of suspicious activity reports on controversial transactions and inadequate risk management.

Here, we want to highlight the up-to-date key elements and best practices of the SAR.

What is a suspicious activity report

A SAR is a report that has to be submitted for a review in case a business is suspecting criminal activity. As a rule, a SAR is never requested by a financial authority — the company itself is obliged to report suspicious user behaviour or transaction as soon as it is revealed to them.

Usually, a suspicious activity report will incorporate detailed information on the company and the incident to advance the investigation.

• the type of activity of the company;
• the responsible compliance officer contacts;
• the person who (allegedly) conducted the suspicious transaction;
• type of suspicious transaction (currency exchange, cash conversion, remittance, use of foreign bank accounts, purchase of goods, gaming activities, use of shell companies and so on);
• the volume and currency of the transaction;
• the alleged jurisdiction where the money came from;
• the origin of the money (and origin itself, that is, where did the money come from – money laundering, terrorist financing, drug trafficking, fraud);
• who and under what circumstances discovered a suspicious transaction;
• the security measures taken.

The AML laws describing how to file the report and its contents vary across countries, depending on the nature of the suspicious activity and the particularities of the financial institution itself, but the core stays the same.

Who needs to submit a SAR and when

SAR is a must for any financial institution that can be targeted by criminals. Anything from banks and money processors to casinos and gems dealers. The institution or its employees will have to file a SAR if they suspect and have certain proof of the illegal activity.

• A company suspects and have reasonable grounds to believe that their employee or customer is engaged in criminal activity;
• There are signs of ML or BSA violations;
• A company’s computer system has been hacked;
• A customer is suspected in unlicensed business operations,
  etc.

Note: the organization or individual involved in filing the report can remain anonymous if they wish so.

If a business finds itself immersed in a worrisome position over suspicious activity they have to be proactive and submit valid information to the authorities before receiving punishment for failing to do so.

SAR regulations and fines

Global outlook on SARs can vary in the circumstances and transaction values that trigger the necessity of a SAR and the size of a fine for not aligning with these demands.

• Reporting in the USA

Financial Crimes Enforcement Network (FinCEN) acts on the Bank Secrecy Act (BSA) to ensure that financial institutions will raise awareness of the suspected violations.

In the US, SARs must be filled if a suspicious transaction involves over $5,000. A SAR must be filed within 30 days after the suspicion came to exist. If the case requires more time to gather supporting evidence, the deadline can be moved by 60 days. BSA encourages nominated officers to submit reports online.

The US also requires SAR to be kept for five years. Penalties for non-compliance range from fines, loss of banking charter and restrictions to prison sentences.

• Reporting in the UK

In the UK, the National Crime Agency (NCA) supervises the submission of the SARs in case of unusual or exceptionally large transactions. The NCA accepts reports in physical format and through the SAR online system filed by an assigned officer.

• Reporting in Switzerland

In Switzerland, financial institutions report the suspicion to the Swiss Financial Intelligence Unit otherwise known as the Money Laundering Reporting Office of Switzerland (MROS). Failure to comply results in severe monetary penalties (up to CHF500,000 or CHF150,000 in case of negligence) and opening of criminal proceedings.

A general reporting form should be printed and emailed to MROS.

• Reporting in Germany

In Germany, STRs are regulated under the GwG. BaFin sets the thresholds, saying that there must be sufficient, clear indications for a SAR to be triggered. The SARs should be sent to the Federal Criminal Police Office — BKA and kept for five years.

• Reporting in the Czech Republic

In the Czech Republic, obliged entities are required to report suspicious transactions to the Financial Analytical Unit (FAU).

• Reporting in Latvia

Latvian regulations require to file an Unusual or Suspicious Transaction Report (UTR or STR). The reports must be submitted to the Financial Intelligence Service.

• Reporting in Cyprus

In Cyprus, suspicious activity and suspicious transactions are reported to MOKAS. Failing these legal obligations is punishable by imprisonment for up to 2 years and/or by a financial penalty up to €5,000. The report can be filed through a ‘goAML system’.

• Reporting in Singapore

In Singapore, businesses report to Suspicious Transaction Reporting Office (STRO). You can file a Cash Transaction Report (“CTR”) (Form NP 784) electronically or via paper form. For individuals, the maximum penalty for failing to file a Suspicious Transaction Report is S$250,000 and/or up-to three years’ jail. For corporations, the maximum fine reaches S$500,000.

• Reporting in Hong Kong

In Hong Kong, businesses must approach the Joint Financial Intelligence Unit (JFIU) of the Hong Kong Police. Failure to report suspicious transactions is a criminal offense with a maximum penalty of three months imprisonment and a $50,000 fine.

• Reporting in Australia

Australian suspicious matter reports (SMRs) are submitted to AUSTRAC online. Failing to submit an SMR in time leads to 20,000 penalty units in the Federal Court of Australia or 100,000 penalty units for body corporations. The amount of the penalty units differs depending on the date of the crime from $210 on or after 1 July 2017 to $110 before 27 December 2012.

Anyhow, the rules around SAR that we have described here might undergo further changes. The best way to comply would be to turn to the relevant regulator for valid instructions as soon as the business’s trained personnel expressed their suspicions.

Best practices for submitting a SAR

Any employee of a financial institution, who spotted suspicious criminal patterns, is eligible to file a SAR. Usually, a supervisor or a business owner decides, whether a report is necessary for the specific situation. You can submit a report manually or through an automated reporting system.

• Manual submission

To file a SAR manually, a business has to check out the website of the regulator they are reporting to. Many of them have standard SAR forms to fill out online. Businesses will have to put the findings and the requested data on the paper report or into an e-form.

Suits for: above average size firms with a relatively small and mainly local client base.

• Automated reporting

Submitting a SAR can be made effortless by reporting through an automated tool. Sumsub compliance dashboard can tune reports to the relevant regulatory demands and deliver them for the authoritative review automatically.

Suits for: medium to bigger companies with a large number of clients and transactions, international corporations.

SARs is an important instrument to supervise the domestic and international financial market. Thus, a business has to prioritize their SAR’s quality, scrupulousness, and promptness that affect the ability and the efficiency of further investigation of the criminal case.