Suspicious Activity Rules Are Out!

The bank regulatory agencies have issued final rules on suspicious activity reporting. The rules take effect on April 1, 1996, and that's no joke!

There are several important features in the final rules that vary somewhat from the proposal. On the whole, the news is good. In working with the new rules, it may be useful to keep in mind that the purpose is to facilitate reporting of suspicious activities. The new rules therefore emphasize process and leave banks room to make judgments on identifying and reporting activities. For example, the rules are somewhat flexible on how supporting information is filed and the rules provide additional time if needed for identifying suspects.

A bank will be required to file a Suspicious Activity Report (SAR) whenever it detects a known or suspected violation of federal law. Special emphasis is placed on the Bank Secrecy Act, but this rule applies to all violations of federal law.

In a significant reduction of regulatory burden, banks will file one form with FinCEN (the Financial Crimes Enforcement Network) and that will be the end of your filing obligations. FinCEN maintains a shared data base with other law enforcement entities and with bank regulatory agencies. The result should be more effective law enforcement and less burden on banks.

The best part of this new filing system is that the government has developed the software for you. There is no need to go on an extensive search for software programs. Simply contact your favorite regulator to obtain a copy.

Transactions to report
There are several trigger amounts for determining when to file a SAR. First, there is no ceiling or floor for filing a SAR when insider abuse is suspected. Whenever the bank has a "substantial basis" for identifying an insider, including employees and agents, as having committed or aided in a criminal act, the bank should file a SAR regardless of the dollar amount involved.

For transactions that may involve violations of the Bank Secrecy Act or its implementing regulations, the bank should file a SAR whenever the transaction involves $5000 or more. The amount should be calculated by aggregating actions or transactions of the suspect or group of suspects.

For other violations of law, there are two reporting amounts: $5,000 or more when a suspect can be identified, and $25,000 when the bank identifies a pattern or violation but does not have a substantial basis for identifying a possible suspect or group of suspects.

Time frame for reporting.
Banks will have 30 days from discovery to file the SAR. The rule turns on the bank's discovery of the transaction or facts that constitute the basis for filing; not on the date of occurrence. Thus, if a transaction occurred on Monday but was detected and identified as suspicious on the following Thursday, the 30 days for reporting would begin to run from Thursday.

The general time frame for reporting will be 30 days. However, that can be extended to 60 days from the date of discovery if the bank uses the time to identify a suspect. This extension should only be used if the bank believes that the additional time will enable it to identify a suspect and thus provide more useful and complete information to FinCEN. Otherwise, the bank should comply with the 30 day filing period.

Telephone "filing".
The rule requires banks to notify FinCEN by telephone if the bank identifies a transaction that "requires immediate attention." This would include transactions that are on-going or that may require prompt action by the government.

Notification to the bank's board.
SAR filings must be reported to the bank's board. The rule requires complete reports to the board regardless of the size of the bank and the number of SARs filed. The agencies expect the bank's board to be fully aware of the nature and extent of the bank's exposure to any illegal activities. It is permissible to report to a committee of the board, such as the audit committee. If reports are directed to a committee, the regulation contemplates that the committee will provide regular reports to the full board.

Confidentiality Requirement.
The rule maintains strict confidentiality of the SAR. When a bank is asked to disclose information in the SAR or disclosing the fact that the SAR was prepared and filed, it must reject the request and notify its regulatory agency of the request. This confidentiality rule applies even to subpoenas. Both the SAR itself and the supporting information are subject to the confidentiality requirement. Needless to say, all bank staff should be aware of this requirement and reminded never to discuss or mention any aspect of any SAR filing.

Do not confuse this confidentiality requirement with the access that a law enforcement agency may have to the information. If a law enforcement agency requests supporting documentation for a transaction or fact situation reported on a SAR, they have access to that information without producing a subpoena or pursuing other legal process. The rule treats this information as if it had been filed with the SAR. When in doubt, get your counsel's advice.

Recordkeeping
The record retention requirement has been reduced to five years. This retention period matches other record retention requirements. As a practical matter, longer periods would probably not be useful to law enforcement.

Your records need not include the original documents as long as the bank can generate the information reported. Microfiche and computer imaged records will be satisfactory.

Safe Harbor
The agencies have construed the safe harbor provision broadly, providing extensive protection to banks for filing SARs. The rule includes a provision stating this interpretation and also stating that the safe harbor applies to the supporting documentation as well as the SAR itself. This, together with the confidentiality provisions should go far to protect financial institutions from litigation.

Exemptions
In another impressive attempt to reduce regulatory burden, the rule provides that banks do not need to file a SAR if the bank has taken certain other steps that constitute official notice to the appropriate government agency. For example, if the bank reports a robbery or burglary to the appropriate law enforcement agency, that report is sufficient. Similarly, reporting missing or counterfeit securities under the SEC Act would also be sufficient compliance. This interpretation takes the practical approach that when the necessary information reaches the correct law enforcement agency through other reporting requirements, filing a SAR would not serve a useful purpose and is therefore not necessary.

ACTION STEPS

Notify all staff that the rules will take effect on April 1, 1996.
Provide special briefing sessions or information to staff that handles SARs.
Contact your regulatory agency to obtain a copy of the software that will enable you to file on magnetic media. Don't go out and re-invent the wheel - they've done it for you!
Review your internal systems for flagging suspected criminal actions. Determine whether to make adjustments to your internal system. Make sure your systems will comply with the 30 and 60 day time frames.
Schedule training on the new rule. It may be useful to combine training on the new CTR and the new SAR so that the training can demonstrate how they work in conjunction. Be sure all staff is aware of the confidentiality requirement.
Emphasize in training that the SAR should be filed whenever the bank detects a known or suspected violation of federal law, not simply when there is suspected money laundering.