Bank Secrecy: SARs, The Government Gets SARs

The government gets Suspicious Activity Reports - lots of them. And from time to time, the government analyzes trends and publishes their findings. In October, FinCEN published its third "SAR Activity Review." While much of the information is not particularly surprising (more SARs are filed in California than any other state) there is some wisdom to be gleaned from the analysis.

This third issue of the SAR Activity Review concentrates on an analysis of suspicious activity reported by money service businesses (MSBs). Particularly in the wake of September 11, 2001, the analysis provides insight into methods used to move money without triggering the reporting and recording requirements of the U.S.A. and other countries.

Computer Intrusion
The new SAR asks for information about computer crimes, most notably computer intrusion. The reports show a significant increase in computer crimes. However, FinCEN notes several deficiencies in the reports themselves.

Computer intrusion is defined specifically to include any action that invades a financial institution's system and causes harm through theft, misappropriation, fraud, or disabling the system. It does not include computer problems that do not result in the specified harm. Thus, reports of tampering with a website that does not involve actual bank intrusion is not something that should be reported on the SAR.

The largest number of computer invasions reported involved employees of the financial institution. Computer crime is simply a new way for employees to dip into the till.

Another activity that was reported involved a "white knight" hacker who contacted the bank, claiming to have hacked in successfully and gained access to customer information. The self-appointed white knight then offered to help the bank prevent such problems in the future - for a very stiff price. FinCEN concludes that this activity simply boiled down to extortion.

The most interesting features of the report involves the descriptions of reports from money transmitters who identified techniques for structuring and laundering money. In the context of what is now known about how the terrorists made financial arrangements and communicated, these reports are particularly significant.

The structuring reported by MSBs were multiple transactions conducted by a number of senders and a number of receivers. The amount of each transfer fell under the $3,000 limit. For example, many amounts involved transmissions of $2,500. Cumulatively, the transfers could add up to $100,000.

What set off the alarm signals were several common denominators to the transactions. The individuals, senders or receivers, might share a common address or list the same telephone number. Or two or more had the same last name. Another alarm signal was the timing of the transfers. These possibly related transfers occurred within a very short period of time. On occasion, the senders arrived in a group and each conducted a transaction.

Other suspicious behavior was one individual using different offices of the MSB on the same day to make structured transfers. Finally, the occupations listed for the senders didn't match or support the amount of money being transferred.

Getting SARs Right
Instructions for SARs are explicit. There is clear guidance for filling out the form. Generally, people do fairly well at this. The most important omission involves the failure to check all of the pertinent crimes. Structuring, for example, may involve money laundering or computer invasion as well as the act of structuring. In reviews, be sure that all relevant crimes have been indicated.

There is a much more important shortcoming with SARs filed. The new SAR, unlike its criminal referral predecessor, asks the reporter to describe the transaction being reported and to maintain - in the financial institution - all relevant documents to support the report. These documents are not to be sent in with the SAR. However, some people - perhaps trying to be extra helpful - send them in anyway. It's a waste of time and paper because they don't go into a data base where they can be used.

The other problem with SARs is that, instead of providing a concise description of the activity being reported, the reporter puts in something like "see attached documents." First, the documents aren't supposed to be attached. Second, this fails to provide any description that can be used as part of the data base by investigators.

Using SARs
SARs are more - much more - than a report to the government. They are cumulatively a tool for investigation of crimes and criminals. That is why the reports form a database and that is why it is important to complete the SARs correctly.

In its third SAR Review, FinCEN includes some tips on completing SARs that could seem like clerical nit-picking but can make a vital difference in the value and utility of the SAR.

FinCEN recommends that filers obtain and record "as much suspect information as possible." The completeness of this information increases the effectiveness of law enforcement tracking. To the extent possible, use full and complete names and especially try to obtain the customer's first name. Try to avoid using initials. That, after all, is how many of the terrorists have managed to go undetected.

Addresses for reported suspects should be as complete as possible. This may mean more than the standard three-line address. Reports should include details about an address that might easily be omitted, such as apartment or suite numbers, and the complete name of the street, road, avenue, lane, or court. If the applicant provides an address from a foreign country, include the name of the country. FinCEN recommends that the standard country codes be used for this purpose. Using standard codes makes them recognizable by computer analysis.

The method and number used to ID the customer are also key. All numbers should be complete, meaning that a passport number should include the country of issuance, and a driver's license should include the issuing state.

FinCEN also requests that filers complete all parts of the form and not use the narrative portion as a substitute for filling out the form. Although using the narrative may seem easier, it renders the SAR almost useless by keeping key information out of the data items where it should be. Using the narrative in lieu of filling out the form is much like writing a word document instead of putting the information in a spread sheet. When the user of the information goes to use the spread sheet, key information will be in the general narrative dump rather than in the location where the computer picks up the specific data item.

Finally, collect information about the customer's occupation. This is useful both by the institution in determining whether an activity is suspicious and by law enforcement investigators. Sometimes an investigation identifies certain covers or occupations used by criminals or terrorists. And sometimes, the facts simply don't add up.

ACTION STEPS

Review SARs to evaluate whether the form is properly completed, including an indication of all relevant crimes. Sometimes more than one box should be checked.
Check to see that names and ID documentation is complete.
Review the descriptions of the activity and consider what these descriptions communicate to an investigator.
Compare descriptions to the back-up documents on file. Consider whether the descriptions are accurate and whether both the descriptions and the documents are adequate.
Share information about suspicious activity that has been reported. Include this in training or an internal newsletter or memo. These stories always make interesting reading.
Explain how investigators use SARs to help staff understand why the SAR should be filled out in detail - and correctly.
Encourage customer contact and wire room staff to be observant and to discuss their concerns about suspicious customers with you.