This checklist will assist in-house counsel and compliance teams working in financial institutions and responsible for monitoring and reporting suspicious activity to the Financial Crimes Enforcement Network (FinCEN) of the US Treasury Department under the Bank Secrecy Act of 1970 (BSA), as amended by the USA PATRIOT Act of 2001 (PATRIOT Act).
It provides guidance that is of general application. You should check whether the BSA and its implementing regulations contain additional requirements for your sector.
The checklist includes the following key steps:
- Create a framework for detection and investigation
- Be alert to red flags
- Decide whether to file a Suspicious Activity Report (SAR)
- File a SAR, if appropriate
- Preserve confidentiality
The checklist is presented as a list of issues that you can check off as they are addressed. At the end of the document, there are explanatory notes corresponding to each issue in the checklist.
The checklist can be used in conjunction with the following How-to guides: How to identify suspicious activity and make a Suspicious Activity Report (SAR) and Checklist: Currency transaction reporting requirements.
Step 1 – Create a framework for detection and investigation
| No. | Requirement |
| --- | --- |
| 1.1 | Consider whether there is a clear reporting process |
| 1.2 | Designate personnel to identify, evaluate, and report suspicious activities |
| 1.3 | Ensure that the designated personnel have the tools necessary to complete their tasks |
| 1.4 | Consider whether internal investigations are well documented |
Step 2 – Be alert to red flags
| No. | Requirement |
| --- | --- |
| 2.1 | Consider whether personnel have been trained to detect suspicious activity |
| 2.2 | Consider whether there is an automated detection process in place |
| 2.3 | Consider whether there are processes in place for dealing with requests for information from law enforcement |
Step 3 – Decide whether to file a SAR
| No. | Requirement |
| --- | --- |
| 3.1 | Consider whether the transaction meets mandatory reporting thresholds |
Step 4 – File a SAR, if appropriate
| No. | Issue |
| --- | --- |
| 4.1 | Ensure you are aware of and have correctly identified the filing deadline and that the SAR is filed by the deadline |
| 4.2 | Ensure that the SAR contains all the required information |
| 4.3 | Ensure that the SAR is filed correctly |
Step 5 – Preserve confidentiality
| No. | Issue |
| --- | --- |
| 5.1 | Be aware of what information cannot go into the SAR |
| 5.2 | Do not disclose the fact that a SAR has been filed |
Explanatory notes
Overview
Banks and other financial institutions subject to BSA reporting requirements must set up internal procedures to identify, investigate, and report suspicious activity, such as money laundering, terrorism financing, and fraud. Suspicious activity must be reported to the Financial Crimes Enforcement Network (FinCEN) by filing a Suspicious Activity Report (SAR).
Employees of a financial institution should be trained to identify suspicious activity that may arise during day-to-day operations. Suspicious activity may also become known through internal monitoring systems and law enforcement requests generating red flags that require investigation. However, the financial institution does not have a duty to investigate or confirm that a crime has been committed. That is the duty of law enforcement. The financial institution’s duty is to identify and report the suspicious activity to law enforcement.
When reporting suspicious activity, a simple framework can help to incorporate the necessary details in a report. First, describe who or what you saw, making sure to note any distinguishing features or behaviours. Say when you observed the activity, including the date and time. State where the incident occurred, providing exact locations if possible, street addresses, or landmarks to assist with the investigation. Lastly, explain why the activity seemed suspicious to you, highlighting any unusual or concerning elements. This comprehensive approach aids law enforcement in assessing and responding effectively to potential threats.
For further information see the How-to guide: How to identify suspicious activity and make a Suspicious Activity Report (SAR).
Step 1 – Create a framework for detection and investigation
Although no method or system is capable of detecting all potentially suspicious transactions, financial institutions should have a system in place to identify, evaluate, and report suspicious activity as accurately as possible. Employees must receive training in how to detect suspicious activity and what to do once such activity is detected. The exact nature and size of the system will depend on the risk profile of the institution’s products and services, and its customers.
1.1 Consider whether there is a clear reporting process
Establish a defined escalation process for reporting potentially suspicious activity, from the initial detection of a suspicious activity to the decision of whether to file a SAR. Each area or business line should have policies and processes for referring unusual activity to the person or department responsible for evaluating it.
Give individual employees clear channels and procedures for reporting suspicious activity to compliance officers or management, such as an internal worksheet or directions on how to alert the appropriate point of contact.
1.2 Designate personnel to identify, evaluate, and report suspicious activities
Designate key contact people to identify, research, and evaluate reports. At each level, give assigned staff the requisite training, including ongoing training to maintain expertise, and opportunities to gain experience with procedures. Make sure there are enough employees to participate in each identification, evaluation, and reporting stage.
1.3 Ensure that the designated personnel have the tools necessary to complete their tasks
Equip staff involved with identifying, researching, and evaluating potentially suspicious activity with the necessary internal and external research tools. Tools may include, for example, information sharing among different departments or branches of the organization. Sharing brings efficiencies in the collection of information and allows for the identification of suspicious activity that might otherwise go undetected. These tools should also include external research procedures, such as conducting internet media searches and utilizing subscription research services.
The financial institution might also participate in FinCEN’s 314(b) information-sharing program. Under section 314(b) of the PATRIOT Act, financial institutions can voluntarily share certain information with each other in order to identify and report activities that may involve money laundering or suspicious activities.
1.4 Consider whether internal investigations are well documented
If an activity is flagged as potentially suspicious, the staff involved should preserve documentation of all events that gave rise to the suspicion. Staff should also document each step of the investigation and evaluation process, all the way up to the decision of whether to file a SAR. Documentation of the entire internal process may be relevant for future investigations, such as a government review of whether the institution meets its BSA obligations.
Step 2 – Be alert to red flags
Potentially suspicious activity can come to light in a variety of ways. Following initial identification, additional research is usually required.
2.1 Consider whether personnel have been trained to detect suspicious activity
Employees must receive adequate training to be able to identify suspicious activity that can occur during the institution’s day-to-day operations. This training must ensure that employees develop the necessary skills and expertise to respond to the following types of inquiries:
- Is the transaction of a type that is consistent with the stated purpose of the relevant account?
- Is it consistent with past transactions?
- If it is inconsistent, is there a legitimate explanation for the anomaly?
- Is there an apparent business purpose to the transaction?
2.2 Consider whether there is an automated detection process in place
Set automated filters based on what is reasonable and expected for each type of account. In order to effectively filter transactions for potentially suspicious activity, it is important first to identify the institution’s higher-risk products, services, and customers, including transactions originating from high-risk geographies. Tailor filters to the institution’s individual risk level.
Automated transaction monitoring focuses on specific types of transactions. Those transactions are then manually reviewed to uncover any unusual activity. For instance, automated monitoring might raise red flags when it detects significant changes in account balances, or if an account has insufficient funds.
More sophisticated surveillance monitoring applies multiple or adaptive filters (eg, to identify spikes from average activity in an individual account) to detect measures taken to evade reporting requirements. These filters are tailored to the activity that the institution is trying to identify, such as common money laundering techniques like structuring multiple transactions to keep them under threshold reporting requirements for currency transactions. See, FinCEN's Notice to Customers: a CTR Reference Guide.
Review and evaluate the reports generated by these types of automated filters to determine if the flagged activity is genuinely suspicious. Make sure there is a clear hierarchy for authority – including compliance officers and senior management – to create and change filters.
Filtering procedures must include periodic reviews and updates to ensure continued effectiveness. All decisions regarding filters should be documented.
2.3 Consider whether there are processes in place for dealing with requests for information from law enforcement
Financial institutions will often receive law enforcement inquiries and requests for information regarding individual customers and their transactions. These might include the following:
- grand jury subpoenas (see 2.3.1 for more information);
- National Security Letters (NSLs) – administrative subpoenas issued to gather information for national security purposes (see 2.3.2 for more information); or
- section 314(a) requests – a request for information from law enforcement directed to a financial institution (see 2.3.3 for more information).
The financial institution should establish procedures for processing law enforcement requests as follows:
- monitoring the subject’s transaction activity;
- identifying potentially suspicious activity; and
- alerting the institution’s compliance officer or senior management.
A law enforcement inquiry, on its own, is probably insufficient to generate a SAR, but the inquiry is relevant to the overall risk assessment of the customer and their transactions.
2.3.1 Grand jury subpoenas
Upon receipt of a grand jury subpoena, a financial institution should conduct a review of relevant customer or account activity. The institution should then consider all known facts about the customer in order to determine risk. Facts to consider include the nature of the customer’s business, the amount of activity concerning that customer’s account, and the length of time the customer has been a customer of the institution. The decision regarding how to proceed (ie, whether to file a SAR) should be based on all the information available.
2.3.2 National Security Letters
An NSL is an investigative demand by the FBI or other federal authorities. NSLs are highly confidential, so make sure that appropriate written policies and procedures are in place to preserve confidentiality in processing the NSL and transmitting the information requested.
2.3.3 Section 314(a) requests
Under section 314(a) of the PATRIOT Act, law enforcement may seek information from financial institutions about possible money laundering and terrorist financing. See, 31 CFR 1010.520. Financial institutions must respond to these requests by searching their records for data matches and reporting back to FinCEN.
Step 3 – Decide whether to file a SAR
Under the BSA, a financial institution must report activity that may involve money laundering, BSA violations, terrorist financing, and certain other crimes.
3.1 Consider whether the transaction meets mandatory reporting thresholds
Reporting is mandatory for potential crimes that involve the following:
- insider abuse in any amount;
- an identifiable suspect where the transactions in aggregate are at least $5,000;
- no identifiable suspect where the transactions in aggregate are at least $25,000; or
- no identifiable suspect where the transactions in aggregate are at least $5,000, and that involve potential money laundering or violate the Bank Secrecy Act.
See, 12 CFR 21.11, 208.62.
Other examples that require reporting include attempted or completed transactions aggregating $5,000 or more, if the financial institution ‘knows, suspects, or has reason to suspect’ that the transaction is as described below:
- it involves funds derived from illegal activity;
- it is designed to hide assets derived from illegal activities, to evade federal law, or avoid reporting requirements;
- it is designed to evade BSA requirements;
- it has no business or apparent lawful purpose, or is not the type of transaction that the particular customer would normally be expected to engage in, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction; or
- it involves the use of the financial institution to facilitate criminal activity.
See, 31 CFR 1020.320, 12 CFR 21.11.
Structured transactions are a prime example of transactions that are set up to evade the reporting requirements of the BSA. Financial institutions must generally report transactions of more than $10,000, although recent developments have lowered the threshold to as little as $200 for transactions conducted in specific geographical areas. Other changes were brought about by a Geographic Targeting Order that requires reporting for certain types of transactions related to real estate (for additional information see Checklist: Currency transaction reporting requirements). Structuring involves a series of transactions deliberately designed to avoid these reporting requirements. See, 31 CFR 1010.100(xx). Financial institutions must report these, even if the customer tries to pull out of the transaction. See, 31 CFR 1020.320(a)(2)(ii).
Where there is any doubt, it is better to overreport suspicious activity than to underreport it. The failure to report suspicious activity may result in civil penalties, including fines. Additionally, the law favors overreporting. Financial institutions have a safe harbor under federal law that protects them from civil liability for reporting customer information to authorities. See 31 USC section 5318(g)(3).
Example
In In re: Shinhan Bank America (SHBA), FinCEN imposed a penalty of $15 million for willful BSA violations based in part on deficiencies in handling SARs. SHBA lacked formal procedures for managing and reviewing reports of suspicious activity, had an under-resourced compliance program, and had corporate governance and change management issues. SHBA’s failures caused hundreds of its SARs to be filed late. In some cases, the SARs were filed years late.
Step 4 – File a SAR, if appropriate
The SAR should be timely, complete, and accurate, and it should include a sufficient description of the suspicious activity and the basis for filing.
4.1 Ensure you are aware of and have correctly identified the filing deadline and that the SAR is filed by the deadline
The deadline for filing a SAR is no later than 30 days after the date of initial detection of facts that form the basis for the report. If no suspect can be identified, the deadline is extended to 60 days. The time period starts once the financial institution knows, or has reason to believe, that the activity is ‘suspicious’ under the transaction reporting regulations. See, 31 CFR 1020.320, 12 CFR 21.11. This is different from the initial red flag alert of unusual activity. Therefore, the time period for filing a SAR does not begin until after an appropriate initial review is conducted and a determination is made.
For requests made under section 314(a), financial institutions have two weeks from the posting date of the request to respond with any positive data matches. If the search does not uncover any matching accounts or transactions, the financial institution is instructed not to reply to the 314(a) request.
4.2 Ensure that the SAR contains all the required information
The SAR should include a clear, complete, and concise narrative of the suspicious activity. This includes the six essential elements of information listed below.
- Who is engaging in the suspicious or criminal activity? Include names, social security numbers, birth dates, driver’s licenses or passport numbers, addresses, occupations, and phone numbers of all involved parties.
- What are the instruments or mechanisms that are being used to facilitate the suspect transaction? Use codes identifying the suspicious activity.
- When did the suspicious activity occur? Provide dates of the activity.
- Where did the suspicious activity take place? Include information regarding the financial institution where the activity occurred, including individual contact information.
- Why does the financial institution think the activity is suspicious? Provide a narrative description of the activity.
- How did the suspicious activity occur? Give the source, movement, and application of funds.
In addition to these six elements:
- Ensure the body of the narrative clearly explains the suspicious activity. Avoid relying on attachments instead of clearly laying out the activity in the narrative.
- Double-check that all data fields are completed. Incomplete or inaccurate data fields are a common mistake in SARs.
4.3 Ensure that the SAR is filed correctly
SARs must be filed through FinCEN’s BSA E-Filing System. Reports can be filed individually or in batches.
Step 5 – Preserve confidentiality
The BSA offers financial institutions safe harbor from liability for sharing otherwise confidential information about transactions and customers. See, 31 USC section 5318(g)(3) and 31 USC sections 5321, 5322.
5.1 Be aware of what information cannot go into the SAR
Grand jury proceedings and NSLs are confidential, so a SAR should omit any reference to either. For questions regarding SAR filings related to grand jury subpoenas, contact FinCEN’s Regulatory Helpline at (800) 949-2732.
5.2 Do not disclose the fact that a SAR has been filed
No one at the financial institution may notify any person involved in the suspicious transaction that a SAR has been filed. This means that a financial institution should decline to produce a SAR to a customer or to provide any information that would reveal that a SAR has either been prepared or filed. See, 31 USC section 5318(g)(2).
Related Lexology Pro content
How-to guides
How to assess your organization for money laundering and terrorist financing risk
How to monitor Bank Secrecy Act (BSA) compliance
How to appoint a Bank Secrecy Act (BSA) compliance officer
How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern
How to identify suspicious activity and make a Suspicious Activity Report (SAR)
How to identify relevant sanctions regimes and deal with conflicting obligations
How to ensure sanctions screening and sanctions due diligence is effective
Checklists
Being prepared for a visit by a financial regulator
Currency transaction reporting requirements
Screening employees for roles in AML compliance
Staff awareness and training to prevent money laundering and terrorist financing