BSA Concerns: From Under-filing to Over-filing SARs
First of all, I wanted to congratulate our newest class of NCBSOs! NAFCU wrapped its second BSA Seminar in beautiful Colorado last week where several questions were asked and concerns raised that are worth noting. Apparently, the latest issue with Bank Secrecy Act (BSA) examinations seems to surround examiners who believe credit unions may be over-filing Suspicious Activity Reports (SARs). FinCEN addressed this issue back in 2004 when it coined the term "defensive filing" to mean "when an institution files a suspicious activity report on an activity or transaction that really is not suspicious."
Prior to this over-filing concern, credit unions were criticized a couple of years ago for potentially under-filing SARs and CTRs. These over/under-filing concerns are leaving credit unions attempting to comply with BSA requirements feeling a little bit like this:
Before we attempt to understand examiners' concerns, let's start with the basics on SAR filings. Under the BSA, credit unions are required to file these reports in several circumstances. For example, credit unions must file a SAR for insider abuse involving any amount (insiders may include employees, officials, and managers). Credit unions are also required to file a SAR when there is a criminal violation of $5,000 or more and the suspect is known or can be identified. See, 31 C.F.R. § 1020.320(a)(2). In instances when the suspect is unknown, the credit union must file a SAR if the criminal violation amounts to $25,000 or more.
Other SAR triggers include transactions conducted or attempted by, at or through the credit union and aggregating $5,000 or more if the credit union suspects, or has reason to suspect, that the transaction may involve potential money laundering or other illegal activity. The same requirement applies if the credit union suspects the member may be structuring to evade BSA reporting or if the transaction has no business or apparent lawful purpose. See, 31 C.F.R. § 1020.320(a)(2)(ii)-(iii). Aside from these required filings, the BSA also allows credit unions to file a SAR as a "report of any suspicious transaction that it believes is relevant to the possible violation of any law or regulation…" See, 31 C.F.R. § 1020.320(a)(1). This is commonly known as a catch-all provision.
Identifying suspicious activity requires some level of subjective judgment, as account activity that appears suspicious for one member may be normal or have a reasonable explanation for another. Generally, the Bank Secrecy Officer or SAR committee is in the best position to make the judgment call as to whether transactions require a SAR or simply monitoring. For that reason, guidance from the FFIEC BSA/AML Examination Manual explains that examiners should ensure credit unions establish and implement risk-based policies, procedures and processes to comply with the Bank Secrecy Act instead of questioning individual determinations unless the decisions are egregious. Here is an excerpt from the manual regarding the amount of deference that should be given to SAR decision-makers:
"The decision to file a SAR is an inherently subjective judgment. Examiners should focus on whether the bank has an effective SAR decision-making process, not individual SAR decisions. Examiners may review individual SAR decisions as a means to test the effectiveness of the SAR monitoring, reporting, and decision-making process. In those instances where the bank has an established SAR decision-making process, has followed existing policies, procedures, and processes, and has determined not to file a SAR, the bank should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith."
So it is clear that, for BSA examinations, the role of the examiner is not to comb through all of a credit union's SARs. Rather, examiners are tasked with ensuring the credit union is effectively monitoring accounts and transactions, flagging suspicious activity, and reporting the activity per the SAR requirements. After all, FinCEN even recognizes that a "one-size fits all approach" is not appropriate for suspicious activity monitoring and reporting.
The takeaway here is that in the interest of complying with BSA laws, credit unions should ensure they are filing SARs whenever they suspect illegal activity is involved with an account or transaction(s). This is especially important as FinCEN's recent enforcement actions against financial institutions target BSA program failures to detect and report suspicious activity. For more in-depth information on enforcement actions, see NAFCU's quarterly BSA Blast (member log-in required).
If your examiner feels the credit union is over-filing, this may be a good time to: (1) have a conversation about the appropriateness of the credit union's internal controls, policies and procedures to identify suspicious activity instead of defending specific decisions; and (2) review the SAR narrative to make sure it is effectively explaining why the activity appears suspicious and drawing a contrast to the prior use of the account. According to the FFIEC BSA/AML Examination Manual, examiners "should not criticize the [credit union's] interpretation of the facts."