Not enough needles and too much hay: the problem with Suspicious Activity Reports

The FinCEN Files shed a light on a creaking system under which millions of reports of suspicious activity are filed to over-stretched authorities every year. FinCrime Report examines how to make it easier for government agencies to find the useful “needles” in the “haystack” of SAR reports.

The numbers are eyewatering.   In the first 11 months of 2020 alone, 2.5 million Suspicious Activity Reports were filed to The Financial Crimes Enforcement Network  (FinCEN), while more than 573,000 were filed to the National Crime Agency in 2019/20 in the United Kingdom.

Millions of these reports are filed across the world every year, arriving at government agencies from banks, credit unions, brokers, money services businesses, casinos, insurance companies, precious metals dealers and more.

The laudable aim is to allow Financial Intelligence Units to receive confidential alerts about activity deemed ‘suspicious’ (with a much lower standard of proof than criminal evidence)  which it can then use as part of investigations or for intelligence purposes.

It is difficult to argue with this but there has been growing unease in the fincrime community for a while now about how effective the SARs system really is.

With all these millions of reports being filed, how can resource-limited government agencies feasibly make use of them effectively by identifying high-quality information? How does a bank decide what criteria to use for the subjective element of SARs reporting when there is often little feedback? Is a system that often relies on retrospective reporting really fit for purpose in the digital, fast-payment era?

The problems were brought to the attention of the wider public in spectacular fashion in September, when the ‘FinCEN Files’ (a cache of 2,100 SARs leaked to journalists) – were published. While much of this reporting was arguably unfair on the banks, who were following the rules by filing a SAR retrospectively, it did raise some uncomfortable questions about the usefulness of the whole system.

The problem, says Charlie Steele, a partner at forensic accounting company FRA and the former deputy director of FinCEN, is analogous to the old saying about finding a needle in a haystack. “I think what the banks would like to do is reduce the amount of hay and increase the amount of needles”, says Steele.

So how do we do this? How can we strip out the ‘hay’ that is taking up valuable resources and perhaps obscuring vital intelligence? Can we improve the amount of ‘needles’ – useful information that helps the authorities with investigations or intelligence?

.

Too many SARS

When seeking to understand why so many SARs are filed it is worth having a look at the broad regulatory requirements for filing (although these do differ slightly in different jurisdictions).

Reporting institutions, including banks, are required to file a SAR when they have reason to believe a transaction may be suspicious. Because, for instance, the amount or location is unusual for the customer. In the US, SARs must be filed within 30 days, or 60 days if an extension is granted.

The issue, according to Steele, is that banks, especially larger institutions, fear being hit with penalties later on if they don’t file a SAR.

“I think its fair to say they err on the side of caution, when in doubt they file a SAR rather than deal with an aggressive enforcement action a few years down the line”, says Steele.

This trend, under which reporting bodies decide to file a SAR primarily to protect themselves, is often labelled as “defensive filing”, and Steele says it is a very real phenomenon.

“The problem is you don’t know the end-to-end story, you don’t have a linear view of transactions”

David Rowe-Francis

“There’s no question in my opinion that there’s lots of defensive filing going on. So you end up with lots and lots of SARs that in many ways the banks fear may never be looked at and they spending all this money on compliance.”

For David Rowe-Francis, founder of Praxis Compliance Consultants, the problem is due to banks not having enough information, in a modern digitised banking system, to confidently determine whether something is suspicious or not.

“In the old days you had one bank account and your banker knew your end-to-end transactions. Nowadays most people, legitimately, have two or three bank accounts and the problem is you don’t know the end-to-end story, you don’t have a linear view of transactions”, says Rowe-Francis.

Faced with this uncertainty, the safest thing to do is to file a SAR. Perhaps this is just one reason why the number of SARS filed in the US has increased by 50% since 2014.

Dr William Scott Grob, AML Director at the Association of Certified Anti-Money Laundering Specialists (ACAMS) Americas, certainly believes too many SARs are being filed currently.

“Unfortunately, only a small percentage (between 1-3%) of SARs are utilized by law enforcement, suggesting low usefulness in the investigative process”, says Grob.  “We must ask ourselves why the number of prosecutions doesn’t correlate better with the number of SARs filed.”

The real question then is how the system can be changed to ensure SARs are more useful to investigators.

.

The importance of information-sharing

Perhaps it is as simple as allowing greater sharing of information between banks, and between jurisdictions. In the aftermath of the FinCEN Files, FinCrime Report highlighted some of the current barriers to information-sharing. Since 2006, banks in the US have been permitted to share details of SARs with another financial institution’s head office, even if it is in another country. Crucially, however, the company’s head office is not then allowed to share the information around its own group.  Therefore, strict disclosure rules are still preventing the sharing of information.

Steele, talking about a hypothetical case says: “If suspicious activity was found in the US and the same client, or an associate of that customer, was engaged in substantial traffic in a foreign branch in France, you could quickly notify the personnel in the French organisation and tell them what to look for.

“They might be able to both head off some bad transactions and generate further material for their own notification for law enforcement.”

For Steele, there is a great desire in the financial crime fighting community to do this but it is hampered by traditional secrecy rules being applied “in a rigid way”.

The good news is that these long-standing concerns, only amplified by the FinCEN Files, are being addressed by lawmakers. The Anti Money Laundering Control Act 2020 was passed by US Congresson New Year’s Day.

Much of the immediate media focus on the Act was on corporate transparency provisions, but it also contains potentially significant measures to promote better information-sharing. The legislation authorises FinCEN to establish a pilot programme to allow US financial institutions to share information in SARs with “foreign branches, subsidiaries and affiliates.” And it isn’t just the US that is seeking to liberalise the sharing of information. AUSTRAC, the economic crime regulator in Australia, just this week published proposals  to more easily allow their version of SARs (called Suspicious Matter Reports) to be more easily shared with external auditors or offshore members of the same corporate groups. AUSTRAC is proposing to expand exceptions to ‘tipping-off’ provisions to enable this.

In the European Union, a key pillar of a proposed “single-rule book” for AML is focused on the exchange of information. The European Commission has said it will “consider the information-sharing possibilities within groups of companies as well as between other obliged entities”.  However, it has said it will look at data privacy concerns relating to this.

So authorities in different parts of the world are looking at ways of removing the barriers to sharing of SARs information, including restrictions on sharing cross-jurisdiction, privacy concerns and allaying concerns over tipping off criminals.

Rowe-Francis however believes that to really strengthen suspicious activity reporting major tech companies and retailers also need to be included. He says: “It can’t just be the banks. The likes of Amazon turnover more than the banks. Google, Amazon, Tesco, they all have more information about client spend than the banks do.”

So more information-sharing between banks and cross-jurisdictions, and between private and public bodies, could have a role to play in enabling more “needles” to be filed.

However, that still leaves us with the issue of how banks know whether what they are filing is actually of use to law enforcement agencies or not.

.

The absence of feedback

In many jurisdictions there is no feedback at all to the reporting authority on whether a SAR filed was ultimately of use to the Financial Intelligent Unit in question. This is largely due to a reluctance of agencies to share information that could ‘tip off’ criminals and jeopardise investigations.

Often the only way of telling if something was useful is if the authority files a request with the reporting entity for more information.

Jose Caldera, chief product officer at regtech fraud prevention firm Acuant, said: “It would be very useful for the bank to understand whether a particular report is part of something bigger or important, because it can enable the bank to take further action, improve their monitoring subjects, and further contribute proactively to an ongoing investigation.

 “At the very least a bank compliance analyst would want to know that their work, SARs in this case, has been reviewed and analysed. That simple confirmation would validate the work these analysts are doing, and give them incentive and assurance that the work they are doing matters.

It should be pointed out FIU in some countries do provide basic feedback, often in terms of whether the agency detected suspicious activity in the SAR, whether it can be used as part of a wider investigation or whether they require follow-up information. Spain is one such jurisdiction, says Graham Barrow.  “One of the consequences in Spain is that they (apparently) have fewer but better quality SARs. It’s difficult to know for sure whether this is true as, by their very nature, they are not public documents and this is hard to verify”.

But, aside from a simple confirmation a SAR has been filed, what other kind of feedback would actually be useful for banks and other reporting bodies?

Matthew Redhead, a financial crime researcher, believes there needs to be a much closer working relationship between law enforcement agencies and banks, with law enforcement providing more specific and prioritised requirements for what they want.

He said: “This could be done in several different ways, including closer working between banks and law enforcement agencies on the setting of transaction monitoring systems and post alert-case investigation, the wider use of bulk sharing of certain types of financial information or typologically framed data (transactions that meet certain characteristics of interest) for analysis by FIUs/LEAs, rather than expecting the financial institutions (FIs) to do it for them with limited guidance”

He says enabling direct law enforcement access to transactions data for monitoring known cases of concern, possibly through the use of Privacy Enhancing Technology, could also work.

Redhead says: “Effectively, the system needs to move from a position where FIs are expected to know, magically, what law enforcement agencies want and need, to one where there are more explicit requirements and closer coupling between the points where the intelligence is created and then consumed.”

One man who has given the matter more thought than most is Jim Richards, founder of RegTech Consulting. Richards has come up with a feedback loop framework involving what he calls Tactical or Strategic Value (TSV) SARs.

Under this idea, law enforcement agencies would be required to notify private sector reporting bodies as to whether their particular SAR has provided tactical value (ie it was useful in a particular case) or strategic value (it was linked to a typology or trend). If seven years pass without a TSV SAR response, the reporting body can assume the SAR was not of value and factor that into its decision-making.

In a blog post outlining his idea, Richards writes: “Over time, the financial institution could eliminate those alerts that were not providing timely, actionable intelligence to law enforcement. And when FinCEN shares that information across the industry, others could also reduce their false positive rates.”

So, although their proposed frameworks differ in detail, both Redhead and Richards would put emphasis on law enforcement providing greater clarity about what is useful and what isn’t.

In the US, the aforementioned Anti Money Laundering Control Act 2020 will require the Attorney General to prepare an annual report on the usefulness of information reported by financial institutions. FinCEN would also be “required to seek feedback from law enforcement agencies about the usefulness of SARs and produce a report for financial institutions.”

It is expected that this kind of report will likely describe trends on types of SARs that are useful, rather than giving feedback on individual SARs in the way Richards has described, but it is nevertheless a first step that has already been welcomed by many.

.

Streamlining, automation and the role of tech

In addition to better feedback on what financial institutions and other reporting bodies should be filing, there is a barrier to overcome in terms of the sheer amount of resource that producing SARs uses.

In response, the new US Anti Money Laundering Act has outlined several measures to make the process easier. It is seeking to review the minimum value thresholds for both SARs and Currency Transaction Reports (currently $10,000). It also provides for FinCEN to “establish streamlined, including automated processes” for non-complex categories of SARs.

“A variety of low-value, repetitive SARs could be streamlined or automated”

Dr William SCoTT Grob

Steele says that the need to provide a narrative in the SAR can lead to lengthy reports, running into several pages and that this is not necessary for less complex reports. “If you can get away from that and maybe have a two or three sentence of explanation, and automate them then you wouldn’t have to re-invent the wheel.”

The key question of course, is how a non-complex SAR is defined for the purposes of this type of streamlining.

Dr Grob, of ACAMs, says: “A variety of low-value, repetitive SARs could be streamlined or automated, such as below-the-threshold transactions, that individually have low utility, but when aggregated into patterns may build intelligence for law enforcement.

“The streamlining should focus on lower-risk SARs, where the information can be standardized.”

New technology such as machine learning could be used to compile “less complex” reports quickly. “The hope of many is that both law and software might enable a swift report and consent for ‘low-level’ SARs, to enable a better focus on the transactions that really need attention,” says John Binns, partner at BCL Solicitors.

Privacy-enhancing technology such as homomorphic encryption might have a role to play in allowing information to be shared more quickly.

A focus on speed, providing real-time information, could also address another criticism of the SAR regime – that by the time the SAR is filed and assessed the money has long gone. This real-time approach is needed, argues Justin Bercich, Head of Artificial Intelligence at Lucinity.

He says: “Several significant issues arising from the FinCEN files were due to a delay in information flowing back from regulators to banks about the SARs filed, leading to banks reporting the same or connected customers for suspicious activity multiple times over a long period”

A note of caution however, is provided by Rowe-Francis who says judgements about suspicious still require a human.

He says: “You can use AI together with machine learning and of course it can write you out a SAR but if you look at all these firms thinking of using robotic analytics and machine automated processes they are saying you still need a human in the loop.” Rowe-Francis also says there needs to be care to ensure the banks systems and processes can talk to the regulators systems and vice versa. He does accept however that automation can be used more easily in straightforward cases, where transaction thresholds are exceeded for example.

So streamlined or automated SARs, better feedback mechanisms, and technology could all help improve the antiquated reporting system used by many countries, and governments seem to be listening.

Until we have change though, banks will carry on churning out millions of reports and the authorities will scrabble around in mountains of hay trying to find the elusive needles.

.

By Carl Brown, February 2, 2021, published on FinCrime Report

Recent Posts