Rethinking the Suspicious Activity Report

The #FinCENFiles coverage, though flawed and exaggerated, did highlight legitimate weaknesses in the U.S. system for stopping financial crime. The impulse to do something, to fix the parts that don’t work well and to better protect society is warranted and healthy.

Banking industry critics have been calling for an overhaul of anti-money laundering regulation in response. It’s a go-to reaction that plays well politically and offers the satisfaction of punishing naughty bankers with even more rules.

A massive overhaul of the current regulatory system for fighting financial crime might take years — first to pass as legislation, then to implement. Such an overhaul would probably change the format for the suspicious activity reports (SARs), the central tool in the current U.S. system.

From my direct experience in compliance technology, I can tell you: That would be a very big, expensive and slow lift. It would give financial criminals plenty more time to keep moving funds, status quo.

Fortunately, I can also say: There are gains we can realize right now through technology, without changing anything about the SAR.

First, some background: SARs are a systemically important communication channel. Licensed financial institutions in the U.S. have a mandate to file these regulatory reports. Before we delve into the problems of our anti-money laundering regime, here’s the basic framework of how it’s all supposed to work:

• Financial Institutions monitor the activity of their customer base, flagging activity that might indicate illegal behavior.
• The institution’s compliance professionals investigate flagged activities.
• If the compliance professionals believe that the flagged activity is truly illegal behavior, they fill out a SAR.
• They file the SAR with FinCEN, the U.S. government agency responsible for collecting the reports and distributing the information to law enforcement.
• Law enforcement professionals query the SAR data and investigate criminal activity.
• When sufficient evidence mounts, law enforcement builds a case for criminal prosecution using SAR data and other evidence.

To face reality, this process has not been particularly effective at preventing money laundering. The information in SARs can be difficult to parse, and there are significant unmet needs for collaboration between the financial industry and law enforcement. A recent U.S. Government Accountability Office report addresses how law enforcement “may be underutilizing these reports — to the detriment of their investigations.”

But even before SARs get to law enforcement, there are problems.

The Underlying Issues

SARs are difficult to operationalize at a financial institution. They are tedious to fill out, tricky to validate, expensive to staff and painful to get wrong. Incorrect or overlooked SARs can result in costly penalties and remediation requirements, as well as a huge toll on professional morale for those of us who find meaning and purpose in trying to stop harmful activities in the darkest corners of society.

Financial Institutions operating at scale in the U.S. have to file a lot of SARs — altogether, 2.3 million in 2019. The form is complicated to complete, with many fields and nebulous requirements. The overall process can be insanely complex. Using the available figures and educated estimates, my calculation for the total spend on SAR salaries last year in this country comes to at least $180 million — just for time spent filling them out.

SAR filings play a critical role in protecting our shared safety and security. But many financial institutions can get in a rut with their laborious, manual filing processes because implementing improvements seems daunting. Doubt shadows their view of how better technology could gain huge efficiencies in this practice area. Yet the time, costs and efforts are in closer reach than many bank compliance professionals realize.

On the Bright Side…

Technology can help make SAR information more accurate, more complete and more useful. Broader adoption across institutions could enhance communication and collaborations among banks, FinCEN and law enforcement. Compliance practice leaders should consider a whole range of opportunities for empowering their teams with tech tools that will help them:

• Ensure investigations follow a thorough process.
• Get more detailed information into SARs.
• Spot trends across different reports.
• Run checks to ensure that the information is valid and meets specifications.
• Use automation to eliminate the time spent filling out forms by hand.
• Increase information security through direct integration with FinCEN rather than maintaining PDF reports on employee computers.
• Deliver the information to law enforcement quickly.

Protecting society from sophisticated criminal operations is a pretty huge undertaking. I suggest we shift how we phrase our expectations for banks, regulators and law enforcement, from “this is what you should have been doing!” to “What can you do?”

Partnerships and collaboration — common, positive themes throughout many fintech conversations — are especially apt here. Stopping malevolent forces isn’t something to take on single-handedly. The list items above are all fine standalone examples of how tech can help. Personally, what would be even more meaningful for me would be exploring how tech could pull all our efforts together.