Common SAR compliance violations

In April of 2000, the OCC issued a letter describing common Bank Secrecy Act compliance violations it had found in the area of suspicious activity reporting. [OCC AL 2000-3, April 25, 2000] The letter was the result of several years of specialized BSA/anti-money laundering examinations.

The common violations had to do with what the letter referred to as “high-risk services” and “high-risk accounts.” High-risk services are transactions involving monetary instruments, international pouch (cash letters), deposit brokers, and international wire transfers. High-risk accounts are money services businesses, offshore private investment companies, nondiscretionary private banking, and international correspondent banking customers. In general, the violations were failures to meet the establishment of maintenance of procedures for compliance. We describe the compliance procedure requirements in the last section of this chapter.

More specifically, the common violations were the failure to adequately:
  • Document and evaluate new, high-risk accounts for money laundering;
  • Establish controls and review procedures for high-risk services;
  • Monitor high-risk accounts for money laundering, including transactions that far exceeded the normal range of activity for such accounts;
  • Conduct adequate independent testing of high-risk accounts for the possibility of money laundering;
  • Train employees to detect suspicious activity in high-risk areas like pouch and wire transfer transactions, particularly to/from known drug source or money-laundering havens; and
  • Review CTR filing patterns for suspicious activity.
The letter cautioned against limiting audits and compliance testing to CTR compliance, emphasizing that institutions needed to include SAR filing in internal and external audits. Finally, the letter noted that institutions should ensure that:
  • Internal controls, including account opening and documentation procedures and management information/monitoring systems, adequately detect and report suspicious activity in a timely manner;
  • Audit processes are risk based; specifically target high-risk accounts and services; and include independent testing of bank systems, controls, and CTR and suspicious activity report filing patterns;
  • Training programs address the possibility of suspicious activity in all bank departments, with emphasis on high-risk accounts, products, services, and geographical locations; and
  • CTR review procedures capture and report suspicious activity.