With the possibility of additional suspicious activity report (SAR) leaks occurring, what sort of internal controls could a financial institution implement?
In July 2007, North Fork Bank filed a Suspicious Activity Report (SAR) regarding the conduct and transactions of then-New York Governor Eliot Spitzer. As the story about his request to wire money to a company with little to no identifying information without having his name on it unfolded, the story anonymously referenced that SAR. After that, reporters began discussing what SARs were and their use.
Then, in 2010, the Financial Crimes Enforcement Network (FinCEN) issued advisories updating and clarifying “the scope of the statutory prohibition against the disclosure by a financial institution or by a government.” The advisory expands from the SAR itself (i.e., the form and narrative), to all “SAR data”, meaning “material prepared by the financial institution as part of its process to detect and report suspicious activity” and limits SAR-sensitive information to a “need-to-know” basis. This effectively created “SAR privilege” where information about SARS cannot be disclosed, even in court proceedings.
Even where SAR-related records are sent to law enforcement pursuant to a request, that information must still be independently subpoenaed by law enforcement as if the SAR didn’t exist.
Soon thereafter, media reports did in fact pick up the incident in which a staff member at a financial institution had disclosed the existence of a SAR in a rather sordid case. An investigator was looking at a case of potential mortgage fraud, and had filed a SAR on a suspect in the case. Subsequently, the investigator contacted the suspect of the SAR, disclosing that the bank had filed a SAR and that there was an ongoing investigation. The investigator solicited a $25,000 bribe from the borrower in exchange for information on any ongoing criminal investigations. The investigator was found guilty for both the bribery solicitation and the SAR disclosure, sentenced to six months in prison and fined $25,000 by FinCEN. This case was the first known instance where an individual was prosecuted for the disclosure of the existence or filing of a SAR.
If there were any SAR leaks over the next few years, they did not receive the same attention that the latter or Spitzer cases received. Then, in 2018 two separate stories took the spotlight which not only mentioned SAR leaks but were in fact centered on them. One article discussed in intimate detail which banks had filed SARs regarding Donald Trump’s former attorney and fixer, Michael Cohen. Shortly thereafter Buzzfeed News picked up the story of another member of Trump’s circle, Paul Manafort, and transactions related to accused Russian spy Maria Butina. In both cases it was staff at FinCEN who had disclosed the existence and to a large degree, the facts of those SARs.
Leveraging again the terminology from the FinCEN advisory that all “SAR data” must be on a need-to-know priority, what sort of controls could a financial institution implement?
While it was interesting to gain insight into a financial institution’s filing process, what categories were selected (gleaned from the articles’ descriptions) and what the red flags were cited. Indeed, these disclosures speak to both the lack of foreseeability about the potential leak of SARs information and the opportunity to review what possible controls might be implemented around SAR privilege.
What SAR Controls Should Financial Institutions Establish?
Leveraging again the terminology from the FinCEN advisory that all “SAR data” must be on a need-to-know priority, what sort of controls could a financial institution implement?
Alerts — An alert is not tantamount to a SAR, however, they are the starter’s pistol for the SAR filing process. The determination to escalate that alert to a SAR filing (or not to) might fall under SAR privilege. Thus, any internal decisioning mechanisms, conversations, and documentation could fall under SAR privilege. As such, their communication and access to the underlying records should have strong data access restrictions. Policies or procedures should clearly delineate what can and cannot be disclosed even among bank staff.
Staff — If the decisioning mechanisms and related conversations fall under SAR privilege, then by extension staff engaged in SAR-sensitive work could be identified, their responsibilities clarified, and their training and procedures tailored to the sensitivity of those materials.
SAR Filing — Inarguably, the SAR, its narrative, and supporting documents fall under SAR privilege. However, that privilege could also extend to how the documents themselves are stored. Given the sensitivity of the material, such documentation should not be stored locally on an investigator’s hard drive, just as much as those materials should not be stored in a way that makes them at all externally accessible. These basic access management controls — i.e., ensuring that the right staff members have access, that those staff have the right levels of access, that the wrong people don’t have any access, and that the data itself cannot be exfiltrated without permissions and an audit trail — are absolutely critical.
Awareness — SAR privilege breach and escalation procedures also demand attention. Somewhere in my career arc in investigations, I was working on an internal case that had been brought to the division’s attention. What was interesting at the time was that when the matter was being reported to the HR department, the HR representative explicitly asked me if I was going to file a SAR in regard to the employee. I declined to comment. From a risk-based perspective their line of questioning was suggestive of too much information about SARs going to the wrong people.
