What CUs Can Learn From Wachovia
When Wachovia Bank agreed to a settlement with the U.S. government on charges that it failed to prevent drug traffickers from laundering more than $100 million through accounts at the bank, it became the financial institution with the unfortunate distinction of having paid the largest penalty, $160 million, for a violation of the Bank Secrecy Act. Under terms of the deferred prosecution agreement, Wachovia forfeited $110 million and paid a $50 million fine to the Treasury.
The U.S. Attorney for the Southern District of Florida called Wachovia's failure to properly monitor and report on suspicious activity "systematic," a problem that allowed more than $400 billion in unmonitored funds to be channeled through accounts at the bank between 2004 and 2007 by currency exchange houses in Mexico, primarily by way of wire transfers.
Was this a case of a financial institution being duped by a gang of sophisticated criminals? From all appearances, that wasn't the case. Simply put, the Suspicious Activity Report program of the Financial Crimes Enforcement Network was not followed. FinCEN requires that financial and nonbanking financial institutions file Suspicious Activity Reports to report "known or suspected violations of federal law" in compliance with the Bank Secrecy Act.
One of the primary goals of a SAR is to help the government combat domestic and international money laundering. Wachovia is not alone. Other financial institutions have been assessed significant penalties because of noncompliance with the SAR filing requirements in addition to possible criminal action against the executives of the financial institutions.
With the passage of the USA PATRIOT Act in 2001, the SAR has become one of the key tools to fight terrorist financing and has served to increase the volume of SARs filed with FinCEN. As a consequence, institutions are faced with the need to:
- Store and easily retrieve a paper trail for filed reports.
- Define and manage a process to file SARs.
- Track the decision-making process leading up to filing a SAR, including determination that a SAR needs to be filed, decisions on why the SAR was filed, determination date for the SAR and who approved the filing and when.
- Manage a single point of contact.
- Store FinCEN's acknowledgement of the SAR.
There are no exceptions. Every institution must participate and have its SAR program audited.
Despite the dramatic rise in the number of SARs filed and the no-excuses approach the government has toward compliance with the program, many credit unions run their SAR programs from spreadsheets and slips of paper that can be easily misplaced. What's more, a credit union can benefit by using the SAR program as a way to help prevent fraud, but only if it uses a mechanism that permits trend analysis that comes from looking at the SARs themselves.
Using such a system, a credit union can identify where suspicious activity is occurring, the specific fraud types and which customers tend to be associated with such activity. Beyond gaining such important insight, managing a SAR program is easier to run, more likely to be compliant and, in all likelihood, less costly than what might be in place.
There are options that can help a credit union address SAR requirements. The salient features to look for in such a solution include automated alerts for filing timely Suspicious Activity Reports and SAR report creation. Also look for the ability to see patterns between and among potentially related cases. Improved productivity, prosecutions and recoveries as well as providing the CU's management with the information needed to communicate success and assure compliance are also important.
During the fraud or financial crime investigation process, the bulk of the data required for SAR reporting is collected. A worthwhile fraud control and management system provides for a seamless flow of data from the case screens into the SAR without requiring reentry of data, reducing errors and increasing productivity.
A SAR needs to be filed no later than 30 calendar days from the date of the initial detection of the suspicious activity, unless no suspect can be identified. In that case, the time period for filing a SAR is extended to 60 days. The time period for filing a SAR starts when a CU, during its review or because of other factors, knows or has reason to suspect that the activity or transactions under review meet one or more of the definitions of suspicious activity.
When the time period starts is a key concept. A CU needs to be able to present its findings in an auditable, trackable manner when the detection date is defined. The detection date can be changed to get more days to file, if necessary. Often times, CUs choose not to change the detection date and file the SAR based on the information they have at hand. A supplementary SAR can be filed later when more information is discovered. This leads to what is called a "defensive SAR filing."
The 30/60 day rule of the SAR program kicks in from the day the determination is made that a SAR must be filed. Consequently, it is of paramount importance that a SAR does not fall through the cracks in the sense that those responsible for timely filing of completed SARs are aware of the current status of the filing.
If it is determined that a SAR will not be filed, such information can be documented and saved with the case details. This is especially helpful during compliance audits and in the event that the case is reopened on the basis of information obtained in the future.
As a result of the recent high profile BSA enforcement actions, like the Wachovia situation, FinCEN is concerned that institutions are filing defensive Suspicious Activity Reports without a formal review process and which is leading to a dilution of the value of suspicious reporting as a whole. An effective automated fraud control and management solution provides the ability to link case management with SAR generation while allowing customers to define an auditable, transparent workflow around the process.
It's also an excellent way to avoid Wachovia's fate.
N. Venu Gopal is CEO of Aithent Inc. He can be reached at 212-725-7646 ext. 2700 or email@example.com