The number of anti-money laundering considerations may be overwhelming for companies in crypto and the wider blockchain community, from settlement layer companies to consumer-facing NFT platforms. A suspicious activity report (SAR) is yet another factor to consider within AML/CFT efforts. But what is a suspicious activity report? This report is mandatory for traditional financial institutions, crypto companies, and other Virtual Asset Service Providers (VASPs). In this post, we will outline what suspicious activity reports are and the steps needed to remain compliant.
What are suspicious activity reports and who needs to file them?
Suspicious activity reports are a part of wider AML requirements meant to report money laundering and fraud after it has been detected. This helps reduce the impact on customers as well as enable law enforcement to track down perpetrators. By filing SARs, companies are demonstrating that they are doing their best to protect customer interests.
Suspicious activity reports were first introduced in 1970 through the Bank Secrecy Act (BSA). Although initially designed for traditional financial institutions, the requirement has more recently been applied to regulations for online services and transactions. Companies dealing with digital assets are now regulated under the EU’s new AML package announced in July 2021 and will need to do similar reporting if operating in the EU. Due to the cross-border nature of crypto, companies registered outside the EU but serving customers based there may also have similar standards to meet.
Why crypto companies should incorporate these AML regulatory practices
Apart from the legal liability of failing to comply with AML regulations, companies in crypto now need to differentiate themselves to wary customers. Given the publicity around large-scale hacks and fraud within the crypto industry, the future of growth will depend on establishing security, trust, and dependability.
At their core, anti-money laundering requirements are meant to help companies reduce the risk of, detect, and report fraudulent and illicit activities. In short, they are meant to protect both businesses and end users. One of the ways that businesses can do so is by knowing who their users are (KYC) from the moment they sign up, so that this information can be referenced in the future if they need to be verified again, such as if there is suspicious activity in the account. Without knowing who your customers are, you have no way of determining whether activity that seems suspicious actually is.
Rather than thinking about suspicious activity reports as a regulatory burden, companies that can incorporate them into a thorough security strategy will be able to appease regulators and consumers while protecting the business.
When is a suspicious activity report required?
Knowing which events require filing a suspicious activity report has implications for business operations. A suspicious activity report is required whenever a regulated company comes across a potentially suspicious transaction, which can include:
- Any unusual activities that stand out from customers’ normal behavior
- Transactions exceeding a certain amount
- Large cross-border payments
In countries like the US, the reports should be submitted within a grace period of 30 days. This deadline may be extended in complicated cases when companies need more time to provide the required evidence.
Also, note that different countries may have different reporting thresholds. For example, in the Netherlands, companies may report on any transactions they deem to be unusual, while in Germany, they do so only when they know there is money laundering or terrorist financing involved.
Having a clear process in place, from data gathering to submission, will help handle such cases, especially when a business is growing. By building an integrated security and anti-money laundering system early on, companies can create case handling logic for scaling operations. For example, you may want to set triggers for a new identity verification to authorize transactions over a certain size. Exploring options early enables teams to build a more cohesive system from day one, rather than needing to find a workaround after there is a problem.
How do you detect suspicious activities?
While staff training can help to identify and report suspicious user actions, manual work is unrealistic to scale for online companies. This is particularly true for companies in crypto, which have a global footprint. The Chainalysis 2021 Geography of Cryptocurrency Report found that 78% of crypto value received globally came from a foreign country.
Because cross-border transfers are common with crypto, it is essential to implement a range of fraud detection and prevention tools. For example, there are automated tools that monitor behavioral data or metadata to flag behavior. These should also be complemented with a robust KYC program. In addition to behavioral data, companies need to know who a customer is (KYC) in order to verify their activities or file a suspicious activity report. For example, having a way to both reach the customer and ask them to verify their identity again with biometrics is a way to increase assurance that they were the individual who authorized a high-volume transaction. Companies can set up KYC checks by sourcing a third-party service provider, such as Passbase, to set the foundation of an AML program, in lieu of having a full compliance department.
If your company has reached a certain maturity level, it is also time to get a compliance officer onboard to ensure that all the nuts and bolts of your program are in place. In the best case scenario, having proper detection and prevention systems in place may allow you to avoid having to file a suspicious activity report.
What about handling data privacy?
Filing a suspicious activity report has certain confidentiality requirements. Regulatory requirements state that the subject of the report is not to be informed when the file is opened, and discussions with third parties such as media representatives are illegal. Note that employees who initiate suspicious activity reports have the privilege to protect their anonymity as they receive immunity for the statements they make during the SAR process.
Also, you should be aware of legal consequences in case a breach occurs. Remember that the only group of people who should have access to these documents includes financial investigators, top managers of your company, and attorneys.
Can suspicious activity reports be e-filed?
The requirements for filing a suspicious activity report were enacted before the invention of the internet, which means that crypto companies need to find more efficient ways of filing these cases than pen and paper. Residents of the US and the UK have an option to submit suspicious activity reports online. If your company is registered elsewhere, check this information with your local regulatory bodies.
Companies based in the US should submit a FinCEN SAR through the BSA e-filing system. To do this, fill in the online form by providing relevant factors, such as transaction dates, the names of involved parties, and descriptions of suspicious activities.
Companies registered in the UK should submit suspicious activity reports to the National Crime Agency (NCA) through the officer nominated by the financial institution. The submission can be done both in online and physical formats.
Although the EU has standardized Anti-Money Laundering Directives (AMLDs), companies operating from this region have to look to their local regulatory bodies to find out how to make the submission. For example, in Germany, the financial supervisory body BaFin provides a Suspicious Transaction Reporting System for such purposes.
Now that your question, what is a suspicious activity report, has been answered, keep in mind that it is a mitigation and not a prevention measure. After the one-time process setup for case handling, companies should focus on ongoing monitoring, fraud detection, and other prevention measures as part of an AML program.
To lay the foundation for your anti-money laundering and compliance initiatives, you will need KYC.