Oyster Stew - A Broth of Financial Services Commentary and Insights

AML in Action: Practical Strategies for Surveillance, Training, and SAR Reporting

Oyster Consulting, Ed Wegener, Bryan Jacobsen

In this episode of the Oyster Stew podcast, Oyster Consulting’s Ed Wegener and Bryan Jacobsen break down how firms can implement risk-based monitoring, tailor training for frontline roles, conduct effective investigations, and ensure their Suspicious Activity Report (SAR) filings meet what regulators require.

Key Takeaways 

  • What regulators expect from your AML compliance program
  • Risk-based surveillance: Going beyond cookie-cutter monitoring
  • How to tailor red flag training by employee role
  • Investigating suspicious activity: When to file a SAR, how to do it right
  • Leveraging third-party vendors for transaction surveillance and case management
  • Common mistakes firms make—and how to avoid them



Libby Hall: Hi, and welcome to today's episode of the Oyster Stew podcast. I'm Libby Hall, Director of Communications for Oyster Consulting. Navigating the complex terrain of anti-money laundering requirements demands vigilance, expertise and sophisticated systems. Suspicious activity monitoring isn't just about catching wrongdoers. It's about recognizing when something doesn't quite fit the expected pattern for a particular client or transaction. 

As the regulatory expectations for investment advisors continue to grow, so does the need for tailored risk-based programs that go far beyond check-the-box compliance, from recognizing red flags and trading patterns to filing effective suspicious activity reports or SARs. In this episode, we'll explain how investment advisors can build AML programs that are both regulator-ready and operationally efficient. 

Ed Wegener: Well, hello everyone. I am Ed Wegener, Practice Lead for Governance, Risk and Compliance for Oyster Consulting. I want to welcome you to our continuing discussion of anti-money laundering requirements in the financial services industry. AML (anti-money laundering) continues to be an area of regulatory scrutiny, and not only because of the concerns with money laundering itself, but also because money laundering compliance covers a large number of problematic areas for regulators, including things like money laundering, terrorist financing, tax evasion and corruption, fraud, cybercrime and elder abuse, just to name a few areas, and compliance programs are required to monitor for and report activity that is suspicious for any of this type of illicit activity or any illicit activity that's done either by, at or through their firms, and that can be a very difficult task to do effectively and to be able to monitor for such activities because it's so broad.

But the consequences of not identifying and reporting this type of activity can result in really significant fines and undertaking, as well as reputational damage for the firm. So today we're going to talk about effective practices for the monitoring for and reporting of suspicious activities. Joining me today in my discussion is one of our top consultants, Bryan Jacobsen. In addition to having served in compliance and AML roles within the industry, Bryan's also a subject matter expert in AML and digital assets, both of which are hot topics these days. So welcome Bryan, and thanks for joining. 

Bryan Jacobsen: Thanks, Ed, and thank you for having me on the call. 

Ed Wegener: Excellent. Well, why don't we just start off broadly. When you think about regulators, whether it's FinCEN (Financial Crimes Enforcement Network), who has primary responsibility for AML, or other more functional regulators like the SEC and FINRA, what is it that they require firms to do in terms of monitoring for identifying and reporting suspicious activities? 

Bryan Jacobsen: Yeah, great question. So, I'd like to start off by first saying it's important to understand that when it comes to SAR (Suspicious Activity Report) filing or suspicious activities, you know the first word is the key. It's suspicious. It doesn't necessarily mean that there's in fact wrongdoing, it just means that the firm has a suspicion, and therefore the requirement is to file on that suspicion if it hits a certain threshold, which I'm sure we'll get to. 

But one of the things that I think firms always need to do is first of all make sure that they have a good understanding of all of the different risk factors of their firm. So, within the Bank Secrecy Act (BSA) and the FINRA rules, we always see terms like it has to be a risk-based program, and that's very true. 

So, firms need to make sure that they're not doing a cookie-cutter approach to surveillance but in fact, they're looking at the risks that may impact their firm. So, if a firm does activities such as perhaps, they do low-priced securities. Well, that's a risk factor that they should consider in their surveillance. Maybe they have a diverse client base, a demographically dispersed client base, so some of that may pose additional risks. So, all of that needs to go into your overall planning for how you surveil for this activity. 

Once you have that identified and, in many cases, firms will create and we've talked about that before, but they'll create that risk assessment that will help them identify all of the relevant moving parts for their firm and the risks that their firm takes. But once that's identified, then it's looking at vendors or internally that have tools that can provide some type of alerting system or report-based system that will provide you those reports. So, the first thing I would look at is obviously the type of risks and then further, what tools do you need to surveil those risks? 

Ed Wegener: You know it's interesting. You mentioned tools and you know having a system for monitoring activity is an important factor, but some of the things that need to be looked for are actually found during interactions with the client. So, I wanted to ask you about that. But before I do, one of the things that you had mentioned really kind of struck me is the requirement isn't that there's actual illicit activity happening, it's whether the firm knows, suspects, or has reason to suspect. So that's very broad. That means you just have to be looking out for anything that might give you an inkling that there's some type of this activity happening within your firm or through your firm and causes you to investigate that and come to a conclusion that it's something that's reportable. So again, that's just an area where it's really broad. 

And the other thing, just understanding the firm's business is a really critical component, as you had mentioned, because you have to take a look at it and say what are the things that would cause me to be concerned, what are the things that I should be looking at? And that's going to differ depending on the type of business and risks that the firm has, and there's different stages within money laundering. There's the placement of the illicit assets into the financial services firm or into the firm, and then there's integration and obfuscating where that money came from, and then there's the placement of it back in. So, any one of those stages, the red flags that are identified could look different depending on what stage of the illicit activity is going on. So, it's really important to really understand the firm's business and then understand what type of activity could be happening within your firm that you need to be looking for. And again, as you mentioned, monitoring systems are one way of doing it, but another important thing is just to understand the interactions with the firm. So, can you talk a little bit about how firms should be looking at those interactions with their clients to identify some red flags in terms of potential illicit activity?

Bryan Jacobsen: Yeah, great question. So, one thing to always keep in mind, and I'm going to touch on this on a couple of different points, but it's certainly going to lead into the educational component of a firm's AML program. When you look at your AML risks, there's going to be different risks that can affect a firm at different points in the life cycle of that client. It could be the onboarding risk. So, think about who's involved in your staff that deals with onboarding type things. Who, in operations or compliance or supervision, will be responsible for bringing that client account to the firm? And then you have to look at the operational side and who's going to be responsible for handling the ACH and the ACAT, processing, and the wires for the firm. So that's another potential touchpoint that could present risks or red flags. And then there's, of course, transaction monitoring. Who's responsible for that? 

So, the point being is, that when you look at the different risks for the firm, you need to look at the personnel that's actually going to be monitoring the risks and then decide, OK, how can we develop a training course that addresses that? 

So, what I mean by that is sometimes I'll go out to a firm and they'll have a great training course and they'll talk about the three layers of money laundering. They'll talk the generic red flags - if someone doesn't seem like they want to provide you with responses or they're evasive or whatever. Those types of red flags, and that's all great from a general perspective, may not be the most relevant risks that they could potentially see. At the end of the day, the frontline employee is always going to be your first line of defense. So having training that is designed to really address specific risks that these employees might see is much more important. I always recommend that firms produce different training profiles. So, they might have their operations staff as one profile, the people that are involved in money movement as another profile, so on and so forth, and having customized training for them. Now they can certainly have certain parts of that training that runs across all employees, but then, as it relates to specific employees, they have additional things there that will address specific things that they might see. 

Ed Wegener: Well, you mentioned some really important points. Training is a critical component, and not just that you are doing the training, it is the type of training that you are doing for the individual role. As you had mentioned, it is important that they understand what you ask people after training them. 

What are some of the issues that you spotted that will give them practice in terms of keeping an eye open for the things that they need to really be taking a look at? And then another critical part of the training is, if they identify those things, or if they have questions about whether they identified it or not, what is the escalation path for that? How do they get that to the right people who can then do something with it, so it ultimately ends up in the right hands, which is in your AML compliance program? Those are all really critical things to focus on, in addition to making sure that you have an effective means of monitoring activity so that you can look out for the types of transactions or activity that might be indicative of illicit activity. And so, Bryan, I wonder, having worked with a number of clients and having done this in your experience as an AMLCO (Anti-Money Laundering Compliance Officer), what are the types of activities that firms should be setting their systems up to monitor? 

Bryan Jacobsen: I would definitely focus on low-price securities. It is always a classic one where the low-price securities, even if there is plenty of legitimate trading, just the fact that most of them are illiquid or have low trading volumes, they kind of lend themselves to potential challenges around pump-and-dump schemes, that sort of thing. So, definitely if you have that type of business, having alerts and reports that address that are important. I would say money movement, any type of money movement, there has to be a robust process to monitor for that. Right. A number of firms are moving away from third-party wire and ACHs. But if you do allow for that, then there needs to be additional scrutiny on how you process that. As we know, ACH fraud is so prevalent in our industry and unfortunately, with the NACHA rules, once that ACH goes back, if the client claims that it wasn't them, it pretty much puts the firm in a negative spot because they have no choice but to refund the money or stop the trade or what have you, and that obviously results in losses for firms. So, the point being is that having clear safeguards on that is important.

Another thing is that firms or clients sometimes may not always provide their actual net worth. They might say, well, my net worth is $500,000, but yet all of a sudden, the equity in their account is a million dollars. Things like that are extremely easy for firms to not necessarily have specific surveillance for, but they need to, right? In recent cases, FINRA has pointed to that as a red flag. I mean, if someone has a million dollars in their account and yet they said that they only have $500,000 of liquid net worth, where is that extra money coming from? And then, of course, if there is any type of illicit activity, then that just proves their point.

So, definitely looking at that, and then, I would say, the onboarding process as well, making sure that there is a clear verification of the information. So, what I often see is firms get hung up on the fact that within the rules, as we know, it talks about documentary and non-documentary means of verification. But using that risk-based approach, firms need to decide when it is appropriate to just do documentary, when it is appropriate to do non-documentary, and when a combination of the two might be appropriate. And that all goes towards the risk of the individual client profiles and how you perceive that risk. So, there's plenty of room for discussion on that at the firm level, but the point being is that it should not be a one-size-fits-all. Where I have seen firms get in trouble is where they have tried to apply the same logic to all their clients and then unfortunately something goes wrong and that client demographic should have been considered a higher risk client. So those are the type of activities I would really focus on though.

Ed Wegener: You mention a lot of good points in that, and I want to unpack those. I think one thing that you said that really struck me is that it is important to monitor activity, but you can't monitor that activity in isolation. You have to do it in the context of the type of customer you're looking at, because what might look like normal activity for one type of customer might be completely abnormal for another type of customer, and it's that difference that should cause suspicion. For example, if you see a lot of trading activity and a lot of money movement activity happening in an active trader account that is in this type of business is sophisticated and can do that, that might be something that you see that type of activity and it's fine. Where, if you see that same type of activity in a typical retail account, especially with a senior investor, that should raise red flags. So, the activity is the same, the customer type is different, and being able to have those profiles to draw on is really what's going to be important, and so that customer due diligence leading into your suspicious activity monitoring is really critical. But it also goes back to what you were talking about before, about understanding the business and the types of things you should be looking out for. There are any number of different schemes that could be happening and they all have different profiles and it's really important to understand what those types of profiles are, and regulators have done what I think is a really decent job of identifying, as best they can, some of those red flags. 

FINRA put out a Regulatory Notice 19-18, where they identified for broker-dealers a number of types of activity that should be considered to be suspicious. So, it's important for firms to take a look at that type of guidance and say, do we have a monitoring system that would allow us to be able to find these things? Because if those things are happening within your pipes and you don't know about it, that's not going to be a good excuse if you don't have an effective monitoring program. But that FinCEN document is great. 

I know FATF (Financial Action Task Force) has put out a number of typologies for different industries and the types of things that they should be looking for. The SEC puts out good information. Industry groups like ACAMS (Association of Certified Anti-Money Laundering Specialists) is another great source and that's really where your most knowledgeable people, like your AMLCO, should be constantly looking to make sure that your systems reflect all that guidance. We talked a little bit about escalation and Bryan, I didn't ask you this before, but I thought I would throw this out to you. What are your thoughts in terms of the monitoring of the activity, the identification of that activity and the reporting. There's a critical step in there and that's the investigation of that activity, and I know that's sometimes where issues can arise for firms with regulators. So, I wonder if you could just briefly talk about what's important to be thinking about as firms put together a program for investigating red flags. 

Bryan Jacobsen: So, one of the challenges I see with firms is sometimes their investigation goes much longer than it should. I mean the early part of the investigation discovered that the activity was suspicious. But the nature of, I think, compliance officers is we're trying to get to the end point and prove yes, it was clearly XYZ illicit activity or no, we can prove that it was not. But the point is that by the time you get to that, the investigation tends to drag out for several months and then it creates either a late SAR filing or because the investigation lasted so long that had you stopped it right at the front end, you could have stopped them from really doing any number of bad things over the next several months. So, I've seen that in several cases.

What I would say is when it comes to investigation, you need to be very proactive. Remember, suspicious does not necessarily mean that you've been able to prove every single point. It's just that you have enough detailed information to know that it does, at least on the surface, look suspicious. I always tell firms that if you look at any regulatory action. I've never seen the regulators take action against a firm for filing too many SARs. I've seen plenty of times where they've taken action because a firm didn't file enough SARs. So, when in doubt, my recommendation is always to file because again, that will never get you in trouble to file it. But that being said, my recommendation is always do the investigation. 

Once you have enough information at your disposal to say that it's suspicious, file the SAR. There's continuation SARs. There's continuing ways to update that SAR as you go. So, if you find more relevant information you can certainly update that, but file it immediately. Then, at that point in time you should determine whether or not you have enough information with that initial SAR to whether it's restrict trading or, do any other restrictions on that account or what have you, and then you can finish up any final pieces of that investigation that you feel is warranted. 

But, again, never hold off on the initial part. And then, as far as the escalation is concerned, I always recommend don't feel that this is an individual sport. I’m doing an AML review and a SAR filing really is a team event in the sense that you know you need, at a minimum, you should have certainly the AMLCO, the president, and probably, depending on the facts and circumstances, you know someone in operations that can kind of walk you through the operational components, because many of these SARs are going to involve some level of operations, trading or otherwise. So, you want to make sure that it is available. 

Ed Wegener: That's an important piece because you want to make sure that you have enough people involved that can really get a good understanding of what took place. But, as we will talk about later, when we talk about filing a SAR, you also want to make sure, though, that it's only those people who need to know, so you keep the confidentiality that you need to with respect to SARs. One of the things that I had identified when working at FINRA and we would bring AML cases is it was rare that they were going to say they're going to deem activity to be suspicious, and you should have reported. They're usually going to look at the process that you have in place and the quality of the process that you have in place, and that's where they're going to find fault. And one of the things that would come up frequently is individuals that were responsible for following up on alerts and red flags. 

In certain cases, they would just rubber stamp them. The activity or the explanation that they had for how they closed out those alerts were cookie cutter, almost to the point where it looked like it was cut and paste each time. So, it's really important to make sure, this goes back to the training point that you were making earlier, that the individuals that are doing the investigations really are trained on what's expected in terms of chasing down those red flags, and then, importantly, making sure that you have good documentation supporting the decisions that were made. That'll be critical too, because if you do decide that a SAR needs to be filed, you want to make sure that you're providing, or that you have access at least to, the information and documentation that was put together at the time you did the investigation. So why don't we pivot, then, to the determination to file a SAR and what are some best practices in terms of how to file a SAR?

Bryan Jacobsen: Remember, when filing a SAR, it comes down to, the five W's and then H. It's who, what, when, where, why and how. So, in every SAR filing, and let me back up by saying people should look at SAR filings as one of the few opportunities that the firm has to continuously showcase the efforts that the firm takes in surveilling activity. Because to your point, Ed, I would always say put in exactly how this was discovered. Was it because of an astute frontline individual that overheard a customer say something? Or they noticed in a background picture that there were multiple cell phones that this person was using? Or you know, whatever the case may be. Or was it an alert? But the point being that a SAR is your opportunity to highlight that we are doing a pretty good job. We have frontline employees that are looking for this. We have surveillance tools that have caught this. We have whatever it is. And so, every single SAR filing is an opportunity for you to validate your program to the regulator. So, it really is a great opportunity and should not be missed. 

But when you file a SAR, first of all, the one thing that I see is that way too many firms will use their internal vocabulary, their three-letter descriptions or code for whatever tool or system. Well, more than likely, the person reading the SAR will have no idea what it is. Even if you spell it out, they may not know. So, the point is to be very exhaustive in your detail of exactly what you looked at. Stay really away from any type of internal dialogue or internal vocabulary. So, if your internal operating system is called XYZ, don't say the XYZ did this, just say that our back-office system noted this, or that the firm uses a surveillance tool called this, and that surveillance tool has an alert that does this. But the point is that, even though it takes much more in the drafting, it's a much better-quality SAR by just removing all of that internal dialogue or internal vocabulary. 

But after that you want to talk about who. Who is conducting the suspicious activity? Is it a coordinated effort? Is it an individual person? But is it, hopefully not, an internal employee? Who do you suspect having done that? 

Then you also want to talk about what. Identify what transactions were involved that raised firm suspicion. You want to talk about when, which is when did this activity occur? Where did the activity take place? Was it through your online portal? Was it through a sales representative, or so forth? 

And then the why is why do you think it's suspicious? You just be very matter of fact, say we believe it's suspicious because of whatever the facts are. And then, of course, the how is really for your benefit. How was this identified? It was identified because the firm has a tool that can alert us to these facts, and it came up as a tool or as an alert, and then we did further investigation, and so on and so forth. So, the best thing that I can always say on a SAR filing, though, or the best advice, is to be very clear, concise. Don't let personal emotion, because we all tend to get emotional, just be very fact-driven. Exactly what did you see? Why do you think it's suspicious? And include all of the relevant points, account numbers, so on and so forth.

Ed Wegener: You mentioned the why, why the firm thought that this was suspicious. And it reminded me I was at a conference recently and somebody at the FBI was speaking and having been in this industry for our entire career, we can look at something and say, oh, that's clearly suspicious. And what he was saying is look, I didn't work in those roles. I'm reading this narrative. I don't necessarily understand why something is suspicious and it really struck me, and I realized that something that compliance professionals might see and right away say, hey, that's something that needs to be reported. You really want to make sure that you're writing to the audience. The audience being typically criminal authorities, so that they understand why you thought it was suspicious. And another thing that they had mentioned was don't discount how important even small bits of information are. 

So, if you think that you have a puzzle piece and you might not know how it fits into that broader puzzle, file it anyway, it could be really important. And some of the biggest cases that they had brought were because somebody provided them some small piece of information that pieced everything together. And it was clear that the person that provided that piece of information had no idea that that's what they were doing, but it was extremely helpful. So that's just a reminder. To over-file is never a problem when it comes to the regulators, and don't discount any piece of information as long as you've investigated it and you believe that it is suspicious. 

So, one thing I did want to go back to on the monitoring front. I think it's really important because we talk to our clients about this a lot. We talk about monitoring transactions and firms of any size have any number of different types of transactions going through their pipes. Often it takes the services of a third-party vendor and their technology to help firms be able to take that information and turn it into useful information for identifying red flags. So, Bryan, I wonder if you could talk just briefly about using third-party vendor tools to support your AML programs. 

Bryan Jacobsen: So, especially when it comes to surveillance, I'm a big proponent. Well, two parts of this are surveillance and case management. I fully recommend that firms consider outsourcing versus building internally. As we know, almost every firm out there certainly has limited resources, limited staff, limited money and all that good stuff. And the point being is that even if you build the tool, you're not going to be in a position to really truly monitor that tool and make necessary updates in a quick manner, or at least certainly not to the extent that a vendor can. That is their main tool, their main source of revenue. They're much more vested in making sure that any feedback is taken into account, that changes occur quickly, that they adjust to new rules and all of that stuff. So, I would definitely recommend looking at an external vendor versus trying to build yourself a tool. 

In general, I would say that most firms, if they've built a tool, it's probably not as sophisticated as many of the vendors out there. Of course, there's a cost-benefit analysis there. Certainly, some tools can get very pricey and that certainly needs to be taken into account, but I would always look at that. And then the other thing that I would recommend from a third-party perspective is looking at a good SAR case management tool. So, a lot of firms’ case management tool doesn't really have a great way to organize or track all the SAR information. And remember, when you do the SAR filing, you're uploading the SAR and you're uploading the description, but you're not really uploading all of the background, all of the supporting documentation that goes along with it. That stuff is required to be maintained for five years after you file the SAR. 

And the point being is that some of these investigations certainly have a lot of moving parts, a lot of documents, and what I found is that firms may reference that in the notes and even if they save it in their internal system, their ability to pull that out of that system is very difficult. Whereas, a third-party case manager, you can use it to record all of your notes, all of the supporting documentation and, even better yet, it'll take all of the information from your system. The account name, number, all that stuff, and it'll pre-populate the SAR form. So really, all you have to work on then is the narrative. It just streamlines the whole process, if you're ever called on one of those SARs and you need to produce those reporting documents. Not having such a system could present challenges for a firm. 

Ed Wegener: That's a great point, Bryan. Another thing to think about when you're thinking about third parties is a good third-party vendor is going to keep up on all the trends and patterns and things that they're seeing and all the regulatory expectations, and they're going to be updating that as such, knowing that the vendor is going to make sure that they're updating their alerts to allow for that. So, it takes a little bit of the burden off of the compliance program within your department to be doing that, knowing that the vendor is going to make sure that they're updating their alerts to reflect the current typologies that are out there. 

But also, it's important for a good third-party vendor to allow tailoring to your firm, as you had mentioned before when it came to how you're putting these programs together. It's important to really understand the business and tailor your programs to that business, and so you're going to want to make sure that third party is able to allow you some discretion in terms of how you set your systems, to make sure that you're looking for the right things, given the risk at your firm. All really important things to be thinking about when you're thinking about how to address this really broad area of monitoring and reporting for suspicious activities. But again, this is something that regulators are really looking closely at. So really appreciate you providing your expertise, Bryan, and we'll be back again to talk about more things AML in the near future. Thank you, take care. 

Libby Hall: If you found today's discussion helpful, don't forget to subscribe for more episodes where we dive into industry strategies and best practices. For more information about our experts and our services, visit our website at oysterllc.com. Thanks for listening.