The JFSC has been focusing heavily on Suspicious Activity Reports (“SARs”) recently. This is understandable. SARs are a crucial part of the regulatory framework. If regulated businesses are properly reporting suspicions of criminal conduct then the law enforcement agencies receive vital ammunition for cleaning up the finance industry and investigating crime without lifting a finger. The regulator can step back and leave reporting to businesses, as long as they can be trusted to make SARs when they should.
The Head of Enforcement at the JFSC, Barry Faudemer, has this to say on the topic:
“The JFSC is afforded access to SARs and they are crucial in protecting investors from suffering financial losses and safeguarding the integrity of our finance industry. They form a critical part of what is often a complex jigsaw puzzle of information and timely reporting is key. Our Supervisors will be keen to ensure that SARs are submitted to JFCU as soon as is reasonably practicable. The reason for any delay should be clearly documented.
JFSC staff have seen for themselves how SAR intelligence makes a huge difference and enables the regulator to prevent financial crime working closely with the Joint Financial Crimes Unit. Very often the person submitting the SAR may not appreciate the key role they are playing in contributing to piecing together the jigsaw puzzle. I can only say that in some cases if we had not received a particular SAR we might not have been able to have protected some very vulnerable members of our society.”
SARs are something the JFSC can measure. It knows how many SARs each business makes. It takes a keen interest in how many internal SARs are externalised, and how quickly internal SARs are evaluated by the MLRO.
Though there are no specific targets in the AML Handbook, the JFSC will look at the ratio of internal SARs being externalised, and the time taken to evaluate internal SARs. MLROs can expect to be asked to explain any time delays in the evaluation process and any decision not to submit an internal SAR to JFCU. A high percentage of internal SARs that are not submitted to JFCU may be indicative of a dysfunctional AML function within a business.
Some businesses appear to be working towards a target of 75% of internal SARs externalised, or 30 days to evaluate an internal SAR. However, these are not targets approved by the JFSC, and meeting these measures may well not in itself be sufficient to demonstrate full compliance. What is adequate to comply with the regulatory requirements will of course vary from business to business and case to case. Barry Faudemer, who is also the JFSC’s MLRO, comments: “In some cases a SAR should be submitted immediately, for example to prevent financial loss or assist the authorities with a terrorism investigation. I usually process internal SARs submitted to me by JFSC staff and place them in the hands of JFCU within 48 hours. Setting any benchmark for the volume of SARs externalised is dependent on many factors including the type and scale of business together with the risk appetite of the firm.”
The requirement as to timing is to make a SAR as soon as is reasonably practicable. Some SARs are so obviously reportable and urgent that they should be externalised immediately, and in such cases waiting without good reason would constitute a breach for failing to report in good time.
However, taking several weeks may be a reasonable timeframe in more complex cases, giving time to investigate the case, and some cases may reasonably take even longer to investigate properly. It is important to avoid falling into the trap of waiting to secure firm evidence of money laundering before submitting a SAR. Only a suspicion of money laundering is required to activate the requirement to submit a SAR.
Monitoring the percentage of SARs externalised can only be a rough guide to the general effectiveness of the SAR procedures in a business. If staff are very cautious then many internal SARs may be made which the MLRO properly decides not to externalise. If staff have poor AML awareness or the culture is hostile to reporting, so only a few internal SARs are made, but each one plainly needs externalising, there is still a problem. Plainly a lot depends on the quality of the training and culture in the business, and the competency of the MLROs and their decision-making.
As for measuring SAR reporting, how many SARs should each business be making? Will the JFSC consider a business to be higher risk if it is making “too many” SARs (indicating that it must have too much risky business), or if it is making “too few” SARs (indicating that its staff must be failing to report suspicions adequately)? We can expect the JFSC to apply a risk-based approach to this. I posed these questions to Barry Faudemer, and his response was this: “I cannot recall a case in recent times where a business has submitted too many SARs and caused alarm to the JFSC. Enforcement have however received referrals and conducted investigations into instances where a business has failed to file a SAR with JFCU. This usually leads to the identification of wider AML weaknesses within a business requiring enforcement action to remedy the shortfall.”
The important thing is to ensure that your SAR reporting system is working properly. If the staff know when to report something, they are encouraged to do so, and the MLRO competently and promptly evaluates it, and externalises where appropriate without obstruction from the business, then the system is working. Simply saying you have the procedures will not be enough. Expect the JFSC to require clear proof that your SAR procedures are effective.
William Redgrave, Partner