I recently heard someone from Dominion speaking at a conference and they said that SARs are the most important part of an AML risk assessment. What did they mean?

We believe that SARs, and more importantly the data and investigations behind the SARs, can be among the most useful information for a compliance team completing an AML risk assessment.

Many risk assessment are speculative, meaning they rely on information from public sources like the FFIEC Manual, FinCEN, FATF and other places to provide a list of what is high risk. While this information is helpful and should serve as good guidance, it may not be applicable for your institution. Many risk assessment also rely on interviews with bankers and others about what they may perceive as high risk products, services, and locations.

Now, if (and this is a big “if”) your SAR program is sound (i.e. it has passed audits and regulatory examinations recently) the information in the case files that support those SARs should be used to pinpoint exactly which product, services and operating locations are most risky.

The premise here being when the regulators say “risk” they mean those things that are likely to be used to launder money or finance terror. Well, if you’ve filed a bunch of SARs and ticked off Box 35a – Bank Secrecy Act/Structuring/Money Laundering you know the answer to what in your institution is risky. Getting the answer may take time and analysis but is well worth it.

For example, if the analysis of SAR information shows that your institution has 100 locations but 80% of the SARs are filed on customers or accounts housed in 15 locations or branches, that is likely an indicator those branches pose a “greater than normal geographic risk for money laundering or terrorist financing.” (This assumes that training and operations among all 100 locations is consistent – if it isn’t, a risk assessment may not be your biggest challenge).

From this an AML officer may determine that in order to mitigate the risk posed by the customers of those 15 locations additional training will be provided to staff, the account opening process may ask a few more due diligence questions, the monitoring staff may sample accounts or transactions from those locations more frequently. In other words, you’ve assessed - using supportable data - how you identified riskier locations and the rationale behind the stepped up compliance controls.

Take this same process and apply it to products, services and types of transactions and you will also find where your risks really are so you can better devise the controls necessary to address them.

By using SAR information as a basis for an AML risk assessment, it also makes updates to the assessment easier and less prone to question by auditors and examiners.