Anti-money laundering – When and how to submit a suspicious activity report

Money laundering is a worldwide crime that is estimated to total over $2 trillion annually. In the past 20 years, laws have been put in place in the UK to crack down on this crime. This includes Client Due Diligence (CDD) procedures your firm must follow to ensure that your firm is not assisting in money laundering activities. When staff or businesses witness any suspicious activity, they are required to submit a suspicious activity report (SAR). Here is a short guide to what a SAR consists of and how to submit one.

What is a SAR (Suspicious Activity Report)?

According to the Proceeds of Crime Act, firms must make a suspicious activity report (SAR) if they suspect any form of illegal activity within a transaction. This form should be submitted within 48 hours of an initial suspicion occurring and the transaction cannot be completed without permission from the National Crime Agency. If the NCA does not respond within 7 days, the transaction can be completed.

Suspicious activity reports examples

The following are examples of the types of suspicions that could require filing an SAR:

  • Transactions that don’t make sense
  • Multiple currencies
  • Use of tax havens and high risk countries
  • Evidence of structuring
  • Small deposits followed by a large wire transfer
  • Excessive spending on luxury goods
  • Unclear source of income
  • Use of private banking
  • Evidence of being a PEP
  • Payments to people who seem to be connected

SAR reporting requirements

The criteria for when a SAR reporting can differ from country to country and even from institution to institution. The important things to remember are that 

  • You must report in any case where there is a reasonable grounds for suspicion
  • It is a criminal offence to disclose that a suspicious activity report has been made if that disclosure might prejudice an investigation. This would be known as a ‘tipping off’ offence.

When is a SAR required?

An SAR is required in any case where there is a suspicion of illegal activity. You are required to report when you have reasonable grounds for suspecting that a person is engaged in money laundering or terrorist financing. Failing to do so is a criminal offence that could land you in prison.

A suspicion is more than mere speculation. If money laundering is just one of many possible interpretations, but there was no other evidence of wrongdoing, it wouldn’t meet the test of being suspicious.

On the other hand, your suspicion does not have to be clear, firmly grounded, based on specific facts or even reasonable grounds.

Submitting the SAR (Suspicious Activity Report)

Failure to submit a SAR can result in serious consequences for you and your firm. The Money Laundering Reporting Officer (MLRO) acts as an intermediary between the firm and the National Crime Agency. They are also responsible for keeping all financial records of a firm and reporting any suspicious activity to the NCA. If an employee fails to report suspicious activity to their MLRO, they can face fines and even a prison sentence. If an MLRO fails to report to the NCA, they can face dismissal from their role and even longer prison sentences.

When should you actually submit a SAR?

It is required by British Law to fill out a SAR when there is suspicion of illegal activity within a transaction. “Suspicion” is a very broad term and unfortunately, the legal definition of suspicion is not much clearer. British law states that suspicious activity can be any activity that is out of the ordinary. One who notices any type of unusual transaction should investigate the activity which in theory should either support the claim of suspicion or remove the notion of any wrongdoing. With an ambiguous definition of “suspicion” and harsh penalties for failing to comply, reporting a SAR can be a very stressful and scary process for firms. The bottom line is if you feel like something is unusual and cannot find any validity to the unusual activity, you should file a SAR to the NCA.

If you are filing a SAR, it is illegal to tell the client in question, so it is very unlikely they will ever know. Additionally, if the NCA does not respond to a claim within 7 days, you are legally allowed to proceed with the transaction. If you have a suspicion about a transaction, it is always best to submit an SAR. The biggest risk in submitting a SAR is a delayed transaction, while not submitting one could cause serious legal and financial consequences for you and your firm.

VinciWorks’ AML training

AML training "Source of funds" module screenshot
AML: Know Your Risk presents realistic scnerios in a points-based gamified course

VinciWorks’ interactive anti-money laundering course, AML: Know Your Risk, takes the risk-based approach mandated by the Fourth Money Laundering Directive.  The course drops users into real life, immersive scenarios to test their knowledge, understanding, and ability to uncover risks of money laundering hidden in everyday transactions. VinciWorks has also developed a whistleblowing portal that can be used to report suspicious activity to managers. The platform encourages a “speak up” culture across the organisation by offering a safe place to report suspicious financial activity.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.