Ensuring consistent reporting of internal misconduct
During a relatively routine internal investigation of your run-of-the-mill prestidigitator, a strange line of inquiry began between the Human Resources (“HR”) representative managing the bank’s disciplinary response for the misconduct and myself. “Are you going to file a Suspicious Activity Report on them?” they asked. This was the first time anyone out of roughly 200,000 fellow employees had ever asked that question, and oddly it came from someone outside of the compliance and investigations team.
While taken aback, the response I provided was to reiterate their confidentiality and the risks of opening inappropriate inquiries about the reports. On the one hand, the HR rep’s knowledge of compliance requirements should be commended, and perhaps spoke to the strength of internal training. On the other hand, a serious question of where and how misconduct is inventoried and reported arose.
The inside job
There is an extraordinarily broad Suspicious Activity Report (“SAR”) filing category used for employee misconduct – Insider Abuse. According to FinCEN, Insider Abuse is meant to report a bank employee (“directors, officers, employees, agents or other institution-affiliated parties”) committing, aiding, or abetting criminal activities. Aside from its confusion with another, similar-sounding category (“Misuse of Position”), there are two key challenges to the Insider Abuse category:
- Delineating where and when the conditions to filing have been met (i.e., violation of criminal law), and
- Ensuring that all relevant misconduct is inventoried.
Typically, financial institutions will have multiple channels for reporting misconduct – direct referrals to the investigations unit, escalation to HR, external referrals, and a whistleblower hotline. The critical issue is that while only one of those entities would or should have SAR filing in its remit (Investigations, for ease of reference), the other entities might be reviewing SAR-fileable misconduct without referring it to the Investigations team. As a result, actions that should give rise to a SAR could be missed. To extend the analysis further, if there were large-scale or institutional misconduct, and such reports were not filed, a regulator could leverage that lapse to demonstrate deficiencies in the bank’s compliance risk framework.
Did you mean “oversight” or “oversight?”
Most financial institutions’ core Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) policy likely includes broad definitions of and references to SAR filing and its purpose. It may go so far as to discuss SAR confidentiality. Similarly, general-level BSA/AML training might include equally broad references to SARs as a concept, and technical training would include the nuances of suspicious activity reporting itself. And indeed, somewhere within the policies, procedures, training, and documentation, there would be references to an ethics hotline, whistleblower procedures, and other internal mechanisms.
In the anecdote above, it was only through sheer coincidence that the HR representative knew about SAR filing and was aware that the team with which they were engaged was a SAR-issuing team. Tying those contentions together, any team within a financial institution that interfaces with misconduct needs to have documented awareness of, and an escalation process to, a SAR-filing group.
Pen to paper
There is a fine line to toe, inasmuch as groups outside of the investigations team should not know or have reason to know that a SAR was even contemplated. Still, there needs to be some oversight across referral points of contact to ensure that there is, at a minimum, a review completed by a SAR-filing team within the institution. The HR or legal decisioning exists in a silo, as does potential SAR filing for the underlying misconduct; however, the latter is dependent on awareness of and from the former.
A centralized procedure could be developed by the compliance department and cascaded as needed or developed jointly by all interested parties (investigations, HR, legal, whistleblower/ethics team, etc.). This coordination would ensure a mechanism is in place for the investigations team to be made aware of all internal misconduct incidents. This centralized procedure places the burden of determining whether a SAR should be filed, and the confidentiality of that determination, with the only entity in the bank capable of and responsible for doing so.
However, if a plenary process seems too cumbersome, those respective units could consider creating their own procedures to determine the merit and need for a possible referral. If those businesses or functions are going to draft and own those procedures, though, the procedures themselves would need to have crystal-clear references to maintain SAR privilege.
Objects may be closer than they appear
In fairness, the failure to file SARs related to misconduct hasn’t been at the epicenter of an enforcement action…yet. However, as SAR failures point to broader compliance gaps, it might be worth some cogitation to put together a review panel. The objective would be to review misconduct incidents where SARs were filed and contrast that against incidents with no line of sight by the bank’s SAR-filing arm. The difference between the two is any incidents where a SAR could have been considered, but the appropriate function was not notified. From there, if the reporting channels most often used for misconduct referrals do not have a referral process, training, or oversight in place, then the organization may very well have found its gap.