Writing A Suspicious Activity Report Narrative

Suspicious activity monitoring and reporting is the cornerstone of your BSA/AML program.  Once you identify the suspicious activity, filling out the Suspicious Activity Report, and more specifically, the narrative, can be a little daunting.  What’s the best way to articulate all the information you might have?

Listen to the video as Kevin explains what he believes to be the six most important items to get into your SAR narrative.

All About Suspicious Activity Monitoring and Reporting

Your suspicious activity monitoring and reporting is the cornerstone of your BSA program. Now, I know. When you sit down and you’ve gathered all of your information and you’ve determined that it’s time to file a SAR, oftentimes when you sit down at that keyboard and start typing in the suspicious activity report narrative, that can be the most daunting task of the entire process. How exactly are you going to articulate all of the information that you have in a format that’s easy to read? Now, I read a lot of suspicious activity reports and sometimes even very experienced BSA officers miss what I think are the six most important items to get into your narrative. It’s the who, what, where, when, why, and how of your narrative.

Who is conducting the suspicious activity? Now, I know that’s already been laid out in the rest of the SAR format, but sometimes in that narrative, you can get really confused as to who did what and who exactly are you focusing on? So who is conducting that suspicious activity? What instruments were used? Again, that is in the body of the SAR as well, but sometimes laying it out in that narrative and being very specific about what were the mechanisms or the instruments or what actually took place and what types of products or services at your banks were being utilized? When did the suspicious activity take place? That’s an easy one to miss simply because there’s a lot of dates already filled into the format.

But if you lay it out in the narrative, it helps investigators really understand what’s going on and piecing it together. Remember, they’re reading these very quickly, so sometimes just having it in that narrative can be really helpful.

Where did the suspicious activity take place? Again, what is their branch information? Did the activity occur outside of the bank? Is there activity that occurred in different branches? Make sure you clarify that in the narrative. And then why does the filer think that this is suspicious?

In fact, that’s sometimes the most important part of the narrative that is easily missed. When you fill out all of the information, you have more information than the reader does, and sometimes it’s easy to forget.

You really have to lay out why you think it was suspicious. And then it’s also helpful to say, what crimes do you think might’ve been committed under these circumstances? Just laying that out in the narrative in an easy to understand format can be very helpful. And then finally, how did the suspicious activity occur? The final how. Laying all of that with a very clear and concise narrative can help law enforcement when they’re reading through these to really understand what you’re getting at. So keep in mind, you have the six most important things to make sure you get into your narrative, the who, what, where, why, and how. Thank you.


If you want to learn more, be sure to check out our webinar, “All About Suspicious Activity Monitoring & Reporting”, which is available now, OnDemand.


FinCEN Advisory on Cybercrimes

It’s no secret that cybercriminals are taking advantage of the COVID-19 pandemic to commit crimes against financial institutions and their customers. 

On July 30, 2020, FinCEN issued an Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the COVID-19 Pandemic.  Cybercrime has been rampant during the pandemic and this latest release alerts financial institutions to a new list of red flags to look for that could indicate cybercrime and cyber-enabled crime.  The Advisory also has interesting descriptions of the scams being encountered and requests that financial institutions reference it specifically when filing related Suspicious Activity Reports (SAR).

The Advisory focuses on three major categories of cybercrime being encountered: 1) Targeting and Exploitation of Remote Platforms and Processes; 2) Phishing, Malware and Extortion; and, 3) Business Email Compromise Schemes.  Red flags for each type are also provided.  Because the pandemic has forced banks and customers to utilize more remote access, cybercriminals have specifically targeted and exploited the vulnerabilities in remote platforms and processes.  There has been a significant increase in phishing, malware and extortion campaigns, specifically related to COVID-19.  Business Email Compromise Schemes occur when criminals have payments redirected to new accounts, claiming it’s due to pandemic-related business changes.

In addition to the 20 red flags FinCEN advises financial institutions to monitor for, it also requests that financial institutions reference the Advisory in any related SAR filings.  The term “COVID19-CYBER FIN-2020-A005” should be included in SAR field 2 and in the narrative.

Need more information on BSA/AML-related topics? 

We have an extensive library of webinars that are available now On Demand.


Hemp Flash Session Agenda

See the full training here – https://store.bankerscompliance.com/link/BSAhempflash7-20

Kevin did more than “hope to accomplish”. He slayed the Flash Webinar today. Hemp Customer Due Diligence Update.


Now the agenda. What we are going to hope to accomplish today is to walk through, at a high level in about a half hour and talk through the difference between legalized marijuana and hemp. We’re going to talk through the guidance that’s available, where we have some concrete information and where you have to make your own program, so to speak. We’re going to go through the farm bill, and how that changed hemp in the last couple of years. And then also discuss how do you manage that risk. If you are participating in that aspect of the Ag world, you need to understand how it works so you can make sure you’re managing that risk appropriately. We’re going to discuss Enhanced Due Diligence because the guidance does say that a hemp producer is a high risk customer, so you need to manage them appropriately. And then we’re going to talk through some of the specific SAR expectations and red flags.



FinCEN Advisory on COVID-19 Scams

On July 7, 2020, FinCEN issued an Advisory on Imposter Scams and Money Mule Schemes Related to COVID-19.  These two types of consumer fraud have been observed to be on the rise during the current pandemic.  The advisory provides explanations of how these scams and schemes work, red flags that may help identify such activity, as well as how to report these types of scams/schemes on the Suspicious Activity Report.

Click on the video to listen to Micaela explain more.



I’m here today to talk about FinCEN’s new advisory that came out on July 7th, and it relates to imposter scams and money mule schemes as it relates to COVID-19.

What exactly is an imposter scam? An imposter scam is when there’s essentially an actor that targets someone acting in some type of an official capacity. For example, the IRS, the CDC, the World Health Organization, or WHO, and they then use that false position to encourage their target to either provide valuable information, provide money, get them to click on suspicious links or open suspicious attachments in an email, and then their computer would become infected with malware in those situations. And so what FinCEN has been seeing is an uptick in these scams with the COVID-19 fear attached to it. And so they’ve issued seven different red flags that you can use and share with your tellers, your bankers, to help identify this activity and make sure it gets reported.

In general, these red flags relate to the verification, the processing, or the expedition of government payments, so either the stimulus checks, unemployment, that type of stuff. It’s usually trying to get action to happen quickly to essentially expedite those funds into someone’s account. Particularly, the vulnerable are susceptible to this, so the elderly, the unemployed, those that may be a little bit more desperate in this COVID-19 environment that we’re living in that are really needing those funds. And so that’s the imposter scam.

The other side of this guidance touches on money mule schemes. A money mule is someone that either transfers illegally acquired money on behalf of someone or at the discretion of someone else. A money mule can relate or a money mule can be someone that is either unwitting or unknowing all the way up to someone who is entirely complicit and aware that they’re part of a larger criminal scheme.

With the money mule schemes, usually a customer’s account activity becomes atypical quickly and any funds that are put into the account are quickly then taken out of the account either via wire transfer, ACH, something of that nature. It usually happens very quickly and these money mule schemes are definitely seeing an uptick as they relate to the unemployment insurance benefits. For example, there might be a bank customer that receives deposits of what appears to be unemployment insurance income into their accounts. The name or on the benefit of what those insurance checks are supposed to be, or who they’re supposed to be to, that might not match your customer’s name. The state that it’s coming from might not match where your customer lives or works or information that you would otherwise know about your customer. And so that’s an example of where then that customer is being used then to transfer that money elsewhere.

Where we’re seeing these schemes might be with unemployment insurance income, again. It might be with students. They might be working at home schemes, that type of stuff, and this is something that we’ve seen as part of Bankers Compliance Consulting. We’ve seen that some of our clients, these money mule schemes happening and they’re having to report on them. We haven’t quite seen as much of the imposter stuff, but the money mule, we’ve definitely been seeing so keep your eyes peeled for that.

With relation to the money mule, there are an additional 11 red flags that FinCEN issued to help banks identify this. Those can be found in the advisory. Those are on pages six and seven. Go ahead and distribute those to your staff. Make sure your tellers are aware of it as it’s usually your frontline staff that are going to pick up on this most quickly.

Lastly, as it relates to whether it’s the imposter scam or the money mule scam, FinCEN is asking that when you file SARs on this activity, that you follow a set of specific instructions. This is by putting or relating this memo in certain key fields and in the narrative and specific guidance on that can be found in the advisory as well. There’s a short summary on the front page, and then the very last page has step-by-step details.

Again, new guidance seems to be there’s no shortage of new guidance in this environment that we’re living in, but keep your eyes open. This is something that’s happening and your customers can be taken advantage of. And so FinCEN’s really looking for your help and getting it identified and getting it stopped. Thanks, everyone.


“Why” Suspicious Activity Monitoring & Reporting Training

Kevin Edwards taught the All About Suspicious Activity Monitoring & Reporting webinar. Here he talks about the “Why”. Get it on-demand.

Featured Topics:

Monitoring Systems
Reporting Systems
Types of Suspicious Activity & Reporting Triggers
Decision Making & Timing Requirements
Form Completion Best Practices & Quality Control
Board Notifications
Continuing Activity
Record Retention
Confidentiality & Consequences of Non-Compliance

Designed for BSA/AML personnel, management, compliance officers, auditors and other risk management or operations personnel.


With that, let’s get started. We’ve got a lot of ground to cover, but I always like to start off with why is this so important? It’s always worth starting off with a why. Now, since this is a BSA specific webinar, I really don’t need to explain to you from a regulatory perspective why this is so important because everybody knows that suspicious activity reporting element of your BSA AML program, it’s really the cornerstone. And a lot of how your system is going to be judged from a regulatory perspective is based on how well this suspicious activity reporting is working and how well you’re documenting it, because it’s really a vital element of the program.

Even as we have seen some slight deregulation in the banking industry, you’ve noticed that they’re actually ramping up the expectations from a BSA perspective. So it’s not slowing down even in the deregulatory swing of the pendulum. The other thing that you might want to write down on the front of your page is just remember that, for the first time ever, there was personal liability assigned to a compliance officer for failings in a BSA program. So if you don’t know what I’m talking about, look at the US Bank regulatory enforcement action, because it’s pretty interesting. FinCEN, for the first time, cited someone individually and had a pretty hefty monetary fine levied against somebody because they really had some major failings in their BSA AML program. Things like inadequate SAR monitoring and failure to report SARs. So it really relates to some of the things we’re going to talk about today.

Now, that’s the in-house regulatory perspective, but then also there’s the criminal justice element to the BSA program. There are a lot of bad actors out there. There’s a lot of crime that banks are in a special position to monitor for. So, in the back of your head, as we’re going through this, keep in mind, this is a vital element into fighting things like human trafficking, terrorist financing, money laundering that’s tied to organized criminal activity. And the other thing to keep in mind is that we just got an exam manual update that provided us a little more detail. And one of the areas that it enhanced was the concept of the MLTF and other illicit financing. There’s a new acronym out there that we’re going to get into detail later today, but that acronym should work its way into your monitoring program. So we’ll talk about it a little more when we get there.

