3.3. Best Practices for Drafting an STR or SAR
In general, a narrative should identify the five core components - who? what? when? where? and why? -of the suspicious activity being reported to the FIU. The method of operation/modus operandi (or how?) is also important and should be included in the report narrative. An LFI should ensure that the following five questions are answered prior to submitting an STR, SAR, or other report in the FIU’s goAML system.
Who is conducting the suspicious activity or transaction?
• Describe the subject of the STR, SAR, or other report, otherwise known as the suspect(s), including the conductor, beneficiary, and accountholders involved in the transaction or activity. • Provide identifying information on the parties involved in the transaction, such as the suspect’s occupation and position or title within the business. • List beneficial owners, directors, officers, and those with signing authority, if possible. If the transaction or activity involves an entity, include information on the ownership, control, and structure of the business. • Provide details about each individual or entity's role in each of the financial transactions described. It is important to understand who is sending and receiving the funds. [To be included only for an STR and supplementary reports involving transactions]. • If more than one individual or entity is involved in the suspicious activity, explain the relationships among the individuals or entities (if known).
Even though information may not always be available, information should be included to the extent possible. For instance, addresses for suspects are important; filing LFIs should note not only the suspect’s primary street addresses, but also, other known addresses. Any identification numbers associated with the suspect(s) such as passport and driver’s license numbers are also important to document.
What instruments or mechanisms are being used to facilitate the suspicious activity or transaction(s)?
• Review the instruments or mechanisms used in the suspicious activity (e.g., wire transfers, foreign currency, Wages Protection System (WPS), letters of credit and other trade instruments, correspondent accounts, money orders, credit/debit cards, etc.). • Understand the number of different methods employed for initiating the negotiation of funds, such as the Internet, phone access, mail, night deposit box, remote dial-up, couriers, or others. • Describe the source of the funds (as originator) or use of the funds (as beneficiary). In documenting the movement of funds, identify all account numbers at the LFI affected by the suspicious activity or transaction and when possible, provide any account numbers held at other LFIs and the names/locations of the other LFIs involved in the reported activity.
When did the suspicious activity or transaction take place?
• If the activity takes place over a period of time, provide the date when the suspicious activity or transaction was first observed and describe the duration of the activity. • To better understand the history and nature of the activity, and the flow of funds, LFIs should provide information on each individual transaction in a chronological order (e.g., individual dates and transaction amounts, rather than only the aggregated amount). [To be included only for an STR and supplementary reports involving transactions]. • Provide information on when the transaction was completed or attempted. If the transaction was not completed, the LFI should indicate this in the narrative. [To be included only for an STR and supplementary reports involving transactions].
Where did the suspicious activity or transaction take place?
• Explain if multiple offices of a single LFI were involved in the suspicious activity or transaction being reported. Provide the addresses of those locations. • Specify if the suspected activity or transaction(s) involves a foreign jurisdiction. In this case, list the foreign jurisdiction, LFI, address, and any account numbers involved in, or affiliated with the suspected activity or transaction(s). • This information should include any location involved in the full transaction chain, including ultimate originators and beneficiaries to the extent this can be ascertained. [To be included only for an STR and supplementary reports involving transactions].
Why does the LFI think the activity or transaction is suspicious?
• Describe the industry or business and why the activity or transaction is unusual for the customer. Consider the types of products and services involved in the activity and the expected activities of similar customers. • Assess why the activity created a red flag for the LFI or triggered an alert within the system.
These answers will vary based on the LFI type (for example, a depository institution versus an insurance company) and an LFI should also consider such factors as:
• The types of products and services the LFI offers; • The types of accounts the customer has with the LFI; • The normally expected business activity of the customer (if they are a customer of the LFI), and why this is not normal or expected activity; • The purpose of the payment or transaction, to the extent known, reported, alleged, or questioned; and • If the activity resulted from an automated alert, the scenario or rule that generated the alert.
How did the suspicious activity or transaction occur?
• Describe how the transaction or pattern of transactions was committed (i.e., the “modus operandi” or the method of operation). [To be included only for an STR and supplementary reports involving transactions]. • For example, if there appear to be multiple cheques deposited matched with outgoing wire transfers from the accounts, the narrative should include information about both the cheques and outbound transfers (including dates, destinations, amounts, accounts, frequency, and beneficiaries of the funds transfers).
3.3.1. Defensive STR or SAR Filings4
Defensive filing is the practice of filing STRs or SARs on transactions or activity(ies) that LFIs do not deem truly suspicious in order to reduce the risk of regulatory penalties for non-filing of STRs or SARs.5 Although there may be some aspect of the transaction or activity creating potential suspicion, defensive filings do not report on activity that the LFI truly considers suspicious. As such, defensive filings are generally discouraged given that such filings diminish the value of STRs and SARs, including by leading to an increase in non-valuable filings. An STR, SAR, and other report types should be of the best possible quality, including in that it should have a clearly written narrative with sufficient detail that comprehensively articulates the factors involving the reported suspicious transaction or activity. As a result, the CBUAE considers defensive STR or SARs as indicative of an inefficient transaction monitoring system and an LFI’s weak system of internal controls. An LFI may be asked to correct such deficiencies as part of broader supervisory measures provided by applicable law, including administrative sanctions, temporary limitation to business activities, etc. If, for any reason, an LFI needs additional data to assess whether unusual activity is truly suspicious, the LFI should review other mechanisms—such as expanding the time period for reviewing alerted transactions (e.g., from 30 days to 90 days) or reviewing threshold-based reports—to make the determination that an STR or SAR is required.
4 The UAE FIU has noted instances where SAR or STRs are reported due to the LFI not receiving supporting documents that would justify the transaction or activity. However, upon the FIU raising a request to the same LFI in the form of an AIF, supporting documents were subsequently provided for the same subjects and report. This documentation in some instances removed the suspicion of the transaction and in others, helped explain the transaction or action. Submitting reports to the FIU without first conducting a thorough investigation and looking at all available evidence creates a situation where non-suspicious transactions may be reported to the FIU. LFIs are reminded that internal investigations into the suspicious transaction or activity should be conducted to the fullest extent possible prior to raising an STR or SAR and that related documentation, when available or easily retrievable, should be included with the STR or SAR.
5 Egmont Group, Enterprise-wide STR Sharing: Issues and Approaches, Pg. 17