Guidance on suspicious and/or unusual activity reporting for cryptos is always evolving. Here are 3 tips based on the latest compliance best practices for your team to implement.
Everyone who operates a cryptocurrency business will see potentially suspicious and/or unusual activity from some of their customers at some point.
It’s even plausible that you would see potentially suspicious and/or unusual activity multiple times a day, especially if you operate a large platform or multiple kiosk locations.
While suspicious and/or unusual activity doesn’t, in and of itself, constitute a crime, AML compliance requires such activity to be reported to the Financial Crimes Enforcement Network (FinCEN) in the form of a Suspicious Activity Report (SAR).
If you’re new to the concept of SAR filing, we recommend checking out our Crypto Compliance 101 blog post on the topic; it gives an entry-level explanation of the SAR reporting process.
This post is for business owners or BSA Compliance Officers at cryptocurrency financial institutions (FIs) interested in improving the quality of their SAR submissions.
If, whether in communication with FinCEN agents or during the course of an annual AML audit, the quality of SAR filings was commented on as an area in need of improvement, these tips will help.
3 tips for improving SARs
Do not name victims in the subject field
Whenever we review SAR filings for cryptocurrency businesses, one of the most common errors we notice is the naming of a victim in the subject fields of the SAR.
It’s an understandable error, since the SAR preparer wants to be as helpful as possible, and provide as much information as possible. Therefore, they provide information about the victim to help FinCEN investigators connect more dots.
While this spirit of offering as much information as possible is to be applauded, this information is more likely to confuse FinCEN investigators than anything, because it’s simply in the wrong place.
Investigators and regulators only want the names of the subjects, i.e., those responsible for the potentially suspicious and/or unusual activity. Thus, the subject of a SAR should always be the alleged perpetrator, not the victim.
SAR preparers do have the opportunity to offer this information elsewhere in the SAR filing, of course. In the narrative itself, it could be helpful to offer some contextual information about victims there (e.g., “Mrs. O’Leary at 1234 Business Drive, who is 65 years old,”).
This information may be valuable in the sense that it could identify an organized effort by illicit actors to target elders or certain geographic locations, for example.
The key takeaway here is to leave the subject field for the person or persons believed to be engaged in potentially suspicious and/or unusual activity, never the “victim.”
Include location and branch fields
This tip mostly applies to bitcoin ATM/kiosk operators, though any cryptocurrency money transmitter with a brick and mortar location, or multiple locations, should also take note.
There are several fields in a SAR for “branch location.” Many cryptos leave them blank.
Historically, most people associate a “branch” with a local, brick-and-mortar traditional bank location.
Since cryptos, especially ATM/kiosk operators, do not operate such retail locations (in fact, they are most often located within brick-and-mortar establishments unrelated to cryptocurrency), we often see SAR filings that leave this information out.
Again, this is understandable, but the location of the ATM where the suspicious and/or unusual activity occurred could be useful to investigators.
In this way, “branch” is a term of art for crypto. It simply refers to the location of the ATM where the activity occurred.
Absent any direct input from FinCEN, and in the spirit of providing as much useful information as possible, we often advise that kiosk operators input the “branch” location information in the proper fields.
If nothing else, it’s one more piece of information that could help law enforcement.
Explaining your business model
Lately, we’ve advised businesses to include a brief explanation of their business model in the SAR narrative field.
Understanding that not every member of law enforcement has the same level of familiarity with cryptocurrency, we’ve found that information like this goes a long way to fill the knowledge gaps that still exist as the industry continues to become more normalized and mainstream.
Since law enforcement officers are always learning about new methods for laundering money and exploring new financial crime typologies, including some basic details about the cryptocurrency business model is a collaborative, good faith move on the part of businesses.
Some information to include would be a brief description of the business model, whether the transactions flow one or both ways (i.e., fiat to crypto, crypto to fiat, or both), which tokens are offered by the institution and any other details that would help explain how typical business is conducted.
If you’re struggling to explain your business model, you might simply borrow some of the boilerplate from your executive summary or an elevator pitch you shared with colleagues or strategic partners.
Key takeaways for bitcoin compliance
If you are new to SAR filing and have questions about what qualifies as suspicious and/or unusual activity, you might want to review our blog post on the topic of surveillance and monitoring.
We also wrote a blog post about some of the most important transactional red flags that cryptos need to be on the lookout for that may be of assistance here as well.
If you worry that your transaction monitoring procedure isn’t catching enough suspicious and/or unusual activity, or that your SAR filings are incomplete or potentially flawed in any way, we’d highly recommend undergoing an AML audit.
Audits should be performed by a third-party, particularly one that specializes in cryptocurrency businesses and AML compliance (like BitAML), every 12 to 18 months. During an audit, report filings will be reviewed, and suggestions for improvement, if any, will be offered in the final analysis.
If you’re interested in setting up an AML audit, or simply have compliance questions and can use some guidance, reach out to BitAML today at this link. We offer free consultations and can help you design a battle plan for improving your institutional compliance.
