| | | Effective PR

Should FIUs request the filing of only "quality reports?"

Recently, there has been renewed interest in the question as to whether an FIU should ask reporting entities to pre-qualify reports so that the FIU receives only "quality" reports. Here's the view of Nigel Morris-Cotterill

The discussion originated relating to Australia but soon spread around the world.

It is not a geo-political topic: it's almost an existential topic for financial crime risk systems. At its simplest, suspicion-based reporting is at the heart of the global effort to counter money laundering. Around the world, there is an obligation placed on certain persons performing certain activities to be alert to the possibility that money laundering (and terrorist financing) is happening and, if there is a suspicion that it is happening, to report that suspicion in a certain way.

That report is called a "suspicious activity report" or SAR, a "suspicious transaction report" (STR) or a "suspicious matter report" (SMR). There are technical differences between an SAR and an STR but they need not concern us. An SMR is just an SAR by another name. So we will refer in this article to SAR as a generic term.

Legislation (often called Acts) are made by Parliament by a legislative process. Unless a Court says otherwise, they have absolute primacy over secondary legislation (sometimes confusingly called "Regulations"), over regulations issued by regulators and notices, guidelines, etc, issued by regulators or anyone else.

There are two primary points:

1) no LEGISLATION says that financial institutions are permitted to filter. So long as suspicion is formed on reasonable grounds (which is not the same as being reasonably suspicious), the LEGISLATION requires that a report be made to the FIU (and sometimes to someone else, too). To fail to file an SAR where there is suspicion is a criminal offence.

2. The reporting institution does not and cannot possibly assess the value of the intelligence it has gathered. The FIU cannot assess that value until it has been added to its databases and analysis run not on that report in isolation but with that report adding data to that already in the hands of the FIU.

On these two bases alone, reporting entities should not be requested to select which reports are to be made. We will expand on these and then look at additional matters.

To request a reporting entity not to file reports where there is even a hint of suspicion exposes that entity (and those working within it) to risk.

AUSTRAC 2022: we've got too much to do (even though you put the info into our computer that we're told does all the heavy lifting) so we want you to send only "quality" reports.

AFP 2024: the bank downgraded its suspicions because it felt they failed a quality test, a test that has not and cannot be defined until the information is in the hands, or rather the computers, of the FIU. So, yes, we are sorry that a horrible crime, which we could have prevented if the FIU had had the information and passed it onto us, happened.

ASIC 2026: so, after the AFP's comments, we've reviewed some of your records and, with hindsight, we think that there are hundreds of thousands, if not millions, of reports that were not made because someone in the bank decided the intelligence was not of sufficient quality but those reports should have been made. Here's a whacking great fine, we're telling the media about it with our usual spin and we await you nominating a head to fall.

The law says "reasonable cause for suspicion." It does not say "reasonable suspicion." So there really is no argument. Reports are not covering the backside, they are complying with the law.

There is no discretion under the law: the FIU or, for that matter prosecutors or regulators, do not have any standing to go behind the letter of the Act which, unless a Court interprets it differently, is an unequivocal statement. If the law's an ass, Parliament can change it for a horse. But no one else can.

There is a world of difference between "unreasonable grounds" (which, incidentally, would not be protected if the target sued in respect of that report) and what is required.

But technically, if a person files a report saying "I believe this to be suspicious" then that is enough. And so it should be if the prime objective, that of producing a picture of the crimescape (I made that word up) of the entire country, is to be achieved.

If the only purpose of reports is "I think x is doing this, so prosecute him" then there is no reason to have an FIU at all.

FIUs are designed to be hoarders of information in case it might come in useful later. Banks, etc. cannot and should not know what data the FIU holds and compares each report to.

It is absolutely not "must have reasonable suspicion." That is exactly what the law doesn't say. It says "reasonable cause for suspicion."

You can't have a little suspicion like you can't be a little bit pregnant. Suspicion is an on/off switch: if you have it you act; if you don't, you don't.

The "reasonable cause" aspect is a far more grey area. If you form suspicion on unreasonable grounds, that is not acceptable.

If you have reasonable grounds (which a Court can decide retrospectively), and do not form suspicion, that is not acceptable.

So "reasonable" applies only to the reasons that you might, or might not, form suspicion. In short, reasonable has no place in relation to the actual suspicion and even less to the subject matter of the suspicion.

Why should it be a function of banks, etc. to assess the probative value of information that falls into their hands?

In the old days, it was said that the purpose of counter-money laundering laws was not to turn the financial institutions into policemen.

I disagreed with that: the purpose was specifically to turn them into constables because constables identify suspicious activity and report it.

The law was not intended to turn the financial institutions into detectives.

There has been more and more pushing that line to include the function of a detective and, if one looks at it from outside, referral for prosecution. Isn't that where the "quality" reporting argument is headed with FIUs ultimately saying "only send us reports which package a likely prosecution"? The more the line is pushed, the greater the opportunity for failure and the resulting penalties and reputational risk.

The suspicious activity report must have some basis in fact and critics absolutely right that banks etc. really do not know their customers. That gets worse with every step away from branch networks and towards technology as a replacement. Add in that many financial institutions farm out their assessments to data bunnies in sheds in the developing world (ok, maybe not sheds but you get the picture) and it's the same.

Much could be resolved by allocating cases to a single caseworker (not even an account manager) who has continuous control over the enquiry instead of a stream of first-name-only people who work to a checklist, no intellect involved.

As you will gather, I find such practices indefensible.

Reports must be based on "reasonable" suspicion based on a knowledge of the customer, not an unreasonable set of principles that assume everyone wears the same size shirt.

If such a filtering process is adopted, reporting entitles are left trying to work out what "quality" means. in relation to e.g. terrorist networks, organised crime gangs, etc., it is the connections between elements that provides the intelligence that supports preventative policing and, of course, tracing of money and assets.

This is a sample display from the leading join-the-dots analysis software i2, now owned by IBM, courtesy of PiFi Solutions.

This is the statutory obligation of FIUs. Often, it is those that integrate the function of gathering and analysing intelligence with other functions that complain that the information they receive is of poor quality.

I, on the other hand, argue that there is no poor quality intelligence: only intelligence that has yet to be connected to other intelligence.

The purpose of the FIU is not, primarily, to support individual prosecutions. It is to analyse information that supports wider investigations.

The problem there, as FinCEN has found out, their hands are not visible in the end result, a "pure" FIU does not rush into buildings wearing jackets with their names on the back. so their efforts are not recognised by the general public. Some media call FinCEN "shadowy" which it absolutely is not.

Those FIUs that incorporate investigations, based on Thailand's AMLO model, have a higher public profile.

So, FIUs are designed to hoard information in case it comes in useful later. And we know it works: security agencies have their own lists based on little more than who someone spoke to on the phone or in the street. Often, when terrorist networks are analysed, it is found that there were lines of communication that had been noted long before. So all data is good data. It's a pity governments don't recognise that and give FIUs adequate resources.

It follows, then, that the demand for "better quality reports" has no basis in law and undermines the fundamental purpose of the FIU system both domestically and, as Egmont gets its act together, globally.

There is a discrete point: the obligation on banks is to provide intelligence, it is not to prepare an individual case for prosecution. If SARs are filtered to those that a bank thinks might lead to a conviction, that is outside its capability and, arguably, authority. That decision is, or should be, reserved for law enforcement i.e. the state.

If FinCEN and AUSTRAC are overloaded with reports, it is far more likely to be as a result of the cash transaction reporting system than it is of SARs.

Some take the view that it is the FIU that requires the filing of SARs.

No, that requirement is in the law and it is not open to interpretation.

What if a person files a false report?

There is no offence, anywhere in the world so far as I know, of reporting when there was no merit.

However, if the report is malicious then I assume that attempting to pervert the course of justice would apply. As FIUs are rarely part of the police, "wasting police time" wouldn't apply.

But where a report is ill-founded, there is the possibility of civil action because the good faith provisions would have been breached (Shah-v-HSBC)

But this niggled me: I wondered if there were other denouncement statutes where false reporting is a crime.

I found something close to home. The Malaysian Anti-Corruption Commission Act provides for protection of whistleblowers provided they act in good faith. But in the case of a false report (which by implication would not mean where there is an honest mistake) there is a penalty of jail, fine or both.

What's the difference? In counter-money laundering laws, there is an obligation to report; in the Anti Corruption Act, there is an invitation to report.

It follows that, when a person is compelled to give information, the state does not imply a discretion. On the other hand, where reporting is voluntary, discretion must be applied.

Nigel Morris-Cotterill is author of, amongst other things, "Understanding Suspicion in Financial Crime" which is now an e-learning course and available, for some sectors, as a face to face seminar and workshop. See www.financialcrimeriskandcompl...

---------------- Advertising ----------------


World Money Lau...