Unusual Activity Detected in a Customer Account: What to Do Next?

An Investigation into a customer’s account has identified that your customer has been involved in suspicious activity, so what do you do as next steps? do you exit the customer immediately, raise a SMR, or do you let the customer do what he/she is doing let’s find out.

Here are four responses you might do to after unusual activity is identified 

The Challenge of Making a SMR/No SMR Decision:

Firstly If you believe a suspicious activity is linked to a crime then you must report this to a Financial Intelligence Unit or a regulatory body in your jurisdiction (In Australia you report to AUSTRAC, USA – FinCEN, New Zealand-Police FIU). You also must submit this report within 3 business days if it is a money laundering related suspicion and within 24 hours it the suspicion is related to Terrorist financing (AUSTRAC timelines as of writing), which includes situations where you reasonably suspect that a person is committing a crime, is misrepresenting their identity, or might be a victim of a crime.

However on cases where it is unusual activity and not related to criminal or Terrorist financing then filing a SAR is based on a case by case basis. While the investigation process varies by case, decisions to file a suspicious matter report (SAR) should always be fact-based. The condition for filing a SAR again differs across jurisdictions and institutions, which means decisions are not uniform. Similar transactions might trigger a SAR in one scenario but be deemed reasonable in another. Institutions must follow their policies and seek regulatory guidance from a Financial Intelligence unit (FIU) as and when necessary.

When deciding to file a SAR, regulators set specific criteria, but institutions, based on their risk tolerance, ultimately determine if an activity warrants a SAR. Documentation supporting the decision is crucial as it forms the SAR’s core content.

Analysts and investigation teams must investigate customer activity, providing facts that justify the SAR decision. This includes assessing updated CDD of the customer or the Transaction Monitoring Rule description which led to an alert in Banks system amongst other documentation.
Decision-making varies by institution size and type, requiring guidelines to distinguish normal from suspicious behaviour. For example, a student transferring $70,000 to a high-risk country is suspicious, but a business with suppliers there might do so regularly without raising alarms.

Maintaining an Account After Unusual Activity

After filing a SMR, financial institutions must decide whether to keep or close the impacted account, based on their risk tolerance and guidelines. Law enforcement may request the account remain open for further investigation. Post-SMR, it is critical to perform enhanced due diligence (EDD) if the customer is high-risk, reviewing transaction monitoring processes to mitigate additional risks.

Next steps for institutions include regular review and enhanced monitoring of the account, adhering to legal restrictions, and possibly altering the customer relationship. If the account remains open, the institution should monitor for further suspicious activity, perform EDD, and ensure compliance with all legal and reporting requirements. Additional measures may include senior management approval before transactions. Institutions should also be aware of law enforcement restrictions and understand that terminating certain customer relationships, like loans, can be complex. Institutions must maintain lending relationships where required but can prevent customers from opening new accounts, ensuring principal and interest payments are legitimate.

Customer Exit

Institutions may exit customers who fall outside their risk appetite, considering factors on a case-by-case basis. Although regulators provide guidelines, specific processes for managing AML-related decisions vary and regulators also advise Financial Institutions provide enough notice before ending the relationship with a customer.

An account closure strategy should outline types of risks, accounts, or behaviours warranting closure. Before agreeing to closure, steps include giving the customer enough time for closure so they can find an alternative financial institution where possible. After closure, usually with a closure form, acquiring fin-crime teams review, and adding the client to a prohibited list. Other examples to be included in the closure form are Repeat SMRs, negative news, or high-risk transactions without legitimacy often lead to closure recommendations. The closure form, which is reviewed at multiple levels before final approval and execution by the Operations Team within the FI.

These processes vary by institution and jurisdiction, so you should check with your local FIU and relevant regulatory bodies for what is related to your business and for steps to be taken.

Preventing the Customer from Opening a New Account

After multiple SARs, institutions may end the relationship and prevent new account openings, though this doesn’t eliminate the risk entirely. Customers may use alternate identities. Adequate onboarding information, robust monitoring systems, and knowledge of the customer’s related parties help detect and prevent new accounts. Institutions need comprehensive controls and processes to prevent re-entry, using enhanced due diligence and specific transaction monitoring filters to mitigate risk.

Updating the Transaction Monitoring system with this trend for future alerts and reviews

Transaction monitoring systems are most effective when you keep feeding regular information involving the bad and the good activities in your business. This will lead to any future alerts of the customer identifiable information provided. Ideally the customer information should be picked up at the KYC stage, however in case it gets missed there, the transaction monitoring system should pick this up.

Did I cover the steps to be considered, or did I miss out on something crucial, please feel free to comment.

Note -: Opinions mentioned here are mine only and does not constitute the organization I work for and what they do, and users need to consider several factors including their local jurisdiction, risk to their business prior to taking a risk decision. Please consider this post as for educational purposes only.