Q: What requirements do residential mortgage lenders have in regard to notifying their Board of Directors (the "Board") and/or Executive Management of suspicious activity report ("SAR") filings?
A: A compliant and effective AML Program includes, among other components, active involvement and oversight by a mortgage lender's Board and/or Executive Management. Active involvement and oversight requires obtaining sufficient information on SAR investigations and filings so that the Board – or a Board's equivalent, such as an Executive Management Committee – is able to fulfill its fiduciary duties to the company.
Several federal agencies have issued guidance regarding notification requirements for Board members. This guidance may be useful for mortgage lenders in determining how and what to communicate to Board and/or Executive Management members with regard to SAR filings. Specifically, the Federal Financial Institutions Examination Council's ("FFIEC") Bank Secrecy Act / Anti-Money Laundering Examination Manual includes a Suspicious Activity Reporting – Overview section, which indicates in relevant part:
"Banks are required by the SAR regulations of their federal banking agency to notify the board of directors or an appropriate board committee that SARs have been filed. However, the regulations do not mandate a particular notification format and banks should have flexibility in structuring their format. Therefore, banks may, but are not required to, provide actual copies of SARs to the board of directors or a board committee. Alternatively, banks may opt to provide summaries, tables of SARs filed for specific violation types, or other forms of notification. Regardless of the notification format used by the bank, management should provide sufficient information on its SAR filings to the board of directors or an appropriate committee in order to fulfill its fiduciary duties, while being mindful of the confidential nature of the SAR."
Additionally, Section 8.1-46 of the Federal Deposit Insurance Corporation's ("FDIC") Risk Management Manual Examination Policies explains in relevant part:
"Section 353.3 of the FDIC's Rules and Regulations requires the financial institution's board of directors, or designated committee, be promptly notified of any SAR filed...
- Customer's name and any additional suspects;
- Social Security Number or TIN;
- Account number (if a customer);
- The date range of suspicious activity;
- The dollar amount of suspicious activity;
- Very brief synopsis of reported activity (for example, "cash deposit structuring" or "wire transfer activity inconsistent with business/occupation"); and
- Indication of whether it is a first-time filing or repeat filing on the customer/suspects.
Such a tracking report promotes efficiency in review of multiple SAR filings. Nevertheless, there are still some SARs that the board of directors, or designated committee thereof, should review individually.... Financial institutions are encouraged to develop their own parameters for defining 'significant SARs' necessitating full reviews; such guidance needs to be written and formalized within board approved BSA policies and procedures."