Suspicious Activity Reports are unique documents among all the paperwork that a credit union must process. No other document comes to mind that has the protections and ability to affect other laws than the SAR. Few other documents carry the heavy civil and criminal penalties that the SAR does if the document is not timely and properly filed. Moreover, no other document must be kept secret at the credit union with the degree of intensity that the SAR requires.
Sound intriguing? Perhaps it is from the law enforcement side. However, most folks on the credit union side of the world never imagined that they would cross into the realm of law enforcement and yet that’s really what BSA is. All editorials aside, a client recently asked me whether or not credit union directors needed to look at the actual SAR documents every month or would just giving a report as to how many SARs were filed in a given month suffice? The answer is that no one at the credit union should look at a SAR unless he or she has a legitimate business purpose to so view it. This includes directors. Unless a director is part of a BSA audit team or has some other legitimate “need-to-know” basis, he or she should not see the actual SAR documents or paperless versions thereof.
Section 748.1 of the NCUA Regulations states that the management of the credit union must notify the board of SARs filed by the credit union. The NCUA has further explained that this means notifying the board every 30 days as to when SARs are filed. FinCEN has also stated:
Additional risk-based measures to enhance the confidentiality of SARs could include, among other appropriate security measures, limiting access on a “need-to-know” basis, restricting areas for reviewing SARs, logging of access to SARs, using cover sheets for SARs or information that reveals the existence of a SAR, or providing electronic notices that highlight confidentiality concerns before a person may access or disseminate the information.
See FIN-2012-A002. See also FIN-2010-A014.
It is also important to remember that the person upon whom the SAR is being filed can never be told about it. This applies to directors, officers and employees as well. SARs are, in effect, legal plutonium and must be handled with extreme caution. If this sounds wrong or alien or counter-intuitive, understand where this is coming from. SARs are a law enforcement tool. The rules surrounding them sound more in the secret side of law enforcement than in the open and caring environment one normally finds in the credit union.