Chapter 11 Exercises
Suspicious Activity Reporting and Case Management
Exercise 11.1: SAR Filing Threshold Assessment
Difficulty: Introductory
For each of the following scenarios, determine whether a SAR filing is required, and if so, which statute applies and why. Assume all scenarios involve US-regulated financial institutions unless stated otherwise.
a) A US bank's transaction monitoring system flags a $4,200 cash deposit by a retail customer. The analyst reviews the alert and concludes the activity is consistent with the customer's known income and historical transaction pattern.
b) A US bank's analyst reviews a customer account showing a series of wire transfers to a jurisdiction known for narcotics trafficking. The total wired is $85,000 over 60 days. The analyst cannot identify any business purpose consistent with the customer's declared occupation (retired teacher, stated income $40,000/year).
c) A UK bank's compliance team reviews a business account and determines that the account appears to be receiving proceeds of VAT fraud. No transaction exceeds £3,000. Total volume is £18,000 over 3 months.
d) A US money service business (MSB) identifies suspicious activity involving $1,800 in structured transactions by an individual customer.
e) A US bank's relationship manager has a customer who verbally mentions, during a routine meeting, that they have been investing in a cryptocurrency exchange that the relationship manager knows has been seized by US authorities for money laundering. No suspicious transactions have appeared in the bank account.
Exercise 11.2: SAR Narrative Improvement
Difficulty: Introductory-Intermediate
The following SAR narrative is of poor quality. Rewrite it as a high-quality narrative incorporating the five elements described in Section 11.4. You may add plausible (fictional) details to improve specificity.
Poor quality narrative (to improve):
"Customer account showed suspicious transactions over the past few months. Multiple deposits and transfers were made that appear inconsistent with the customer's stated business purpose. The account received funds from various sources and payments were made to multiple parties. This activity is suspicious and is inconsistent with the customer's account history. We are filing this SAR to alert law enforcement."
Assume: Customer is "Bright Star Consulting LLC," account opened 14 months ago, stated business purpose "business consulting services." In the most recent 3 months, the account received 12 wire transfers from 8 different counterparties totaling $145,000, then made 22 outbound ACH payments to 16 individual recipients totaling $138,000 within 5 business days of each inbound wire. Prior 11 months: average monthly inbound $8,000, outbound $7,200. No prior SARs. No adverse media. No law enforcement contact.
Exercise 11.3: Network Analysis
Difficulty: Intermediate
The following transactions have been identified during a SAR investigation (all amounts in USD):
| From | To | Amount | Date |
|---|---|---|---|
| Account A | Account B | 45,000 | Mar 1 |
| Account A | Account C | 32,000 | Mar 1 |
| Account A | Account D | 28,000 | Mar 1 |
| Account E | Account B | 38,000 | Mar 3 |
| Account E | Account C | 29,000 | Mar 3 |
| Account B | Account F | 77,000 | Mar 5 |
| Account C | Account F | 58,000 | Mar 7 |
| Account D | Account F | 25,000 | Mar 8 |
| Account F | Account G | 120,000 | Mar 10 |
| Account F | Account H | 40,000 | Mar 12 |
a) Draw the transaction network (can be text-based notation or ASCII diagram).
b) Identify which account has the highest betweenness centrality. Explain what this indicates about its role in the network.
c) Calculate the in/out ratio for Account F. What does this indicate?
d) Identify which accounts exhibit "fan-in" (receiving from multiple sources). What AML typology does this pattern suggest?
e) Account G is identified as a real estate law firm's client escrow account. Account H is a casino in a jurisdiction known for AML risk. How does this additional information change your assessment of the network?
Coding Exercise 11.4: Build a Transaction Network Analyzer
Difficulty: Coding — Intermediate
Using the build_transaction_network() and identify_aml_risk_nodes() functions from Section 11.3, write a complete case analysis pipeline:
-
Create a
CaseAnalyzerclass that: - Takes a list of transactions and a list of known subject accounts as input - Builds the transaction network - Calculates risk metrics for all nodes - Returns aCaseReportdataclass containing:- Network statistics (total nodes, total edges, total flow)
- Top 5 nodes by betweenness centrality
- All rapid transit nodes
- All high fan-out nodes
- A plain-English summary of the network structure
-
Implement the
CaseReport.to_narrative_fragment()method that returns a paragraph suitable for inclusion in a SAR narrative, describing the network structure in plain language. -
Test with the transactions from Exercise 11.3.
Exercise 11.5: Continuing Activity Assessment
Difficulty: Intermediate
Scenario: A SAR was filed on February 15 for suspicious activity observed in December–January (structuring pattern, total amount $67,000). The SAR's subject is a retail customer named David Holloway.
Since the SAR was filed: - March: Three additional cash deposits, each $8,500 ($25,500 total). Same branch locations as December–January pattern. - April: No suspicious activity. One ordinary payroll deposit ($3,200). - May: One cash deposit of $11,200 (above CTR threshold; CTR filed). Two cash deposits of $4,500 each. Total cash: $20,200. - June: No cash deposits. Account balance drawn down to $400 by ATM withdrawals.
For each month: a) Should a continuing activity SAR be filed? Explain your reasoning. b) If a SAR is filed, what should the narrative describe? c) Should any account action (e.g., enhanced monitoring, exit) be taken?
Exercise 11.6: Case Management System Requirements
Difficulty: Applied
A mid-size bank is selecting a new case management system for its AML compliance team. The team manages approximately 800 active cases per year and files approximately 120 SARs annually.
Design a requirements specification for the case management system. Your specification should address:
a) Core functional requirements: What must the system do? (List at least 10 functional requirements)
b) Data integration requirements: What internal and external data sources must the system connect to? What API or data exchange standards are required?
c) Workflow requirements: What approval workflows must the system support? How should cases be assigned, escalated, and closed?
d) Reporting requirements: What compliance metrics must the system produce? What regulatory examination support functions are needed?
e) Security requirements: What access controls, audit logging, and data protection standards must the system meet?
f) Evaluation criteria: How would you assess competing vendors? What is your weighting scheme for the five categories above?
Applied Exercise 11.7: SAR Program Metrics Benchmarking
Difficulty: Applied — Research Required
Review the available public information from FinCEN's annual SAR statistics reports and UK NCA's annual SARs report.
a) What is the current annual volume of SARs filed in the US? In the UK? How has this trended over the past five years?
b) What percentage of US SARs are filed by depository institutions (banks) versus other filers?
c) FinCEN publishes data on the primary suspicious activity types cited in SARs. What are the most common suspicious activity types reported?
d) The UK NCA reports on "defence SARs" (consent requests) as well as full SARs. What proportion of SARs are defence SARs, and what does this suggest about how UK financial institutions are using the SAR regime?
e) Based on your research, what is the estimated law enforcement "utilization rate" of SARs (what percentage of filed SARs result in law enforcement action)? What does this suggest about the quality and quantity balance in current SAR programs?
Write a 400-word summary with at least three sources cited.