casemark/auditing-aml-transactions

Auditing AML Transactions

Screens transaction data for suspicious patterns using red flag typologies and structures SAR narrative elements for BSA/AML compliance.

When To Use

• Transaction monitoring system generates an alert requiring human review
• BSA officer receives a referral (internal, law enforcement, or examiner finding)
• Periodic look-back or enhanced due diligence review of high-risk accounts
• Continuation SAR is due on the 90-day cycle
• Independent audit requires sample transaction review
• 314(b) information-sharing request received from another institution

Inputs To Gather

Collect all items below before starting review. If transaction records are unavailable, STOP — document the gap and escalate.

Institution & Scope

• Institution type (bank, MSB, broker-dealer, credit union, insurance, casino, other) [VERIFY]
• Charter/license jurisdiction and primary regulator [VERIFY]
• BSA/AML program status (established / recently remediated / under consent order)
• Review period (start and end dates)
• Alert source and alert/case ID

Subject Information

• Subject name(s) — individuals and/or entities
• Account number(s), account type(s), and open date
• Customer risk rating (Low / Medium / High / Unrated)
• KYC profile: stated occupation, income, expected activity, source of funds
• Prior SAR history on this subject

Data Sources

Confirm availability of each: transaction records (debits/credits), wire transfer details (originator/beneficiary), cash activity and CTR history, check images and deposit slips, account statements, CDD/EDD documentation, OFAC/sanctions screening results, negative news and adverse media, law enforcement subpoenas or 314(b) requests.

Workflow

Step 1 — Transaction Profiling

Summarize account activity for the review period:

| Metric | Value | |---|---| | Total credits (count / dollar) | | | Total debits (count / dollar) | | | Cash-in / Cash-out (count / dollar) | | | Wire-in / Wire-out (count / dollar) | | | ACH/EFT and check activity (count / dollar) | | | Average and largest single transaction | | | CTRs filed during period | | | Jurisdictions involved | |

Compare observed activity against three baselines:

• KYC expected activity — Does volume/type match customer declarations?
• Peer group — Consistent with similarly situated customers?
• Historical baseline — Has pattern shifted from prior periods?

Flag material deviations with [DEVIATION] and quantify the variance.

Step 2 — Red Flag Identification

Screen activity against recognized typologies. For each red flag identified, document:

• Red flag typology — Name from reference taxonomy
• Category — Structuring / Rapid Movement / Geographic / Shell-Layering / Trade-Based / Behavioral / Other
• Transactions implicated — Date, amount, type, counterparty
• Severity — High / Medium / Low
• Explanation — Why this pattern is suspicious in context

Key thresholds:

• CTR: $10,000 cash (single or aggregate same-business-day). Transactions just below are a structuring indicator. [VERIFY current threshold]
• SAR dollar minimum: $5,000+ with known suspect; $25,000+ with no identified suspect (banks). No dollar minimum for MSBs. [VERIFY by institution type]
• Rapid movement: Funds deposited and withdrawn/transferred within 48 hours with no apparent business purpose.
• Round-dollar transfers: Unusual frequency of round-amount wires inconsistent with commercial invoicing.

Step 3 — OFAC & Sanctions Screening

Confirm whether any party to flagged transactions appears on:

• OFAC SDN List and Consolidated Sanctions List
• FinCEN 311 Special Measures (jurisdictions/institutions)
• EU/UN sanctions lists (if applicable) [VERIFY applicability]
• FATF High-Risk and Non-Cooperative Jurisdictions list

Record each counterparty/jurisdiction screened, the result, list version, and date. If a potential OFAC match is identified, escalate immediately — OFAC obligations are strict liability with a shorter timeline than SAR filing.

Step 4 — Disposition

Reach one of four dispositions:

| Disposition | Criteria | Action | |---|---|---| | File SAR | Suspicious, unexplained, meets dollar thresholds | Proceed to Step 5 | | Close — Below Threshold | Concerning but below SAR dollar minimums | Document rationale; retain 5 years; consider enhanced monitoring | | Close — Explained | Legitimate purpose confirmed with documentation | Document rationale and evidence; retain 5 years | | Escalate | OFAC match, law enforcement nexus, or insider involvement | Immediate escalation per institution policy |

Document rationale for every disposition. Examiners review closed cases as closely as filed SARs.

Step 5 — SAR Narrative Drafting

The narrative must answer who, what, when, where, why, and how.

Structure:

1. Subject Information — Full legal name(s), DOB, SSN/TIN (if available), address, account relationship, risk rating and basis.
2. Suspicious Activity Description — Nature of activity (use FinCEN characterization codes), identify all subjects and roles, specific transactions and patterns, date range, branches/jurisdictions, why activity is suspicious, method/mechanism used.
3. Transaction Detail — Chronological summary of key transactions, total dollar amount, instruments/channels (cash, wire, ACH, check, crypto).
4. Investigation Summary — Detection method, investigation steps, CDD/EDD reviewed, third-party information (314(b), public records, adverse media).
5. Supporting Documentation — Exhibit list, reference to prior SARs if continuation filing.

Narrative rules:

• Factual, not conclusory — state what happened; never assert a crime was committed
• Chronological presentation
• Specific — dates, amounts, account numbers, counterparty names
• Self-contained — reader with no prior knowledge should understand the case
• Quantified — total suspicious amounts and transaction counts
• No SAR-tipping language — never indicate the customer was or will be notified (31 USC 5318(g)(2)) [VERIFY current statutory cite]

Filing deadlines [VERIFY current FinCEN guidance]:

| Scenario | Deadline | |---|---| | Standard SAR | 30 calendar days from initial detection | | No suspect identified | 30 days; may extend to 60 days to identify suspect | | Ongoing activity | Continuing SARs every 90 days | | Criminal referral | Notify law enforcement immediately; SAR still due within 30 days |

Output

Deliverables for each review:

1. Transaction summary table with profiling metrics and baseline comparisons
2. Red flag log — each flag with typology, category, severity, implicated transactions, and explanation
3. OFAC/sanctions screening record with list versions and dates
4. Disposition memo — selected outcome with written rationale
5. SAR narrative (if filing) — structured per the template above, ready for BSA officer review
6. Filing deadline tracker — calculated deadline with calendar entry

Quality Checks

Completeness

• [ ] Intake items fully populated or gaps explicitly documented
• [ ] Transaction profiling covers all activity types in the review period
• [ ] Every red flag has severity rating and supporting transactions
• [ ] Disposition is one of the four defined outcomes with written rationale

Accuracy

• [ ] Dollar amounts cross-referenced to source transaction data
• [ ] Dates confirmed against bank records (not estimated)
• [ ] Counterparty names verified against wire details / account records
• [ ] OFAC screening uses current list version

Regulatory Compliance

• [ ] SAR narrative answers all six questions (who/what/when/where/why/how)
• [ ] No SAR-tipping or customer-notification language anywhere in output
• [ ] Filing deadline documented and within regulatory window [VERIFY]
• [ ] CTR analysis included for cash-intensive accounts
• [ ] 5-year record retention requirement noted

Professional Standards

• [ ] Findings distinguish confirmed facts from inferences
• [ ] All inferences and assumptions marked with [VERIFY]
• [ ] Terminology consistent throughout
• [ ] Output actionable for BSA officer / compliance committee
• [ ] Escalation triggers clearly identified

Reference Files

| File | Description | |---|---| | references/AML-RED-FLAGS.md | Categorized AML red flag typologies with indicators and activity patterns for transaction screening |