auditing-aml-transactions

# Auditing AML Transactions

Screens transaction data for suspicious patterns using red flag typologies and structures SAR narrative elements for BSA/AML compliance.

## When To Use

- Transaction monitoring system generates an alert requiring human review
- BSA officer receives a referral (internal, law enforcement, or examiner finding)
- Periodic look-back or enhanced due diligence review of high-risk accounts
- Continuation SAR is due on the 90-day cycle
- Independent audit requires sample transaction review
- 314(b) information-sharing request received from another institution

## Inputs To Gather

Collect all items below before starting review. If transaction records are unavailable, STOP — document the gap and escalate.

### Institution & Scope

- Institution type (bank, MSB, broker-dealer, credit union, insurance, casino, other) [VERIFY]
- Charter/license jurisdiction and primary regulator [VERIFY]
- BSA/AML program status (established / recently remediated / under consent order)
- Review period (start and end dates)
- Alert source and alert/case ID

### Subject Information

- Subject name(s) — individuals and/or entities
- Account number(s), account type(s), and open date
- Customer risk rating (Low / Medium / High / Unrated)
- KYC profile: stated occupation, income, expected activity, source of funds
- Prior SAR history on this subject

### Data Sources

Confirm availability of each: transaction records (debits/credits), wire transfer details (originator/beneficiary), cash activity and CTR history, check images and deposit slips, account statements, CDD/EDD documentation, OFAC/sanctions screening results, negative news and adverse media, law enforcement subpoenas or 314(b) requests.

## Workflow

### Step 1 — Transaction Profiling

Summarize account activity for the review period:

| Metric | Value |
|---|---|
| Total credits (count / dollar) | |
| Total debits (count / dollar) | |
| Cash-in / Cash-out (count / dollar) | |
| Wire-in / Wire-out (count / dollar) | |
| ACH/EFT and check activity (count / dollar) | |
| Average and largest single transaction | |
| CTRs filed during period | |
| Jurisdictions involved | |

Compare observed activity against three baselines:
- **KYC expected activity** — Does volume/type match customer declarations?
- **Peer group** — Consistent with similarly situated customers?
- **Historical baseline** — Has pattern shifted from prior periods?

Flag material deviations with `[DEVIATION]` and quantify the variance.

### Step 2 — Red Flag Identification

Screen activity against recognized typologies. For each red flag identified, document:

- **Red flag typology** — Name from reference taxonomy
- **Category** — Structuring / Rapid Movement / Geographic / Shell-Layering / Trade-Based / Behavioral / Other
- **Transactions implicated** — Date, amount, type, counterparty
- **Severity** — High / Medium / Low
- **Explanation** — Why this pattern is suspicious in context

Key thresholds:
- **CTR**: $10,000 cash (single or aggregate same-business-day). Transactions just below are a structuring indicator. [VERIFY current threshold]
- **SAR dollar minimum**: $5,000+ with known suspect; $25,000+ with no identified suspect (banks). No dollar minimum for MSBs. [VERIFY by institution type]
- **Rapid movement**: Funds deposited and withdrawn/transferred within 48 hours with no apparent business purpose.
- **Round-dollar transfers**: Unusual frequency of round-amount wires inconsistent with commercial invoicing.

### Step 3 — OFAC & Sanctions Screening

Confirm whether any party to flagged transactions appears on:
- OFAC SDN List and Consolidated Sanctions List
- FinCEN 311 Special Measures (jurisdictions/institutions)
- EU/UN sanctions lists (if applicable) [VERIFY applicability]
- FATF High-Risk and Non-Cooperative Jurisdictions list

Record each counterparty/jurisdiction screened, the result, list version, and date. If a potential OFAC match is identified, **escalate immediately** — OFAC obligations are strict liability with a shorter timeline than SAR filing.

### Step 4 — Disposition

Reach one of four dispositions:

| Disposition | Criteria | Action |
|---|---|---|
| **File SAR** | Suspicious, unexplained, meets dollar thresholds | Proceed to Step 5 |
| **Close — Below Threshold** | Concerning but below SAR dollar minimums | Document rationale; retain 5 years; consider enhanced monitoring |
| **Close — Explained** | Legitimate purpose confirmed with documentation | Document rationale and evidence; retain 5 years |
| **Escalate** | OFAC match, law enforcement nexus, or insider involvement | Immediate escalation per institution policy |

**Document rationale for every disposition.** Examiners review closed cases as closely as filed SARs.

### Step 5 — SAR Narrative Drafting

The narrative must answer **who, what, when, where, why, and how**.

**Structure:**

1. **Subject Information** — Full legal name(s), DOB, SSN/TIN (if available), address, account relationship, risk rating and basis.
2. **Suspicious Activity Description** — Nature of activity (use FinCEN characterization codes), identify all subjects and roles, specific transactions and patterns, date range, branches/jurisdictions, why activity is suspicious, method/mechanism used.
3. **Transaction Detail** — Chronological summary of key transactions, total dollar amount, instruments/channels (cash, wire, ACH, check, crypto).
4. **Investigation Summary** — Detection method, investigation steps, CDD/EDD reviewed, third-party information (314(b), public records, adverse media).
5. **Supporting Documentation** — Exhibit list, reference to prior SARs if continuation filing.

**Narrative rules:**
- Factual, not conclusory — state what happened; never assert a crime was committed
- Chronological presentation
- Specific — dates, amounts, account numbers, counterparty names
- Self-contained — reader with no prior knowledge should understand the case
- Quantified — total suspicious amounts and transaction counts
- **No SAR-tipping language** — never indicate the customer was or will be notified (31 USC 5318(g)(2)) [VERIFY current statutory cite]

**Filing deadlines** [VERIFY current FinCEN guidance]:

| Scenario | Deadline |
|---|---|
| Standard SAR | 30 calendar days from initial detection |
| No suspect identified | 30 days; may extend to 60 days to identify suspect |
| Ongoing activity | Continuing SARs every 90 days |
| Criminal referral | Notify law enforcement immediately; SAR still due within 30 days |

## Output

Deliverables for each review:

1. **Transaction summary table** with profiling metrics and baseline comparisons
2. **Red flag log** — each flag with typology, category, severity, implicated transactions, and explanation
3. **OFAC/sanctions screening record** with list versions and dates
4. **Disposition memo** — selected outcome with written rationale
5. **SAR narrative** (if filing) — structured per the template above, ready for BSA officer review
6. **Filing deadline tracker** — calculated deadline with calendar entry

## Quality Checks

### Completeness
- [ ] Intake items fully populated or gaps explicitly documented
- [ ] Transaction profiling covers all activity types in the review period
- [ ] Every red flag has severity rating and supporting transactions
- [ ] Disposition is one of the four defined outcomes with written rationale

### Accuracy
- [ ] Dollar amounts cross-referenced to source transaction data
- [ ] Dates confirmed against bank records (not estimated)
- [ ] Counterparty names verified against wire details / account records
- [ ] OFAC screening uses current list version

### Regulatory Compliance
- [ ] SAR narrative answers all six questions (who/what/when/where/why/how)
- [ ] No SAR-tipping or customer-notification language anywhere in output
- [ ] Filing deadline documented and within regulatory window [VERIFY]
- [ ] CTR analysis included for cash-intensive accounts
- [ ] 5-year record retention requirement noted

### Professional Standards
- [ ] Findings distinguish confirmed facts from inferences
- [ ] All inferences and assumptions marked with `[VERIFY]`
- [ ] Terminology consistent throughout
- [ ] Output actionable for BSA officer / compliance committee
- [ ] Escalation triggers clearly identified

## Reference Files

| File | Description |
|---|---|
| `references/AML-RED-FLAGS.md` | Categorized AML red flag typologies with indicators and activity patterns for transaction screening |