As a standard practice and as specified in Article 9.1 of the AML-CFT Law, the FIU can reach out to LFIs to provide additional requested information pertaining to an STR or SAR. Therefore, when responding to the FIU’s inquiries, details should be provided in a way that is precise and outlined as per the request. LFIs should maintain clarity on the presented information and provide it in the required format (e.g., tabular format, pdf, etc.). Moreover, LFIs should avoid adding unnecessary codes and abbreviations or any raw information extracted directly from the core databases, which are unknown to the FIU. It is important to understand that the details pertaining to the source and destination of funds are essential for investigating the reported activity. Therefore, names; account numbers; country of origin and destination; currencies; dates; source and purpose of transactions; and other related information should be detailed in LFI’s response. Once the report is filed, LFI should send the report web reference number and inform the FIU via the goAML Message Board.

Following an STR or SAR filing, the FIU may or may not revert to the LFI with specific instructions, requests for additional information, feedback or further guidance related to the STR or SAR, or to the business relationship in general. In such cases, these communications will generally be directed to the Compliance Officer or MLRO of the LFI. However, LFIs may not receive instructions, additional information requests, or other feedback from the FIU regarding STRs or SARs that have been filed; or the receipt of such communications may be delayed beyond what they consider to be a reasonable time period. In such instances, LFIs must follow their internal policies in relation to such customers and should determine the appropriate handling of the STR or SAR and of the business relationship in general, taking into consideration all of the risk factors involved.

Specifically, once a suspicious transaction or other suspicious information related to a customer or business relationship has been reported to the FIU, the LFI should take the following immediate responses:

Unless specifically instructed by the FIU to do so, LFIs are under no obligation to carry out transactions they suspect, or have reasonable grounds to suspect, of being related to a crime. Furthermore, unless specifically instructed by the FIU to maintain the business relationship (for example, so that the competent authorities may monitor the customer’s activity), it should be the LFI’s responsibility to take appropriate steps in order to decide whether or not to maintain the business relationship based on their risk appetite. However, LFIs should consider the risk of tipping off a customer when taking these restrictive measures on the account. These steps may include, but are not limited to:

LFIs that determine to maintain the business relationship should, commensurate with the nature and size of their businesses:

In such cases, beyond EDD measures, LFIs should also implement additional control measures such as, but not limited to:

LFIs should also document the specific EDD, ongoing monitoring, and additional control measures to be taken. In this regard, LFIs should obtain senior management approval for the plan, including its specific conditions, duration and any requirements for its removal, as well as the roles and responsibilities for its implementation, monitoring and reporting, commensurate with the nature and degree of the money laundering and the financing of terrorism and illegal organisations risks associated with the business relationship.

Thus, retaining a customer relationship, exiting the relationship, restricting an account, or any other actions taken by an LFI following the filing of an STR, SAR, or other report is a decision based on the LFI’s internal policies and procedures, including its risk appetite, to safeguard the LFI from relevant risks. This is unless the entity receives instructions from the FIU or any other competent authority that should be immediately implemented without delay. In cases where the LFI decides to reject a new customer or to exit an existing relationship due to an STR or SAR filing (or other report), the LFI should ensure that the subject of the filing is added to internal watch lists, (e.g., a list of individuals and entities that have been exited for financial crime-related reasons and that should be screened by the LFI to avoid future on-boarding).

While individual STRs, SARs, or other reports that pose particular risk may require escalation and review for potential exit, repeated filings on a single account or group of related accounts should trigger consideration of customer exit. Repeat filings should also prompt a review of risks associated with accounts of a similar type and of whether internal controls are effectively mitigating risk. An LFI should determine a threshold for which an account that has been subject to a certain amount of STR or SAR filings (or other report) will be escalated to senior management for consideration of account closure, possible restrictions on the account, and/or enhanced monitoring.

LFIs should also maintain a customer exit policy that outlines the process for reviewing the overall customer relationship and deciding on next steps, including ending the relationship and notifying law enforcement and/or other group affiliates, as appropriate. Customer exit policies should include criteria for when these actions are appropriate and outline how the LFI should monitor the activity of a customer it decides to retain. The LFI should contact law enforcement before closing an account if the entity has knowledge of an ongoing law enforcement investigation involving that account or customer, or the LFI has filed an STR(s), SAR(s), or other report types on the customer or account due to continuing suspicious activity. LFIs should be aware that law enforcement may have an interest in ensuring that certain accounts remain open notwithstanding suspicious or potential criminal activity in connection with those accounts. If a law enforcement agency requests that an LFI keep a particular account open, the LFI should ask for a written request. The written request should indicate that the agency has requested that the LFI maintain the account along with the purpose and duration of the request. Ultimately, the decision to maintain or close an account should be made by an LFI in accordance with its own standards and guidelines.

LFIs should have mechanisms to inform the Board of Directors (or a committee of the Board) and senior management of compliance initiatives, compliance deficiencies, STRs, SARs, or other regulatory reports filed, and corrective actions taken. LFIs should also develop and maintain a system of reporting that provides accurate and timely information on the status of the AML/CFT program, including statistics on key elements of the program, such as the number of transactions monitored, alerts generated, cases created, and STRs, SARs, or other report types filed.

Employees should report the number and types of STRs, SARs, or other regulatory reports filed to the Board of Directors or a Board-designated committee. While employees are not required to provide actual copies of STRs, SARs, or other regulatory reports to the Board (or a committee of the Board), such notifications should contain sufficient information to enable the Board or its committee to provide appropriate oversight over the LFI’s AML/CFT program. Where an individual filing documents activity that poses a particular risk, management may provide a copy of the report to the Board or Board-designated committee. Where appropriate, the suspicious activity or transaction underlying the filing of an STR, SAR, or other regulatory reports should be communicated to those individuals responsible for managing the risk associated with the customer and/or activity that is the subject of the STR, SAR, or other regulatory reports in order to permit such employees to respond appropriately to the AML/CFT risks identified. Although all such communications are subject to the confidentiality restrictions, it should be noted that the confidentiality requirement does not pertain to communication within the LFIs or its affiliated group members (foreign branches, subsidiaries, or parent company) for the purpose of sharing information relevant to the identification, prevention, or reporting of suspicious transactions and/or crimes related to money laundering and the financing of terrorism and illegal organisations, according to Article 39.1 of the AML-CFT Decision (also referenced in Section 5. Confidentiality and Prohibition against “Tipping Off”).

According to Article 24 of the AML-CFT Decision, LFIs are required to retain all records and documents pertaining to STRs and the results of all analysis or investigations performed for at least five (5) years from the date of completion of the transaction or termination of the business relationship. Such records relate to both internal STRs and those filed with the FIU, and should include but are not limited to: