Case management is an integral component of any institution’s overall compliance program, let alone those with suspicious activity report (“SAR”) filing responsibilities. However, misconduct is often reported through multiple channels such as whistleblower complaints, HR, and even through a company’s legal department. If misconduct requires SAR filing, input from HR, and advice from legal, but comes in through possibly siloed teams, how can a company feel confident that they are accurately capturing and consistently dispositioning these cases?
The answer boils down to an often-overlooked area – case management systems.
Join financial crime compliance advisory and training specialist Michael Schidlow, as he explains best and worst practices in the field, gives tips on what case management tools should always and shouldn’t ever do, and describes how to utilize metrics from those systems to get an accurate snapshot of their company’s risk profile.
Misconduct or Missed Conduct? Ensuring Consistent SAR Reporting of Internal Misconduct
1. Ensuring Consistent Suspicious Activity Reporting (“SAR”) of Internal Misconduct
Misconduct or Missed Conduct?
Michael Schidlow
Scienter Group, LLC
2. Polling Question
My company includes insider threat in our risk assessment:
A. Yes, we have a robust sense of risk awareness aligned as best as possible to our potential exposure to misconduct
B. Yes, we rely on past instances to develop/enhance controls
C. No, but that’s because we have never had an instance of insider abuse
D. No, because we crunched the numbers and don’t think that we would sustain a loss if something happened
E. What is a risk assessment?
3. Don’t Be Suspicious
Whitney Nat’l Bank v. Karam, 306 F. Supp.2d 678 (S.D.Tex. 2004)
• Individuals filed suit for defamation – bank wrongfully accused them of crime
• Ruling = good faith belief in underlying activity being a violation of law
• Plenary “protection to financial institutions and their employees from civil liability” for reporting customer details to FinCEN in a SAR
Protected:
• Contents (or existence of the SAR)
• Comms re: SAR Filing
• Comms to/from Govt leading to filing
• Comms clarifying the Rationale
• Comms to/from Govt post filing
4. Insider Abuse
Just Do It
• Nike executive’s son had a sneaker resale business;
• The son used his mother’s (the executive) corporate credit card to purchase over $130,000-worth of sneakers and then resell them for a $19,000 profit;
• The scheme was detected when the son provided statements to prove revenue (while trying to tout his business acumen) and his mother’s name and terms referencing the corporate account appeared on the statements;
• Nike was aware of the business, and despite the son referencing what appeared to be insider knowledge of new releases, found no conflict of interest.
5. Saddle Up
Rita Crundwell
• Embezzled USD $53 million over 20 years as the Dixon, IL Clerk
• She opened a secret account, similarly titled to one the city might utilize
• Transferred funds by check
• Despite her $80K salary, she had millions in jewelry, high-end western wear, a luxury touring coach, and a farm with numerous quarter horses
• The fraud wasn’t detected until she finally went on vacation and her replacement bookkeeper reviewed the City’s statements
• Marshals auctioned items recovered, and have obtained USD $9 million
6. Multilateral Gaps
• Many components of insider abuse move across a number of different control risks
• As a result, many different risks arise
• Ex. Law Firm abuse
  • Lawsuits
  • Penalties/Fines
  • AB&C
  • AML
  • Investigations
  • Disruption
  • Data parameters not validated/checked
Risk areas: Cyber/IT, Operational, Legal, Compliance
7. Oversight, versus Oversight
• Organizations mistake the absence of detected misconduct for the absence of any misconduct;
• Impossible, but not implausible;
• Water on pavement, misconduct begins with the misconception that it never/rarely happens.
9. The Explanation
Misconception
• Yes, fraud is broadly tied to financial gain;
• No, many other avenues can be misused for personal gain;
• Yes, it is impossible to enumerate all misconduct in a single policy/procedure;
• No, it’s not impossible to cast a wide net;
• Yes, all Suspicious Activity Report (“SAR”)-obligated misconduct must be reported.
• Need
• Opportunity
• Ability to Rationalize
10. Polling Question
When I hear “dual control” what I think of is:
A. Minimizing the risk of maker-checker-enabled fraud
B. Someone is going to have to make sure it actually happens
C. AM/FM
D. Why bother? I wouldn’t have hired them if I couldn’t trust them
11. Fraud Risk Governance
Compliance
• Consumer
• Regulatory
• ABC
Legal
• UCC
• Reputation
Operational
• Data
• IT
• Systems
Credit
• Lending
• “Insider” Lending/Conflicts of interest
12. Fraud Risk Governance
Quantitative
  Compliance: Fines per incident; Consent order remediation
  Legal: Loss per customer segment; Cumulative loss
  Operational: Detection; Remediation; Repair
  Credit: Loans by quantity/quality
Qualitative
  Compliance: Single violation
  Legal: Dissolution or prohibition of new business
  Operational: Disruption
  Credit: Commercial banking loan / consumer lending; Consumer vs. SBA programs
In the absence of correct misconduct reporting and metrics, root causes cannot be identified, and key metrics cannot be tracked
13. US DOJ Guidance
Evaluation of Corporate Compliance Programs
• Issued in 2017, then reissued in 2019 and again in 2020
• Discusses “misconduct”
• Not specific to compliance
• Applies to any and all organizational structures, including but not limited to financial institutions
• Used as a prosecutor’s framework to evaluate the strength or weakness of a corporate compliance program
14. US DOJ Guidance
Effective Compliance Programs (Select Provisions)
Tone from the Top
• Demonstration by senior management of adherence to internal standards
• Proven (i.e., demonstrable) commitment and communication of expectations for compliance
Resources
• Sufficient technological resources to administer a compliance program
• Both monitoring and escalation of compliance risk
• Adequate staffing to stay within risk limits
• Both qualitative and quantitative staffing assessments (i.e., skillsets and experience)
Risk Assessment
• Is the compliance program sufficiently designed?
• Is it tailored to the risks unique to that organization?
• Is the RA updated on a time-bound and trigger event basis?
Autonomy
• Does compliance have a “seat at the table”?
• And is compliance completely independent of influence from the business?
15. US DOJ Guidance
Additional Considerations
Compensation
• Base
• Bonus
• Parameters
• Discipline
Training
• Format
• Delivery
• Content
Escalation
• Whistleblower and
• Anti-retaliation
16. Anti-Money Laundering Act of 2020
“AMLA”
Aligns to heightened standards
• First development/update since the USA PATRIOT Act
• Risk governance framework
• Appropriate resources
• 3 Lines of Defense (“LoD”)
18. The Inside Job
FinCEN SAR Filing Category – Insider Abuse
Designed to report:
• A bank employee (“directors, officers, employees, other institution-affiliated parties”);
• Committing, aiding, or abetting;
• Criminal activities.
19. The Inside Job
“Misconduct” as a catch-all term – Multiple Referral Channels (ideally)
By definition, one of these entities should have SAR-filing responsibilities
• Direct Referrals To The Investigations Unit – Manually detected misconduct
• Escalation to HR – Line of Business/Function
• External Referrals – Law enforcement, external complaints, etc.
• Whistleblower – Anonymous
20. Bigger Risk Picture
Are all entities within the organization, in particular those that review potentially SAR-fileable misconduct, aware of:
1. The requirement to refer matters for SAR filing;
2. Obligation to refer current cases to the SAR filing function within the organization;
3. Requirement not to discuss or inquire in regards to filing.
22. Who, What, Where, When, And How
Misconduct (Civil, Criminal, Policy):
• Direct Referral to Investigations → SAR Filers: File based on Criteria
• Whistleblower Hotline → Refer to SAR Filers Dependent on Misconduct
• Legal/Subpoena → Refer to SAR Filers Dependent on Nature of Misconduct
• Direct Referral to HR → Refer to Investigations Case by Case
23. A Quick Question for You
Routine Investigation
• Textbook “Insider Abuse”
• Caused by Embezzlement
• Question from HR – “Are you going to file a SAR?”
24. Poll Question
How confident are you that all of your misconduct
cases are both centralized and confidential?
A. Very confident
B. Somewhat confident
C. Not very confident
D. I have no idea
25. By the Book
Investigative teams have blanket discretion regarding SAR filing (based on criteria).
Whistleblower/Ombud, HR, and Legal then need:
• Policy on what “Insider Abuse” is relative to the definition of “Misconduct”
• Procedures and processes for referral
• Processes to communicate with Investigations . . . without violating “SAR Privilege” (e.g., Investigations reports disclosable facts to HR, HR provides disciplinary outcomes to Investigations)
• TRAINING
26. Would You Like A Free Sample?
Given the beyond-confidential nature of SAR filing:
Business/Branch-Level Testing
• First Line of Defense Testing on Process and Adherence
HR/Legal/Function-Level Testing
• Second Line of Defense Testing
• Internal Audit
Internal Audit
• Process and Controls
• Continuous Monitoring (e.g., escalations, whistleblower, etc.)
27. Case by Case
The information flow for misconduct related cases toes a very thin line; and
Requires tremendous balance of discipline to SAR (where appropriate) outcomes
Case Management Systems:
• Should be access-restricted;
• Should serve as unified platform for information intake (HR, whistleblower, etc.); and
• Should either serve as the platform for or link to the platform for SAR filing.
28. For Your Eyes Only
Given the data restrictions, other conditions should be met:
• Audit Trail/Action Log for Changes
• Audit Trail/Action Log for VIEWING
• Specific, user-name access (e.g., not “user1, user2”)
29. Quantitative and Qualitative
The case management system should also:
Delineate Cases
• Referral Source
• Typology
Produce Clear Metrics
• SAR (y/n)
• SAR by category
• Cross-reference
Trend Monitoring
• Daily
• Weekly
• Monthly
• QoQ
• Integrated with Disciplinary Outcomes
31. What to Look For
Intake
Ideally, all cases of potential misconduct are:
1. Defined by Policy;
2. Procedurally trained to by any staff who might receive misconduct “matters”;
3. Centralized within a case management system;
4. Reviewed by Investigations-related team capable of SAR filing;
5. Confirmed to require/not require potential SAR filing;
6. Dispositioned consistently.
32. What to Look For
Outtake
Non-SAR filing functions/teams (External to Investigations):
• Should escalate ambiguous matters of misconduct (e.g., intellectual property);
• Should be able to evidence consistent disciplinary outcomes;
• Should provide disciplinary outcomes to the case management system;
• Should be trained on SAR privilege and should not have processes/procedures that reference SAR filing;
• Should not have access to the investigations team's case management system;
• Should not have references to SARs, even by euphemisms/coded language in employee records (i.e., discoverable records)
33. What to Look For
Hot Take
Testers/Auditors should be acutely concerned with:
• Clearly SAR-fileable misconduct that isn’t escalated
• SAR-fileable misconduct that has not resulted in disciplinary outcomes
• Gross deviations between disciplinary outcomes
• Open-access to case management systems
• No escalation of “outside” function staff viewing cases in system
• Absence of user/access right standards and deviations
34. What to Look For
Of Particular Concern
The increase in no SAR/no Terms and decrease in SAR No Terms/SAR and Terms may represent inconsistent approaches to disciplinary matters and/or a lack of proper reporting
[Chart: Disciplinary Outcomes by quarter (Q1–Q4); series: No SAR no Term, No SAR and Term, SAR no Term, SAR and Term]
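The requirements in slides 27 to 29 (access-restricted system, audit trail for changes and for viewing, named user accounts, SAR y/n metrics tied to disciplinary outcomes) and the four-way SAR/termination breakdown charted in slide 34 can be reduced to a small working model. The code below is an added example, not the presenter's or i-Sight's code; the roles, rights, field names and the sample users and cases are all constructed for illustration.

```python
"""Case-management sketch: named-user access, view/change audit trail,
SAR-privilege field masking and SAR-vs-disciplinary-outcome metrics."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

# Role-to-right mapping (assumed for this example). HR records disciplinary
# outcomes but never sees SAR fields; audit sees everything, changes nothing.
ROLE_RIGHTS = {
    "investigations": {"view", "edit", "view_sar", "edit_sar"},
    "hr": {"view", "edit"},
    "audit": {"view", "view_sar"},
}
SAR_FIELDS = {"sar_filed", "sar_category"}
# Shared or generic account names ("user1", "admin") are never accepted.
GENERIC_ACCOUNT = re.compile(r"^(user|admin|test|guest)\d*$", re.IGNORECASE)


@dataclass
class Case:
    case_id: str
    referral_source: str        # investigations, hr, whistleblower, legal, external
    typology: str               # e.g. "embezzlement"
    quarter: str                # e.g. "Q1"
    terminated: bool = False    # disciplinary outcome, recorded by HR
    sar_filed: bool = False     # privileged field
    sar_category: str = ""      # privileged field


@dataclass
class CaseSystem:
    users: dict                 # named account -> role
    cases: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, user, action, case_id, detail=""):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                               "action": action, "case": case_id, "detail": detail})

    def _require(self, user, right, case_id="-"):
        # A named account holding the right, otherwise a logged denial.
        if GENERIC_ACCOUNT.match(user) or user not in self.users:
            self._log(user, "DENIED", case_id, f"unknown or shared account ({right})")
            raise PermissionError(f"unknown or shared account: {user}")
        if right not in ROLE_RIGHTS[self.users[user]]:
            self._log(user, "DENIED", case_id, right)
            raise PermissionError(f"{user} lacks {right}")

    def add_case(self, user, case):
        self._require(user, "edit", case.case_id)
        if case.sar_filed or case.sar_category:
            self._require(user, "edit_sar", case.case_id)
        self.cases[case.case_id] = case
        self._log(user, "CREATE", case.case_id, f"source={case.referral_source}")

    def view(self, user, case_id):
        """Viewing is logged as well as changing; SAR fields are masked."""
        self._require(user, "view", case_id)
        record = dict(vars(self.cases[case_id]))
        if "view_sar" not in ROLE_RIGHTS[self.users[user]]:
            for name in SAR_FIELDS:
                record.pop(name)
        self._log(user, "VIEW", case_id)
        return record

    def update(self, user, case_id, **changes):
        """Each field change is logged as old -> new."""
        self._require(user, "edit", case_id)
        if SAR_FIELDS.intersection(changes):
            self._require(user, "edit_sar", case_id)
        case = self.cases[case_id]
        for name, new in changes.items():
            old = getattr(case, name)
            setattr(case, name, new)
            self._log(user, "CHANGE", case_id, f"{name}: {old!r} -> {new!r}")

    def sar_rate_by(self, attr):
        """(SAR count, total) per referral source or typology."""
        sar, total = Counter(), Counter()
        for c in self.cases.values():
            total[getattr(c, attr)] += 1
            sar[getattr(c, attr)] += int(c.sar_filed)
        return {k: (sar[k], total[k]) for k in total}

    def outcome_matrix(self):
        """Per-quarter SAR x termination cross-tab (the chart's four series)."""
        matrix = defaultdict(Counter)
        for c in self.cases.values():
            label = f"{'SAR' if c.sar_filed else 'No SAR'} {'and' if c.terminated else 'no'} Term"
            matrix[c.quarter][label] += 1
        return {q: dict(v) for q, v in sorted(matrix.items())}


def build_sample_system():
    """Constructed sample data: three named users and three cases."""
    cs = CaseSystem(users={"a.chen": "investigations", "r.patel": "hr", "s.okafor": "audit"})
    cs.add_case("a.chen", Case("C-001", "investigations", "embezzlement", "Q1",
                               terminated=True, sar_filed=True, sar_category="insider abuse"))
    cs.add_case("a.chen", Case("C-002", "whistleblower", "expense fraud", "Q1",
                               sar_filed=True, sar_category="insider abuse"))
    cs.add_case("a.chen", Case("C-003", "hr", "policy breach", "Q2"))
    cs.update("r.patel", "C-003", terminated=True)   # HR records the disciplinary outcome
    return cs
```

The two audit paths matter for different reasons: the CHANGE entries let a tester reconcile disciplinary outcomes against what HR actually recorded, while the VIEW and DENIED entries are what surfaces "outside" function staff reading cases in the system. Because the SAR fields never leave `view()` for an HR account, HR records cannot carry SAR references even by accident, and `outcome_matrix()` yields exactly the No SAR/SAR by no Term/Term series that the slide 34 chart plots per quarter.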
35. What to Look For
Equally Concerning
Apparent, or even perceived:
• De-masking of whistleblowers and/or
• Retaliatory action (overt and covert)
37. Key Takeaways
1. Data validation is critical, in particular for APIs and other linked systems;
2. Systems, technology, resources and staffing are critical focuses for both regulators and prosecutors;
3. Training is both a pillar under the USA PATRIOT Act as well as a key component of any organization's corporate compliance program;
4. The case management system absolutely must be fit for purpose in order to ensure oversight of potential and actual misconduct.
Questions?
38. Thank You for Participating
Find more free webinars:
www.i-sight.com/resources/webinars
@isightsoftware
Contact Michael Schidlow
Contact i-Sight
webinars@i-sight.com
michael@scientergroup.com
https://www.linkedin.com/in/mschidlow/
@ ProfSchidlow