Dynamic Securities Analytics, Inc.
Dynamic Securities Analytics, Inc.
Anti-Money Laundering Currency Transaction Reports Drug Trafficking FinCEN SARs

2020 SAR Insights: Suspicious Activity Reports and COVID-19

by |Published

Dynamic Securities Analytics‘ annual SAR Insights focuses on the interplay between COVID-19 and Suspicious Activity Reports filed by Depository Institutions (banks & credit unions) in 2020.

The consequences of Covid-19 played out in obvious and some not-so-obvious ways in 2020 Suspicious Activity Reports. First, just as all people have had to adapt to the new COVID-19 reality, so too have criminals. Fraudsters found the enormous government stimulus programs to be a rich target. Next, FinCEN’s COVID-19 advisories are echoed in 2020 SAR filing patterns. Finally, the impact on 2020 SARs from the nationwide shutdown, quarantines, border closings, social distancing at businesses, and changes to daily life for all Americans was teased out from the data with some financial crime typologies notching fewer SARs.

Bad Actors Adapt

Transaction(s) Below CTR Threshold was the leading suspicious activity category in 2020 with 318,867 SARs. The last time Transaction(s) Below CTR Threshold was the top reported SAR category was in 2015. March 2017 previously held the single month record with 24,492 Transaction(s) Below CTR Threshold SARs. Every month from March through December 2020 outpaced the prior record, with October 2020 setting a record with over 34,000 Transaction(s) Below CTR Threshold SARs filed.

SARs for Transactions Below CTR Threshold, pre-Covid record
Bar Chart of Monthly SAR Filings: CTR Threshold

Border closings and travel limitations implemented because of Covid-19 may have made it harder to move bulk currency across borders. The DEA seized “substantially more illicit cash than usual” amid lockdowns. NBC quoted Bill Bodner, DEA special agent in charge of the Los Angles field office, as stating “When there’s less hay in the haystack, it’s easier to find the needle.”

If COVID-19 travel restrictions prevented drug cartels from bulk cash smuggling across borders, they may have instead attempted to deposit the cash in US banks via multiple small cash deposits. This behavior could have triggered some of the Transactions Below CTR Threshold SARs. SAR filings for Transactions Below CTR Threshold SARs increased by 43% from 2019.

Arizona and Texas had the largest percentage increases in CTR Threshold SARs at 79% and 77% respectively. Only Pacific islands (Hawaii, Guam, American Samoa & Northern Mariana Islands) and Washington DC reported fewer CTR Threshold SARs. Interestingly, 160 CTR Threshold SARs were filed in locations involving an APO (Army/Air Post Office), DPO (Diplomatic Post Office), or FPO (Fleet Post Office).

CTR Threshold SARs Heat Map. CTR SARs increased during COVID.

COVID-19 Government Stimulus Programs & Suspicious Activity Reports

Government stimulus programs targeted for Covid-19 relief became targets for fraudsters. These programs include the Paycheck Protection Program (PPP), the SBA’s “Economic Injury Disaster Loan” program, and expanded unemployment benefits. Suspicious Receipt of Government Payments/Benefits SARs soared by over 2600%. Tellingly, banks filed more Suspicious Receipt of Government Payments/Benefits SARs in August and September 2020 than for all of 2014 through 2019 combined.

Yearly Suspicious Activity Reports filed for Suspicious Government Payments

Similarly, Business Loan SARs jumped more than 513%. It is likely that banks classified a portion of the COVID-19 stimulus loan programs (ex. PPP) as Business Loans.

Government Payments and Business Loan SARs grew during COVID

FinCEN Advisories on COVID-19 & Suspicious Activity Reports

Fraudsters did not only target the government with their COVID-19 related scams. Criminals also targeted the ill desperate for a cure, parents desperate to support their families, and businesses adapting to work-from-home realities.

To that end, FinCEN issued several advisories related to COVID-19 that are reflected in 2020 Suspicious Activity Report statistics. On May 18th, 2020 FinCEN issued FIN-2020-A002 Advisory on Medical Scams Related to the Coronavirus Disease 2019 (COVID-19). The advisory discussed medical-related frauds including fraudulent cures, tests, and vaccines. FinCEN advised that financial institutions should select Fraud-Other as the suspicious activity type.

On July 7th, 2020 FinCEN published Advisory on Imposter Scams and Money Mule Schemes Related to Coronavirus Disease 2019 (COVID-19) that discussed COVID-19 and money mules. FinCEN stated that financial institutions should select Fraud-Other as the suspicious activity category. FinCEN also stated that Mass Marketing could also be selected if applicable.

Later in July, FinCEN issued Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic which requested that “cyber-crime involving fraud driven by COVID-19” be noted by selecting Fraud-Other and any other appropriate checkboxes.

Finally, FinCEN’s October 2020 Advisory on Unemployment Insurance Fraud During the Coronavirus Disease 2019 (COVID-19) Pandemic also requested that financial institutions select Fraud-Other as the suspicious activity category.

Not surprisingly, Fraud-Other SARs grew by 73%, with over 61,000 more SARs filed in 2020 than the prior year. Mass Marketing SARs increased 56% from 2019.

Fraud and Mass Marketing Suspicious Activity Reports grew during COVID

Government Payment: 2020 SAR Financial Instrument of the Year

A financial instrument (ex. funds transfer, U.S. currency, or check) can also serve as the starting point to analyze which crimes it is most often linked.

Photo by Giorgio Trovato on Unsplash

2020 was the year of the Government Payment financial instrument. Banks filed fifteen times as many Government Payment financial instrument SARs in 2020 than in 2019. Each SAR that identified Government Payment as the financial instrument was linked to 4.5 different suspicious activities (ex. Wire fraud, Exchange of Currency, Elder Abuse). Comparatively, US Currency was associated with 3.15 suspicious activities per SAR.

Government Payments were associated with 82 different suspicious activity categories in 2020 with every category reporting more SARs than in 2019. Several suspicious activity categories saw increases over 1000% with the use of Government Payments including: ACH, Advance Fee, and Cyber Against the Financial Institution. For example, Mass Marketing schemes using Government Payments leapt from 68 SARs in 2019 to 4,000 in 2020.

FinCEN Director, Kenneth Blanco, noted in his prepared remarks for the September 2020 ACAMS AML conference that “multiple Automated Clearinghouse (ACH) payments disbursed to a single account representing the most common financial pattern reported in SARs” related to fraud in COVID-19 government stimulus programs. ACH Fraud using Government Payments vaulted from 906 SARs in 2019 to 43,164 in 2020.

Banks also reported skyrocketing use of Funnel Accounts associated with Government Payments. In 2019, only 75 SARS linked Funnel Accounts and Government Payments, while 2020 Suspicious Activity Reports registered 2,511 such relationships.

Government Payments used in a variety of schemes. SARs & COVID-19.

Quarantine’s Impact on Suspicious Activity Reports

It is difficult to name an activity that COVID-19 has not impacted. Travel, entertainment, restaurants, work, school…the list goes on.

The quarantine/social distancing/border closure/lockdown-related changes also tie-in to how people use and access money. And how and what bankers detect as suspicious activity.

2020 Suspicious Activity Reports: Crimes Targeting Retail Bank Customers

Several crimes that often target retail bank customers such as Credit/Debit Card Fraud, Check Fraud and Identity Theft had tens of thousands fewer SARs filed in 2020 than in 2019. It is unclear why banks filed fewer SARs for these categories. Perhaps consumers stayed home and were not exposed to fraudsters via card skimmers; or banks’ attention was elsewhere; or fraudsters focused on bigger prey like government stimulus programs.

Some Suspicious Activity Report categories fell in 2020.

Reduced Branch Banker/Customer Interaction

Banks and credit unions are considered “essential businesses” and are not required to close during lockdowns. Depository Institutions have adopted measures to protect employees and customers from COVID-19. These measures include:

  • Reducing hours or temporarily closing some branches
  • Encouraging customers to use online and mobile banking.
  • Requiring appointments for in-branch services
  • Shifting transactions from the lobby to drive-through windows.

Banker/customer interactions can provide starting points for a range of Suspicious Activity Reports. For example, in October 2020 FinCEN published “Supplemental Advisory on Identifying and Reporting Human Trafficking and Related Activity” which included Behavioral Indicators of Human Trafficking.

The Behavioral Indicators noted by FinCEN include:

  • A customer shows signs of poor hygiene, malnourishment, cannot clarify where they live or where they are staying, or provides scripted, confusing, or inconsistent stories in response to inquiry.
  • A third party speaks on behalf of the customer (a third party may insist on being present and/or translating).
  • A third party commits acts of physical aggression or intimidation toward the customer.

However, as account openings and transactions migrate to virtual settings, behavioral indicators will not present themselves as they would in a bank branch. In fact, both Human Trafficking and Human Smuggling SARs decreased in 2020. 2019 was the first full year Human Trafficking and Human Smuggling were provided a checkbox on the SAR form, so this setback may be a disappointment for those who advocated for the addition.

Human Smuggling SARs and Human Trafficking SAR both fell in 2020.

2020 SARs relating to Identification/Documentation.

Forbes reported that 64% of primary account applications in Q2 2020 were submitted either online or via a mobile device. Similarly, accounts opened in a branch dropped by about 20% from Q2 2018 to Q2 2020. As the share of accounts opening remotely grows, banks must learn how to identify fake documents received online.

The FinCEN Advisory on Cybercrime Exploiting COVID-19 noted that “remote identity processes also face significant risks.” FinCEN explained that criminals seek to “undermine online identity verification processes through the use of fraudulent identity documents, which can be created by manipulating digital images of legitimate government-issued identity documents to alter information and/or photos displayed.”

Despite FinCEN’s advisory, banks filed fewer SARs for several suspicious activity types relating to Identification or Documentation in 2020. Multiple Individuals with Same or Similar Identities had the largest decrease in SAR filings with about 52,000 fewer SARs filed in 2020. Changes Spelling or Arrangement of Name, Single Individual with Multiple Identities, Provided Questionable or False Documentation, and Other Identification Document all had fewer SARs in 2020.

Identification and documentation Suspicious Activity Reports fell as more accounts were opened virtually due to COVID-19.

Conclusion

COVID-19 thoroughly impacted 2020 Suspicious Activity Reports filed by Depository Institutions. Fraudsters shifted targets, methods and financial instruments to exploit government stimulus programs. Closed borders and travel restrictions prevented criminals from moving hard currency abroad and may provide new insight into criminal networks that had previously blended into the masses. Finally, the shift towards virtual account openings provides additional challenges to banks in detecting financial crimes.

SAR Counts downloaded from FinCEN SAR Stats. All analysis, charts, and graphs prepared by Dynamic Securities Analytics, Inc.

Looking for more insight? Read DSA’s 2019, 2018 and 2016 SAR Insights.

You may also like