Regulated firm sanctioned for filing too many NON-suspicious SARS

Filing suspicious transaction/activity reports (STRs/SARs) is vital to AML compliance, but these should always be approached with care. The FIU does not welcome a scattergun approach.

A recent decision by the German regulator BaFin penalised a firm for failing to establish and maintain a proper business organisation for detecting suspicious transactions.

One factor contributing to the decision was that the firm regularly filed "unsubstantiated" suspicious transaction reports (STRs).

This appears to be the first case where BaFin (or any other regulator) has imposed sanctions for the submission of an excessive volume of "unfiltered" STRs.

BaFin

• The Federal Financial Services Authority ("BaFin") published a remarkable sanctions decision where a payment institution was penalised for failing to establish and maintain a proper business organisation for detecting suspicious transactions.
• BaFin, the German regulator, argued that it regularly received "unsubstantiated" suspicious transaction reports filed by the obliged entity, which BaFin considered evidence for its allegations.

The legals

1. According to Article 33(1) of Directive (EU) 2015/849 ("AML-Directive"), as transposed into national German law by Sec. 43(1) of the Money Laundering Act (Geldwäschegesetz – "GwG"), companies qualifying as obliged entities under the GWG must promptly inform the financial intelligence unit ("FIU") by filing a report in cases where they know, suspect or have reasonable grounds to suspect that funds of their customers are the proceeds of criminal activity or are related to terrorist financing (the so-called suspicious transaction reports, "STRs").[see notes below og reporting rules]
2. The story
3. On March 6, 2025, BaFin published a sanctions decision concerning a case where an obliged entity (a payment institution) was sanctioned for failing to establish and maintain a proper business organisation, including an adequate data processing system, ensuring compliance with AML requirements, such as the requirement to detect suspicious transactions.
4. Surprisingly, BaFin argued that such failure was demonstrated by submitting "unsubstantiated" STRs to the FIU.
5. This is the first case where BaFin imposed sanctions for the submission of an excessive volume of "unfiltered" STRs.
6. In the past, BaFin imposed sanctions several times in the opposite scenario, i.e., where BaFin concluded that STRs were not filed promptly.
7. Therefore, financial institutions especially prefer to file an STR even in situations where it is not entirely clear whether the reported transaction exhibits the characteristics of a suspicious transaction. It has to be noted that the threshold set out by BaFin is very low (much lower than the initial suspicion required to open a criminal investigation by law enforcement agencies).
8. This resulted in a substantial increase in the STR data that the FIU has to process.
9. With the above sanctions decision, BaFin demonstrated that it expects the obliged entities to implement IT-based monitoring systems, ensuring that transactions that do not exhibit suspicious activity criteria are not reported to the FIU.

Thresholds for Reporting SARs

1. It is important to note that the threshold for suspicion sufficient to trigger an STR to the FIU is very low:
   1. The STR requirement is already triggered if there are "reasonable grounds" to suspect such funds are incriminating.
2. In this respect, BaFin notes that an obliged entity is not required (and in practice even not allowed) to examine whether the fact pattern around the relevant transaction meets the conditions for a criminal offence or involves terrorist financing, nor to investigate the facts.
3. Instead, the obliged entity must assess the fact pattern based on "general experience" and "professional knowledge," considering how unusual the given transaction is in the specific business context.
4. If the assessment finds objective indicators suggesting that the underlying funds could be potentially connected to specific criminal activities (Germany has implemented the "all-crimes approach", i.e., all criminal offences now qualify as predicate offences) and/or terrorism financing, the STR requirement is triggered.

Practical implications

1. While the precise reasons for BaFin's sanctions decision have not been disclosed, BaFin specifically refers to the obliged entity's failure to establish and maintain a proper business organisation, which resulted in the filing of "unsubstantiated" STRS.
2. Consequently, the decision clearly indicates that BaFin will challenge situations in which obliged entities continuously file STRs regarding transactions that do not meet the suspicion criteria.
3. Generating too many STRs also risks internal backlogs and unclear situations regarding transaction execution when the FIU offers no feedback.
4. While the GwG assumes that the transaction can be executed (normally after three business days), there are several unresolved legal issues around this question.
5. Against this backdrop, we see the following key takeaways:
   
   1. Calibrating criteria for suspicious activity: 
      1. Depending on how the obliged entities define the criteria for unusual and suspicious transactions, the AML monitoring system can generate varying numbers of alerts.
      2. i. If such criteria are defined very broadly to ensure that all suspicious activity is reported with STRS and no suspicious transactions fall through the cracks, depending on the nature and number of transactions, the detection system can generate a significant number of alerts. In any case, the chosen criteria must be documented, explained, and recalibrated based on event-driven circumstances and general lessons learned.
   2. Assessment of alerts: 
      1. Once the IT monitoring system has detected potentially suspicious transactions (i.e., generated alerts), the obliged entity must assess the alert and determine whether the respective transaction exhibits characteristics that give rise to the suspicion that the customer funds are the proceeds of criminal activity or are related to terrorist financing.
      2. The transaction in question is assessed in light of the business relationship objective and the customer's previous transactions. Furthermore, it is usually evaluated in light of transaction patterns commonly observed in business relationships with other customers in the respective customer segment. While automated procedures are possible, a dedicated review process and sample checks are required.
   3. Role of the MLRO: 
      1. The anti-money laundering officer ("MLRO") must manually examine transactions exhibiting potentially suspicious characteristics. The MLRO processes suspicious cases, verifies whether the conditions for reporting under Sec. 43 GwG are met, and, if necessary, files the STR with the FIU pursuant to Sec. 43 GwG.
      2. The MLRO is directly responsible for assessing whether the fact pattern requires the obliged entity to report the transaction to the FIU.
      3. In light of BaFin's decision, MLROs will not be able to apply a very broad interpretation of what constitutes suspicious activity and will have to ensure that false alerts are filtered out and that no "unsubstantiated" STRs are reported to the FIU.

Conclusion

• BaFin's decision is likely to prompt a controversial discussion among MLROs.
• Nevertheless, clients should review how they define suspicious activity and reassess their reporting processes in light of BaFin's stance on "unsubstantiated" reports.
• It is important to flag that a definition of suspicious activity that is too narrow can also expose clients to regulatory risk.
• Therefore, when calibrating alerts, clients must strike the right balance between over-reporting and under-reporting.

Read more here:

• https://ow.ly/Kwfz30sMrJA
• https://www.whitecase.com/insight-alert/unsubstantiated-suspicious-transaction-reports

In Germany, Sec. 43 GWG, a STR = When do transactions qualify as suspicious and need to be reported?

1. Detecting unusual or suspicious transactions requires establishing adequate monitoring arrangements.
2. Criteria for suspicious transactions
1. According to Sec. 43 GwG, a STR must be filed if the facts indicate that:
2. The assets related to the business relationship, brokerage or transaction derive from a criminal offence that could constitute a predicate offence for money laundering
3. A business transaction, a transaction or an asset is related to terrorist financing
4. The contracting party does not fulfil its obligation to disclose beneficial ownership
5. In the Interpretation and Application Guidance (Auslegungs- und Anwendungshinweise zum Geldwäschegesetz—"AuA"), BaFin notes that suspicious transactions need to be determined in light of the purpose and nature of the business relationship as well as patterns of similar transactions in the market. If a transaction appears to be inconsistent with the usual activities of the customer (e.g., particularly complex or large), this is deemed sufficient to qualify the transaction as "suspicious."
6. The reporting obligation exists irrespective of the transaction's amount or the underlying asset's value. In addition to transactions or business relationships that are imminent, ongoing, rejected, or not yet executed, the obligation also covers transactions that have already been processed.