The National Crime Agency (NCA) takes the need to protect the confidentiality of reporters very seriously.
Access to Suspicious Activity Reports (SAR) information is conditional on compliance with Home Office issued guidance.
To guard against inadvertent or erroneous disclosure of a SAR, appropriate reporting procedures can also be adopted by the accountancy practice making the report. Read these tips for making SARs safely.
What to do to reduce the chances of inadvertent disclosure
To guard against inadvertent or erroneous disclosure of a SAR, appropriate reporting procedures should be adopted by the accountancy practice making the report. Such procedures might include:
- Excluding the name of the firm and names of staff from the "reasons for suspicion" box. This will help enable Law Enforcement Agencies (LEAs) to pass information to investigation teams which does not include the identity of the reporter and reduce the likelihood of inadvertent disclosure. It is important to give accurate contact information to guard against you or your firm being confused with another firm with a similar name, which might result in enquiries being directed to the wrong person.
- Wherever possible, use the SARs portal to submit reports as risks of interception or loss in transmission are reduced.
- In respect of any further information requested, or information required to support the intelligence provided in a SAR for use in a prosecution, only release the information in response to a properly served Production Order or other order that effectively compels the disclosure. This shows to any persons involved in the prosecution or defence that the reporter was acting only in response to a binding legal duty.
- Where there is particular reason to fear that a suspect might be motivated to try and discover whether a SAR had been made and by whom, and take revenge (for example where a SAR might involve a suspect with a known history of violence, or where organised crime or a terrorist organisation might be involved) bring this to the attention of Law Enforcement. This might be done by the inclusion of a note (in bold type, at the top) in the SARs reporting box on reason for suspicion setting out any concerns over safety or confidentiality.
- Maintain proper records, to ensure that Personal Data (as defined under the Data Protection Act) is only retained where it continues to have information value likely to be useful for the prevention or detection of crime. Where disclosure of information would be likely to be prejudicial in that context, it is exempted from the requirements for disclosure in response to a subject access request under the UK GDPR and the DPA 2018. Guidance on this point has been issued by the Information Commissioner on the Right of Access.
- Do not keep copies of SARs on the client files, or anywhere else where they are available to clients, the general staff of the firm, or third parties. It is safer for them to be kept securely by the money laundering reporting officer (MLRO), and access restricted to the MLRO and any appropriate deputies.
- Don't include any superfluous detail in the "reasons for suspicion" about the circumstances in which information is obtained and provide only that information necessary to explain the information on which the suspicion or knowledge is based, the suspected predicate offence (if known) and the nature of the suspicion. Do not include the names of accountancy practice personnel in the description of information and suspicion.
We also have separate guidance on SARs disclosures in civil litigation cases.