On October 25, 2016 the Financial Crimes Enforcement Network (FinCEN) of the U.S. Department of the Treasury released an advisory to financial institutions on cyber-events and cyber-enabled crime. The advisory reminds financial institutions of their obligations under the Bank Secrecy Act (BSA) to file a Suspicious Activity Report for cyber-related events that meet certain criteria. While the advisory stresses that it does not impose any new obligations, and it does not carry the force of law, the advisory signals FinCEN’s expectation that financial institutions will help combat the ever-increasing tide of cyber-attacks on financial institutions. Financial institutions should review and assess their compliance procedures in light of these issues.
Under current regulations, a financial institution is required to file a Suspicious Activity Report (SAR) when it knows, suspects, or has reason to suspect that the transaction (or attempted transaction) or series of transactions: (1) involves proceeds derived from criminal activity; (2) is intended or conducted to hide funds or assets derived from illegal activity, or to conceal the ownership, nature, source, or control of the funds; (3) is designed, whether through structuring or other means, to evade the requirements of the BSA; (4) has no apparent business or other lawful purpose, and the financial institution knows of no reasonable explanation after examining the available facts; or (5) involves the use of the financial institution to facilitate illegal activity. For purposes of this regulation, financial institutions include banks and credit unions; casinos and card clubs; money services businesses; brokers or dealers in securities; mutual funds; insurance companies providing certain covered products; futures commission merchants; introducing brokers in commodities; dealers in precious metals, stones, or jewels; and operators of credit card systems.
Willfully failing to file a required SAR is civilly punishable under 31 U.S.C. 5321(a)(1). As a result of a recent inflation adjustment, the penalty ranges from US$53,907 to US$215,628 per violation. In addition to civil enforcement, financial institutions and individuals may also be subject to criminal prosecution for SAR-filing violations.
SAR Triggering Cyber-Events
For cyber-events, a key SAR trigger is the requirement that financial institutions report suspicious transactions conducted or attempted by, at, or through the institution that involve or aggregate to US$5,000 or more (US$2,000 for most money services businesses). Under FinCEN’s guidance, if a financial institution suspects that a cyber incident was partially or wholly intended to conduct, facilitate, or affect a transaction, the incident should be considered part of an attempt to conduct a suspicious transaction. More broadly, FinCEN states that cyber-events targeting financial institutions that could affect a transaction would be reportable because they are unauthorized, relevant to a possible violation of law, and regularly involve efforts to acquire funds through illegal activities.
One area of potential ambiguity that arises in this context is whether a cyber-event is significant enough to require a SAR. Cyber-events can range from a network scan, to a significant breach that results in the manipulation or exfiltration of data, or to an attack that fully disables a system. Recognizing that SAR-filing decisions require an exercise of judgment, and are largely fact-dependent, FinCEN states that “in determining whether a cyber-event should be reported, a financial institution should consider all available information surrounding the cyber-event, including its nature and the information and systems targeted.” FinCEN’s FAQs on cyber-event SARs specifically note that financial institutions are not required to file SARs solely to report continuous scanning or probing of networks. However, FinCEN does state that even unsuccessful cyber-events should be reported if the financial institution suspects or has reason to suspect that the event was intended to or could affect a transaction conducted or attempted by, at, or through the institution. In terms of calculating the amount of money affected by an event, FinCEN recommends that institutions consider the funds involved or “put at risk” by the cyber-event. As a practical matter, because the US$5,000 threshold is quite low (especially considering aggregation), financial institutions may choose to file a SAR where there is any risk of funds exposed to misappropriation.
Given the significant intelligence value of SARs, FinCEN encourages financial institutions to file SARs even if they do not meet the above thresholds. For instance, if a Distributed Denial of Service (DDoS) attack disrupts a financial institution’s website and online banking services, but is ultimately determined not to have been able to affect, or intended to affect, any transactions, it would not require a SAR. However, FinCEN asks financial institutions to still consider filing a SAR voluntarily because information about such attacks can be useful to law enforcement.
The Content of a Cyber-Event SAR
Both mandatory and voluntary SARs should include complete and accurate information, containing relevant facts and information about the cyber-event in the narrative section of the SAR. Financial institutions may also attach comma separated value (CSV) files to report data. To the extent available, cyber-event SARs should include:
- Description and magnitude of the event
- Known or suspected time, location, and characteristics or signatures of the event
- Indicators of compromise
- Relevant IP addresses and their timestamps (because IP addresses are dynamic, and are “recycled”, a proper time stamp may enable law enforcement to more reliably locate perpetrators)
- Device identifiers
- Methodologies used
- Other information the institution believes is relevant
If a financial institution is subjected to numerous cyber-events, the institution may report them through a single cumulative SAR filing if such events are similar in nature (e.g., multiple malware intrusions that involve similar methods, vulnerabilities, or IP addresses). The FinCEN advisory also notes that non-cyber-event SARs and other BSA/AML monitoring efforts and reports should include cyber-related data wherever possible.
Internal Collaboration between BSA/AML and Cybersecurity
Recognizing the increasing overlap between cybersecurity and BSA/AML issues, FinCEN encourages collaboration and communication among these units within financial institutions. FinCEN believes that the internal sharing of relevant information across teams will help financial institutions conduct more comprehensive threat assessments, develop appropriate risk management strategies, and identify, report, and mitigate cyber-events. While the FinCEN FAQ specifically states that AML compliance personnel do not necessarily need to be knowledgeable about cybersecurity, it is clear that competency with cyber issues will be an asset to AML personnel going forward. Importantly, FinCEN and other regulators have recently criticized the “siloing” of information within institutions.
Sharing Cyber-Related Information With Other Financial Institutions
As with internal sharing, FinCEN encourages financial institutions to share relevant cyber-related information with other financial institutions. To this end, Section 314(b) of the USA PATRIOT Act provides a safe harbor from liability to financial institutions – after notifying FinCEN and satisfying other requirements – for voluntarily sharing information with one another for the purpose of identifying, and if appropriate, reporting potential money laundering or terrorist activities. Sharing cyber-related information, such as malware signatures, IP addresses, and seemingly anonymous virtual currency addresses, can help identify the individuals, entities, or countries involved in cyber-events related to money laundering or terrorist activities.
Other Reporting Obligations
The FinCEN advisory stresses that reporting a cyber-event with a SAR to FinCEN does not satisfy other reporting obligations owed by the financial institution to state or federal agencies. For example, cyber breaches may involve export-controlled technology or sanctioned countries, potentially implicating filings to the Treasury Department’s Office of Foreign Assets Control, the Commerce Department’s Bureau of Industry and Security, and the State Department’s Directorate of Defense Trade Controls.
FinCEN encourages financial institutions to be aware of cyber-related SAR obligations required by their functional regulator. For instance, the Office of the Comptroller of the Currency requires national banks to file SARs to report unauthorized electronic intrusions. The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the National Credit Union Administration have all also issued guidance on the use of SARs to report computer-related crimes. Additionally, the Cybersecurity Act of 2015 does not change any SAR-reporting requirements under the BSA.
Although the advisory does not carry the force of law, and despite FinCEN’s repeated claim that its guidance “does not change existing BSA requirements or other regulatory obligations for financial institutions,” FinCEN’s nine-page advisory, supplemented by another five pages of frequently asked questions, sends a clear message as to regulatory expectations. Given the breadth of what would require the filing of a SAR – including unsuccessful attempts or cyber-attacks used to conceal another transaction-related cyber-event – financial institutions should strongly consider filing in many circumstances.
Importantly, although the FinCEN advisory specifically speaks to institutions’ SAR-filing obligations, financial institutions should also ensure that their overall anti-money laundering program appropriately addresses cyber-events, in documentation as well as in implementation. For instance, FinCEN notes that internal cooperation and information-sharing between an institution’s BSA/AML and cybersecurity units not only assists with more complete SAR reporting, but also allows institutions to “conduct a more comprehensive threat assessment and develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime.” Although framed as “encouragement” in the advisory, FinCEN’s language, and its express mention that such internal cooperation and sharing of information is consistent with its October 2014 “Culture of Compliance” advisory, suggest that financial institutions should treat this advice as an expectation.