The Financial Crimes Enforcement Network (FinCEN) reminded banks that they are required to report cyber-enabled crime and cyber events just like any other suspicious activity.

What happened

Observing that financial institutions can play an important role in protecting the U.S. financial system from cybercriminals, FinCEN reminded banks that the obligation to file suspicious activity reports (SARs) extends to cyber events that are security threats.

For purposes of the advisory, FinCEN defined a "cyber event" as "an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information," and a "cyber-enabled crime" as "illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers."

FinCEN and law enforcement "regularly" use information reported by financial institutions pursuant to the Bank Secrecy Act (BSA), the advisory noted, with SARs from banks providing "a valuable source of investigatory leads" to track criminals, identify victims, and trace illicit funds.

The agency reminded financial institutions of regulatory expectations with regard to cyber events and the BSA.

"A financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets," FinCEN wrote. "If a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions."

When deciding whether to report a cyber event, a financial institution should consider the totality of the circumstances, including all available information surrounding the event, its nature, and the data and systems targeted, the advisory explained.

Other cyber-related SAR-filing obligations may also be triggered by a cyber event, FinCEN noted, such as reports to other regulators like the Office of the Comptroller of the Currency or the Board of Governors of the Federal Reserve System.

The advisory offered examples of situations where SAR reporting of cyber events is mandatory. In one hypothetical, cybercriminals used a malware intrusion to gain access to the bank's systems and information. The bank later determined that the event put $500,000 of customer funds at risk based on the systems and/or information targeted, leading the bank to reasonably suspect the intrusion was in part intended to enable the perpetrators to conduct unauthorized transactions using customers' funds.

In this situation, the bank would be required to file a SAR, FinCEN said. Although no actual transaction occurred, the circumstances of the cyber event and the systems and information targeted could reasonably lead the financial institution to suspect that the event was intended to be part of an attempt to conduct, facilitate, or effect an unauthorized transaction or series of unauthorized transactions aggregating or involving at least $5,000 in funds or assets.

In addition to the mandatory reporting obligations, the agency encouraged financial institutions "to report egregious, significant, or damaging cyber-events and cyber-enabled crime when such events and crime do not otherwise require the filing of a SAR."

A bank that has been the target of a distributed denial of service (DDoS) attack that disrupted its website and disabled its online banking services for a significant period of time, for example, should consider filing a SAR "because the attack caused online banking disruptions that were particularly damaging to the institution," FinCEN wrote. "SAR reporting of cyber-events, even those that may not meet mandatory SAR-filing requirements, is highly valuable in law enforcement investigations."

Financial institutions should include all available cyber-related information in a SAR, the agency said, including IP addresses with time stamps, virtual wallet information, and device identifiers. Other important data highlighted by the advisory: a description and magnitude of the event; known or suspected time, location, and characteristics or signatures of the event; indicators of compromise; methodologies used; and any other information the institution believes is relevant.

FinCEN also urged collaboration between cybersecurity and BSA units within a financial institution, which could reveal additional patterns of suspicious behavior and identify suspects not previously known, as well as information sharing between financial institutions, with banks working together to identify threats, vulnerabilities, and criminals.

"By sharing information with one another, financial institutions may gain a more comprehensive and accurate picture of possible threats, allowing for more precise decision making in risk mitigation strategies," according to the advisory, which noted that banks are protected by a safe harbor under Section 314(b) of the USA PATRIOT Act for voluntarily sharing information for the purpose of identifying and reporting potential money laundering or terrorist activities.

The advisory is numbered FIN-2016-A005.

Why it matters

The advisory provided an important reminder for financial institutions of their obligations to report cyber events pursuant to the BSA. FinCEN also encouraged banks to report other cyber-enabled crime even when the activity does not require the filing of a SAR, as well as to share information both internally and with other financial institutions.