The Financial Crimes Enforcement Network (“FinCEN”) recently published an Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime. The Advisory does not change or create any new regulatory obligations, but it does clarify how existing Bank Secrecy Act (“BSA”) regulations for reporting cyber-events and cyber-enabled crimes apply to financial institutions. Specifically, the Advisory provides additional guidance for reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (“SARs”), including cyber-related information in SARs; collaborating between BSA units and in-house cybersecurity units to identify suspicious activity; and sharing cyber-related information among financial institutions to prevent and report money laundering, terrorism financing, and cyber-enabled crimes.
The Advisory first clarifies when a cyber-event should be reported through a SAR. Certain cyber-events trigger existing mandatory SAR reporting requirements. FinCEN uses the term “cyber-event” to refer to an “attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources or information.” The BSA regulations require a financial institution to file a SAR if a suspicious transaction conducted or attempted by, at, or through the financial institution involves or aggregates to $5,000 or more in funds or other assets. For money services businesses (“MSBs”), the threshold is generally $2,000 or more in funds or other assets. Accordingly, the Advisory states that if a cyber-event was intended, either in whole or in part, to conduct, facilitate, or affect a transaction or series of transactions at or above the relevant threshold ($5,000 for financial institutions and generally $2,000 for MSBs), a SAR must be filed. In determining the amount of money involved in the transactions, the financial institution or MSB must aggregate the funds and assets involved in or put at risk by the cyber-event.
Even if a cyber-event does not trigger the mandatory SAR reporting requirements, such as when the monetary amount involved is lower than the applicable threshold or when the cyber-event was not intended to and could not have affected any transactions, financial institutions and MSBs are encouraged to file a SAR.
The Advisory also sets forth FinCEN’s expectations for including cyber-related information in SARs. “Cyber-related information” is “[i]nformation that describes technical details of electronic activity and behavior.” Cyber-related information includes, but is not limited to, IP addresses, timestamps, Indicators of Compromise (“IOCs”), and data regarding individuals’ digital footprint and behavior. Financial institutions and MSBs should include any available cyber-related information in the narrative section of any SAR, even if the SAR is filed on a voluntary basis or is not related to a cyber-related event. Cyber-event data and transaction details can also be included in a comma-separated value (“CSV”) file attached to a SAR. For SARs that report cyber-events, the cyber-related information should include, at a minimum:
- Description and magnitude of the event;
- Known or suspected time, location, and characteristics or signatures of the event;
- Relevant IP addresses and their timestamps;
- Device identifiers;
- Methodologies used; and
- Other information the financial institution or MSB believes is relevant.
The Advisory also emphasizes collaboration and ongoing communication among various units of each financial institution and MSB to identify, report, and mitigate cyber-events and cyber-enabled crime. A “cyber-enabled crime” includes “[i]llegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.” One benefit of this internal collaboration is more comprehensive and complete SAR reporting.
Finally, financial institutions and MSBs are advised to share cyber-related information with one another to better identify threats, vulnerabilities, and criminals. Section 314(b) of the USA PATRIOT Act continues to provide a safe harbor to financial institutions and MSBs who voluntarily share information with each other to identify and report potential money laundering and terrorist financing after notifying FinCEN and complying with other requirements under Section 314(b).
Financial institutions and MSBs should circulate and carefully review this new Advisory with their cybersecurity teams, IT personnel, risk departments, fraud prevention departments, compliance staff, and BSA/Anti-Money Laundering teams. Institutions should also review their SAR-filing policies and procedures to ensure they are complying with mandatory SAR-filing requirements for cyber-events and including cyber-related information in SARs when available. Financial institutions and MSBs should also consider voluntarily filing SARs for cyber-events, even when not required, and sharing cyber-related information with other financial institutions and MSBs under Section 314(b). In addition, financial institutions and MSBs should continue to ensure they comply with applicable cyber-related SAR requirements set forth by their functional regulators.