The Financial Crimes Enforcement Network (“FinCEN”) of the U.S. Department of the Treasury issued Advisory No. FIN-2016-A005 on October 25, 2016, which provides guidance to financial institutions on their obligations in the context of cybersecurity. The content of the Advisory is discussed below.
Duty to Report Cyber-events through SARs
Under the Bank Secrecy Act, financial institutions are required to report suspicious activity through Suspicious Activity Reports (“SARs”). “Cyber-events,” defined as “an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information,” often target financial institutions and can serve as a means to commit crimes such as fraud or money laundering.
Whether the act is completed or merely attempted, a financial institution must report any activity that is deemed suspicious and involves more than $5,000.00 in funds or other assets. For instance, in a malware intrusion where the hacker gains access to a bank’s systems and to information regarding customer accounts, the financial institution would be required to file a SAR, even though the hacker did not actually conduct any transaction with those funds. Similarly, if a data breach results in a cyber-criminal gaining access to retail customer information such as a PIN, online credentials, or other sensitive information, that breach could mandate BSA reporting even if it does not result in the transfer of funds.
While not intended to be an exhaustive list, these examples shed light on instances where, although no financial transaction was completed, the financial institution would be required to report the data breach through a SAR.
Relevant Cyber-Related Information to Include in Report
When a cyber-event triggers the reporting requirement, the financial institution must complete the SAR with all relevant information at its disposal. Thus, the report should include, where available, the following:
- A description and the severity of the event
- The known or suspected time, location, and characteristics of the event
- Any indication of compromised data
- Relevant IP addresses and timestamps
- Device identifiers
- Description of method employed
- Any other information believed to be relevant
Working with Other Cybersecurity Organizations to Identify and Prevent Suspicious Activity
In its Advisory, FinCEN also recommends collaboration among financial institutions, BSA Anti-Money Laundering (“AML”) units, and internal cybersecurity units to ensure the ability to conduct a comprehensive threat assessment and accurate reporting. Financial institutions are also encouraged to work with these entities to establish risk management strategies. BSA AML units may then use the information received from these various sources to identify patterns and suspects that might not otherwise have been known. The Advisory calls for the financial institution to become an active participant in preventing the activity the BSA targets and in supporting its enforcement.
While a financial institution would be understandably reluctant to share certain cyber-related information with other institutions, the PATRIOT Act carves out a safe-harbor provision protecting the entity from liability for sharing information voluntarily for purposes of identifying and reporting potential threats of terrorism or money laundering.
FinCEN’s Advisory may be accessed here.
Financial institutions may submit their SAR through FinCEN’s e-filing system here.