On October 25, the Financial Crimes Enforcement Network (FinCEN), one of the U.S. Department of the Treasury’s lead agencies in the fight against money laundering, issued an Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime and associated Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs). FinCEN was careful to state that its Advisory does not change existing requirements under the Bank Secrecy Act or other federal or state laws or regulations on cyber-related reporting and compliance obligations. Its Advisory and FAQs, however, may nonetheless have the effect of increasing significantly the number of SARs filed under the Bank Secrecy Act and the amount of cyber-related information to be contained therein.
Currently, financial institutions are required to file a SAR to report suspicious activity whenever they detect transactions that they suspect, or have reason to suspect, (1) involve money derived from criminal activity, (2) are designed to evade Bank Secrecy Act requirements, (3) appear to serve no business or other legal purpose, or (4) involve the use of the financial institution to facilitate criminal activity. Even an attempted transaction that is not committed can trigger SAR filing requirements. The range of financial institutions required to file SARs is quite broad, including banks, financial holding companies, broker-dealers, insurance companies, mortgage lenders/originators, money service businesses, and casinos. The minimum monetary threshold for the SAR requirement is typically $5,000 but varies according to the particular type of financial institution.
The Advisory is intended to shed light on a financial institution’s reporting obligations relating to “cyber-events,” defined as attempts to compromise or gain unauthorized electronic access to electronic systems, resources, or information, and “cyber-enabled crime,” defined as illegal activities carried out or facilitated by electronic systems and devices, such as networks and computers.
The Advisory casts a wide net on what qualifies as a reportable cyber-event and provides a non-exhaustive list of examples illustrating situations in which a SAR would be mandatory, as well as circumstances in which a voluntary SAR filing would be encouraged.
The Advisory’s first example for triggering mandatory reporting involves a malware intrusion by which cybercriminals gained access to systems and information that put $500,000 of customer funds at risk. The bank in this example “must” file a SAR “because it has reason to suspect the cybercriminals, through the malware intrusion, intended to conduct or could have conducted unauthorized transactions aggregating or involving at least $5,000 in funds or assets.”
The Advisory’s second example for triggering mandatory reporting involves cybercriminals gaining access to a financial institution’s systems and exposing sensitive customer information that would be useful or necessary to conduct, affect, or facilitate transactions. The financial institution in this example could reasonably suspect that the cybercriminals intended to steal and sell the exposed information for financial exploitation.
“Although no actual transaction may have occurred in these examples, the circumstances of the cyber-events and the systems and information targeted could reasonably lead the financial institutions to suspect the events were intended to be part of an attempt to conduct, facilitate or affect an unauthorized transaction or series of unauthorized transactions aggregating or involving at least $5,000 in funds or assets.”
Beyond mandatory reporting, the Advisory also encourages voluntary SARs to report “egregious, significant or damaging” cyber-events. The example given in the Advisory is of a Distributed Denial of Service (DDoS) attack that disrupts a financial institution’s website and disables the institution’s online banking services for a significant period of time. Even if the institution “determines that the attack was not intended to and could not have affected any transaction,” FinCEN encourages the filing of a SAR on these facts because the attack caused disruptions that were damaging to the institution, and SAR reports are “highly valuable in law enforcement investigations.”
Once the decision is made to file a SAR, the Advisory arguably expands the scope of cyber-related information to be provided therein. The Advisory states that financial institutions “should include available cyber-related information when reporting any suspicious activity, including those related to cyber-events as well as those related to other activity, such as fraudulent wire transfers,” and that this applies to voluntary as well as mandatory SARs.
In a departure from prior specific requirements, the Advisory states that cyber-related information to be provided in a SAR involving a cyber-event “includes, but is not limited to, IP addresses with time stamps, virtual-wallet information, device identifiers, and cyber-event information.” The FAQs provide additional information and identifiers that should be reported as available.
While FinCEN claims to have added no new burdens or reporting obligations, its Advisory has the potential to increase significantly the number of incidents that financial institutions must now consider for filing SARs and to broaden the scope of cyber-related information that FinCEN will expect to be included in SARs.
One concern for financial institutions is that regulators and perhaps private plaintiffs may use a failure to file a SAR, even voluntarily, as evidence of a lack of attention to a “known” issue. Additionally, the Advisory indicates added emphasis by FinCEN on the gathering and use of attribution information in its investigations of financial institutions for Bank Secrecy Act compliance.
The Advisory states that it is not creating any new obligation or expectation requiring financial institutions to collect cyber-related information as a matter of course, but financial institutions remain vulnerable to civil enforcement actions by FinCEN for failure to properly submit SARs. Therefore financial institutions should consider taking steps to incorporate IP addresses and other attribution information into their SARs. This may be easier said than done, depending on the extent to which the institution’s cybersecurity systems and tools capture such information or maintain it in an accessible format.
Accordingly, financial institutions should continue to be vigilant in analyzing their reporting obligations of any cyber-attack or other cyber incident and in evaluating the ability of their cybersecurity systems and tools to capture and provide the needed cyber-related information in the event a SAR needs to be filed.