On October 25, 2016, the Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury Department issued an advisory that provides financial institutions with guidance on their obligations under the Bank Secrecy Act (BSA) to report cyber-enabled crimes. The advisory suggests that financial institutions should incorporate cyber-related information into their BSA and Anti-Money Laundering (AML) monitoring systems and include any relevant cyber-related events in their Suspicious Activity Reporting (SAR).
The advisory provides financial institutions with guidance in the following areas:
- Mandatory and Voluntary Reporting of Cyber-Events by SARs;
- Required and Voluntary inclusion of Cyber-Related Information in SAR Reporting;
- Collaboration between BSA/AML, Cybersecurity and other Units at Financial Institutions; and
- Voluntary Sharing of Information by Financial Institutions related to Cyber-Events.
In the first item, the advisory sets forth information regarding mandatory and voluntary SAR reporting of cyber-events. Under federal law, financial institutions are required to file SARs to report suspicious transactions that involve an amount of more than $5,000. If the financial institution believes that a suspicious activity involves a cyber event, the institution should report such activity in a SAR. The following information should be considered in deciding whether to report the cyber-event:
- all information surrounding the cyber-event, and
- the systems targeted in the cyber-event.
The advisory provides specific examples of instances in which financial institutions have an obligation to report cyber-events in a SAR, even if no actual transaction has occurred.
The advisory also suggests that institutions voluntarily report certain cyber-events. Those events include “egregious, significant, or damaging cyber-events and cyber-related crime” even if the transaction would not otherwise require the financial institution to file a SAR.
The second area deals with the inclusion of cyber-related information in SARs. Financial institutions are required to include cyber-related information in any SAR required to be filed, including SARs filed for fraudulent wire transfers. The advisory mentions including the following cyber-related information in the filing:
- IP addresses with timestamps
- virtual-wallet information
- device identifiers
- cyber-event information
Institutions also should include cyber-related information when filing a voluntary SAR.
The advisory goes on to suggest that financial institutions provide “complete and accurate information, including relevant facts in appropriate SAR fields, and information about cyber-events in the narrative section of the SAR, in addition to any other related suspicious activity.” The following information should be included in any SAR involving cyber-events:
- Description and magnitude of event;
- Known or suspected time, location, and characteristics or signatures of the event;
- Indicators of compromise;
- Relevant IP addresses and their timestamps;
- Device identifiers;
- Methodologies used; and
- Other information the financial institution believes is relevant.
In some instances, the financial institution may file one SAR for multiple events if the events are similar in nature.
In the third area of the advisory, financial institutions are encouraged to share relevant information among the different departments of the institution. Sharing such information could assist with comprehensive threat assessments, the development of stronger risk management strategies, and improved identification, reporting and mitigation of cyber-events. Internal sharing may also reveal other patterns of activity that could result in additional SAR filings, which will result in more comprehensive and complete reporting.
Finally, the advisory suggests that financial institutions should collaborate to identify threats, vulnerabilities and criminal activities and help mitigate risk to financial institutions. It should be noted that the Patriot Act provides a safe harbor from liability for financial institutions (after satisfying certain requirements) that voluntarily share cyber-related information in certain instances.