On Tuesday, October 25, the Financial Crimes Enforcement Network (“FinCEN”) issued an Advisory to explain how regulations and requirements of the Bank Secrecy Act (the “BSA”) apply to cyber-events, cyber-enabled crime, and cyber-related information.
Under the BSA, a financial institution must file a Suspicious Activity Report (a “SAR”) in the event of any successful or unsuccessful cyber-event that poses or posed at least a $5,000 risk to such institution. Further, a SAR must be filed for any cyber-event that a financial institution knows, or has any suspicion, was intended to influence a transaction or a series of transactions at such institution. A cyber-event is an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information. In determining whether to report a cyber-event, a financial institution should consider any information it has that relates in any way to the cyber-event, and should aggregate any funds and/or assets that were involved in, or put at risk in any way by, the cyber-event. FinCEN also encourages any financial institution that discovers a cyber-event falling outside the mandatory SAR threshold to consider voluntarily filing a SAR, because the information can still provide value to law enforcement investigations.
When filing a mandatory SAR, a financial institution should include any cyber-related information available to it. FinCEN also encourages institutions to include any cyber-related information when filing a voluntary SAR. Some examples of cyber-related information are IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information. Both mandatory and voluntary SARs should include complete and accurate information, including, to the extent available: a description and magnitude of the event; known or suspected time, location, and characteristics or signatures of the event; indicators of compromise; relevant IP addresses and their timestamps; device identifiers; methodologies used; and any other information the financial institution believes is relevant.
In addition, financial institutions should always ensure that they comply with any other cyber-related SAR requirements that might be imposed by their respective functional regulators.