FinCEN Issues Advisory on Suspicious Activity Reporting Requirements for Cyber-attacks Under the Bank Secrecy Act
On October 25, 2016, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued an Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (“Advisory”). Alongside the Advisory, FinCEN also issued Frequently Asked Questions (“FAQs”) on reporting cyber-events, cyber-enabled crime, and cyber-related information through Suspicious Activity Reports (“SARs”). FinCEN intends the Advisory to help financial institutions understand their Bank Secrecy Act (“BSA”) obligations with respect to cyber-events and cyber-enabled crime. The Advisory does not change any existing regulatory requirements; it offers guidance to help financial institutions understand how to identify, report, and share such information under the BSA.
Mandatory and Voluntary Reporting of Cyber-Events. FinCEN defines a “cyber-event” as “an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.” FinCEN defines “cyber-enabled crime” as “illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks or computers.” Cyber-events and cyber-enabled crime may trigger mandatory SAR filing. Mandatory reporting is required for a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets; the Advisory offers guidance for determining whether a particular cyber-event meets that standard. Where a cyber-event or cyber-enabled crime does not otherwise require a SAR, FinCEN encourages financial institutions to voluntarily report egregious, significant, or damaging events. For example, a Distributed Denial of Service (“DDoS”) attack that disrupts an institution’s website may involve no qualifying transaction at all, yet FinCEN encourages the institution to consider filing a SAR because the attack caused online banking disruptions and that information is valuable to law enforcement.
Cyber-Related Information to Include in SAR Reporting. When filing either a mandatory or voluntary SAR, FinCEN encourages financial institutions to provide complete and accurate information, including: a description of the event and its magnitude; the known or suspected time, location, and characteristics or signatures of the event; indicators of compromise; relevant IP addresses and their associated timestamps; device identifiers; the methodologies used; and any other information the institution believes is relevant. FinCEN also states that a financial institution may file one cumulative SAR, rather than multiple individual SARs, for multiple cyber-attacks that share “common characteristics and indicators such as the methodology used, the vulnerability exploited, and IP addresses involved.”
FinCEN Encourages Internal Cooperation Between BSA/AML and Cybersecurity Units and Sharing Cyber-Related Information Between Financial Institutions. FinCEN further advises collaboration among BSA/AML, cybersecurity, and other units so that a financial institution can develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime. FinCEN also stresses the importance of financial institutions working together to identify threats. Financial institutions are encouraged to take advantage of the safe harbor provisions of Section 314(b) of the USA PATRIOT Act, which allow institutions to share cyber-related information regarding individuals, entities, organizations, and countries for the purpose of identifying and reporting money laundering and terrorist activities. Failure to comply with the safe harbor’s requirements results in the loss of safe harbor protection for the information shared and may give rise to a violation of privacy laws or other laws and regulations. Further, financial institutions should take precautions to protect attorney-client communications and attorney work product when sharing cyber-related information.
The articles published in this newsletter are intended only to provide general information on the subjects covered. The contents should not be construed as legal advice or a legal opinion. Readers should consult with legal counsel to obtain specific legal advice based on particular situations.