The Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), along with the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, has issued formal guidance for banking organizations on sharing suspicious Activity Reports (SARs) with head offices and controlling companies. For purposes of the guidance, a controlling company is defined as: (1) a bank holding company, as defined in Section 2 of the Bank Holding Company Act; and (2) a savings and loan holding company, as defined in Section 10(a) of the Home Owners’ Loan Act; and (3) includes a company having the power directly or indirectly , to direct the management or policies of an industrial loan company or a parent company or to vote 25 percent or more of any class of voting shares of an industrial loan company or a parent company.
The guidance confirms that: (1) a U.S. branch or agency of a foreign bank may disclose a Suspicious Activity Report to its head office outside the United States; and (2) a U.S. depository institution may disclose a Suspicious Activity Report to controlling companies whether domestic or foreign. The guidance notes that banking organizations should maintain appropriate arrangements for the protection of confidentiality of Suspicious Activity Reports.
The guidance does not address whether a banking organization may share a Suspicious Activity Report with an affiliate other than a controlling company or head office, whether located inside the United States or abroad. Until further guidance is issued, banking organizations should not share Suspicious Activity Reports with such affiliates.
The Bank Secrecy Act prohibits the filer of a Suspicious Activity Report from notifying any person involved in the suspicious transaction that the transaction has been reported. Implementing regulations issued by the Financial Crimes Enforcement Network have construed this confidentiality provision as generally prohibiting a banking organization from disclosing the existence of a Suspicious Activity Report except where such disclosure is requested by appropriate law enforcement agencies, bank supervisory agencies, or the Financial Crimes Enforcement Network. In addition, the Federal Banking Agencies’ regulations issued pursuant to Title 12 of the United States Code, state that “Suspicious activity reports are confidential.”
A depository institution that files a Suspicious Activity Report may disclose to entities within its organization information underlying the filing (that is, information about the customer/suspect and transaction(s) reported).
Heretofore, it has been unclear whether a depository institution is permitted under the Bank Secrecy Act and Federal Banking Agency regulations to share or disclose to entities within its corporate structure, the Suspicious Activity Report itself or the fact that a Suspicious Activity Report was filed. It has been determined that a U.S. branch or agency or a foreign bank may share a Suspicious Activity Report with its head office outside the United States for these purposes. Similarly, a U.S. bank or savings association may disclose a Suspicious Activity Report to its controlling company, no matter where the entity or party is located. In the event that a depository institution’s corporate structure includes multiple controlling companies, the filing institution’s Suspicious Activity Report may be shared with each controlling entity. It should be noted that the requirement that knowledge of a Suspicious Activity Report’s filing may not be disclosed to the controlling entity or party remains, even under the guidance, if there is a reason to believe it may be disclosed to any person involved in the suspicious activity that is the subject of the Suspicious Activity Report.
There may be circumstances under which a depository institution would be liable for direct or indirect disclosure by its controlling company or head office of a Suspicious Activity Report or the fact that a Suspicious Activity Report was filed. Therefore, the depository institution, as part of its anti-money laundering program, must have written confidentiality agreements or arrangements in place specifying that the head office or controlling company must protect the confidentiality of the Suspicious Activity Reports through appropriate internal controls.
The recipient head office, controlling entities or parties may not disclose further any Suspicious Activity Report, or the fact that such report has been filed; however, the institution may disclose without permission underlying information (that is, information about the customer and transaction(s) reported) that does not explicitly reveal that a Suspicious Activity Report was filed and that is not otherwise subject to disclosure restrictions.