Nebraska Bankers Association

FINCEN-CONFIDENTIALITY OF SUSPICIOUS ACTIVITY REPORTS

I. INTRODUCTION

The Financial Crimes Enforcement Network (FinCEN) has released a final rule, "Confidentiality of Suspicious Activity Report," as well as an advisory and a guidance document, that together clarify and strengthen the scope of Suspicious Activity Report (SAR) confidentiality and expand the ability of certain financial institutions to share SAR information with most affiliates.

Among other things, the final rule clarifies the scope of the statutory prohibition on the disclosure by a financial institution of a report of a suspicious transaction set forth in the Bank Secrecy Act (BSA) by stating that the confidentiality provision does not apply when a depository institution shares a SAR, or any information that would reveal the existence of a SAR, within its corporate organizational structure for purposes consistent with Title II of the BSA, as determined by regulation or guidance.

II. CONFIDENTIALITY OF SARs

The final rule clarifies the SAR confidentiality provisions to read:

“A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as otherwise authorized. A SAR shall include any suspicious activity report filed with FinCEN pursuant to the regulation in this part.

A. Prohibition On Disclosures By Banks

No bank, and no director, officer, employee, or agent of any bank, shall disclose a SAR or any information that would reveal the existence of a SAR. Any bank, and any director, officer, employee, or agent of any bank that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing the applicable section of the regulation and 31 U.S.C. § 5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the response thereto.

1. Rules of Construction

Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, the restrictions on disclosure shall not be construed as prohibiting:

a. The disclosure by a bank, or any director, officer, employee, or agent of a bank, of:

(1) A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any federal, state, or local law enforcement agency, or any federal regulatory authority that examines the bank for compliance with the Bank Secrecy Act, or any state regulatory authority administering a state law that requires the bank to comply with the Bank Secrecy Act or otherwise authorizes the state authority to ensure that the bank complies with the Bank Secrecy Act; or

(2) The underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures:

(a) To another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR; or

(b) In connection with certain employment references or termination notices, to the full extent authorized in 31 U.S.C. § 5318(g)(2)(B); or

b. The sharing by a bank, or any director, officer, employee, or agent of the bank, of a SAR, or any information that would reveal the existence of a SAR, within the bank’s corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance.

B. Limitation on Liability

A bank, and any director, officer, employee, or agent of any bank, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. § 5318(g)(3).

III. FINCEN GUIDANCE: SHARING SUSPICIOUS ACTIVITY REPORTS BY DEPOSITORY INSTITUTIONS WITH CERTAIN U.S. AFFILIATES

The Financial Crimes Enforcement Network (FinCEN) has issued this guidance to confirm that under the Bank Secrecy Act (BSA) and its implementing regulations, a depository institution subject to FinCEN regulations (“depository institution”) that has filed a Suspicious Activity Report (SAR) may share the SAR, or any information that would reveal the existence of the SAR, with certain affiliates. (“Affiliate” of a depository institution means any company under common control with, or controlled by, that depository institution. “Under common control” means that another company (1) directly or indirectly or acting through one or more other persons owns, controls, or has the power to vote 25 percent or more of any class of the voting securities of the company and the depository institution; or (2) controls in any manner the election of a majority of the directors or trustees of the company and the depository institution. “Controlled by” means that the depository institution (1) directly or indirectly has the power to vote 25 percent or more of any class of the voting securities of the company; or (2) controls in any manner the election of a majority of the directors or trustees of the company.)

The BSA prohibits the filer of a SAR from notifying any person involved in a suspicious transaction that the activity has been reported. Regulations issued by FinCEN construe this confidentiality provision as generally prohibiting a depository institution from disclosing a SAR, or any information that would reveal the existence of a SAR.

However, the regulations make clear that, provided no person involved in the transaction is notified that the transaction has been reported, the prohibition does not include disclosures to (1) FinCEN; (2) any federal, state, or local law enforcement agency; (3) any federal regulatory agency that examines the depository institution for compliance with the BSA; or (4) any state regulatory authority that examines the depository institution for compliance with state laws requiring compliance with the BSA. The regulations also provide that the prohibition does not apply to: (i) the disclosure of the underlying facts, transactions, and documents upon which a SAR is based, including, but not limited to, disclosures related to filing a joint SAR and in connection with certain employment references or termination notices; and (ii) the sharing of a SAR, or any information that would reveal the existence of a SAR, within a depository institution’s corporate organizational structure for purposes consistent with Title II of the BSA, as determined by regulation or in guidance.

In previously issued guidance (“January 2006 Guidance”), FinCEN and the federal banking agencies determined that a U.S. branch or agency of a foreign bank may share a SAR with its head office. The January 2006 Guidance also stated that a U.S. bank or savings association may share a SAR with its controlling company (whether domestic or foreign). The January 2006 Guidance continues to be applicable and comports with the SAR regulations referenced above. The sharing of a SAR or, more broadly, any information that would reveal the existence of a SAR, with a head office or controlling company (including overseas) promotes compliance with the applicable requirements of the BSA by enabling the head office or controlling company to discharge its oversight responsibilities with respect to enterprise-wide risk management, including oversight of a depository institution’s compliance with applicable laws and regulations.

The January 2006 Guidance deferred taking a position on whether a depository institution is permitted to share a SAR with affiliates and directed institutions not to share with such affiliates. FinCEN has now concluded that a depository institution that has filed a SAR may share the SAR, or any information that would reveal the existence of the SAR, with an affiliate, as defined herein, provided the affiliate is subject to a SAR regulation. The sharing of SARs with such affiliates facilitates the identification of suspicious transactions taking place through the depository institution’s affiliates that are subject to a SAR rule. Therefore, such sharing within the depository institution’s corporate organizational structure is consistent with the purposes of Title II of the BSA.

It is not consistent with the purposes of Title II of the BSA for an affiliate that has received a SAR from a depository institution that has filed the SAR to further share that SAR, or any information that would reveal the existence of that SAR, with an affiliate of its own, even if that affiliate is subject to a SAR rule.

As is the case with sharing SARs with head offices and controlling companies, there may be circumstances under which a depository institution, its affiliate, or both entities would be liable for direct or indirect disclosure by the affiliate of a SAR or any information that would reveal the existence of a SAR. Therefore, the depository institution, as part of its internal controls, should have policies and procedures in place to ensure that its affiliates protect the confidentiality of the SAR.

Consistent with the BSA and the implementing regulations issued by FinCEN and the federal banking agencies, a SAR, or any information that would reveal the existence of a SAR, must not be disclosed, even under the guidance, if the depository institution has reason to believe it may be disclosed to any person involved in the suspicious activity that is the subject of the SAR.

IV. FINCEN ADVISORY: MAINTAINING THE CONFIDENTIALITY OF SUSPICIOUS ACTIVITY REPORTS

In conjunction with updating the regulations relating to the confidentiality of Suspicious Activity Reports (SARs), the Financial Crimes Enforcement Network (FinCEN) has issued an advisory to regulatory and law enforcement agencies and financial institutions to reinforce and reiterate the requirement to preserve the confidentiality of SAR information.

FinCEN, as administrator of the Bank Secrecy Act (BSA), is responsible for both safeguarding the information it collects and maintaining the integrity of the BSA records and reports, including SARs. The unauthorized disclosure of SARs could undermine ongoing and future investigations by tipping off suspects, deter financial institutions from filing SARs, and threaten the safety and security of institutions and individuals who file such reports. Further, such disclosure of SARs compromises the essential role SARs play in protecting our financial system and in preventing and detecting financial crimes and terrorist financing. The success of the SAR reporting system depends upon the financial sector's confidence that these reports will be appropriately protected.

FinCEN encourages organizations and authorities, both governmental and non-governmental, to be vigilant in ensuring SAR confidentiality is maintained. This includes making certain all employees, agents, and individuals appropriately entrusted with information in a SAR are informed of the individual obligation to maintain SAR confidentiality. This obligation applies not only to the SAR itself but also to information that would reveal the existence of the SAR. Likewise, such persons should also be informed of the consequences for failing to maintain such confidentiality, which could include civil and criminal penalties as explained herein.

A financial institution may want to consider including such information as part of its ongoing training of all employees. Additional risk-based measures to ensure the confidentiality of SARs could include, among other appropriate security measures, limited access on a “need-to-know” basis, restricted areas for reviewing SARs, logging of access to SARs, the use of cover sheets for SARs, or supporting documentation that indicates the filing of a SAR, or electronic notices that highlight confidentiality concerns before a person may access or disseminate the information.

Similarly, law enforcement and regulatory authorities should implement robust programs to protect the confidentiality of SARs and information that would reveal the existence of a SAR. Among other things, these programs should focus on educating all users of SAR information of their responsibilities and the importance of SAR confidentiality, and should establish controls that safeguard against inappropriate use of, and access to, SAR data. The obligation to preserve the confidentiality of SARs applies equally to government officials, and SARs must remain confidential even if law enforcement or regulatory authorities obtain them directly from financial institutions.

The unauthorized disclosure of SARs is a violation of federal law. Both civil and criminal penalties may be imposed for SAR disclosure violations. Violations may be enforced through civil penalties of up to $100,000 for each violation and criminal penalties of up to $250,000 and/or imprisonment not to exceed five years. In addition, financial institutions could be liable for civil money penalties resulting from anti-money laundering program deficiencies (i.e., internal controls, training, etc.) that led to the improper SAR disclosure. Such penalties could be up to $25,000 per day for each day the violation continues. FinCEN is committed to working with regulatory agencies, law enforcement and financial institutions to take appropriate action for unauthorized disclosures of SARs. Incidents involving unauthorized SAR disclosures are investigated and appropriate action is taken for someone found to be in violation of the law.

If you or your institution becomes aware of an unauthorized disclosure of a SAR or if your institution receives a subpoena for a SAR, you should immediately contact FinCEN’s Office of Chief Counsel at (703) 905-3590 as well as your primary federal regulator, as may be applicable in a corresponding SAR rule. If you have any questions regarding this Advisory, please contact FinCEN's Regulatory Helpline at (800) 949-2732.


Nebraska Bankers Association

233 South 13th Street, Suite 700
Lincoln, NE 68508
402-474-1555