FinCEN Issues New Advisory to Financial Institutions Regarding Reporting of Cyber-Events
ABSTRACT: On October 25, 2016, FinCEN issued an Advisory outlining recommendations and requirements for financial institutions to report suspicious activity in compliance with the Bank Secrecy Act, clarifying these institutions' obligation to report cyber-events, even where no financial transaction was completed.
The Financial Crimes Enforcement Network (“FinCEN”) of the U.S. Department of Treasury issued Advisory No. FIN-2016-A005 on October 25, 2016, which provided guidance to financial institutions as to their obligations in the context of cyber-security. The content of the Advisory is discussed below.
Duty to Report Cyber-events through SARs
Under the Bank Secrecy Act, financial institutions are required to report suspicious activity through Suspicious Activity Reports (“SARs”). “Cyber-events,” defined as “an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information,” often target financial institutions and can serve as a means to commit crimes such as fraud or money laundering.
Whether the act is completed or merely attempted, a financial institution must report any activity that is deemed suspicious and involves more than $5,000.00 in funds or other assets. For instance, in a malware intrusion where the hacker gains access to a bank’s systems and to information regarding customer accounts, the financial institution would be required to file a SAR even though the hacker did not actually conduct any transaction with those funds. Similarly, if a data breach results in a cyber-criminal gaining access to retail customer information such as a PIN, online credentials, or other sensitive information, that breach could mandate BSA reporting even if it does not result in the transfer of funds.
While not intended to be an exhaustive list, these examples shed light on instances where, although no financial transaction was completed, the financial institution would be required to report the data breach through a SAR.
Relevant Cyber-Related Information to Include in Report
When a cyber-event triggers the reporting requirement, the financial institution must complete the form with all relevant information at its disposal. Thus, the report should include, if possible, the following:
- A description and the severity of the event
- The known or suspected time, location, and characteristics of the event
- Any indication of compromised data
- Relevant IP addresses and timestamps
- Device identifiers
- Description of method employed
- Any other information believed to be relevant
Working with Other Cybersecurity Organizations to Identify and Prevent Suspicious Activity
In its Advisory, FinCEN also recommends collaboration among financial institutions, BSA Anti-Money Laundering (“AML”) units, and internal cybersecurity units so that they can conduct comprehensive threat assessments and report accurately. Financial institutions are also encouraged to work with these entities to establish risk management strategies. BSA AML units may then use the information received from these various sources to identify patterns and suspects that might not otherwise have been known. The Advisory calls for financial institutions to become active participants in preventing suspicious activity and enforcing the BSA.
While a financial institution would be understandably reluctant to share certain cyber-related information with other institutions, the PATRIOT Act carves out a safe-harbor provision protecting the entity from liability for sharing information voluntarily for purposes of identifying and reporting potential threats of terrorism or money laundering.
FinCEN’s Advisory may be accessed here.
Financial institutions may submit their SAR through FinCEN’s e-filing system here.
About Financial Services Law Blog
Baker Sterchi's Financial Services Law Blog explores current events, litigation trends, regulations, and hot topics in the financial services industry. This blog informs readers of issues affecting a wide range of financial services, including mortgage lending, auto finance, and credit card/retail transactions. Learn more about the editor, Megan Stumph-Turner, and our Financial Services practice.