Financial Services Law Blog: Legal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

FinCEN Issues New Advisory to Financial Institutions Regarding Reporting of Cyber-Events

December 1, 2016 | Megan Stumph-Turner

The Financial Crimes Enforcement Network (“FinCEN”) of the U.S. Department of Treasury issued Advisory No. FIN-2016-A005 on October 25, 2016, which provided guidance to financial institutions as to their obligations in the context of cyber-security. The content of the Advisory is discussed below. 

Duty to Report Cyber-events through SARs

Under the Bank Secrecy Act (“BSA”), financial institutions are required to report suspicious activity through Suspicious Activity Reports (“SARs”). “Cyber-events,” defined as “an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information,” often target financial institutions and can serve as a means to commit crimes such as fraud or money laundering.

Whether the act is completed or merely attempted, a financial institution must report any activity that is deemed suspicious and involves more than $5,000.00 in funds or other assets. For instance, in a malware intrusion where the hacker gains access to a bank’s systems and to information regarding customer accounts, the financial institution would be required to file a SAR, even though the hacker did not actually conduct any transaction with those funds. Similarly, if a data breach results in a cyber-criminal gaining access to retail customer information such as a PIN, online credentials, or other sensitive information, that breach could mandate BSA reporting even if it does not result in the transfer of funds.

While not intended to be an exhaustive list, these examples shed light on instances where, although no financial transaction was completed, the financial institution would be required to report the data breach through a SAR.

Relevant Cyber-Related Information to Include in Report

When a cyber-event triggers the reporting requirement, the financial institution must complete the form with all relevant information at its disposal. Thus, the report should include, if possible, the following:

  • A description and the severity of the event
  • The known or suspected time, location, and characteristics of the event
  • Any indication of compromised data
  • Relevant IP addresses and timestamps
  • Device identifiers
  • A description of the method employed
  • Any other information believed to be relevant

Working with Other Cybersecurity Organizations to Identify and Prevent Suspicious Activity

In its Advisory, FinCEN also recommends collaboration among financial institutions, BSA Anti-Money Laundering (“AML”) Units, and internal cybersecurity units to ensure the ability to conduct a comprehensive threat assessment and accurate reporting. Financial institutions are also encouraged to work with these entities to establish risk management strategies. BSA AML units may then use the information received from various sources to identify patterns and suspects that might not otherwise have been known. The Advisory calls for the financial institution to become an active participant in the prevention of suspicious activity and the enforcement of the BSA.

While a financial institution would be understandably reluctant to share certain cyber-related information with other institutions, the PATRIOT Act carves out a safe-harbor provision protecting the entity from liability for sharing information voluntarily for purposes of identifying and reporting potential threats of terrorism or money laundering.

FinCEN’s Advisory may be accessed here.

Financial institutions may submit their SARs through FinCEN’s e-filing system here.
