On October 25, 2016 FinCEN issued an advisory and FAQs to financial institutions regarding their Suspicious Activity Report (SAR) obligations with respect to cyber-events, cyber-enabled crime, and cyber-related information as those terms are defined. The FAQs supersede previous FAQs issued in 2001. The advisory and FAQ also discuss collaboration between in-house BSA/AML teams (e.g., noting that the BSA/AML teams need not have personnel devoted to cybersecurity) and also encourage sharing cyber threat information with other financial institutions under Section 314(b) of the Patriot Act, which extends a safe harbor from liability to financial institutions. The advisory and FAQ follow other efforts to encourage such sharing, such as the passage of the Cybersecurity Sharing Act passed in December 2015.
The advisory noted, among other things, that
“A financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets. If a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions. Cyber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
Among other things, the FAQ noted that:
continuous scanning or probing generally need not be reported alone and
SARs should be filed even in instances where an otherwise reportable cyber-event is unsuccessful.