On October 25, 2016, the Financial Crimes Enforcement Network (FinCEN) issued an Advisory to financial institutions to (i) clarify reporting requirements under the Bank Secrecy Act (BSA) for filing Suspicious Activity Reports (SARs) on cyber-attacks and cyber-enabled crimes, (ii) note what information financial institutions should include in such reports, and (iii) encourage financial institutions to share information on cyber-attacks within the institution itself, with other banks, and with FinCEN and other regulators as appropriate. The Advisory states that it is not designed to change current law.
I. When to File a Suspicious Activity Report (SAR)
Guidance on Mandatory Reporting
The BSA regulations require financial institutions to file SARs with FinCEN whenever a transaction involves or aggregates to at least $5,000 for banks or $2,000 for money services businesses (MSBs), such as check cashers or foreign currency exchangers, and the financial institution has reason to suspect that the transaction either (i) violates federal law (e.g., theft of funds), (ii) involves funds derived from illegal transactions, (iii) is designed to evade reporting requirements under the BSA, or (iv) has no apparent lawful purpose.
In the Advisory, FinCEN gives three examples of cybersecurity incidents in which such reports must be filed:
- Cybercriminals use malware to gain access to a bank’s systems and information, at least in part to conduct unauthorized transactions; a SAR is required even if no unauthorized transactions actually take place, so long as customer funds of $5,000 or more are put at risk.
- Cybercriminals obtain, from a bank, sensitive customer financial information—including account numbers, credit card numbers, account balances, or passwords—that puts at least $5,000 at risk, even if no unauthorized transactions have yet taken place.
- Cybercriminals conduct or attempt a Distributed Denial of Service (DDoS) attack (an attack from multiple, usually compromised, computers against a single targeted system, designed to force that system to shut down) on an MSB to distract attention from and/or prevent the detection of unauthorized funds transfers of at least $2,000.
Guidance on Voluntary Reporting
While FinCEN does not require the filing of SARs in cases that fall below the minimum dollar amounts, it does encourage banks to file SARs on “egregious, significant, or damaging” cyber-attacks. As an example of an event that merits a voluntary SAR filing, FinCEN cites a DDoS attack that significantly disrupts users’ access to the bank for an extended period of time.
II. Information that Must Be Included in a SAR Filing on a Cyber-Attack
FinCEN notes that the following information, if available to the financial institution, must be included in a SAR filing on a cyber-attack:
- Description and magnitude of the event;
- Known or suspected time, location, and characteristics or signatures of the event;
- Indicators of compromise;
- Relevant IP addresses and their timestamps;
- Device identifiers;
- Methodologies used; and
- Other information the institution believes is relevant.
While FinCEN does not require financial institutions to collect the above-referenced information as a matter of course, financial institutions must report the information if it is available. FinCEN also states that financial institutions may file one cumulative SAR, rather than multiple individual SARs, for multiple cyber-attacks that share “common characteristics and indicators such as the methodology used, the vulnerability exploited, and IP addresses involved.”
III. FinCEN Encourages Financial Institutions to Share Information on Cyber-Attacks Internally and with Other Financial Institutions
FinCEN encourages each financial institution to share information on cyber-attacks internally between the institution’s Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) unit and its cyber-security unit. FinCEN explains that such sharing will help the units identify patterns in suspicious activity, identify otherwise unknown suspicious actors, and better assess the financial institution’s AML risk exposure.
FinCEN also encourages financial institutions to share information on cyber threats with other banks under Section 314(b) of the USA PATRIOT Act, which provides a safe harbor from liability for institutions that follow the prescribed procedure for sharing information about such threats. Finally, FinCEN reminds financial institutions to be familiar with other cyber-related SAR filing requirements imposed by their functional regulators.