The proliferation of cyber-enabled crimes prompted FinCEN to issue a new advisory on October 25, 2016, for filing and completing SARs. The new advisory does not alter existing BSA requirements or other regulatory obligations. It simply aims to clarify when cyber-events elicit a SAR filing and the types of information to include within SARs related to cyber-events.
FinCEN defines a cyber-event as “an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.” The mandatory filing requirements for cyber-events obligate financial institutions to report “a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets.” Under the mandatory filing requirement, it is important to note that financial institutions are required to file SARs for “attempted” transactions. FinCEN’s advisory also notes, “cyber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.” Therefore, banks must file a SAR for a cyber-event even when no funds were lost, if the aggregate total of the potential loss exceeds $5,000.