The proliferation of cyber-enabled crimes prompted FinCEN to issue a new advisory on October 25, 2016, for filing and completing SARs. The new advisory does not alter existing BSA requirements or other regulatory obligations. It simply aims to clarify when cyber-events trigger a SAR filing and the types of information to include within SARs related to cyber-events.
FinCEN defines a cyber-event as “an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.” The mandatory filing requirement for cyber-events obligates financial institutions to report “a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets.” Under the mandatory filing requirement, it is important to note that financial institutions are required to file SARs for “attempted” transactions. FinCEN’s advisory also notes, “cyber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.” Therefore, banks must file a SAR for cyber-events even when no funds were lost, if the aggregate total of the potential loss exceeds $5,000.
The types of information to include within SARs related to cyber-events are:
- Description and magnitude of the event
- Known or suspected time, location, and characteristics or signatures of the event
- Indicators of compromise
- Relevant IP addresses and their timestamps
- Device identifiers
- Methodologies used
- Other information the institution believes is relevant
If a financial institution is subject to multiple cyber-events in close proximity that are similar in nature and display the same characteristics, it may file one cumulative SAR to report all the incidents.
FinCEN Advisory FIN-2016-A005 notes that it is permissible for banks to share information related to cyber-events under the guidelines of 314(b). Providing information such as “malware signatures, IP addresses and device identifiers, and seemingly anonymous virtual currency addresses,” aids law enforcement in identifying the individuals and groups responsible for perpetrating cybercrimes. Consequently, the safe harbor benefits are extended to cover information sharing related to cyber-events.
To review the full advisory and FAQs, visit the links below.
https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a005
https://www.fincen.gov/frequently-asked-questions-faqs-regarding-reporting-cyber-events-cyber-enabled-crime-and-cyber