On October 25, 2016, the United States Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued an advisory entitled Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (the “Advisory”), to help financial institutions understand how to fulfill their Bank Secrecy Act obligations with regard to cyber events and cyber-enabled crime. The Advisory indicates that SAR reporting is mandatory for cyber events where the financial institution “knows, suspects or has reason to suspect a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions….” Implementing this new guidance will require increased collaboration between AML and cybersecurity or IT departments in large institutions, and may create challenges for smaller banks that are more likely to outsource their cybersecurity functions.
Reporting Cyber-Enabled Crime and Cyber Events
In addition to maintaining cyber-related SAR-filing obligations stipulated by their functional regulator, financial institutions are mandated to report suspicious “cyber events” or “cyber-enabled crime” involving or aggregating $5,000 or more in funds or other assets and conducted or attempted by, at or through the institutions. The key terms are defined as follows:
- Cyber Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources or information.
- Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.
Illustrative examples provided in the Advisory indicate that the value of a cyber event to be noted in the SAR (and used to trigger the $5,000 threshold) is the amount of customer funds at risk based on the information targeted by the intrusion. Banks also are encouraged to voluntarily report “egregious, significant, or damaging cyber events and cyber-enabled crime” that may not require the filing of an SAR, such as an attack that disables an institution’s online banking services for a significant period but does not pose any risk to transactions. FinCEN states that such SAR reporting is highly valuable to law enforcement investigations even though the intelligence does not relate to specific transactions.