Suspicious Activity Reports

Have you ever heard the term cyber-event? When you put the term in context with FinCEN (United States Department of Treasury’s Financial Crimes Enforcement Network), you know an “event” is a big deal, a significant threat. With the ongoing expansion of cyber-events and cyber-enabled crime, governments have no choice but to create more controls to try to minimize the damages.

To that end, on October 25, 2016, FinCEN issued a Cyber Threats Advisory to assist financial institutions in understanding their Bank Secrecy Act (BSA) obligations regarding cyber-events and cyber-enabled crime. Note that the advisory doesn’t change existing regulatory requirements such as the BSA, or other federal and state requirements.

These are the definitions FinCEN uses:

Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.

Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, and identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.

There are four main points of the advisory:

  1. Reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs);
  2. Including relevant and available cyber-related information (e.g., Internet Protocol (IP) addresses with timestamps, virtual-wallet information, device identifiers) in SARs;
  3. Collaborating between BSA/Anti-Money Laundering (AML) units and in-house cybersecurity units to identify suspicious activity; and
  4. Sharing information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing, and cyber-enabled crime.

While all the points are, of course, important, it is the specific nature of the additional SAR requirements that is of special note. First, there’s a specific threshold that now triggers an SAR: the amount of customer funds at risk is over $5,000. This $5,000 trigger point includes direct threats such as fraud or theft, as well as proceeds of crimes such as a sale of credit card information.

Besides the threshold trigger, a financial institution (FI) should also file an SAR if it “knows, suspects or has reason to suspect a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions.” This is where point 3 comes into play: knowing whether a cyber-event is affecting a series of transactions requires collaboration between AML units and cybersecurity units. Communication silos (within departments, divisions, branches, etc.) limit the sharing of vital information and go against best practices for compliance, so much so that FinCEN can even make them the reason for enforcement action.

Working with other FIs (point 4) is also necessary to determine best practices for the industry and do everything reasonably possible to prevent cyber-events. While FinCEN is encouraging FIs to cooperate, there’s not a lot of collaboration at this point, even though it’s in their own self-interest to do so. There are no specific requirements for sharing information, so without further action this point might go unheeded.

As for point 2, it is common sense to include details of the activity. As the event is cyber-based, it makes sense to include cyber information to help the authorities.

As with any federal regulator’s advisory, FIs need to examine their procedures and determine what changes, if any, they need to make. The specific limits give a hard number to comply with. If different silos aren’t communicating, that requires urgent attention both for compliance’s sake and for good business. As cyber criminals get more sophisticated in terms of technology, resources and organization, FIs and enforcement need to do the same; the game is getting more complicated and we all have to get up to speed, cooperate and collaborate.