SUSPICIOUS ACTIVITY REPORTS AND CYBERSECURITY: FinCEN’s Advisory to Financial Institutions on Cyber-Events and Cyber-Crime
On October 25, 2016, the Financial Crimes Enforcement Network (“FinCEN”) issued a formal Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (“Advisory”) and Frequently Asked Questions regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (“FAQs”).
These issuances are designed to assist financial institutions in understanding their Bank Secrecy Act (“BSA”) obligations regarding cyber-events and cyber-enabled crime, which is estimated to cost the global economy more than $400 billion annually. These issuances are also part of a wider government focus on cybercrime, including:
- the federal banking regulators’ proposed standards to bolster cybersecurity at the nation’s largest banking institutions;
- the 2015 launch of the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool; and
- the New York State Department of Financial Services (“NYDFS”) proposed regulation that would impose new, rigorous cybersecurity requirements on banks, consumer lenders, money transmitters, insurance companies and certain other financial service providers regulated by the NYDFS.
While the Advisory and FAQs do not change existing BSA requirements or other regulatory obligations for financial institutions, they clarify the circumstances under which the filing of Suspicious Activity Reports (“SARs”) is mandatory or voluntary.
The Advisory defines a:
- “Cyber-event” as “an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information;” and
- “Cyber-enabled crime” as “illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.”
According to the Advisory, a financial institution must file a SAR when it “knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or part, to conduct, facilitate, or affect a transaction or a series of transactions.”
FinCEN encourages, but does not require, financial institutions to “report egregious, significant, or damaging cyber-events and cyber-enabled crime when such events and crime do not otherwise require the filing of a SAR.” This would include, for example, a distributed denial-of-service (DDoS) attack that disrupts a financial institution’s website and disables online banking services but does not affect any transactions.
Lastly, these issuances reaffirm the existing responsibility of financial institutions to include available cyber-related information (such as attribution or digital-identity information) for all transactions reported in SARs. This information has been required since March 2012, when FinCEN issued the revised electronic SAR form. Currently, however, fewer than 2% of SARs contain this important information. The FAQs contain a non-exhaustive list of relevant cyber-related information and identifiers associated with suspicious transactions and cyber-events that should be reported. In light of these issuances, financial institutions should:
- Ensure that the financial institution has systems and tools to capture cyber-related or digital-identity information for banking transactions;
- Update policies and procedures to include reporting cyber-enabled crime and cyber-events through SARs; and
- Conduct training for all relevant personnel regarding their responsibilities.