LOOSE LIPS SINK SARS—AND CAREERS

Six clarifications issued on Suspicious Activity Report confidentiality  
*   *   *
 
If you are one of those people who just can't keep a secret, don't get anywhere near the Suspicious Activity Reports (SARs) at your bank. SARs are subject to a very strict code of confidentiality. And, recently, the federal regulators issued some new clarifying regulatory amendments and guidance on how that secrecy code should be applied.
 
View from above
Before explaining what changes were made to the existing SAR confidentiality requirements, it would be useful to see a high-level roadmap of the latest regulatory actions (all effective Jan. 3, 2011) relating to SAR confidentiality and depository institutions:
 
FinCEN amended the Bank Secrecy Act regulations for each industry, including banks. The regulations update and clarify the confidentiality provisions of SAR reporting.
 
The Comptroller's Office amended its Bank Secrecy Act regulations for national banks to parallel the FinCEN updates and clarifications relating to confidentiality provisions of SAR reporting.
 
The Office of Thrift Supervision amended its Bank Secrecy Act regulations for savings associations to parallel the FinCEN updates and clarifications relating to confidentiality provisions of SAR reporting.
 
Drilling down
Between FinCEN, OCC, and OTS, there are six major elements of change or insight that impact the confidentiality of SARs for depository institutions:
 
1. Clarification that confidentiality applies not only to the SAR, but also to "any information that would reveal the existence of a SAR."  
 
Previously, the regulations discussed confidentiality in terms of the Suspicious Activity Report; the fact that the transaction had been reported; and any information contained in the SAR.
 
The underlying facts, transactions, and documents relating to a suspicious transaction may be disclosed as long as the disclosure does not reveal the existence of a SAR. If, for example, a bank was asked (legally) to disclose checking account transaction information about a customer, that information could be disclosed (legally), even if that account or transaction or customer had been the subject of a SAR disclosure at some point.
 
2. Clarification that confidentiality applies to everyone, and not just the person involved in the transaction.
 
It is not enough to just keep the SAR a secret from the person(s) who is the subject of the suspicious activity or transaction; the SAR must also be kept confidential from everyone else who is not specifically permitted to receive the information.
 
3. Inclusion of a specific prohibition against disclosure of SARs and any information that would reveal the existence of a SAR by government agencies. This includes all federal, state, local, territorial, or tribal government authorities and their directors, officers, employees, and agents, except as necessary to fulfill their official duties.
 
Previously, the confidentiality provisions of the regulation focused on the financial institution's obligation to maintain confidentiality.
 
Some historical leaks of SAR information have been presumed to be from governmental agency personnel.
 
4. Clarification that the safe harbor provision applies to disclosures and not just the reports, and includes disclosures made jointly with another financial institution.
 
The safe harbor provision provides that a bank and any director, officer, employee, or agent of the bank is protected from liability for disclosing suspicious activity to a government agency. The protection covers the entire disclosure, not just the SAR itself, and it applies to liability to any person, not just the person who is the subject of the report or who is involved in the suspicious transaction.
 
On a related topic, FinCEN also clarified that there is no safe harbor for information relating to activity or transactions that were investigated but did not result in a SAR filing.
 
Institutions are expected to maintain documentation of situations in which a determination was made not to file a SAR after investigating the activity or transaction. That documentation, if revealed, would not have any safe harbor protection. So, it is especially important that that information also be kept strictly confidential and protected.
 
5. New guidance to depository institutions that it is permissible to share a SAR and any information that would reveal the existence of a SAR with an affiliate of the depository institution, as long as the affiliate is subject to a SAR regulation.
 
Insurance companies, securities brokers and dealers, and futures commission merchants are examples of financial entities that are subject to a SAR regulation. The depository institution would also be required to have policies and procedures in place to ensure that affiliates with whom it shares SARs protect the confidentiality of the SAR information. That same requirement also exists for depository institutions that share SARs with their corporate holding company.
 
6. Guidance that reinforces and reiterates the obligation that financial institutions have to take concrete steps to ensure the confidentiality of SARs and any information that would reveal the existence of a SAR, which may include appropriate physical and other security measures, employee training, restricted areas for viewing SARs, access logs for SAR viewing, and limiting access to SARs to a need-to-know basis.
 
The SAR confidentiality regulatory provisions and expectations have been refined and clarified. Banks should take a fresh look at their SAR processes and procedures and make sure they reflect the new regulations and guidance and provide for appropriate controls to protect confidentiality.
 
The downside of spilling one of these secrets is more than just a loss of trust and hurt feelings.
 

About Nancy Derr-Castiglione
“Lucy and Nancy’s Common Sense Compliance” is blogged by both Lucy Griffin and Nancy Derr-Castiglione, both ABA Banking Journal contributing editors on compliance.

Nancy, a Certified Regulatory Compliance Manager, is owner of D-C Compliance Services, an independent regulatory compliance consulting services business that has provided expertise in compliance training, monitoring, risk assessment, and policies and procedures to financial institutions since 2002.

Previously, Nancy held compliance positions with Bank One Corporation and with United Banks of Colorado.


In addition to serving as a Contributing Editor of ABA Banking Journal, Nancy has served on the ABA Compliance Executive Committee; National and Graduate Compliance Schools board; conference planning committees, and the Editorial Advisory Board for the ABA Bank Compliance magazine.

 
