FinCEN Clarifies Suspicious Activity Report (“SAR”) Confidentiality and Expands SAR Sharing to Certain Affiliates

Introduction

Long-awaited rule making and guidance took effect on January 3, 2011, with respect to the scope of Suspicious Activity Report (“SAR”) confidentiality and expansion of sharing SAR information with affiliates. The Financial Crimes Enforcement Network (“FinCEN”) released a Final Rule, “Confidentiality of Suspicious Activity Reports” (the “Final Rule”), as well as an Advisory (the “Advisory’) and two Guidance documents (collectively “the Guidance”) clarifying the scope of SAR confidentiality, and expanding the ability of certain financial institutions to share SARs, or information that would reveal the existence of a SAR with certain affiliates.¹ The Guidance applies to depository institutions and to securities broker-dealers, futures commission merchants, and introducing brokers in commodities (collectively “securities and futures industry institutions”), and to mutual funds.  

Previous guidance issued in 2006 permitted depository institutions to share SARs with head offices, securities and futures industry institutions to share SARs with parent companies, and mutual funds to share SARs with an investment adviser that controlled the mutual fund.² The January 2011 Guidance expands the sharing of a SAR with a domestic affiliate provided that the affiliate is itself subject to suspicious activity reporting requirements, the affiliates are under common ownership, and the affiliate is not itself the subject of the SAR. The Guidance clearly states that financial institutions are prohibited from sharing with foreign affiliates.³

Background

The Bank Secrecy Act (“BSA”) and its implementing regulations require covered financial institutions to file a SAR when they detect a known or suspected violation of federal law or regulation or suspicious activity related to money laundering, terrorist financing, or other criminal activity.⁴ The BSA prohibits the filer of a SAR from notifying any person involved in a suspicious transaction that the activity has been reported.⁵ FinCEN construes the confidentiality provision as generally prohibiting a financial institution and its officers, directors, and agents, from disclosing a SAR or any information that would reveal the existence of a SAR. SARs generally can be provided to FinCEN, law enforcement, and the financial institution’s supervisory or examining authority.

SAR Confidentiality Rules

In the Final Rule, FinCEN clarifies scope of the SAR confidentiality provisions to ensure that the persons involved in the transaction and identified in the SAR cannot be notified, directly or indirectly, of the report. The general introduction to the confidentiality provisions in each of the respective SAR rules is amended to provide that the SAR and any information that would reveal the existence of a SAR is confidential.⁶

Given that consequences for failing to maintain such confidentiality could include civil and criminal penalties, the Advisory suggests that financial institutions address the confidentiality of SARs in the ongoing training of all employees.⁷ The Advisory also suggests other risk-based measures to ensure the confidentiality of SARs be taken, including the following:

a. Limiting access on a “need to know” basis;

b. Restricting the areas for reviewing SARs and logging any access to SARs; and/or

c. Using cover sheets and electronic notices that highlight the confidentiality of SARs and any supporting documentation that indicates the filing of a SAR.

SAR and Information That Reveals Existence of SAR Cannot Be Disclosed

Frequently, AML officers and compliance and legal personnel struggle with assessing whether certain information or documents, including the SAR, should be treated as confidential. Clearly, the SAR is confidential, but is all information related to the SAR confidential? The Final Rule indicates that any document or other information that affirmatively states that a SAR has been filed constitutes information that would reveal the existence of a SAR and as such, is deemed confidential. Conversely, a financial institution must also afford confidentiality to any document that states that a SAR has not been filed.

FinCEN points out that financial institutions should “distinguish between certain types of statistical or abstract information or general discussions of suspicious activity that may indicate that an institution has filed a SAR, and information that would reveal the existence of a SAR in a manner that could enable the person involved in the transaction potentially to be notified whether directly or indirectly.”⁸ 

As discussed below, not all documents related to a SAR filing are confidential. Underlying facts, transactions, and documents upon which a SAR may be based are not confidential. For example, documents that may identify suspicious activity but that do not reveal whether a SAR exists (such as customer account statements indicating cash deposits) are not confidential.

To Whom Can Financial Institutions Disclose a SAR or Information Revealing the Existence of a SAR?

Any financial institution, or any director, officer, employee, or agent of a financial institution, that is subpoenaed or otherwise requested to produce a SAR, or information that would reveal the existence of a SAR, must decline to provide the information and must provide notification of the request and its response to FinCEN.⁹ In an effort to further clarify the scope of this SAR disclosure prohibition, in the Final Rule, FinCEN sets forth several rules of construction to describe certain situations that are not covered by the prohibition against the disclosure of SARs or information that would reveal the existence of a SAR.

In January 2006, FinCEN, in consultation with the staffs of the SEC and the CFTC, and separately in consultation with the Federal banking agencies, issued separate guidance regarding the extent depository institutions and securities and futures industry institutions could share a SAR.¹⁰ With respect to depository institutions, the 2006 guidance provided that a U.S. branch or agency of a foreign bank could share a SAR with its head office and that a U.S. bank or savings association could share a SAR with its controlling company (whether domestic or foreign).¹¹ With respect to securities and futures industry institutions, their 2006 guidance provided that they could share a SAR with their parent entity (whether domestic or foreign).¹² Later in October 2006, FinCEN additionally published guidance stating that a mutual fund could share SARs with an investment adviser that controls the fund, whether domestic or foreign.¹³ 

In the Final Rule, FinCEN explicitly recognizes that the term “sharing” within a corporate organization for purposes consistent with Title II of the BSA is distinguishable from a prohibited disclosure, and thus permits financial institutions to share with affiliates within their corporate organizational structure, provided that the affiliate is itself subject to suspicious activity reporting requirements, under common ownership, and not itself the subject of the SAR. The Final Rule does not permit sharing with affiliates without a primary Federal functional regulator or foreign affiliates (other than a foreign head office or parent).

“Common control” is defined in the Guidance.¹⁴ Foreign branches of U.S. banks are considered foreign banks and are specifically stated by FinCEN to not be “affiliates,” even though pursuant to prior guidance, an institution may share SARs with its foreign parent for enterprise-wide risk management purposes.

State Regulatory Authorities

FinCEN states that financial institutions may disclose a SAR or information that would reveal the existence of a SAR to a state regulatory authority if the law authorizes the state authority to examine the institution for compliance with federal laws and regulations generally or with the BSA explicitly or the law authorizes the state authority to examine for compliance with the state law.

Self-Regulatory Organizations

A financial institution examined by a self-regulatory organization (“SRO”) can provide the SAR to the SRO upon the request of the federal agency responsible for its oversight. The responsible federal agency should provide this request either to the institution in writing or to the SRO in the form of a writing that is available for the SRO to share with the institution.

Civil Enforcement Authorities

FinCEN expects financial institutions that receive such subpoenas from the SEC and CFTC enforcement departments for a SAR or information regarding the existing of a SAR to contact FinCEN for its determination of what related information, if any, should be released. 

Underlying Facts, Transactions, and Documents — Not Confidential Under SAR Rules

“A SAR or information that would reveal the existence of a SAR” does not include “the underlying facts, transactions, and documents upon which a SAR is based.” Accordingly, institutions may disclose underlying facts, transactions, and documents for any purpose, provided that no subject named in the SAR is notified and none of the underlying information reveals the existence of a SAR. FinCEN provides non-exhaustive examples of situations where the underlying information may be disclosed, e.g., where an institution prepares a joint SAR with another institution, the institutions may disclose the underlying information to the other financial institution; also, where underlying information needs to be disclosed in connection with certain written employment references and termination notices as authorized by section 351 of the USA PATRIOT Act (applies only to the securities and futures industry). During discovery in civil litigation, underlying documents related to the SAR may be disclosed, but the SAR itself cannot be. Nor can there be any in camera review of a SAR to determine whether the SAR can be disclosed, whether in litigation or otherwise.

Conclusion

The Final Rule took effect on January 3, 2011. In preparation for upcoming exams, financial institutions should review the Final Rule, Advisory, and related Guidance against their existing policies and procedures to assess whether they need to make changes to ensure that SARs and information revealing the existence of a SAR are only shared with permitted affiliates.

For additional information concerning this alert, please contact the following lawyers:

Amy Kroll, Partner, Broker-Dealer Group
amy.kroll@bingham.com, 202.373.6118

David Boch, Partner, Broker-Dealer Group
david.boch@bingham.com, 617.951.8485

Roger P. Joseph, Practice Group Leader, Investment Management; Co-chair, Financial Services Area
roger.joseph@bingham.com, 617.951.8247

Edwin E. Smith, Partner, Financial Restructuring; Co-chair, Financial Services Area
edwin.smith@bingham.com, 617.951.8615

Tim Burke, Practice Group Leader, Broker-Dealer Group; Co-chair, Financial Services Area
timothy.burke@bingham.com, 617.951.8620

¹See Confidentiality of Suspicious Activity Reports, 31 CFR Part 103, RIN 1506-AA99 (Effective January 3, 2011(Issued November 23, 2010)), Notice of Availability of Final Interpretative Guidance — Sharing Suspicious Activity Reports by Depository Institutions and Securities Broker-Dealers, Mutual Funds, Futures Commission Merchants, or Introducing Brokers in Commodities with Certain U.S. Affiliates (Effective January 3, 2011(Issued November 23, 2010)), and FinCEN Advisory, FIN-2010-A014 (Effective January 3, 2011(Issued November 23, 2010)).
²The Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies (January 20, 2006), and Guidance on Sharing of Suspicious Activity Reports by Securities Broker-Dealers, Futures Commission Merchants, and Introducing Brokers in Commodities (January 20, 2006). 
³In addition, the Advisory, which according to FinCEN is “intended for all Bank Secrecy Act stakeholders: federal and state regulatory agencies, law enforcement, self-regulatory organizations, and financial institutions,” emphasizes the importance of confidentiality for maintaining a vigorous suspicious activity reporting regime, and is intended to help focus BSA stakeholders to be vigilant in managing information sharing.” See Advisory.
⁴See The Annunzio-Wylie Anti-Money Laundering Act of 1992, Public Law 102-559, Title XV § 1517(b). 106 Stat. 4055, 4058-9 (1992); 31 U.S.C. 5318(g)(1) (amending BSA and authorizing Secretary of the Treasury to require financial institutions to report suspicious transactions). 
⁵See 31 U.S.C. §5318(g)(2).
⁶See Final Rule. 
⁷The Advisory reiterates that the unauthorized disclosure of a SAR is a violation of federal law and could result in civil penalties of up to $100,000 for each violation and criminal penalties of up to $250,000 and/or imprisonment not to exceed five years. In addition, financial institutions could be liable for civil money penalties resulting from AML program deficiencies that led to the improper SAR disclosure; those penalties could be up to $25,000 per day for each day the violation continues.
⁸75 Fed. Reg. at 75595-6 (December 3, 2010).
⁹In the proposed rule, FinCEN proposed that the rules for those industries with parallel SAR requirements administered by a primary Federal functional regulator provide notification to that regulator as well. In issuing the Final Rule, however, FinCEN removed the requirement from its bank SAR rule that an institution notify its primary Federal regulator in addition to FinCEN. Notwithstanding the language change, FinCEN noted that the change does not relieve institutions from their requirement to comply with the provisions of similar but distinct rules administered by separate agencies. 
¹⁰See fn. 2, supra.
¹¹Id.
¹²Id.
¹³See Frequently Asked Questions Suspicious Activity Reporting Requirements for Mutual Funds, FIN-2006-G013 (October 4, 2006).
¹⁴“Under common control” means that another company (1) directly or indirectly or acting through one or more other persons owns, controls, or has the power to vote 25 percent of more of any class of the voting securities of the company and the depository institution; or (2) controls in any manner the election of a majority of the directors or trustees of the company and the depository institution. “Controlled by” means that the depository institution (1) directly or indirectly has the power to vote 25 percent or more of any class of the voting securities of the company; or (2) controls in any manner the election of a majority of the directors or trustees of the company. See. e.g., 12 U.S.C. § 1841(a)(2).