Alert November 30, 2010

FinCEN Issues Rule, Advisory and Guidance Regarding SAR Confidentiality, Sharing with Affiliates

The Financial Crimes Enforcement Network (“FinCEN”) released an advisory (the “Advisory”), a final rule (the “Rule”), two guidance documents (the “Bank Guidance” and the “Securities/Futures Industry Guidance” and, collectively, the “Guidance”), and a Notice of Availability of Guidance (the “Notice”), which together clarify the confidentiality requirements for Suspicious Activity Reports (“SARs”) and expand the ability of certain financial institutions to share SAR information with certain affiliates.  The Rule and the Guidance finalize proposed regulations and interpretive guidance which were described in the March 10, 2009 Alert.

The Rule and Guidance will be effective 30 days after they are published in the Federal Register.

The Advisory

FinCEN released the Advisory to regulatory and law enforcement agencies, SROs, and financial institutions in connection with its release of the Rule and Guidance to reinforce and reiterate the requirement to preserve the confidentiality of SAR information.  FinCEN explained that, in addition to violating federal law, the unauthorized disclosure of SARs could undermine ongoing and future investigations by tipping off suspects, deter financial institutions from filing SARs, and threaten the soundness and security of institutions and individuals who file such reports.

FinCEN also described certain steps that institutions and authorities could take to ensure that SAR confidentiality is maintained, including making certain that all employees, agents, and individuals entrusted with information in a SAR are informed of the individual obligation to maintain SAR confidentiality, with respect to not only the SAR itself but also information that would reveal the existence of the SAR, and the potential penalties for unauthorized disclosure of such information.  In addition, FinCEN suggested that financial institutions consider emphasizing the confidentiality of SARs in employee training programs and taking other risk-based measures to protect SAR confidentiality, such as providing limited access to SARs on a “need to know” basis only, creating restricted areas for reviewing SARs, keeping a log of access to SARs, using cover sheets for SARs or supporting information that indicates the filing of a SAR, and/or providing electronic notices that highlight confidentiality concerns before a person may access or disseminate SARs or SAR information.

The Rule

The Rule amends the Bank Secrecy Act (“BSA”) regulations regarding the confidentiality of SARs to (1) clarify the scope of the statutory provision against disclosure by a financial institution of a SAR; (2) address the statutory prohibition against the disclosure; (3) clarify that the exclusive standard applicable to the disclosure of a SAR is to fulfill official duties consistent with the purposes of the BSA; (4) modify the safe harbor provision for SAR filers to address changes made by the USA Patriot Act; and (5) make minor technical revisions for consistency and harmonization among the SAR rules for different categories of financial institutions.

Scope of Confidentiality Requirement

The Rule clarifies that the SAR confidentiality requirements extend not only to the SAR but also to information that would reveal the existence of a SAR.  The Rule also provides that any financial institution, or any director, officer, employee, or agent of a financial institution, that is subpoenaed or otherwise requested to disclose a SAR or information that would reveal the existence of a SAR (collectively, “SAR Information”), must decline to provide the SAR Information and provide notification of the request and its response to FinCEN.  A proposed requirement that would have required an institution to notify its primary federal regulator of such a request was not included in the Rule, but FinCEN noted that institutions are not relieved from requirements to comply with such requirements under provisions of similar but distinct rules administered by separate agencies, such as the Federal Reserve, the OCC, and the FDIC.

Rules of Construction

The Rule also includes three rules of construction which clarify the scope of the SAR disclosure prohibition.  Under these rules of construction, provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, the Rule shall not be construed as prohibiting:

  • The disclosure by a financial institution, or any director, officer or employee or agent of the financial institution, of SAR Information to (a) FinCEN, (b) any federal, state, or local law enforcement agency, (c) any federal regulator that examines the financial institution for compliance with the BSA, (d) if applicable, any state regulatory authority administering a state law that requires the financial institution to comply with the BSA or otherwise authorizes the state authority to ensure that the institution complies with the BSA, or (e) if applicable, any SRO that examines the financial institution for compliance with SAR requirements, upon the request of the applicable federal regulator (i.e., the SEC or the CFTC).
  • The disclosure by a financial institution, or any director, officer or employee or agent of the financial institution, of the underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures to another financial institution, or any director, officer, employee or agent of a financial institution, for the preparation of a joint SAR.  For banks, securities broker-dealers, futures commission merchants, and introducing brokers in commodities, this rule of construction also applies to disclosure in connection with certain employment references or termination notices, to the extent authorized in 31 U.S.C. § 5318(g)(2)(B).
  • The sharing by a financial institution, or any director, officer or agent of the financial institution, within the financial institution’s governance structure for purposes consistent with Title II of the BSA as determined by regulation or in guidance.  FinCEN explained in the adopting release that this rule of construction recognizes that financial institutions may find it necessary to share SAR information to fulfill reporting obligations under the BSA, and facilitates more effective enterprise-wide BSA monitoring, reporting, and risk management.  However, as explained in the discussion of the Guidance below, FinCEN has not extended the Guidance to permit sharing with affiliates by those financial institutions that do not have a primary federal functional regulator.

Disclosure by Governmental Authorities

The Rule prohibits a federal, state, local, territorial or tribal government authority, or any director, officer, employee or agent of any of the foregoing, from disclosing SAR Information except as necessary to fulfill official duties consistent with Title II of the BSA.  The Rule specifies that “official duties” does not include the disclosure of SAR Information in response to a FOIA request or a request for use in a private legal proceeding.

Safe Harbor from Liability

The Rule also clarifies the scope of the safe harbor for financial institutions which file SARs to include voluntary disclosures of possible violations of law and regulation.  The Rule also expands the scope of the limit of liability to include any liability which may exist “under any contract or other legally enforceable agreement (including any arbitration agreement).”  In addition, to comport with the second rule of construction described above, the Rule clarifies that the safe harbor applies to joint disclosures with other financial institutions.


The compliance provision in the Rule provides that (1) FinCEN or its delegatees may examine the financial institution for compliance with the SAR requirement, (2) a failure to satisfy the requirements of the SAR rule may constitute a violation of the BSA or BSA regulations, and (3) for banks with parallel SAR requirements under federal banking regulations, failure to comply with FinCEN’s SAR requirement may also constitute a violation of the parallel federal banking regulations.

The Guidance

In January 2006, FinCEN and the federal banking agencies issued guidance which permits a U.S. branch or agency of a foreign bank to share a SAR with its head office.  This guidance also stated that a U.S. bank or savings association may share a SAR with its controlling company (whether domestic or foreign).  Also in January 2006, FinCEN, in consultation with the SEC and the CFTC, issued guidance which allows a securities broker‑dealer, futures commission merchant, or introducing broker in commodities to share a SAR with its parent entity (whether domestic or foreign).  FinCEN subsequently issued guidance in October 2006 which states that a mutual fund may share SARs with any domestic or foreign investment adviser that controls the fund.

FinCEN deferred taking a position in 2006 regarding the permissibility of sharing SARs with affiliates.  Taken together, the Bank Guidance and the Securities/Futures Industry Guidance now allow a bank, savings association, securities broker-dealer, futures commission merchant, or introducing broker in commodities to share SAR Information with an affiliate, provided the affiliate is required to file SARs.  However, the affiliate which receives SAR Information may not share such SAR Information with its own affiliates, even those affiliates which are subject to SAR rules.

As is the case with sharing SARs with head offices, controlling companies, and parent entities, the sharing institution, as part of its internal controls, should have policies and procedures to ensure that its affiliates protect the confidentiality of the SAR Information.  In addition, no SAR Information may be disclosed to an affiliate if the sharing institution has reason to believe the SAR Information may be disclosed to any person involved in the suspicious activity that is the subject of the SAR.

In the Notice, FinCEN explained that it would not expand the SAR sharing authority under the Guidance to other types of financial institutions that currently have a FinCEN SAR requirement.  Due to the particular sensitivity of SAR information, FinCEN declined to expand the Guidance to additional industries, such as money services businesses.  However, as explained above, the second rule of construction in the Rule establishes the regulatory framework for additional categories of financial institutions to share SAR information within their corporate structure in the future, without necessarily requiring an amendment to the applicable SAR confidentiality provisions.