FinCEN Proposes SAR Data Fields Revisions

FinCEN published, at 82 FR 9109 in the Federal Register, a notice and request for comment on proposed updates and revisions to the collection of information filings by financial institutions required to file such reports under the Bank Secrecy Act (“BSA”). While the notice does not propose any new regulatory requirements or changes to the requirements related to suspicious activity reporting, it suggests changes to the required data fields used when filing SARs under the BSA. The majority of the proposed changes would alter the “checklist” of violations in Part II of the filings, including the addition of several fields related to cyber events. Written comments must be received on or before April 3.


FinCEN Issues Advisory Regarding FATF-Identified Jurisdictions with AML/CFT Deficiencies

As part of the Financial Crimes Enforcement Network’s (FinCEN’s) Financial Action Task Force’s (FATF’s) listing and monitoring process to ensure compliance with its international Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) standards, the FATF identifies certain jurisdictions as having “strategic deficiencies” in their AML/CFT regimes. The identified jurisdictions are listed in either of two documents: (i) the “FATF Public Statement”—which includes jurisdictions that are subject to the FATF’s call for countermeasures or are subject to Enhanced Due Diligence (EDD) due to their AML/CFT deficiencies, and (ii) “Improving Global AML/CFT Compliance: on-going process 21 October 2016”—which includes jurisdictions identified by the FATF to have AML/CFT deficiencies.

On January 19, FinCEN released an advisory updating the list of jurisdictions in which any such “strategic deficiencies” have been identified. FinCEN urged financial institutions to consider these lists, including any and all updates thereto, when reviewing due diligence obligations and risk-based policies, procedures, and practices.

The jurisdictions identified in the FATF Public Statement included:

  • Democratic People’s Republic of Korea, and
  • Iran.

The jurisdictions identified in Improving Global AML/CFT Compliance included:

  • Afghanistan,
  • Bosnia and Herzegovina,
  • Iraq,
  • Lao PDR,
  • Syria,
  • Uganda,
  • Vanuatu, and
  • Yemen.

Notably, Guyana, which was previously listed, has been removed from the October 2016 list.


FinCEN Issues Guidance on Sharing Suspicious Activity Reports with U.S. Parents and Affiliates of Casinos

On January 4, the Financial Crimes Enforcement Network (FinCEN) issued guidance to “confirm that, under the Bank Secrecy Act (BSA) and its implementing regulations, a casino that has filed a Suspicious Activity Report (SAR) may share the SAR, or any information that would reveal the existence of the SAR, with each office or other place of business located within the United States of either the casino itself or a parent or affiliate of the casino.” As explained in the guidance, FinCEN expects that the anti-money laundering efforts of the casino’s affiliates could be enhanced by virtue of their access to a clearer and more comprehensive picture of the activities the casino has identified as suspicious. The guidance also specified that casinos may not share SARs or information that would reveal the existence of a SAR with non-U.S. offices or affiliates, individuals or entities within the casino’s corporate family that perform functions unrelated to gaming, a financial institution without an independent SAR obligation, or unaffiliated money services businesses located within the casino. Finally, the guidance specified that a domestic affiliate that receives a SAR or revealing information from a casino may not further share that SAR with an affiliate of its own.


FinCEN Penalizes New York Credit Union for Failure to Manage High-Risk International Financial Activity

On December 14, the Financial Crimes Enforcement Network (FinCEN) announced that it had assessed a $500,000 civil money penalty against a federally-chartered, low-income designated, community development credit union, for “significant violations” of anti-money laundering regulations. According to FinCEN, the credit union had historically maintained an AML program designed to address risks stemming from its designated field of membership in New York, NY. However, in 2011, the credit union began providing banking services to many wholesale, commercial money services businesses, some of which were located in high risk jurisdictions or engaged in high risk activities, without taking steps to update its AML program. As a result, the credit union was unable to detect and report suspicious activity and was left particularly vulnerable to money laundering.


FinCEN Issues Advisory and Supplemental FAQs on Cyber-Events and Cyber-Enabled Crime

On October 25, FinCEN issued advisory bulletin FIN-2016-A005 reminding financial institutions of their Bank Secrecy Act (BSA) obligations to report certain cyber-events and cyber-enabled crime. The advisory highlights the importance of (i) reporting cyber-events and cyber-enabled crime through Suspicious Activity Reports (SARs); (ii) including cyber-related information such as IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information, in SAR reporting; (iii) collaborating with BSA/AML, cybersecurity, and other in-house units to facilitate “a more comprehensive threat assessment and develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime”; and (iv) sharing cyber-related information – including specific malware signatures, IP addresses and device identifiers, and virtual currency addresses that seem anonymous – amongst financial institutions for the “purpose of identifying and, where appropriate, reporting money laundering or terrorist activities.” Importantly, the advisory distinguishes between mandatory SAR reporting of cyber-events, providing three specific examples, and voluntary reporting of cyber-events. Per the advisory, “[c]yber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”

FinCEN simultaneously issued FAQs to supplement advisory bulletin FIN-2016-A005. The FAQs, which supersede 2001 FAQs regarding computer intrusion, provide answers to a set of nine questions. The FAQs address, among other things, (i) when cyber-related SAR reports should be filed; (ii) the type of information that should be included in cyber-related SARs; and (iii) cyber-event and cyber-enabled crime information sharing, pursuant to Section 314(b) of the USA PATRIOT Act, between financial institutions.