ACAMS Today, March-May 2025 | page 40

COMPLIANCE
▪ “FDIC, Federal Reserve and Department of the Treasury issued a rule in November [2021] with compliance beginning May 1, 2022, that requires banks and their service providers to notify their primary federal regulator within [36] hours of a computer security incident that is reasonably likely to disrupt the bank’s operations.” 9
Elder Financial Exploitation ― FinCEN’s Advisory on Elder Financial Exploitation (EFE) 10 contains the exact wording as the ransomware advisory referenced above directing FIs to contact FinCEN’s Financial Institution Hotline. In addition, this advisory contains the following disclosure: “Filers are also encouraged to determine their obligations to report suspected EFE under state law and report suspected EFE to [LE] and their state-based Adult Protective Services.”
Check Fraud ― The FinCEN Alert on Nationwide Surge in Mail Theft-Related Check Fraud Schemes Targeting the U.S. Mail 11 provides the familiar caution: “[FIs] wanting to expedite their report of suspicious transactions that may relate to the activity noted in this alert should call the Financial Institutions Toll-Free Hotline at 866-556-3974 (7 days a week, 24 hours a day).” A footnote accompanied that message: “The purpose of the hotline is to expedite the delivery of this information to [LE]. [FIs] should immediately report any imminent threat to local area [LE] officials.”
Insider Activity ― Although U.S. regulators have standardized examinations for AML compliance via the Federal Financial Institutions Examination Council’s BSA/AML Examination Manual, in certain instances, compliance requirements may vary between regulators. For example, 12 CFR 21.11 from the Office of the Comptroller of the Currency 12 requires that the board of directors be notified when an insider SAR is filed. There is a carve-out provision if the SAR is filed with a director as the subject:
“Notification to board of directors ―
(1) Generally: Whenever a national bank files a SAR pursuant to this section, the management of the bank shall promptly notify its board of directors, or a committee of directors or executive officers designated by the board of directors to receive notice.
(2) Suspect is a director or executive officer. If the bank files a SAR pursuant to paragraph (c) of this section and the suspect is a director or executive officer, the bank may not notify the suspect, pursuant to 31 U.S.C. 5318(g)(2), but shall notify all directors who are not suspects.” 13
Ongoing Activity ― Under 12 CFR 353.3(b)(2) and (c), 14 FIs that are regulated by the Federal Deposit Insurance Corporation (FDIC) are advised as follows:
“(b)(2) In situations involving violations requiring immediate attention, such as when a reportable violation is ongoing, the FDIC-supervised institution shall immediately notify, by telephone, an appropriate [LE] authority and the appropriate FDIC regional office (Division of Supervision and Consumer Protection (DSC)) in addition to filing a timely report.
(c) Reports to state and local authorities. An FDIC-supervised institution is encouraged to file a copy of the suspicious activity report with state and local [LE] agencies where appropriate.”
And, in part (f), FDIC-regulated institutions also have an obligation to notify their board of directors:
“Notification to board of directors. The management of an FDIC-supervised institution shall promptly notify its board of directors, or a committee thereof, of any report filed pursuant to this section. The term “board of directors” includes the managing official of a foreign bank having an insured branch for purposes of this part.” 15
NBFIs
Suspicious activity reporting requirements differ among the various types of NBFIs. In addition, if the NBFI does have a reporting obligation, reporting thresholds should be validated, as reporting thresholds differ from requirements for a bank. Notification requirements should also be validated for the various types of suspicious activity reported.
Next steps
Institutions should remember to check SAR-related requirements from their examiner and then memorialize those requirements in either a policy or a procedural document. Other important information to memorialize in process documents includes:
▪ A contact list for which agency or person should be contacted and how (e.g., by phone or email). Use discretion when setting guidelines for contacting LE as a result of a SAR filing. This is where proper networking through a SAR task force or peer groups becomes invaluable. In these settings, LE can advise which cases they are specifically interested in and at what dollar amount.
SAR filing instructions define the LE contact agency and LE contact name as follows:
― LE contact agency: “This is the [LE] agency (if any) that has been informed of the suspicious activity. This party corresponds with Part IV (Item 89) of the FinCEN SAR.” 16
― LE contact name: “This is the person at [LE] agency (if any) contacted regarding the suspicious activity. This party corresponds with Part IV (Items 90-92) of the FinCEN SAR.” 17
▪ What information can be legally provided to the contact.
― While there is safe harbor from civil litigation for reporting under the BSA, there are limits to the safe harbor provisions. For example, the report must be made to “appropriate