Keep Suspicious Activity Reports Confidential!
by Amy Kleinschmit
Chief Compliance Officer

As credit unions are aware, federal law requires that a report of suspicious transaction relevant to a possible violation of law or regulation be reported using the Suspicious Activity Report (SAR). As a quick review, credit unions are required to file SAR with respect to:

  • Criminal violations involving insider abuse in any amount.
  • Criminal violations aggregating $5,000 or more when a suspect can be identified.
  • Criminal violations aggregating $25,000 or more regardless of a potential suspect.
  • Transactions conducted or attempted by, at, or through the bank (or an affiliate) and aggregating $5,000 or more, if the bank or affiliate knows, suspects, or has reason to suspect that the transaction:
    • May involve potential money laundering or other illegal activity (e.g., terrorism financing).
    • Is designed to evade the BSA or its implementing regulations.
    • Has no business or apparent lawful purpose or is not the type of transaction that the particular customer would normally be expected to engage in, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

Section 31 CFR 1020.320(e) mandates confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as authorized by the regulation. No credit union, and no director, officer, employee, or agent of any credit union, shall disclose a SAR or any information that would reveal the existence of a SAR. Any credit union, and any director, officer, employee, or agent of any bank that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information and must notify FinCEN of any such request and the response thereto.

The regulation provides exceptions for disclosure of a SAR which are limited to disclosure by a credit union to FinCEN; any Federal, State, or local law enforcement agency; NCUA; or any State regulatory authority administering a State law that requires the credit union to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the credit union complies with the Bank Secrecy Act.

Credit unions must retain copies of SARs and supporting documentation for five years from the date of filing the SAR. Credit unions are also required to provide all documentation supporting the filing of a SAR upon request by FinCEN or an appropriate law enforcement or federal banking agency. “Supporting documentation” refers to all documents or records that assisted a bank in making the determination that certain activity required a SAR filing. No legal process is required for disclosure of supporting documentation to FinCEN or an appropriate law enforcement or federal banking agency.

There may be an occasion requiring immediate attention by law enforcement. The 2014 FFIEC BSA/AML Examination Manual provides, “for situations requiring immediate attention, in addition to filing a timely SAR, a bank must immediately notify, by telephone, an “appropriate law enforcement authority” and, as necessary, the bank’s primary regulator. For this initial notification, an “appropriate law enforcement authority” would generally be the local office of the IRS Criminal Investigation Division or the FBI. Notifying law enforcement of a suspicious activity does not relieve a bank of its obligation to file a SAR.” (Emphasis added, Page 71)

Note the above guidance from the exam manual only notes a telephone call. Delivering an actual copy of the SAR would not be necessary as Federal, State and Local law enforcement agencies can access the Bank Secrecy Act data through a secure web connection after their agency has entered into a Memorandum of Understanding with FinCEN. FinCEN provides training, and monitors use to ensure that the BSA information is properly used, disseminated, and kept secure.

The unauthorized disclosure of a SAR is a violation of federal law, as was the case with this enforcement action from 2011. FinCEN assessed a $25,000 civil money penalty against an individual. In this particular case, FinCEN determined that a bank employee willfully violated BSA and its implementing regulations by disclosing the existence of a SAR to a person involved in the reported transaction.

As discussed in the 2011 enforcement action above, “The unauthorized disclosure of a SAR can undermine ongoing and future investigations by, for example, alerting suspects that their activity has been reported. Such ‘tipping off’ can, in turn, threaten the safety and security of the institutions and individuals who file such reports, potentially deterring them from fulfilling their reporting obligations in the first place. Even the occasional unauthorized SAR disclosure can have a chilling effect. Accordingly, the role of SARs in protecting our financial system depends on the financial sector’s (and the government’s) confidence that SAR confidentiality is maintained.”

Feel free to contact Amy Kleinschmit with any compliance related questions.


<< Go to Memo List