We recently hosted a webinar, "Key Issues to Consider Regarding SAR Filings, Due
Diligence and Failure to File," in which we addressed
what financial institutions need to know about filing a
Suspicious Activity Report (SAR) with Treasury's Financial
Crimes Enforcement Network (FinCEN).
We set forth below a non-exhaustive list of suggested practices for
your organization to consider with respect to handling SARs.
SAR Confidentiality Best Practices

| Dos | Don'ts |
|---|---|
| Review applicable policies and procedures to determine whether your company has mandated certain SAR handling procedures. Tip: Look for language about taking steps to avoid producing or disclosing SARs and documents referencing SARs. | Avoid printing a hard copy. Tip: If printing is necessary, consider printing on different-color paper and keeping in a segregated file. |
| Establish clear SAR confidentiality protocols within your team. Tip: Document review protocols should provide an overview of SAR confidentiality and instructions for maintaining SAR confidentiality. | Avoid unnecessary sharing—in hard or electronic copy, or discussion in public places. Tip: If SARs are maintained on a public drive, place in a password-protected ZIP file, do not use a filename that indicates that the file is a SAR and consider restricting access. |
| Include SAR handling instructions in dealings with third parties/contractors (e.g., email review, analytics). Tip: The SAR handling instructions may be identical to, or based on, the SAR confidentiality protocols for the team. | Avoid referencing specific SARs in writing unless necessary. Tip: When referencing SARs in writing, include a header on the document or on your email that states "BSA CONFIDENTIAL / CONTAINS SAR INFORMATION." |
| Store electronic copies of SARs and SAR information in a restricted, password-protected file. Tip: Apply these protocols to work product that the team creates (e.g., chronologies). Where possible, use a header or footer: "BSA CONFIDENTIAL / CONTAINS SAR INFORMATION." | Avoid referencing specific SARs in redaction markings or privilege logs. Tip: FinCEN has instructed financial institutions to use language such as "nonpublic supervisory information." |
| Destroy copies of SARs when they are no longer needed. | Do not mention specific SARs in internal documents. Tip: General references are ok (e.g., "Review SARs" or "Draft SAR") but "Review SAR re: John Doe" could lead to an unauthorized disclosure. |
| Consult with AML experts, especially if asked to produce SARs. | Do not assume that a government requestor is entitled to SARs. |
| Produce SAR information carefully. Tip: Produce SAR information separately from other documents in the production, and label the SAR information "BSA CONFIDENTIAL / CONTAINS SAR DATA." Discuss production with the government ahead of time. | Avoid sending SARs and SAR information out of the United States. Tip: We recommend careful controls around cross-border transmission of SARs and SAR information (there is a limited exception to the prohibition for sharing SARs "up" to foreign parents, but financial institutions should handle this with care). Consider sharing sanitized records that do not reveal the existence of a SAR. |

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.