United States: FinCEN To Financial Institutions: Include Cyber Data In Suspicious Activity Reports (SARs)

Last Updated: February 10 2016
Article by Cybersecurity & Data Privacy Group

Article by Jonathan Lopez, Courtney Linn, Aravind Swaminathan, Antony P. Kim and Jonathan Direnfeld

As new legislation aimed at facilitating greater cybersecurity information sharing between private industry and government takes effect (i.e., Cybersecurity Information Sharing Act), FinCEN Director Jennifer Shasky Calvery recently called for "financial institutions to include cyber-derived information (such as IP addresses or bitcoin wallet addresses) in suspicious activity reports." Director Shasky Calvery's statement dovetails with the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) launched last year that we discussed previously, which lists "threat intelligence and collaboration" through information-sharing forums as one of five key "domains" for assessing cybersecurity preparedness. Regulated entities should take stock of this shifting risk management and compliance landscape, and evaluate the need for changes (and investments) to existing cybersecurity tools necessary for information collection, analysis and sharing.

Suspicious Activity Reporting Requirements

One of FinCEN's primary missions is to collect and analyze information about financial transactions in order to combat money laundering, terrorist financing, and other financial crimes. In particular, the Bank Secrecy Act requires certain financial institutions to file a suspicious activity report (SAR) with FinCEN if the financial institution detects "suspicious activity" in a transaction or a series of transactions. A transaction is "suspicious" if the financial institution suspects, or has reason to suspect, that the transaction: (1) involves money derived from criminal activity; (2) is designed to evade Bank Secrecy Act requirements, whether through structuring or other means; (3) appears to serve no business or other legal purpose and for which available facts provide no reasonable explanation; or (4) involves the use of the financial institution to facilitate criminal activity. The subset of financial institutions required to detect and file SARs is quite broad; SAR reporting requirements cover not only banks, financial holding companies, securities broker/dealers, and mutual funds, but many other entities deemed to be financial institutions such as casinos and card clubs, insurance companies, mortgage lenders/originators, and most money service businesses. Typically, the transaction, or series of transactions, must involve at least $5,000 for the SAR requirement to apply; however, the minimum monetary threshold differs depending upon the particular type of financial institution. Money services businesses, for example, have a $2,000 transaction threshold. And, of course, any financial institution may always file a SAR voluntarily regardless of transaction amount or whether it fits within the subset of financial institutions with an affirmative SAR filing requirement.

Inclusion of IP Addresses in SARs

While Director Shasky Calvery focused her remarks on suspicious IP addresses that may be cybercrime indicators, she more generally emphasized the need to include attribution or digital-identity information regarding banking transactions in SARs. This move is not new. Since 2012, FinCEN has asked financial institutions to include IP addresses involved in suspicious activity within SARs. Moreover, the FFIEC manual urges banks engaged in higher risk electronic banking activities to implement systems to generate IP address reports. FinCEN has stated that IP addresses and other cyber information can be helpful in deflecting cyber-attacks, identifying the source of cyber-attacks, and identifying cyber-actors conducting illicit financial activities, such as theft, identity theft, and tax refund fraud. For instance, Director Shasky Calvery noted that SARs filed by several different financial institutions played a vital role in helping FinCEN and the FBI trace the fraudulent withdrawal of nearly $7 million from an account in Florida to criminal groups in Russia and Ukraine. In total, these actors were responsible for more than $100 million in losses perpetrated through the GameOver Zeus botnet virus. Yet, despite prior requests for IP addresses and examples of success stories, Director Shasky noted that only 2% of SARs filed with FinCEN include IP address information.

Although there is no current specific requirement to include IP addresses and electronic attribution information within SARs, Director Shasky Calvery's remarks make clear that FinCEN is continuing to focus on leveraging cyber in the fight against financial crime and is putting financial institutions on notice that it views IP address and attribution information as instrumental to that fight.


FinCEN's repeated requests to provide attribution information in SARs suggest added emphasis on the gathering and use of such information in its investigations of banks and other financial institutions for Bank Secrecy Act compliance purposes. Since June 2013, FinCEN has taken a more aggressive stance in bringing civil enforcement actions against financial institutions for failure to properly submit SARs, and regulated entities should not ignore cybersecurity information that could improve reporting and identification of suspicious activity. Financial institutions trying to manage risk with a robust anti-money laundering and Bank Secrecy Act compliance program should consider taking steps to incorporate IP addresses and other attribution information into their programs and SARs.

This may be no easy task. Although many cybersecurity systems and tools capture this type of information in logs (many unfortunately do not), they are not necessarily configured to efficiently pull, aggregate, and report relevant information to analysts or to provide it in a meaningful, easily accessible format to facilitate BSA compliance. Firewall logs, for example, can contain millions of records a day, and enterprise-wide log information often needs to be aggregated, parsed, and related before actionable information can be accessed or obtained. In light of FinCEN's repeated and increased focus on cybersecurity information, and its recent willingness to issue proposed rules (i.e., proposed customer due diligence rule, proposed investment adviser rule), financial institutions, in particular those with SAR obligations, should strongly consider today how they will begin to factor the need for attribution information into the development, configuration, use and procurement of new cybersecurity tools.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

