On October 25, 2016, FinCEN issued an Advisory and related Frequently Asked Questions (FAQs) regarding the reporting of cyber-events, cyber-enabled crime and cyber-related information through Suspicious Activity Reports (SARs).
According to FinCEN, while suspicious transactions may not always involve a cyber-event, relevant cyber-related information should still be included in SARs when available (e.g., Internet Protocol (IP) addresses and accompanying timestamps associated with fraudulent wire transfers being reported). Similarly, the FinCEN guidance provides that when suspicious transactions do involve cyber-events, a financial institution should include in SARs all relevant and available information regarding the suspicious transactions and the cyber-event - including the type, magnitude and methodology of the cyber-event as well as signatures and facts on a network or system that indicate a cyber-event. The advisory also encourages collaboration between in- house BSA/AML and cybersecurity units and sharing information with other financial institutions to the extent permitted under Section 314(b) of the USA PATRIOT Act.
Among other things, the FAQs explain the circumstances in which an SAR must be filed in connection with an unsuccessful cyber-event and provide for the submission of a single, cumulative SAR to report multiple cyber-events that are similar in nature and share common identifiers or are believed to be related, connected or part of a larger scheme.
The advisory and FAQs are available at: https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
