Keeping Secrets: SAR Confidentiality
Many credit union compliance professionals are familiar with Suspicious Activity Reports (SARs). Section 748.1(c) of the NCUA regulations, and section 1020.320 of the FinCEN regulations require a credit union to file a SAR in certain situations. However, even when a SAR is not required, a credit union may choose to file one voluntarily if it feels a transaction merits the attention of law enforcement.
Despite the fact many credit unions file SARs regularly, they are not allowed to talk about them – federal laws and regulations impose strict confidentiality rules relating to SARs. Section 1020.230(e) states that the SAR itself, as well as any information that would reveal the existence of a SAR, is confidential and may not be disclosed unless a specific exception applies. This means that, in most circumstances, a credit union is prohibited from disclosing whether a SAR has been filed, even when a member wants to know if he or she has been the subject of a SAR.
Let’s review some of the other aspects of this confidentiality:
- Subpoenas. Section 1020.230(e)(i) specifically states that a credit union should not disclose a SAR, or information that would reveal the existence of a SAR, even if that information is requested in a subpoena. If a credit union receives such a subpoena, then the regulation instructs the credit union to decline to produce the SAR or information sought and to notify FinCEN of the request and the credit union’s response to it.
- Other financial institutions. Credit unions and other financial institutions may agree to voluntary information sharing under Section 314(b) of the USA PATRIOT Act. While 314(b) allows credit unions to share or receive information regarding potential illicit activity, the FFIEC BSA/AML Examination notes that 314(b) does not permit sharing information which would reveal the existence (or even the nonexistence) of a SAR:
“[S]ection 314(b) does not authorize a financial institution to share a SAR, nor does it permit the financial institution to disclose the existence or nonexistence of a SAR. If a financial institution shares information under section 314(b) about the subject of a prepared or filed SAR, the information shared should be limited to underlying transaction and customer information. A financial institution may use information obtained under section 314(b) to determine whether to file a SAR, but the intention to prepare or file a SAR cannot be shared with another financial institution.”
But note that a credit union is permitted to share the underlying facts that led to the SAR (see below).
When Disclosure is Permitted
So, when can a SAR (or information revealing the existence of a SAR) be disclosed? Section 1020.230(e)(1)(ii) provides some exceptions to the confidentiality rule:
- Law Enforcement. Section 1020.230(e)(1)(ii) specifically states that it does not prohibit a credit union from disclosing a SAR or information that would reveal the existence of a SAR to “any Federal, State, or local law enforcement agency.” The FFIEC manual notes that disclosure is permissible when the disclosure is made to “appropriate law enforcement,” a term that Footnote 79 defines to include:
“[T]he criminal investigative services of the armed forces; the Bureau of Alcohol, Tobacco, and Firearms; an attorney general, district attorney, or state's attorney at the state or local level; the Drug Enforcement Administration; the Federal Bureau of Investigation; the Internal Revenue Service or tax enforcement agencies at the state level; the Office of Foreign Assets Control; a state or local police department; a United States Attorney's Office; Immigration and Customs Enforcement; the U.S. Postal Inspection Service; and the U.S. Secret Service.”
- Federal Regulators. The regulation also states that it does not prohibit disclosing the SAR (or information revealing the existence of the SAR) to “any Federal regulatory authority that examines the [credit union] for compliance with the Bank Secrecy Act.” Thus, a credit union can reveal SARs and information relating to SARs to the NCUA.
- Underlying Facts. The regulation states that it does not prohibit a credit union from disclosing “the underlying facts, transactions, and documents upon which a SAR is based.” This includes sharing this information with other financial institutions, such as under a 314(b) information sharing program or when preparing to file a joint SAR.
- Internal Sharing. Section 1020.320(e)(1)(ii)(B) permits a credit union or any director, officer, employee or agent of a credit union to disclose a SAR, or information revealing the existence of a SAR, “within the [credit union’s] corporate organizational structure” for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance.” On a related note, the Anti-Money Laundering Act of 2020 instructed FinCEN to create a pilot program that would allow credit unions and other financial institutions to share SARs with their foreign branches, subsidiaries or affiliates – that item is currently on FinCEN’s rulemaking agenda.
In advisory FIN-2012-A002, FinCEN reminded financial institutions about the prohibition on disclosing SARs, and noted that the prohibition can be enforced via civil penalties, as well as criminal penalties or even imprisonment. When an unauthorized disclosure of SARs formed the basis for national reporting in the so-called “FinCEN files,” the agency cautioned that “the unauthorized disclosure of SARs is a crime that can impact the national security of the United States, compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports.”
About the Author
Nick St. John, was named regulatory compliance counsel in March 2020. In this role, Nick helps credit unions with a variety of compliance issues.