Compliance Blog

Jun 08, 2018
Categories: BSA

When Can We Share a SAR?

Written by Stephanie Lyon, Senior Regulatory Compliance Counsel, NAFCU

Ciao! As some of you know, I just returned from my Italian vacation where I learned a couple of fun tidbits:

  • You can never use the word 'allora' too much. Even if you are someone's tour guide for 6 hours…
  • No one wants to make change for €50 bills or larger so carry smaller bills.
  • The lemon ricotta pizza we found in Capri was life-changing.
  • Italy's AML/BSA laws also have beneficial ownership requirements!

And on the last note, let's dive into something that has been floating around lately in the US: Suspicious Activity Reports (SARs) and confidentiality.


It is a widely known fact that the disclosure of a suspicious activity report (SAR) is generally prohibited by BSA regulations. See, 31 C.F.R. § 1020.320(e)(1)(i). This means credit unions cannot confirm or deny the existence of a SAR if asked by the person making the transaction or other persons. There may be other individuals with the "need to know" that a SAR is being considered such as the credit union's SAR decisioning committee, employees tasked with filing these reports or those who report the filing of SARs to the board of directors. So the sharing prohibition is generally for people who do not have a "need to know" or may be involved in the suspicious activity. 

The BSA also sets a couple of other narrow exceptions to the confidentiality principle. For example, credit unions are allowed to reveal the existence of a SAR, provide information regarding the SAR and provide the SAR itself to FinCEN, NCUA or any federal, state or local law enforcement agency or any state regulatory authority administering a state law that required the credit union to comply with the BSA. See, 31 C.F.R. § 1020.320(e)(1)(ii)(A)(1). Note that none of these exceptions allow the credit union to notify the subject of the SAR that their activity is being reported.

Because of recent news reports, credit unions are wondering what specific agencies are allowed to request SAR information. Footnote 79 of the FFIEC BSA/AML Examination Manual lists a couple of government agencies that may be allowed to ask for a SAR or SAR information. This list is not exhaustive but it is a good starting point and includes the following:

  • The criminal investigative services of the armed forces
  • The Bureau of Alcohol, Tobacco, and Firearms
  • An attorney general, district attorney, or state's attorney at the state or local level
  • The Drug Enforcement Administration
  • The Federal Bureau of Investigation (FBI)
  • The Internal Revenue Service (IRS) or tax enforcement agencies at the state level
  • The Office of Foreign Assets Control (OFAC)
  • A state or local police department
  • A United States Attorney's Office
  • Immigration and Customs Enforcement (ICE)
  • The U.S. Postal Inspection Service
  • The U.S. Secret Service

For conclusive information regarding whether an agency requesting SAR information fits the exception criteria, FinCEN suggests the credit union contact FinCEN's Regulatory Helpline at (800) 949-2732. See, The SAR Activity Review Trends, Tips & Issues, Issue 9, p. 46 (October 2005).

What if the credit union gets a subpoena? Will this list of authorized parties grow? The answer is that it depends. If the subpoena is not from FinCEN or an appropriate law enforcement or federal banking agency, the credit union must decline to provide any information regarding the SAR or even confirm the existence of the SAR. In addition, if the credit union receives an improper request to disclose a SAR, the credit union must notify FinCEN and NCUA. See, 31 C.F.R. § 1020.320(e)(1)(i) & 12 C.F.R. § 748.1(c)(5).

It is very important for the credit union's BSA department to have specific policies and procedures regarding the disclosure of SARs because a misstep regarding the improper disclosure of a SAR carries both civil and criminal penalties. Examples of potential penalties for violations include either up to $100,000 or up to $250,000 for each violation depending on whether the case is civil or criminal, up to 5 years imprisonment and other civil money penalties for anti-money laundering program deficiencies that led to the improper disclosure of the SAR(s). Here are a couple of links to documents that may assist a credit union when drafting or updating its SAR disclosure procedures:

To wrap up, here is a picture of my favorite travel buddy and me about to enjoy some Tuscan wine.

Lyon trip photo