FinCEN to Financial Institutions: Include Cyber Data in Suspicious Activity Reports (SARs)
As new legislation aimed at facilitating greater cybersecurity information sharing between private industry and government takes effect (i.e., Cybersecurity Information Sharing Act), FinCEN Director Jennifer Shasky Calvery recently called for “financial institutions to include cyber-derived information (such as IP addresses on bitcoin wallet addresses) in suspicious activity reports.” Director Shasky Calvery’s statement dovetails with the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) launched last year that we discussed previously, which lists “threat intelligence and collaboration” through information-sharing forums as one of five key “domains” for assessing cybersecurity preparedness. Regulated entities should take stock of this shifting risk management and compliance landscape, and evaluate the need for changes (and investments) to existing cybersecurity tools necessary for information collection, analysis and sharing.
Suspicious Activity Reporting Requirements
One of FinCEN’s primary missions is to collect and analyze information about financial transactions in order to combat money laundering, terrorist financing, and other financial crimes. In particular, the Bank Secrecy Act requires certain financial institutions to file a suspicious activity report (SAR) with FinCEN if the financial institution detects “suspicious activity” in a transaction or a series of transactions. A transaction is “suspicious” if the financial institution suspects, or has reason to suspect, that the transaction: (1) involves money derived from criminal activity; (2) is designed to evade Bank Secrecy Act requirements, whether through structuring or other means; (3) appears to serve no business or other legal purpose and for which available facts provide no reasonable explanation; or, (4) involves the use of the financial institution to facilitate criminal activity. The sub-set of financial institutions required to detect and file SARs is quite broad; SAR reporting requirements cover not only banks, financial holding companies, securities broker/dealers, and mutual funds, but many other entities deemed to be financial institutions such as casinos and card clubs, insurance companies, mortgage lenders/originators, and most money service businesses. Typically, the transaction, or series of transactions, must involve at least $5,000 for the SAR requirement to apply, however the monetary minimum threshold differs depending upon the particular type of financial institution. Money services businesses, for example, have a $2,000 transaction threshold. And, of course, any financial institution may always file a SAR voluntarily regardless of transaction amount or whether it fits within the sub-set of financial institutions with an affirmative SAR filing requirement.
Inclusion of IP Addresses in SARs
While Director Shasky Calvery focused her remarks on suspicious IP addresses that may be cybercrime indicators, she more generally emphasized the need to include attribution or digital-identity information regarding banking transactions in SARs. This move is not new. Since 2012, FinCEN has asked financial institutions to include IP addresses involved in suspicious activity within SARs. Moreover, the FFIEC manual urges banks engaged in higher risk electronic banking activities to implement systems to generate IP address reports. FinCEN has stated that IP addresses and other cyber information can be helpful in deflecting cyber-attacks, identifying the source of cyber-attacks, and identifying cyber-actors conducting illicit financial activities, such as theft, identify theft, and tax refund fraud. For instance, Director Shasky Calvery noted that SARs filed by several different financial institutions played a vital role in helping FinCEN and the FBI trace the fraudulent withdrawal of nearly $7 million from an account in Florida to criminal groups in Russia and Ukraine. In total, these actors were responsible for more than $100 million in losses perpetrated through the GameOver Zeus botnet virus. Yet, despite prior requests for IP addresses and examples of success stories, Director Shasky noted that only 2% of SARs filed with FinCEN include IP address information.
Although there is no current specific requirement to include IP addresses and electronic attribution information within SARs, Director Shasky Calvery’s remarks make clear that FinCEN is continuing to focus on leveraging cyber in the fight against financial crime and is putting financial institutions on notice that it views IP address and attribution information as instrumental to that fight.
FinCEN’s repeated requests to provide attribution information in SARs suggests added emphasis on the gathering and use of such information in its investigations of banks and other financial institutions for Bank Secrecy Act compliance purposes. Since June 2013, FinCEN has taken a more aggressive stance in bringing civil enforcement actions against financial institutions for failure to properly submit SARs, and regulated entities should not ignore cybersecurity information that could improve reporting and identification of suspicious activity. Financial institutions trying to manage risk with a robust anti-money laundering and Bank Secrecy Act compliance program should consider taking steps to incorporate IP addresses and other attribution information into their programs and SARs.
This may be no easy task. Although many cybersecurity systems and tools capture this type of information in logs (many unfortunately do not) they are not necessarily configured to efficiently pull, aggregate, and report relevant information to analysts or to provide it in a meaningful, easily accessible format to facilitate BSA compliance. Firewall logs, for example, can contain millions of records a day, and enterprise-wide log information often needs to be aggregated, parsed, and related before actionable information can be accessed or obtained. In light of FinCEN’s repeated increased focus on cybersecurity information, and its recent willingness to issue proposed rules (i.e., proposed customer due diligence rule, proposed investment adviser rule), financial institutions, in particular those with SAR obligations, should strongly consider today how they will begin to factor the need for attribution information into the development, configuration, use and procurement of new cybersecurity tools.