Banking and Finance Law Daily FinCEN clarifies mandatory reporting requirements for cyber-events
News
Wednesday, October 26, 2016

FinCEN clarifies mandatory reporting requirements for cyber-events

By Lisa M. Goolik, J.D.

The Financial Crimes Enforcement Network has issued an advisory for financial institutions on the mandatory and voluntary reporting of cyber-events and cyber-enabled crime in accordance with the Bank Secrecy Act. As a companion to the advisory (FIN-2016-A005), FinCEN has also provided a Frequently Asked Questions document with additional details on completing a Suspicious Activity Report for a cyber-event.

Valuable information. According to FinCEN, cyber-related information that financial institutions include in their regular BSA reporting is a valuable source of investigatory leads. "Law enforcement has been able to use cyber-related information reported—such as IP addresses with timestamps, cyber-event data, and virtual-wallet information—to track criminals, identify victims, and trace illicit funds," said FinCEN.

For the purposes of the advisory, FinCEN defines a cyber-event as "an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information" Cyber-enabled crime refers to "illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers." In addition, cyber-related information is "information that describes technical details of electronic activity and behavior, such as IP addresses, timestamps, and Indicators of Compromise (IOCs)."

While the advisory does not change existing BSA requirements or other regulatory obligations for financial institutions, the guidance clarifies the circumstances under which reporting is mandatory or voluntary.

Mandatory reporting. A financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets. If a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions.

A financial institution should consider all available information surrounding the cyber-event, including its nature and the information and systems targeted. To determine the monetary amount involved in the transactions or attempted transactions, a financial institution should consider in aggregate the funds and assets involved in or put at risk by the cyber-event.

FinCEN also reminds financial institutions that they should also be familiar with any other cyber-related filing obligations required by their functional regulator. The Office of the Comptroller of the Currency requires national banks to file SARs to report unauthorized electronic intrusions, and the Federal Reserve Board, Federal Deposit Insurance Corporation, and the National Credit Union Administration have issued guidance concerning the filing of SARs to report certain computer-related crimes.

In addition, filing a SAR does not relieve financial institutions from any other applicable requirements to timely notify appropriate regulatory agencies of events concerning critical systems and information or of disruptions in their ability to operate.

Voluntary reporting. FinCEN also encourages voluntary reporting of "egregious, significant, or damaging cyber-events and cyber-enabled crime when such events and crime do not otherwise require the filing of a SAR."

As an example, FinCEN describes a situation in which a Distributed Denial of Service (DDoS) attack disrupts a financial institution’s website and disables the institution’s online banking services for a significant period of time. After investigation, the affected financial institution determines the attack was not intended to and could not have affected any transactions. Although the financial institution is not required to report the attack, FinCEN encourages the financial institution to consider filing a SAR because the information may be highly valuable in other law enforcement investigations.

Reporting cyber-related information. Financial institutions reporting a cyber-event should include the following information, to the extent available, when filing a SAR:

  • description and magnitude of the event;
  • known or suspected time, location, and characteristics or signatures of the event;
  • indicators of compromise;
  • relevant IP addresses and their timestamps;
  • device identifiers;
  • methodologies used; and
  • other information the institution believes is relevant.

Collaboration. Lastly, the advisory encourages financial institutions to share information with each other in order to identify threats and vulnerabilities. "By sharing information with one another, financial institutions may gain a more comprehensive and accurate picture of possible threats, allowing for more precise decision making in risk mitigation strategies."

Financial institutions are also urged to share relevant information within the organization including, as appropriate, with BSA or anti-money laundering staff, cybersecurity personnel, fraud prevention teams, and other potentially affected units.

MainStory: TopStory BankSecrecyAct CrimesOffenses CyberPrivacyFeed IdentityTheft Privacy

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More