FinCEN Issues Guidance on BSA Reporting of Cyber Threats

Bank Secrecy Act-mandated reports play a critical role in helping stop cyber threats, the Financial Crimes Enforcement Network said in an advisory today that included a restatement of regulatory expectations for BSA reporting of cyber events. Banks must file suspicious activity reports on “cyber events” that affect transactions or series of transactions when those transactions are unauthorized, relevant to a possible legal violation or part of efforts to acquire funds illegally, FinCEN said.

Examples of SAR-required reportable cyber events include malware intrusions that put customer funds at risk, intrusions into a bank’s systems or networks and distributed denial of service attacks that prevent financial institution personnel from stopping an unauthorized money transfer. The guidance includes the kinds of information that must be reported in a cyber-related SAR.

The guidance added that banks may voluntarily report cyber events even when a SAR is not required, such as a DDoS attack that could not have affected any transactions. “SAR reporting of cyber events, even those that may not meet mandatory SAR-filing requirements, is highly valuable in law enforcement investigations,” FinCEN said. “For example, BSA reporting by more than 20 financial institutions — on transactions related to cyber-enabled crimes — played an important role in the investigation of an internet-based company, its cofounders and other collaborators.”

FinCEN noted that the advisory does not change existing BSA or other regulatory requirements. It also issued a set of nine frequently asked questions to help BSA officers file reports on cyber events and cyber-enabled crimes. For more information, contact ABA’s Rob Rowe or Heather Wyson-Constantine.