Banks Must Include Cybersecurity Incidents in SARs: Fincen

WASHINGTON – The Treasury Department's Financial Crimes Enforcement Network issued a reminder to banks that their obligations to report suspicious transactions also extend to certain cybersecurity attacks.

"The proliferation of cyber-events and cyber-enabled crime represents a significant threat to consumers and the U.S. financial system," the agency said in a new advisory. "Financial institutions can play an important role in safeguarding customers and the financial system from these threats through timely and thorough reporting."

In an FAQ published Tuesday, Fincen detailed the cases in which financial institutions should report cybersecurity events to the agency, and how those events should be included in Suspicious Activity Reports. On a number of issues, Fincen appears to be cutting financial institutions some slack and incentivizing information sharing when needed.

For instance, some cybersecurity incidents can be reported in a single cumulative SAR, rather than requiring individual submissions. "Fincen recognizes that filing a SAR to report individual cyber-events may require significant time and resources and could detract from a financial institution's efforts to guard against more significant money laundering and cyber threats," the agency said.

And though Fincen requires companies to file SARs even for unsuccessful cybersecurity attacks, the agency said an institution's anti-money-laundering department does not necessarily need any staff specialized in cybersecurity.

Fincen also said banks were allowed to share cybersecurity incidents under Section 314(b) of the Patriot Act, which creates a safe harbor for companies to share information with one another but has mainly been used in anti-money-laundering efforts.

Fincen's announcement follows the release last week of a broad plan by the three federal banking regulators to increase cybersecurity standards at large banks and other systemically important institutions.

Last month, the New York Department of Financial Services also issued a cybersecurity proposal that would affect banks under its jurisdiction.

 
