Should banks be criminally liable for not reporting fishy emails?
Since Congress passed the Bank Secrecy Act in 1970, banks and other financial institutions have had a legal obligation to report suspicious customer activity to the government or risk regulatory penalties and even criminal prosecution. The purpose is to enlist banks in the fight against narcotics trafficking, tax evasion, terrorist financing and other criminal activity. Federal authorities have imposed billions of dollars in penalties against banks and other institutions that allowed crimes to be carried out on their watch.
This past February, the Financial Crimes Enforcement Network (Fincen) proposed a new rule that has the potential to significantly alter the reporting requirement, adding a new category for flagging suspicious “cyberevents.” Unlike the other categories on the standard “suspicious activity report,” or SAR, which pertain to misuse of a financial institution’s accounts by customers or employees, the “cyberevent” category requires institutions to detect and report all varieties of digital mischief, whether directed at a customer’s account or at the bank itself. For example, the new proposed SAR form has specific instructions to report the use of malware, or even receipt of a suspicious email address or file name.
The effect of this proposed change is potentially massive. Financial institutions will be required to detect and report cyberevents as a matter of federal criminal law. This is a significant shift in focus from traditional SAR filing, which has been centered on suspicious customer or employee activity. Bank compliance officers have been trained to look at a customer’s account activity to detect impropriety. But they typically have not been focused on criminal activity aimed at the bank itself (employee misconduct aside). SAR forms don’t have a category for armed robberies, for example.
There are several serious potential problems with the proposed change — which is still not final, public comments having been due earlier in April. First, the proposal adds Fincen to the small army of state and federal agencies that have already planted their flag in the fertile ground of cybersecurity enforcement, increasing the potential for duplicative or overlapping requirements.
Meanwhile, incorporating cybersecurity requirements into a bank’s anti-money-laundering compliance program raises serious questions about the consequences for failing to meet the government’s standards. Other violations pertaining to AML reporting have opened up banks to the risk of criminal prosecution. Will inadequate reporting of cyberthreats have the same effect? Under a worst-case scenario, a bank’s failure to detect a suspicious attachment or a phishing attack could theoretically result in criminal prosecution, massive fines and additional oversight.
While the collection of data about cyberevents by federal authorities will no doubt help law enforcement and is a worthwhile goal, it is simply not clear that making the failure to accurately report cyberevents a crime is the right solution.
The new requirement will impose substantial burdens on financial institutions, especially in light of the significant infrastructure that has already been built up around BSA compliance. Already, banks spend millions on this compliance. Last year, financial institutions filed over 2.3 million SARs — a number that is sure to go up significantly with the new cyberevent reporting requirement. In responding to the proposed changes, for example, one large bank publicly estimated that the proposed changes to the SAR form (including the new cyberevent reporting) would cost it an additional $9.6 million every year.
Not surprisingly, however, the proposed changes will probably hit smaller banks, brokers and other financial institutions the hardest. In public comments responding to the proposed changes, one Florida-based credit union noted that it was “concerned” that the new cyberevent reporting requirement was “very technical in nature and would require experienced information security professionals to complete.” Similarly, the National Association of Federally-Insured Credit Unions, a trade organization for credit unions, asked the Treasury Department to “provide a methodology for IT Departments outside of the current SAR process to fulfill cyberevent reporting and recording directly, mainly due to the unique, evolving, and technical nature of each cybercrime.” This is recognition that existing compliance staffs lack the sort of technical know-how necessary to adequately and helpfully report cyberevents.
Cybersecurity has for some time now been the (proper) focus of federal and state bank regulators as well as other agencies such as the Federal Trade Commission. Going further and elevating cybersecurity compliance to the level of federal criminal law is a step that should not be taken lightly.