The Financial Crimes Enforcement Network (FinCEN) is issuing this Advisory to remind financial institutions, and in particular, the lawyers that advise them, of the requirement to maintain the confidentiality of Suspicious Activity Reports (SARs). FinCEN is concerned that an increasing number of private parties, who are not authorized to know of the existence of filed SARs, are seeking SARs from financial institutions for use in civil litigation and other matters. Financial institutions, and their current and former directors, officers, employees, agents, and contractors, are prohibited from disclosing SARs, or any information that would reveal the existence of a SAR.¹ FinCEN recognizes that an escalation in the number of requests for use of SARs in private litigation may increase the likelihood of an unauthorized disclosure of a SAR. This is especially true when external counsel is unfamiliar with the regulations covering SAR confidentiality. Financial institutions, and their current and former directors, officers, employees, agents, and contractors could be subject to civil and criminal penalties for the unauthorized disclosure of a SAR.

FinCEN is responsible for both safeguarding the information it collects under its regulations implementing the Bank Secrecy Act, including SARs, and promoting appropriate protection of this by authorized users of the data across the Federal, State and local levels of government. The unauthorized disclosure of SARs could undermine ongoing and future investigations by tipping off suspects, deterring financial institutions from filing SARs, and threatening the safety and security of institutions and individuals who file such reports. Such disclosure of SARs compromises the essential role SARs play in protecting our financial system and in preventing and detecting financial crimes and terrorist financing. The success of the SAR reporting system depends upon the financial sector's confidence that these reports will be appropriately protected.

Possible Civil and Criminal Penalties for Unauthorized SAR Disclosures

The unauthorized disclosure of a SAR is a violation of federal law.² Both civil and criminal penalties may be imposed for SAR disclosure violations. Violations may be enforced through civil penalties³ of up to $100,000 for each violation and criminal penalties⁴ of up to $250,000 and/or imprisonment not to exceed five years.⁵ In addition, financial institutions could be liable for civil money penalties resulting from anti-money laundering program deficiencies (i.e., internal controls, training, etc.) that led to the SAR disclosure. Such penalties could be up to $25,000 per day for each day the violation continues.⁶ FinCEN is committed to working with regulatory agencies, law enforcement, SROs, and financial institutions to take appropriate action for unauthorized disclosures of SARs. Incidents involving possible unauthorized SAR disclosures are investigated, and appropriate action is taken for violations of the law.

Guidance on Maintaining SAR Confidentiality

FinCEN reminds financial institutions to be vigilant in maintaining the confidentiality of SARs. This includes ensuring all employees, agents, and individuals appropriately entrusted with information in a SAR are informed of the individual obligation to maintain SAR confidentiality. This obligation applies not only to the SAR itself, but also to information that would reveal the existence (or non-existence) of the SAR. Likewise, such persons should be informed of the consequences for failing to maintain such confidentiality, which could include civil and criminal penalties as explained herein.

A financial institution may consider including such information as part of its ongoing training of all employees. Furthermore, financial institutions may want to remind their counsel of the strict requirements of SAR confidentiality. Additional risk-based measures to enhance the confidentiality of SARs could include, among other appropriate security measures, limiting access on a "need-to-know" basis, restricting areas for reviewing SARs, logging of access to SARs, using cover sheets for SARs or information that reveals the existence of a SAR, or providing electronic notices that highlight confidentiality concerns before a person may access or disseminate the information.

If you or your institution becomes aware of an unauthorized disclosure of a SAR, or if your institution receives a subpoena or other request for a SAR from other than an authorized government authority or self-regulatory organization as defined in the applicable SAR regulations, you should immediately contact FinCEN's Office of Chief Counsel at (703) 905-3590.⁷ Additionally, an institution may be required to contact its primary federal regulator, as may be applicable in a corresponding SAR rule.

Questions or comments regarding the contents of this Advisory should be addressed to the FinCEN Regulatory Helpline at 800-949-2732. Financial institutions wanting to report suspicious transactions that may relate to terrorist activity should call the Financial Institutions Toll-Free Hotline at (866) 556-3974 (7 days a week, 24 hours a day). The purpose of the hotline is to expedite the delivery of this information to law enforcement. Financial institutions should immediately report any imminent threat to local-area law enforcement officials.