The Financial Crimes Enforcement Network, along with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (collectively, the “Federal Banking Agencies”) is issuing this guidance to confirm that under the Bank Secrecy Act and its implementing regulations (and parallel provisions issued by the Federal Banking Agencies): (1) a U.S. branch or agency of a foreign bank may disclose a Suspicious Activity Report to its head office outside the United States; and (2) a U.S. bank or savings association (“depository institution”) may disclose a Suspicious Activity Report to controlling companies1 whether domestic or foreign. This guidance does not address the applicability of any other Federal or state laws.
The Bank Secrecy Act prohibits the filer of a Suspicious Activity Report from notifying any person involved in the suspicious transaction that the transaction has been reported.2 Implementing regulations issued by the Financial Crimes Enforcement Network have construed this confidentiality provision as generally prohibiting a banking organization from disclosing the existence of a Suspicious Activity Report except where such disclosure is requested by appropriate law enforcement agencies, bank supervisory agencies, or the Financial Crimes Enforcement Network.3 In addition, the Federal Banking Agencies’ regulations, issued pursuant to Title 12 of the United States Code, state that “Suspicious activity reports are confidential.”4
A depository institution that files a Suspicious Activity Report may disclose to entities within its organization information underlying the filing (that is, information about the customer/suspect and transaction(s) reported). However, neither the Financial Crimes Enforcement Network nor the Federal Banking Agencies have taken a definitive position concerning whether a depository institution is permitted under the Bank Secrecy Act and Federal Banking Agency regulations to share or disclose to entities within its corporate structure, the Suspicious Activity Report itself or the fact that a Suspicious Activity Report was filed.5 The answer to this question has become a critical issue, particularly in a global context.
We have carefully considered this issue, taking into account the need for a head office, controlling entity or party to discharge its oversight responsibilities with respect to enterprise-wide risk management and compliance with applicable laws and regulations. To fulfill those responsibilities, head offices and controlling entities or parties may have a valid need to review a branch’s, office’s, or depository institution’s compliance with legal requirements to identify and report suspicious activity. Accordingly, we have determined that a U.S. branch or agency of a foreign bank may share a Suspicious Activity Report with its head office outside the United States for these purposes. Similarly, a U.S. bank or savings association may disclose a Suspicious Activity Report to its controlling company, no matter where the entity or party is located. In the event that a depository institution’s corporate structure includes multiple controlling companies, the filing institution’s Suspicious Activity Report may be shared with each controlling entity.6
There may be circumstances under which a depository institution would be liable for direct or indirect disclosure by its controlling company or head office of a Suspicious Activity Report or the fact that a Suspicious Activity Report was filed. Therefore, the depository institution, as part of its anti-money laundering program, must have written confidentiality agreements or arrangements in place specifying that the head office or controlling company must protect the confidentiality of the Suspicious Activity Reports through appropriate internal controls.
The sharing of a Suspicious Activity Report with a non-U.S. entity raises additional concerns about the ability of the foreign entity to protect the Suspicious Activity Report in light of possible requests for disclosure abroad that may be subject to foreign law. These concerns will need to be addressed in the confidentiality agreements or arrangements. The recipient head office, controlling entities or parties may not disclose further any Suspicious Activity Report, or the fact that such report has been filed; however, the institution may disclose without permission underlying information (that is, information about the customer and transaction(s) reported) that does not explicitly reveal that a Suspicious Activity Report was filed and that is not otherwise subject to disclosure restrictions.
The Financial Crimes Enforcement Network and the Federal Banking Agencies are considering whether a depository institution may share a Suspicious Activity Report with an affiliate other than a controlling company or head office, both in instances where the affiliate is located inside the United States and where the affiliate is located abroad. We expect to issue guidance on this issue shortly; but, until such time, depository institutions should not share Suspicious Activity Reports with such affiliates.