The Financial Crimes Enforcement Network (“FinCEN”), after consulting with the staffs of the Board of Governors of the Federal Reserve System (“FRB”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), the Office of the Comptroller of the Currency (“OCC”), and the Office of Thrift Supervision (“OTS”) (hereinafter, the “Federal Banking Agencies”), is issuing this guidance to confirm that under the Bank Secrecy Act (“BSA”) and its implementing regulations, a depository institution subject to FinCEN regulations (“depository institution”) that has filed a Suspicious Activity Report (“SAR”) may share the SAR, or any information that would reveal the existence of the SAR, with certain affiliates1. This guidance does not address the applicability of any other Federal or state laws.
The BSA prohibits the filer of a SAR from notifying any person involved in a suspicious transaction that the activity has been reported.2 Regulations issued by FinCEN construe this confidentiality provision as generally prohibiting a depository institution from disclosing a SAR, or any information that would reveal the existence of a SAR. 3
However, the regulations make clear that, provided no person involved in the transaction is notified that the transaction has been reported, the prohibition does not include disclosures to (1) FinCEN; (2) any Federal, state, or local law enforcement agency; (3) any Federal regulatory agency that examines the depository institution for compliance with the BSA; or (4) any state regulatory authority that examines the depository institution for compliance with state laws requiring compliance with the BSA. The regulations also provide that the prohibition does not apply to: (i) the disclosure of the underlying facts, transactions, and documents upon which a SAR is based, including, but not limited to, disclosures related to filing a joint SAR and in connection with certain employment references or termination notices; and (ii) the sharing of a SAR, or any information that would reveal the existence of a SAR, within a depository institution’s corporate organizational structure for purposes consistent with Title II of the BSA, as determined by regulation or in guidance. 4
In previously issued guidance (“January 2006 Guidance”), FinCEN, the OCC, the OTS, the FRB, and the FDIC determined that a U.S. branch or agency of a foreign bank may share a SAR with its head office.5 The January 2006 Guidance also stated that a U.S. bank or savings association may share a SAR with its controlling company (whether domestic or foreign). The January 2006 Guidance continues to be applicable and comports with the SAR regulations referenced above. 6 The sharing of a SAR or, more broadly, any information that would reveal the existence of a SAR, with a head office or controlling company (including overseas) promotes compliance with the applicable requirements of the BSA by enabling the head office or controlling company to discharge its oversight responsibilities with respect to enterprise-wide risk management, including oversight of a depository institution’s compliance with applicable laws and regulations.
The January 2006 Guidance deferred taking a position on whether a depository institution is permitted to share a SAR with affiliates and directed institutions not to share with such affiliates. FinCEN has now concluded that a depository institution that has filed a SAR may share the SAR, or any information that would reveal the existence of the SAR, with an affiliate, as defined herein, provided the affiliate is subject to a SAR regulation.7 The sharing of SARs with such affiliates facilitates the identification of suspicious transactions taking place through the depository institution’s affiliates that are subject to a SAR rule. Therefore, such sharing within the depository institution’s corporate organizational structure is consistent with the purposes of Title II of the BSA. 8
It is not consistent with the purposes of Title II of the BSA for an affiliate that has received a SAR from a depository institution that has filed the SAR to further share that SAR, or any information that would reveal the existence of that SAR with an affiliate of its own, even if that affiliate is subject to a SAR rule.
As is the case with sharing SARs with head offices and controlling companies, there may be circumstances under which a depository institution, its affiliate, or both entities would be liable for direct or indirect disclosure by the affiliate of a SAR or any information that would reveal the existence of a SAR. Therefore, the depository institution, as part of its internal controls, should have policies and procedures in place to ensure that its affiliates protect the confidentiality of the SAR
Consistent with the BSA and the implementing regulations issued by FinCEN and the Federal Banking Agencies, a SAR, or any information that would reveal the existence of a SAR, must not be disclosed, even under this guidance, if the depository institution has reason to believe it may be disclosed to any person involved in the suspicious activity that is the subject of the SAR.