Confidential means CONFIDENTIAL!

This post is part of our occasional series on AML program fundamentals which focuses on refreshing foundational knowledge for experienced members of the AML community and providing an introduction to key topics for those new to the subject.

Recently, a former senior FinCEN official pled guilty to “conspiring to unlawfully disclose Suspicious Activity Reports.” The press release from the Department of Justice noted that the official agreed to “repeatedly disclose highly sensitive information contained in Suspicious Activity Reports” to a reporter for a news organization who used the information to publish 12 news articles over the course of 1 year.

Why is this guilty plea so surprising? Let’s take a step back and consider a fundamental aspect of anti-money laundering and financial crimes compliance – SARs are confidential.

The requirement to file a SAR when a financial service company[1] identifies activity which may relate to money laundering, a financial crime or terrorist financing was established in the Annunzio-Wylie Anti-Money Laundering Act (1992); the first SAR form became effective in early 1996. Because SARs contain unproven reports of possible bad acts, the Bank Secrecy Act prohibits a financial services company  and its employees, officers, directors and agents from disclosing to anyone involved in the reported activity the existence of the SAR. Regulations allow for the disclosure to FinCEN, law enforcement and financial services regulators. The USA PATRIOT Act extended this rule to include officers or employees of the Federal Government or of any State, local, tribal, or territorial government within the United States.[2] Unauthorized disclosure of SARs or SAR data can result in substantial civil and criminal penalties for both the individual and the organization.

As the previous paragraph makes clear, the confidential nature of SARs is not new. It also makes clear that the limitation on disclosure is very broad. To ensure that your organization avoids violating this rule, the protocols your institution uses to mitigate this risk should be reviewed and included in your AML training program.[3]

What can you do?

Here are several practices to consider implementing to ensure that your AML program effectively controls the availability and distribution of SARs and SAR data:

• If the confidential nature of SARs is not discussed in the training provided to your analysts, investigators, internal auditors and any others involved in the SAR filing process, update the training to add it; the training should include clarity that staff members with access to SARs and SAR data should not disclose any information about SARs to others in the organization, except for others who have such access as part of their duties; this limitation should include the fact that a SAR has been filed
• Establish clear limits on who in your organization may access investigation files
• Include a confidentiality warning on physical and electronic files containing SARs and SAR data
• Include a confidentiality warning on any board reports which contain SAR data; when making reports to the board or any of its committees do not include copies of SARs and wherever possible anonymize the information in the reports
• Establish processes to track access to SARs and investigations through logging and other data management techniques
• Establish a sequestered physical location for review of physical SAR files
• Establish processes to limit staff members who are authorized to discuss SARs and SAR data with regulators and law enforcement
• Establish processes to track any transmission of SARs and SAR related information, including in response to inquiries from FinCEN or law enforcement about filed SARs
• Apply general data access controls to SARs and SAR data; e.g. when personnel change responsibilities ensure that their access rights are adjusted accordingly
• Establish protocols for sharing SARs and SAR data with your federal regulators during onsite visits.

The confidential nature of SARs and SAR data has been a part of AML compliance for many years. An event such as discussed at the beginning of this post presents an opportunity for all of us to review our processes and training and remind our colleagues how to properly handle SARs and SAR data.

AML RightSource

AML RightSource is the leading provider of AML/BSA and financial crimes co-sourcing solutions. With over 1,000 AML/BSA professionals, AML RightSource assist clients in meeting their AML/BSA regulatory demands. The company’s current services include transaction monitoring, alert backlog management, enhanced due diligence reviews, fraud, and financial crimes advisory services. AML RightSource, a Clarion Capital Partners portfolio company, is headquartered in Cleveland, Ohio, and has additional facilities in Ohio, Arizona, New York, and Mississauga Canada.

[1] The requirement applies to insured depository institutions, casinos and card clubs, money services businesses, securities and futures brokers and dealers, mutual funds, residential mortgage lenders and originators, and insurance companies.

[2] USA PATRIOT ACT (2001) §351(b).

[3] For an overview of the principal requirements of an AML compliance program see my blog post The Five Pillars of an AML Compliance Program.