• FinCEN Clarifies SAR Confidentiality Rules
  • March 18, 2011 | Author: Karla L. Reyerson
  • Law Firm: Fredrikson & Byron, P.A. - Minneapolis Office
  • On December 3, 2010, the Financial Crimes Enforcement Network (FinCEN) published a final rule in the Federal Register modifying portions of its Suspicious Activity Report (SAR) regulations to more clearly identify and limit the circumstances under which a financial institution or other entity subject to SAR regulations can share a SAR with third parties. FinCEN also released an advisory and formal guidance on the topic. Additionally, the Office of the Comptroller of the Currency and the Office of Thrift Supervision released final changes to their SAR regulations that coincide with FinCEN’s final rule.

    The Bank Secrecy Act (BSA) requires certain entities, including financial institutions, to file a SAR when they detect a known or suspected violation or suspicious activity related to money laundering, terrorist financing, or other criminal activity.

    The General Rules

    Prior to publication of the revised rules, the SAR rules stated that financial institutions could not notify the subject of a SAR that a SAR was created. FinCEN interpreted this language to mean that SARs could not be shared with anyone except as provided in the regulations. The rule has now been clarified, as further discussed in this article, and explicitly states that SARs are not to be disclosed to anyone except as authorized under the regulations (for banks, 31 C.F.R. 103.18).

    The revised rules also clarify that “information that would reveal the existence of a SAR” is also confidential. According to the Federal Register commentary, by this language FinCEN means that any document that specifically states that a SAR was or was not filed is confidential. However, documents that identify suspicious activity but do not indicate whether a SAR exists, such as an account statement indicating a cash deposit or a funds transfer, is not confidential. This would be considered part of the underlying facts, transactions and documents upon which the SAR is based, which are not afforded confidentiality. Further, general statistical or abstract information indicating that an institution has filed SARs but that does not reveal information that could lead someone to determine whether a SAR was filed on a person is not confidential.

    Additionally, the rules have been modified to indicate that if an institution is subpoenaed or otherwise requested to disclose either a SAR or any information that would reveal the existence of a SAR, the institution must decline to fulfill the request, cite the regulation and 31 U.S.C. 5318(g)(2)(A)(i), and notify FinCEN. The institution may also need to notify its primary federal regulator if the regulator’s rules require notification.

    Rules of Construction

    The revised regulations create certain rules of construction designed, among other things, to clarify the scope of the SAR disclosure prohibition. The first rule of construction allows a financial institution to disclose a SAR or information that would reveal the existence of a SAR (as well as supporting documentation) to FinCEN, any federal, state, or local law enforcement agency, any federal regulatory authority that examines the bank for compliance with the BSA, or any state regulatory authority administering a state law that either requires the financial institution to comply with the BSA or authorizes the state authority to ensure the institution complies with the BSA.

    The second rule of construction allows a financial institution to disclose the underlying facts, transactions and documents upon which a SAR is based (1) to another financial institution for the preparation of a joint SAR; and (2) in connection with certain employment references or termination notices allowed under banking laws, such as the permissibility of financial institutions including in an employment reference information concerning the possible involvement of an institution-affiliated party in a potentially unlawful activity.

    The third rule of construction allows institutions to share a SAR or any information that would reveal the existence of a SAR within the institution’s corporate organizational structure for purposes consistent with the BSA as determined by regulation or in guidance. The Guidance FinCEN released in conjunction with the revised regulations, entitled, “Sharing Suspicious Activity Reports by Depository Institutions with Certain U.S. Affiliates” (Guidance) further addresses the ability of institutions to share SAR information with certain affiliates. The Guidance defines an affiliate of a financial institution as any company under common control with or controlled by the institution.

    The Guidance states that a financial institution is allowed to share a SAR or information revealing the existence of a SAR with its controlling company, such as a bank holding company. Further, a financial institution may share a SAR or information revealing the existence of a SAR with an affiliate, provided the affiliate is subject to SAR regulations itself. The Guidance directs financial institutions, as part of their internal controls, to implement policies and procedures to ensure their affiliates protect the confidentiality of the SAR information that has been shared.

    Government Disclosure of SAR Information

    The revised rules also contained modified language with respect to the prohibition on disclosures by government entities. The regulations now specify that a federal, state, local, territorial or tribal government authority may not disclose a SAR or any information that would reveal the existence of a SAR, except when necessary to fulfill “official duties” consistent with Title II of the BSA. The rule specifically provides that “official duties” do not include disclosing a SAR or information that would reveal a SAR’s existence in response to a request for disclosure of nonpublic information or a request for use in a private legal proceeding.

    Safe Harbor Rules

    The revised rules also include clarifying language with respect to the limitation on liability for institutions that file SARs. The revised rules now specifically state that an institution will not be held liable for voluntary disclosures of possible violations of law and regulations to a government agency. The revised rules also limit liability that may exist “under any contract or other legally enforceable agreement (including any arbitration agreement).” This revised rule has been broadened to protect “disclosures,” whereas the old rule used the more narrow term “reports” in describing the liability limitations. Finally, the limitation of liability specifically states that it covers disclosures made jointly with another institution.

    The FinCEN Advisory

    Along with publishing the final rules discussed above, FinCEN published an Advisory directed to regulatory and law enforcement agencies, self-regulatory organizations and financial institutions for the purpose of reinforcing and reiterating the requirement to preserve the confidentiality of SARs and information revealing the existence of SARs. FinCEN recommended that institutions train all employees, agents and others that work with SAR information to be aware of their individual obligations to maintain confidentiality and the consequences for failing to maintain confidentiality, including civil and criminal penalties.

    FinCEN also suggested other risk-based measures to ensure SAR confidentiality, including limiting SAR access to a “need-to-know” basis, providing restricted areas for reviewing SARs, logging access to SARs, using cover sheets for SARs or documentation indicating a SAR was filed, or giving electronic notices that highlight confidentiality concerns before a person may access or disseminate the information. Law enforcement and regulatory authorities were also provided with suggestions to maintain confidentiality.


    The revised SAR regulations and related publications FinCEN recently released highlight the seriousness with which FinCEN treats SAR confidentiality. Financial institutions should review their SAR confidentiality practices in light of these new rules to ensure that each SAR and information that would reveal the existence or nonexistence of a SAR are disclosed only as necessary and consistent with these revised rules.