“Fraud” and the 314(b) Safe Harbor
The Financial Crimes Enforcement Network (FinCEN) issued an updated fact sheet to clarify how financial institutions can share information with each other about suspected fraud, money laundering, terrorist activity and other specified unlawful activities (SUAs) under section 314(b) of the USA PATRIOT Act. Yes – you read that sentence correctly. This guidance directly addresses whether credit unions can share information regarding fraud offenses in general under the 314(b) safe harbor. Spoiler alert: the answer is “yes.”
The guidance reflects several recommendations America’s Credit Unions has made during its engagement with FinCEN and other agencies. Voluntary information sharing was also discussed at the most recent Bank Secrecy Act Advisory Group (BSAAG) Plenary Meeting, attended by America’s Credit Unions.
Back-to-Basics: What is 314(b) Information Sharing?
Section 314(b) allows financial institutions (and associations of financial institutions) to share information with one another, under a safe harbor that offers protections from liability, to improve the identification and reporting of activities that may involve money laundering or terrorist activities. Participation is voluntary. However, FinCEN strongly encourages involvement, as it strengthens institutions’ ability to manage illicit finance risks and supports the government’s efforts to detect and prevent financial crime.
To receive safe harbor protection, credit unions that choose to participate in 314(b) information sharing must register with FinCEN, designate a point (or points) of contact, verify that the other financial institution is a 314(b) registrant before sharing any information, and have procedures in place to ensure the security and confidentiality of information received from other 314(b) institutions. Instructions are available in the fact sheet and also at www.fincen.gov/resources/financial-institutions.
What information can be shared under the 314(b) safe harbor?
According to the updated guidance, credit unions may rely on the 314(b) safe harbor to share information with other participating institutions regarding “individuals, entities, organizations, and countries for purposes of identifying and, where appropriate, reporting activities that may involve possible terrorist activity or money laundering - which may include information about fraud and other specified unlawful activities (SUAs).”
Activity constituting a SUA is defined in 18 U.S.C. § 1956, which lists the crimes associated with a money laundering offense. These SUAs include a range of fraud offenses, including, but not limited to, mail fraud, wire fraud, bank fraud, health care fraud offenses, securities fraud, and fraud connected to unauthorized access of a protected computer - see 18 U.S.C. § 1956(c)(7).
Bottom line: the guidance explicitly states that “fraud offenses are SUAs for money laundering offenses.” Therefore, when a credit union suspects that a transaction involves the proceeds of fraud (or other criminal activity), or is intended to further or conceal such activity, it may share relevant information with other 314(b)-participants.
A credit union may also share information related to activities that may involve possible terrorist activity or money laundering even when they do not constitute a “transaction,” under the Bank Secrecy Act or elsewhere. For example, where the other conditions of section 314(b) are satisfied, a credit union may share information on:
• Attempts to engage in transactions that it suspects may involve money laundering or terrorist activity; and/or
• Attempts to induce others to engage in transactions, such as in a money mule scheme.
No Limits on Information Sharing under the Safe Harbor
The guidance further explains that “the BSA imposes no limitations on the sharing of personally identifiable information under the section 314(b) safe harbor where such sharing is otherwise consistent with section 314(b) and its implementing regulations.”
For example, the types of information credit unions may share include:
• Transaction information; video surveillance footage;
• Cyber-related data (such as IP addresses and geolocations);
• Device identification numbers;
• Decisions related to account creation, maintenance, closure, or services (and related research and analytical materials);
• Transaction monitoring system alerts; and
• Indicators that activity may be suspicious, including newly added payees followed by large transfers, multiple accounts with the same or similar identifying information, and login activity from geographically distant locations.
There are also no limitations on how information can be shared, provided that the sharing is consistent with section 314(b) and its implementing regulations. Credit unions may share information verbally or in writing, as well as through electronic platforms. They may also share information in real time as the activity is occurring.
Sharing may occur between one financial institution or association of financial institutions and another, or financial institutions and associations of financial institutions may share information within a group of participating financial institutions or associations of financial institutions.
Regardless of how information is shared, all participating financial institutions must maintain adequate procedures to protect the security and confidentiality of all information shared pursuant to section 314(b) and may only use the shared information for anti-money laundering/countering the financing of terrorism (AML/CFT) purposes.
Last but not least: what about Suspicious Activity Reports? No update here. Financial institutions participating in 314(b) information sharing remain prohibited from disclosing a SAR or any information that would reveal the existence of a SAR. However, 314(b)-collaborating institutions that file joint-SARs may freely discuss a prospective or already filed joint SAR among themselves and share its contents.
This blog post only hits the highlights of the updated fact sheet, which includes several helpful FAQs that every credit union should review. Click here to read more. Questions? Contact the Compliance Team at [email protected].