Keeping Secrets: SAR Confidentiality

We know that what is old is often new again, and this is true even in compliance. Each Thursday, we revisit previously published blogs, updating them as necessary to provide the most current information needed to navigate recurring compliance challenges.

Many credit union compliance professionals are familiar with Suspicious Activity Reports (SARs). Section 748.1(d) of the NCUA regulations and section 1020.320 of the Financial Crimes Enforcement Network’s (FinCEN’s) regulations require a credit union to file a SAR in certain situations. However, even when a SAR is not required, a credit union may choose to file one voluntarily if it feels a transaction merits the attention of law enforcement.

Although many credit unions file SARs regularly, they are not allowed to talk about them: federal laws and regulations impose strict confidentiality rules relating to SARs. Section 1020.230(e) states that the SAR itself, as well as any information that would reveal the existence of a SAR, is confidential and may not be disclosed unless a specific exception applies. This means that, in most circumstances, a credit union is prohibited from disclosing whether a SAR has been filed, even when a member wants to know if he or she has been the subject of a SAR.

Let’s review some of the other aspects of this confidentiality:

•    Subpoenas. Section 1020.230(e)(i) specifically states that a credit union should not disclose a SAR, or information that would reveal the existence of a SAR, even if that information is requested in a subpoena. If a credit union receives such a subpoena, then the regulation instructs the credit union to decline to produce the SAR or information sought and to notify FinCEN of the request and the credit union’s response to it.

•    Other financial institutions. Credit unions and other financial institutions may agree to voluntary information sharing under Section 314(b) of the USA PATRIOT Act.

While 314(b) allows credit unions to share or receive information regarding potential illicit activity, the FFIEC’s BSA/AML Examination Manual notes that 314(b) does not permit sharing information that would reveal the existence (or even the nonexistence) of a SAR: “[S]ection 314(b) does not authorize a financial institution to share a SAR, nor does it permit the financial institution to disclose the existence or nonexistence of a SAR. If a financial institution shares information under section 314(b) about the subject of a prepared or filed SAR, the information shared should be limited to underlying transaction and customer information. A financial institution may use information obtained under section 314(b) to determine whether to file a SAR, but the intention to prepare or file a SAR cannot be shared with another financial institution.”

See also: “Fraud” and the 314(b) Safe Harbor (America's Credit Unions).

Note that a credit union is permitted to share the underlying facts that led to the SAR (see below).

When Disclosure is Permitted

So, when can a SAR (or information revealing the existence of a SAR) be disclosed? Section 1020.230(e)(1)(ii) provides some exceptions to the confidentiality rule:

•    Law Enforcement. Section 1020.230(e)(1)(ii) does not prohibit a credit union from disclosing a SAR or information that would reveal the existence of a SAR to “any Federal, State, or local law enforcement agency.” The FFIEC manual notes that disclosure is permissible when made to “appropriate” federal, state and local law enforcement agencies.

•    Federal and State Regulators. The regulation also states that it does not prohibit disclosing the SAR (or information revealing the existence of the SAR) to “any Federal regulatory authority that examines the [credit union] for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the [credit union] to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the bank complies with the Bank Secrecy Act.” Thus, a credit union can reveal SARs and information relating to SARs to the NCUA and/or its state regulator.

•    Underlying Facts. The regulation states that it does not prohibit a credit union from disclosing “the underlying facts, transactions, and documents upon which a SAR is based.” This includes sharing this information with other financial institutions, such as under a 314(b) information sharing program or when preparing to file a joint SAR.

•    Internal Sharing. Section 1020.320(e)(1)(ii)(B) permits a credit union or any director, officer, employee or agent of a credit union to disclose a SAR, or information revealing the existence of a SAR, “within the [credit union’s] corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance.”

Consequences

FinCEN Advisory FIN-2012-A002 reminds financial institutions that the unauthorized disclosure of a SAR constitutes a violation of federal law. Accordingly, all employees, agents, and other individuals entrusted with SAR information should be advised of their obligation to maintain strict confidentiality. This obligation extends not only to the SAR itself, but also to any information that could reveal the existence or non-existence of a SAR. Such individuals should also be made aware that failure to uphold these confidentiality requirements may subject them to significant legal consequences, including civil and criminal penalties.