TIP: This Compliance Courier was prepared by one of The League’s Compliance Specialists – Julie Jennerjohn. She is a CUNA-certified Bank Secrecy Act Compliance Specialist (BSACS), as are all of our Specialists. To learn more about how the Compliance Specialist program could help your credit union, contact Paul Guttormsson.
Yes and no! FinCEN encourages financial institutions, including credit unions, to voluntarily report significant or damaging cyber-events[1] and cyber-enabled crime[2] even when the activity does not require a suspicious activity report (SAR). For example, if someone attempted to disrupt the services provided through the credit union's website, but the credit union's investigation found that the attempt could not have affected any transactions, a SAR is not required. Filing one is still encouraged, because this kind of information is valuable to law enforcement agencies in their investigations.
Credit unions are already required to report a suspicious transaction conducted or attempted by, at, or through the credit union that involves or aggregates to $5,000 or more in funds or other assets. Building on that requirement, FinCEN Advisory FIN-2016-A005 states that if the credit union knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, those transactions are reportable: they are unauthorized, they are relevant to a possible violation of law or regulation, and they regularly involve efforts to obtain funds through illegal activity.
Gather all of the information surrounding the cyber-event, including which systems and information were targeted and the nature of the event. In determining whether the dollar threshold is met, the credit union should consider in aggregate the funds and assets that were involved in or put at risk by the event. The Advisory gives examples, not an all-inclusive list, of circumstances that require a credit union to file a SAR. Reviewing these examples should help the credit union understand the nature of events that trigger a mandatory filing.
When completing a SAR, credit unions should follow the guidance in FinCEN's Frequently Asked Questions Regarding the FinCEN Suspicious Activity Report (SAR) and in the October 2016 Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs) that accompanied the Advisory. The cyber FAQ lists the information that should be included in a SAR, such as the source and destination of the activity (for example, IP addresses with timestamps), the files and accounts involved, the usernames of the subjects, and any modifications made to the credit union's systems.
The SAR form already has fields credit unions can use when reporting cyber-related activity: Item 44 takes IP addresses, Item 19a takes website/URL addresses, and Item 19 takes e-mail addresses. Other fields help the credit union characterize the event or the suspected crime. In Part II, for example, the credit union can check Item 35q, "Unauthorized Electronic Intrusion," or Item 35a, "Account Takeover," as applicable.
Build the narrative using the same "who, what, where, when, why, and how" rule of thumb that applies to every SAR filing. A clear and concise narrative tells the agencies reading the report what activity the credit union believes is suspicious, and why and how the credit union concluded that a SAR was warranted.
Compliance tips:
- Keep in mind that with this type of SAR you may need to rely on more than frontline staff to identify suspicious activity. Other departments, such as Operations and IT, may be critical to the investigation and documentation of the transaction(s) or event.
- Consider incorporating cyber-related information into your BSA/AML program, including your suspicious activity monitoring, identification, and reporting processes.
Note: The League recently submitted a comment letter generally supporting a proposed NCUA rule that would require a federally insured credit union (FICU) to notify the agency within 72 hours after a "reportable cyber incident" (such as computer hacking or a ransomware attack). "Prompt reporting can alert regulators to new threats," we wrote, "helping the industry as a whole head off potentially catastrophic consequences quickly and efficiently." However, we urged the NCUA not to shorten the reporting deadline to 36 hours, the standard that the federal banking regulators have recently imposed. We argued that the 72-hour deadline is "more reasonable and realistic," especially for smaller FICUs with limited resources and small staffs.