In light of the proliferation of cybercrime affecting consumers and financial institutions, on October 25, 2016, the FinCEN (Financial Crimes Enforcement Network) issued an advisory and FAQ to U.S. financial institutions regarding their Bank Secrecy Act (BSA) obligations related to cyber-events and cyber-enabled crime. The advisory is targeted at four specific areas:
In this advisory, FinCEN introduces three concepts: the cyber-event, cyber-related crime, and cyber-related information. Cyber-event is defined as an “attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.” Cyber-enabled crime is defined as “illegal activities (e.g., fraud, money laundering, and identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.” Finally, cyber-related information is defined as “information that describes technical details of electronic activity and behavior, such as IP addresses, timestamps, and Indicators of Compromise (IOCs). Cyber-related information also includes, but is not limited to, data regarding the digital footprint of individuals and their behavior.”
Cyber-events can involve fraud, identity/credential theft, and misappropriation of funds, or it can involve illicit proceeds from events such as a ransomware attack or the theft of credit card information. A financial institution is required to report a suspicious transaction of $5,000 or more. If a financial institution knows or suspects that a cyber-event was part of a transaction at the financial institution, the cyber-event should be considered an attempt to conduct a suspicious transaction. In determining whether a cyber-event should be reported, a financial institution should consider all available information, including the information and systems targeted, and the aggregate funds and assets involved. Financial institutions will also need to comply with any other SAR obligations required by their functional regulator.
FinCEN also encourages financial institutions to report other types of cyber-events that may not otherwise require filing of a SAR, such as a distributed denial of service attack (DDoS). The advisory further encourages financial institutions to include available cyber-related information when filing either a voluntary or required SAR. SARs involving cyber-events should include (to the extent available):
For additional information, please refer to the FinCEN advisory and the FAQ.
If you have further questions about your institution’s obligations related to cyber-events and cyber-enabled crime, please contact George Meinz.
Gray Plant Mooty is recognized as one of the leading corporate law firms in Minnesota and one of the top franchise firms in the world. Our roots go back to 1866. Today, we are a full-service firm with nearly 180 attorneys and offices in Minneapolis and St. Cloud, Minnesota; Washington, D.C.; and Fargo, North Dakota.