Examples of SAR-required reportable cyber events include malware intrusions that put customer funds at risk, intrusions into a bank’s systems or networks and distributed denial of service attacks that prevent financial institution personnel from stopping an unauthorized money transfer. The guidance includes the kinds of information that must be reported in a cyber-related SAR.
The guidance added that banks may voluntarily report cyber events even when a SAR is not required, such as a DDoS attack that could not have affected any transactions. FinCEN said:
SAR reporting of cyber events, even those that may not meet mandatory SAR-filing requirements, is highly valuable in law enforcement investigations. For example, BSA reporting by more than 20 financial institutions – on transactions related to cyber-enabled crimes – played an important role in the investigation of an internet-based company, its co-founders and other collaborators.
FinCEN noted that the advisory does not change existing BSA or other regulatory requirements. It also issued a set of nine frequently asked questions to help BSA officers file reports on cyber events and cyber-enabled crimes.
Read the advisory.
Read the FAQs.