On March 3, 2009, the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (Proposed Rule), "Confidentiality of Suspicious Activity Reports," amending its regulations implementing the Bank Secrecy Act (BSA), effectively broadening the scope of the prohibition against disclosures of suspicious activity reports (SARs) by financial institutions and the US government. In conjunction with the Proposed Rule, FinCEN issued for notice and comment proposed interpretive guidance for depository institutions and for securities broker-dealers, mutual funds, futures commissions merchants and introducing brokers in commodities (collectively, Guidance) expanding the ability of such institutions to share SARs with certain US affiliates. The Proposed Rule and the Guidance were published in the Federal Register on March 9, 2009. 74 Fed. Reg. 10148 (Mar. 9, 2009). Comments are due by June 8, 2009.
The Proposed Rule is similar to proposals issued on March 9, 2009 by the Office of the Comptroller of the Currency (OCC) and the Office of Thrift Supervision (OTS), which, along with the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA), have parallel SAR requirements for their supervised entities. 74 Fed. Reg. 10130 (Mar. 9, 2009); 74 Fed. Reg. 10139 (Mar. 9, 2009). The Guidance was issued after consultation the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC), the FRB, FDIC, NCUA, OCC and OTS.
This Regulatory Alert briefly discusses the key aspects of the Proposed Rule and Guidance.
Confidentiality of SARs
The Proposed Rule would broaden the confidentiality language in the SAR regulations in two key ways. (The current FinCEN rules on SARs are located at 31 C.F.R. §§ 103.15-103.21. The OCC and OTS rules on SARs are located at 12 C.F.R. §§ 21.11 and 563.180, respectively.) First, the Proposed Rule would prohibit financial institutions from disclosing SARs to any person, not just persons involved in the transaction as is stated in the current regulations and in the BSA itself. The Proposed Rule states that this broad reading of the BSA prohibition has been upheld in the courts, which have created an unqualified discovery and evidentiary SAR privilege. This reading is also, to some extent, implicit in the current SAR provision, which permits the disclosure of SARs and information that a SAR has been prepared or filed only to appropriate supervisory and law enforcement agencies. These disclosures would still be permitted by the Proposed Rule. All other disclosures—such as in response to a subpoena or other request—would be prohibited, as they are now.
Second, the Proposed Rule would extend confidential treatment to SARs and any information that would reveal the existence of a SAR. The current SAR rules protect SARs and any information that a SAR has been prepared or filed, which has created some confusion among financial institutions. The confidentiality requirements in the Proposed Rule would cover anyone in a financial institution who may have access to a SAR or information that would reveal the existence of a SAR. It would also protect any SAR of which a financial institution may be aware, not just SARs prepared and/or filed by the financial institution itself (e.g., a joint filing made by another institution).
FinCEN has also provided in the Proposed Rule several rules of construction to help financial institutions understand the types of disclosures that are permitted by the confidentiality provisions. First, as noted above, a financial institution and its associated individuals would be able to disclose a SAR or information that would reveal the existence of a SAR to FinCEN or any federal, state or local law enforcement agency or any federal or state regulatory agency (and, in the case of broker-dealers, futures commission merchants and introducing brokers in commodities, to the appropriate self-regulatory organization (SRO)) that examines the financial institution for compliance with the BSA. Second, the SAR confidentiality rule would not prohibit the disclosure of the underlying facts, transactions and documents created in the ordinary course of business giving rise to the SAR, which the Proposed Rule notes is also consistent with case law. The Proposed Rule would permit the underlying facts, transactions and documents to be disclosed in connection with, for example, discovery in civil litigation and the sharing of information with other financial institutions to prepare joint SARs. Depository institutions, broker-dealers, futures commission merchants and introducing brokers in commodities would also be able to disclose this underlying information in certain employment references and termination notices.
Despite the broad prohibition in the Proposed Rule on sharing SARs and any information that would reveal the existence of a SAR with any person, including an affiliate, the third rule of construction in the Proposed Rule clarifies that depository institutions, broker-dealers, mutual funds, futures commission merchants and introducing brokers in commodities and their associated individuals would be able to share SARs and information that would reveal the existence of a SAR within their corporate organizations, if provided for in regulations or interpretive guidance. Such sharing could only occur for purposes that are consistent with Title II of the BSA, which states, "It is the purpose of this [title] to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism." 31 U.S.C. § 5311. The Guidance elaborates on this third rule of construction and would enable depository institutions, broker-dealers, mutual funds, futures commission merchants and introducing brokers in commodities to share SARs with U.S. affiliates that are also subject to SAR regulations.
While the Guidance would expand the scope of permissible affiliate information-sharing, it still may not go far enough for multinational financial institutions seeking to engage fully in enterprise-wide BSA compliance. Current FinCEN guidance permits sharing of SARs upward in an organizational structure to entities that are deemed to control the financial institution. For example, depository institutions can share SARs with their US or non-US head offices or controlling companies; broker-dealers, mutual funds, futures commission merchants and introducing brokers in commodities can share SARs with their US or non-US parent entities; and mutual funds can share SARs with the US or non-US investment adviser controlling the fund. The new Guidance would permit covered financial institutions to share SARs more broadly, with all US affiliates that have SAR filing requirements, subject to written confidentiality agreements.
The sharing of SARs would not therefore be permitted with US investment advisers, mortgage companies and other affiliates that are not subject to a SAR requirement or with non-US entities (other than the controlling entity, as noted above), although the underlying information could be shared with these entities. Affiliates receiving a SAR or information about the existence of a SAR would be prohibited from sharing the SAR or such information with another affiliate under any circumstance (even if such affiliate is subject to a SAR requirement). It may be challenging, even unrealistic, for broad-based and multinational financial institutions to disclose to affiliates with whom SAR sharing is not permitted only the underlying facts, transactions and documents of a suspicious incident without revealing that a SAR was filed. Moreover, the Guidance could similarly limit the effectiveness of a financial institution's centralized risk management system by preventing the client intake operations of some affiliates from accessing important information about clients or potential clients.
Disclosures by Government Authorities and/or Self-Regulatory Organizations; Other Provisions
Consistent with the Proposed Rule's prohibition on disclosures by financial institutions of SARs and any information that would reveal the existence of a SAR, the Proposed Rule would also strengthen the prohibition against such disclosures by officers and employees of federal, state, local, territorial or tribal government authorities and SROs, except as may be necessary to fulfill official duties consistent with Title II of the BSA (described above). Official disclosures of SARs and any information that would reveal the existence of a SAR would be permissible in response to a grand jury subpoena; a request from an appropriate federal or state law enforcement or regulatory agency; a request from an appropriate Congressional committee or subcommittee; and certain mandated prosecutorial disclosures. The proposed provisions, however, would not permit disclosures in response to requests for non-public information or for use in private legal proceedings.
In addition, the Proposed Rule would broaden the regulatory safe harbor language so that it tracks the safe harbor language of the BSA and would harmonize the SAR compliance audit provisions so that all such provisions would state the FinCEN or its delegates may examine the institution for compliance with the SAR requirement.
The effort by FinCEN and the banking regulators to enable financial institutions to share SARs with affiliates, while also strengthening the scope of the confidentiality of SARs, is welcome. The Proposed Rule and Guidance appear to create a tension, however, between the limitations on sharing SARs with only those US affiliates with SAR filing requirements and an institution's efforts, often encouraged by its regulators, to engage in enterprise-wide AML compliance and, more generally, centralized risk management. If appropriate confidentiality agreements and access controls are in place, it would seem feasible to permit the sharing of SARs more broadly and maintain their confidentiality.