Should banks be criminally liable for not reporting fishy emails?

Since Congress passed the Bank Secrecy Act in 1970, banks and other financial institutions have had a legal obligation to report suspicious customer activity to the government or risk regulatory penalties and even criminal prosecution. The purpose is to enlist banks in the fight against narcotics trafficking, tax evasion, terrorist financing and other criminal activity. Federal authorities have imposed billions of dollars in penalties against banks and other institutions that allowed crimes to be carried out on their watch.

This past February, the Financial Crimes Enforcement Network proposed a new rule that has the potential to significantly alter the reporting requirement, adding a new category for flagging suspicious “cyberevents.” Unlike the other categories on the standard “suspicious activity report,” or SAR, which pertain to misuse of a financial institution’s accounts by customers or employees, the “cyberevent” category requires institutions to detect and report all varieties of digital mischief, whether directed at a customer’s account or at the bank itself. For example, the new proposed SAR form has specific instructions to report the use of malware, or even receipt of a suspicious email address or file name.
