#1961297 - 09/11/14 05:36 PM Home Depot Data Breach
banjo Offline
Gold Star
Joined: Feb 2005
Posts: 299
Are we required to file a SAR on the Home Depot data breach if Visa informs us that some of our cards were compromised? For some reason I thought there was guidance on this, but cannot locate it. Thank you.

BSA/AML/CIP/OFAC Forum
#1961389 - 09/11/14 08:14 PM Re: Home Depot Data Breach banjo
BrianC Offline
Power Poster
BrianC
Joined: Nov 2004
Posts: 6,712
Illinois
Since you cannot identify a suspect you would only file a SAR if the attempted transactions related to the breach reached $25,000.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com

#1961847 - 09/13/14 02:27 PM Re: Home Depot Data Breach banjo
Pat Patriot Act Offline
Gold Star
Pat Patriot Act
Joined: Apr 2009
Posts: 450
Visa informing you that the cards were compromised does not trigger a required SAR filing.

With that being said, it may be wise to just file the SAR and not over-think whether it's a required SAR or not. It'd be easier to manage and less controversial, in my opinion.

Arguably, you could track the cards and see if there are enough completed or attempted transactions to warrant filing a SAR - either now or months later.

In theory, you could argue against SAR filing because being on the Home Depot list does not necessarily mean that the attempted or completed fraud was a result of the Home Depot breach. Given the sheer number of breaches, it would certainly be a valid counterargument.

Whatever you do, make sure you at least conduct an investigation, consider SAR filing, and adequately support your decision.
_________________________
CFE, CAMS

#1961850 - 09/13/14 03:05 PM Re: Home Depot Data Breach Pat Patriot Act
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,350
Galveston, TX
With that being said, it may be wise to just file the SAR and not over-think whether it's a required SAR or not. It'd be easier to manage and less controversial, in my opinion.

I highly disagree with this statement. Without fraudulent transactions being attempted on the cards within the notification, of what value to law enforcement does this present and what law has been broken involving the bank? Wait until suspected transactions cross the $25,000 barrier unless you have a suspect.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#1961856 - 09/13/14 07:02 PM Re: Home Depot Data Breach rlcarey
Pat Patriot Act Offline
Gold Star
Pat Patriot Act
Joined: Apr 2009
Posts: 450
I didn't explain myself well. I did not intend to suggest the OP should file without any regard to the dollar volume, but it definitely reads that way. The point I should have made is that, based on my experience with this breach, you can almost guarantee that most banks have already had over $25,000 in attempted or completed fraud, so the non-filing based on threshold is probably a moot point for most banks.
_________________________
CFE, CAMS

#1961866 - 09/13/14 10:34 PM Re: Home Depot Data Breach banjo
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,350
Galveston, TX
most banks have already had over $25,000 in attempted or completed fraud


Most banks????? Really???
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#1961867 - 09/13/14 11:43 PM Re: Home Depot Data Breach banjo
Pat Patriot Act Offline
Gold Star
Pat Patriot Act
Joined: Apr 2009
Posts: 450
Is it really that hard to believe that a breach of this magnitude could have such an impact on financial institutions?????

Consider that the scope of the breach is every Home Depot location from April to September. Keeping in mind the sheer number of people that shop at Home Depot throughout the United States, it shouldn't be much of a surprise. At my $3 billion institution, roughly 20% of our customer base had been there. We reviewed the dollar totals of both attempted and completed fraudulent transactions during the scope of the breach, and the number was far in excess of the $25,000 mark (it actually exceeded $1 million). If that does not seem right to you (it seemed wrong to me at first too), remember: shutting down a card does not stop fraudsters from selling it on the black market; and it does not stop the purchasers of the compromised cards from attempting to use them.

I stand by my statement.
_________________________
CFE, CAMS


Moderator:  Andy_Z