Need it in writing! Help:

Board members at our bank are providing tables detailing information on each SAR filed. Management discusses the SARs with the Board and said they do this because the Board may provide input on the activities of the suspects listed in the SARs. Mgmt said that sometimes if a board member knows the customer they will speak with them about their "activities" without revealing anything about SARs or CTRs, etc. This is a big no-no all around in my opinion and should not continue.

However, this was not an issue during the recent BSA exam-somehow -(I was not there)- so mgmt thinks it is acceptable since no names are included specifically in the minutes. (These practices are not documented just verbally confirmed from mgmt.)

I feel that the confidentiality required for SARs includes the Board.

What are your practices and do you have written
documentation to validate those practices?

Mgmt. feels like their practices are ok and want something in writing that specifically states those actions are unacceptable.

We give very basic info to the board..no details/no names...for their protection on confidentiality...sorry, it is not in writing.

Some banks do give names to the board, some do not. The part that concerns me in your post is this:

"Mgmt said that sometimes if a board member knows the customer they will speak with them about their "activities" without revealing anything about SARs or CTRs, etc. This is a big no-no all around in my opinion and should not continue. "

Names or no names, this is a huge risk.

I posted the initial message!

While I completely feel that the practices that are going on are too high risk to continue-and have expressed this to mgmt. -they have said they think their practices are appropriate and will continue until proven otherwise.

Perhaps you'll find some support in
Federal law (31 U.S.C. 5318(g)(2)) or FDIC rule located at 12 CFR Part 353 (g).
There's also a semi-pertinent court case that was mentioned in another thread some time back (look for a thread using the terms 'Grand Jury', 'subpoena', 'SAR'.

Doing my best Caveman Lawyer impersonation....
The line you do not want to cross is telling the wrong person "We filed a SAR that says.....". The facts underlying the SAR can be discussed ("We're concerned about this situation...."), but not the existence of the SAR. In my own head I compartmentalize it that the SAR belongs to FinCEN, and the facts belong to me.

Anon #365920,
If there is any justice, the examiners who conducted surveillance on a customer at another poster's bank wil examine you next time. They can sit around with your senior management and your board and swap cop stories with their thumbs in their Sam Browne belts.

Do not make this a career issue. Leave yourself a paper trail pointing in the right direction and drop it.

Interesting discussion, but I'm a little confused about what the original poster is taking issue with. Board members are provided tables detailing information on each SAR filed. Nothing wrong there. In fact, it's even ok to give the directors actual copies of the SARs, if that's what they want.

Management discusses the SARs with the Board and said they do this because the Board may provide input on the activities of the suspects listed in the SARs. Nothing wrong there either.

Mgmt said that sometimes if a board member knows the customer they will speak with them about their "activities" without revealing anything about SARs or CTRs, etc. Nothing wrong here, either, as long as it is true that nothing is disclosed about the filing of a SAR or that the customer is under some suspicion.

Confidentiality of SARs does include the Board, but nothing has been said indicating that the directors have, in fact, breeched that confidentiality, only that they have discussed a customer's activities with them. In my experience, it's quite common, and actually encouraged by management, for directors to engage customers in discussions about their business. It's called community outreach.

So, given what's been presented here, I can see why the examiners didn't take exception to the bank's practices. The bank did nothing wrong! I can only imagine the outrage if an examiner tried to tell banks that directors couldn't talk to customers just because they MIGHT disclose the filing of a SAR. AR.

Quote:

---

Mgmt said that sometimes if a board member knows the customer they will speak with them about their "activities" without revealing anything about SARs or CTRs, etc. This is a big no-no all around in my opinion and should not continue.

---

So, board members talking to the object of a SAR about their activites is okay? I've met a few hundred bank directors and I'm struggling to think of one who might have been competent for the task. This is like playing Russian Roulette with an automatic.

You really should be out of the closet when you say stuff like this.

Without commenting on the general competency of board members (I've met a number myself, and let's just say that Ken's assessment is perfectly understandable...) Step back for a second and think about who is on a typical board of directors. They're not usually bankers (duh), they are heavyweights politically, and commercially. By commercially, I mean they are drawn from industries or specific companies that the bank has close business relationships with.

With all due respect to AnonRegulator, the Board of Directors is not a body that I would feel comfortable sharing 1)the existence of a specific SAR, 2)the details contained in a specific SAR. And the thought that they will, in turn, go have a chat with the object of a SAR about 'their activities' just gives me the terminal creeps.

Just think about this in the specific example of a SAR based on suspected structuring:
"Ms. Boardmember, we filed a SAR on so-and-so because based on this string of cash deposits, there's a possibility that they are structuring to avoid cash transaction reports."
"Oh, I know them, I'm sure they don't realize it looks like they're structuring. I'll go talk to them about it."

If you did it, it would be illegal. If a teller did it, it would be illegal. If a board member does it, it's OK?

Have I misunderstood something along the way?

When the original poster said that directors talk to customers about their activities, I took that to mean they were talking them about their business in general in order to put the specifics of the suspicious activities into context. We can argue what was meant and what they actually do all we want here, but my point was that with what was presented, there is no evidence of any violations. No SARs were disclosed to subjects of those SARs. We weren't told that directors told customers they were under suspicion for something. We were told of directors having conversations with customers about their business. So, no, you didn't miss anything.

Ken Pegasus: Your "out of the closet" comment is out of line. Retract it.

No. You post as Anon Regulator rather than Anonymous because you want the presumptive credibility that attaches to it in the minds of some people. If you had posted as Anonymous, my response would have been exactly the same, minus the last sentence.

AR had stated his reasons for his moniker in the past. Some folks would take his comments as official OCC positions and he can't do that. Heck, look at my signature. "Its all good."

I will say that my experience is limited to two small community banks but the board had been given SAR copies up until they adopted a new policy appointing a committee to do this on their behalf. That happened to be about the time I headed security. What a coincidence.

I know Ken's position on this. But if I were a director and knew of the BSA mess our industry is involved in and knew I was one of those "ultimately responsible" I would have a hard time with someone telling me that I had no need to know anything other than very raw basics. I think to do this requires that they have great confidence in the staff executing these policies. I also think they do need some details. I do not think they should ever approach the customer for fear that they could say the wrong thing or compromise ongoing activities.

We provide extensive details on the situation but no name unless it gets to look like a "really big deal". Our directors have been educated in the legalities of revealing too much to customers and would NEVER approach a customer who has had an SAR filed. Otherwise they talk with customers regularly. This is a very special situation and they know we have procedures for the cases where a customer will be spoken with about the situation. They leave that to the people they are paying to do that and who have the expertise.

I would again encourage everyone to read the latest version of the FDIC examination policies and see what the FDIC says about this issue. The bottom line appears to be the regulators fully expect that the Board of Directors be fully briefed on the filing of sars and that this secrecy with disclosing too much information with the Board of Directors is most likely a little misguided. I would hate to be the one telling the regulators that we don't openly share this information with our Board because we feel they are incompetent of understanding the confidentiality rules - not a great vote of confidence in your Board.


Notification to Board of Directors of sar Filings

Section 353.3 of the FDIC’s Rules and Regulations requires the financial institution’s board of directors, or designated committee, be promptly notified of any sar filed. However, if the subject of the sar is a senior officer or member of the board of directors of the financial institution, notification to the board of directors should be handled differently in order to avoid violating Federal laws that prohibit notifying a suspect or person involved in the suspicious transaction that forms the basis of the sar. In these situations, it is recommended that appropriate senior personnel not involved in the suspicious activity be advised of the sar filing and this process be documented.

In cases of financial institutions that file a large volume of sars, it is not necessary that the board of directors, or designated committee thereof, review each and every sar document. It is acceptable for the BSA officer to prepare an internal tracking report that briefly discusses all of the sars filed for a particular month. As long as this tracking report is meaningful in content, then the institution will still be meeting the requirements of Part 353 of the FDIC’s Rules and Regulations. Such a report would identify the following information for each sar filed:

• Customer’s name and any additional suspects;
• Social Security Number or TIN;
• Account number (if a customer);
• The date range of suspicious activity;
• The dollar amount of suspicious activity;
• Very brief synopsis of reported activity (for example, “cash deposit structuring” or “wire transfer activity inconsistent with business/occupation”); and
• Indication of whether it is a first-time filing or repeat filing on the customer/suspects.

Such a tracking report promotes efficiency in review of multiple sar filings. Nevertheless, there are still some sars that the board of directors, or designated committee thereof, should review individually. Such “significant sars” would include those that involve insiders (notwithstanding the guidance above regarding the handling of sars involving board members and senior management), suspicious activity above an internally determined dollar threshold, those involving significant check kiting activity, etc. Financial institutions are encouraged to develop their own parameters for defining “significant sars” necessitating full reviews; such guidance needs to be written and formalized within board approved BSA policies and procedures.

In an attempt to refocus, Kaybee's response and my own were clearly directed toward the advisability of having board members talking to the object of a SAR about their activities. (Only because I am trying not to be inflammatory, I will my raise my estimation of that practice to describe it as "foolish.") Neither of us picked up the dog-eared discussion about how much information should be reported to the board.

As to the wisdom of sharing all the relevant information with the entire board, it's only an issue in small institutions. Its been well debated here. Even those who do not think it's necessary (me included) have acknowledged that large dollar cases and those involving employees or directors should be individually reported to the board or, preferably, a designated committee.

There is no new information, only differing points of view.

However, perhaps the ABA's Letter in connection with EGRPRA might be a helpful resource. It advocates that the requirement to report SARs to the board be discontinued. A couple of key phrases from the letter are to the effect that the requirement, "...is inconsistent with rational risk management responsibilities... and "...it adds further risk to information security issues without concomitant benefit to the bank." That's not a new perspective, it's been offered here several times in support of sanitizing the information given to the board. However, the ABA clearly thinks the board's involvement is either more dangerous or more meaningless than put forth here - they want it eliminated entirely.

As I have already stated, I do not support board members approaching customers on whom the bank has filed SARS.

On the side topic, one consideration in board reporting is HOW. Is a written report included in each members board package? Does it leave the building - either mailed to them in a package before the meeting or handed out at the meeting and taken away?

I - and our directors - do not want a document with names, socials, account numbers and the facts that an SAR has been filed - floating around. What if they are in an accident on the way to or from the meeting? Do they secure these documents at home or their place of business? If these documents end up in the street after an accident or an unauthorized person sees them at the directors home or office, you have an information security breech and a breech of SAR confidentiality.

Same with putting copies of the SARs in their packages.

Also consider who else is in the board room at the time the report is made. Are there other managers who have no need to know in attendance waiting to also make reports?

This is not an easy reporting requirement to deal with but all angles need to be considered.

Please provide a link to the FDIC's exam procedures listing this information--can't find it. Thanks!

FDIC - Suspicious Activity Reporting

Kaybee, when we gave the board materials, they were distributed at the meeting, not early. They were presented more than discussed, and the report was collected back and went to the shredder.

That is an excellent way to handle it, Andy. These types of reports need to be treated as the confidential information that they are.

The real hazard here is the confidentiality of Board Minutes. If you put too much SAR information in the Board minutes, you risk disclosing that information to people who have no need to know, and you have the risk that those people will inadvertently disclose the information to someone else who has no need to know. You can protect SARs from disclosure, but can you protect your Board Minutes?

I am surprised nobody has mentioned anything about financial institutions having a "safe harbor" when filing SAR's. This means banks and their employees who report suspicious or potentially criminal activity to appropriate law enforcement are protected from civil liability, if they follow the regulations and requirements for filing SAR's.

One of the requirements is strict confidentiality from all employees, including the Board about the filing of a particular SAR and most importantly, the individual or business the SAR was filed on. The more people who know of a SAR a bank filed, the higher probability the word gets out in the public. If this happens, the bank may no longer have a "safe harbor".

This question really depends on much risk, both financial and reputational risk the bank wants to engage in. I feel the fewer who know the better. Also, since financial institutions have a safe harbor, we always error on the side of caution when filing SAR's. After all, the activity only has to be suspicious.

In the rare case that board minutes are subpoenaed, they should be thoroughly reviewed before being released. If there is anything in the minutes relating to the filing of a specific SAR (a statement that the board was informed of 15 SAR filings would be OK, but any detail that included names or specifics of the filings would not) should trigger a call to the bank's regulator before the release.

If the bank keeps detailed minutes that reference specific SAR filings, that information should be in a schedule or appendix to the minutes and redacted before release in response to a subpoena.

I think that the entire point is being lost that the reason for the agency regulations regarding the reporting of SARs to the board is to ensure that directors have the information necessary to effectively exercise their responsibility to supervise the bank and bank management. How can this be accomplished when a director is only told that X number of reports were filed?

Honestly, as has been mentioned previously, the directors have a legal duty to maintain the confidentiality of SARs. I agree that having a director "counsel" customers about their activity is dangerous in terms of a potential inadvertent disclosure. However, to use this or simple paranoia as a basis for not providing directors the detail they need, and that the regulations explicitly intended, is absolutely wrong.

I not sure why the continued argument about specifically what information is required to be given to the BOD. Did anyone bother to read what the FDIC said about the reporting requirements in their examination manual? They pretty much have laid out a road map as to what specifically is required to be communicated. What's the argument and why is it continuing?

I'm with John, in the rare case your Board records are subpoenaed - redact the information. End of story.

It may be that someone who’s higher on the food chain than one of us gets to say where the story ends.

The agencies could supply the end of the story by incorporating the FDIC’s advice in the upcoming interagency examination procedures. At this point, only the FDIC, in interpreting its own regulation, has suggested reporting the intimate details of the SAR to the board is necessary. In one of the banks they supervise, it would take someone with a great deal of self confidence and subject matter expertise to defend supplying something less than a matrix reflecting the listed information. However, the FDIC's advice has no impact on institutions they do not supervise.

On the other hand, the ABA could obviously write an alternative ending. Bolstered by common sense, they could get the agencies to remove their requirements to report SARs to the board altogether.

A lot of people are tired of this issue, but it seems to upset you the most. Why don’t you challenge whoever brings it up (including the person who brought it up here) mano a mano. For your choice of weapons, I suggest copies of today's Federal Register at 10 paces.