The Security Officer's Role, Part VI
Up to now, we've discussed the security aspect of the Security Officer's role and responsibilities. If, as in many financial institutions, the Security Officer is also the Bank Secrecy Act (BSA) Officer, there are some additional training, requirements, and reporting responsibilities.
Suspicious Activity Reporting
It is the BSA Officer's responsibility to ensure that Suspicious Activity Reports (SARs) are filed with the appropriate Federal law enforcement agencies and the Department of the Treasury when the institution detects a known or suspected violation of Federal law, or a suspicious transaction related to a money laundering activity or a violation of the Bank Secrecy Act. It is also the responsibility of the alert Security Officer to see that such reports are filed with state and local law enforcement when appropriate.
- A SAR must be filed within 30 days of the discovery when there is any known or suspected employee or other insider abuse - regardless of the loss amount and even if there is no loss.
- Filing is also required within 30 days after initial detection for a singular or aggregate loss of $5,000 or more in funds or other assets where the suspect can be identified and particularly if an alias was used.
- If the singular or aggregate loss is $25,000 or more in funds or other assets, a SAR must be filed within 30 days from discovery (60 days if a suspect cannot be identified).
- A SAR must be filed within 30 days for transactions involving or aggregating $5,000 or more that involve money laundering, terrorist financing, identity theft or any known or suspected BSA violation.
- A SAR must also be filed for what is termed "suspicious activity." This includes transactions involving funds from illegal activity, or conducted in order to hide or disguise funds. Any attempt to violate or evade any law is considered to be reportable. This would include tax evasion or structuring. The requirement is stated this way: "The transaction has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction."
- Computer intrusions (excluding websites and other non-critical information systems) that are designed to compromise funds or critical information, or to disable the information system are also reportable.
- Robbery or burglary committed or attempted should not be reported as suspicious activity on a SAR. Neither should a SAR be used for reporting lost, missing, counterfeit or stolen securities.
All records substantiating the facts that would normally be filed physically with a Suspicious Activity Report must be kept for five years from the date of filing and made available on request of law enforcement for their investigations. No records are to be sent with the SAR when the report is filed. The details of how to complete the form and how to file it are all included in the instructions on the SAR.
It is the responsibility of the BSA Officer to ensure that the institution is in compliance with all SAR instructions, including timely filing and the retention and maintenance of records.
Report to the Board of Directors
Regulation H and all the other similar regulations require that the filing of SARs be reported to the Board of Directors. Details of the report are not necessary, in the opinion of most BSA officers, but the fact that a report has been filed as required by regulations should be noted in the minutes of the Board.
SARs are confidential. The fact they are completed and filed must not be disclosed to anyone, even under subpoena. The regulation is very clear on this fact. "Any member bank subpoenaed or otherwise requested to disclose a SAR or the information contained in a SAR shall decline to produce the SAR or to provide any information that would disclose that a SAR has been prepared or filed citing this section, applicable law (e.g., 31 U.S.C. 5318(g)), or both, and notify the Board." FinCEN has instructed that any request for information about a SAR be referred directly to them.
You and your financial institution are both protected from any lawsuit from the subject of a SAR by the safe harbor provisions of the United States Code (31 U.S.C. 5318(g)), which exempts any financial institution that makes a disclosure of any possible violation of law or regulation from liability under any law or regulation of the United States, regardless of whether such reports are filed pursuant to the regulation or are filed on a voluntary basis.
Monitor BSA Compliance
The regulations also say you must monitor your BSA program, by establishing a compliance program spelling out, in writing, the recordkeeping and reporting requirements. This has to be approved by the Board of Directors.
Your written program must:
- Provide for a system of internal controls to assure ongoing compliance;
- Provide for independent testing for compliance to be conducted by bank personnel or by an outside party;
- Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and
- Provide training for appropriate personnel.
(This series of training pages is for the new and/or experienced Security Officer. Dana Turner is a security practitioner and the author of the Financial Institution Security Library. He serves as a moderator on BankersOnline.com's Security Forum and is a frequent contributor to the Bankers' Hotline. Dana can be reached at (830)535-6500 or at email@example.com)
Copyright © 2005 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 15, No. 1, 2/05
First published on 02/01/2005