Disclosure of fraudulent activity to authorities

Is it a violation of the customer's privacy if we were, without prior explicit consent from our customer, to report to the police a forgery that was perpetrated on our customer's account? We have received confirmation from the customer that she did not write the checks [and fortunately, we caught the forgery early enough to send the checks back within the midnight deadline.] Must it be left to her decision about if she contacts the police and when she does so, or do we have the right to be proactive and make the contact? Since this matter was caught early and we are returning items and closing the account, the customer may not see the need or urgency to take action, although one would think that she would want to take all precautions necessary to try to prevent the same thing from happening again.

I don't know that the police would take a report from the bank since the bank is not the "victim". The customer should make a report and the person or merchant who had a loss should make a report.

Take a look at what is allowed under 216.15 (also known as section .15 exceptions) of Reg P:

http://www.bankersonline.com/regs/216/216-15.html

(ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;

I suggest you review Tennnessee's financial privacy statute before you make any disclosure. (I do not have the citation.)

Regulation P and its parallel regulations are not a source of authority for making a disclosure. Nor are they a source of authority for prohibiting a disclosure other than an account number. All the regulation requires is that financial institutions give consumers disclosures of their practices and, if they make disclosures to third parties other than those “allowed by law” they must give the consumer a chance to opt out. This is simply not a disclosure the consumer has a right to opt out of.

For the sake of discussion, let’s look at what happened here. Someone forged checks against your customer’s account. It was caught early enough so that the checks were returned and the customer and the bank suffered no loss. You did not mention the amount, but if it was less than $5,000 and there was a identified suspect, no SAR would be required. If the suspect was not identified and the amount was less than $25,000, no SAR would be required. Loss to the bank is not a prerequisite for filing a SAR. What if you had not returned the checks in a timely manner? Would the bank have suffered a loss then?

If the amount exceeded the reporting thresholds, why would you not file a SAR? The perpetrator attempted to use the bank as a conduit for fraudulent activity. The SAR rule says “involving a transaction or transactions conducted through the bank” and “that the bank was used to facilitate a criminal transaction”. The forgery involved a “transaction conducted through the bank” and “the bank was used to facilitate a criminal transaction.”

Filing a SAR is not a violation of customer privacy. By filing a SAR, you might provide law enforcement with some information they can use to make their case. Sure the customer should file a complaint, and the persons who actually suffered losses should file complaints, but does that relieve the bank of its responsibility if the SAR reporting threshold has been exceeded?

I would say any SAR filing here would be voluntary because the attempted crime was forgery, a criminal act under state, not federal, law. The SAR content would be limited to that which the bank is allowed to disclose under RFPA.

Found the relevant portion of the Tennessee statute:

Tennessee: 45-10-104(b) Nothing in this chapter shall preclude any financial institution, or any officer, employee, or agent of a financial institution, from notifying a government authority that such institution or officer, employee, or agent has information which may be relevant to a possible violation of any statute or regulation. Such information may include the name or other identifying information concerning any individual, corporation, or account involved in and the nature of any suspected illegal activity. Such information may be disclosed notwithstanding any law or regulation of this state to the contrary. Any financial institution, or officer, employee, or agent thereof shall not be liable to the customer under any law or regulation of this state or any political subdivision thereof, for disclosure or for any failure to notify the customer of such disclosure.

What if Identity Theft is part of the equation? Do we know any of the circumstances surrounding the "forgeries"? I'm not arguing, I'm just exploring all of the possibilities. We know the signatures were forged, but do we know the circumstances surrounding the negotiation of the checks? Did the person negotiating the checks produce an identity with the customer's name on it?

This is just one of those situations where you have to explore all of the possibilities before making a decision on filing a SAR.

Thanks for all the helpful input...at this point we think the customer was a victim of someone who just went on a "week-end spree" and left the area. The checks surfaced over just a few days, and totaled around $7,000.00, all of which we were able to return before the midnight deadline.