Skip to content

When Hacking Triggers an SAR

Answered by: 

Question: 
Does the Bank have a responsibility to file a SAR on those individuals who attempt to "hack" into our computer system? If so, what if we do not have much information on them to complete the SAR with?
Answer: 

A recent issue of the SAR Activity Review covered this subject in some detail. We wrote about it in our article, "Tips on Suspicious Activity".

The bottom line is that you are required to file a SAR on a "computer intrusion". Computer intrusion is defined as gaining access to a computer system of a financial institution to:
a. remove, steal, procure or otherwise affect funds of the financial institution or the institution's customers;
b. remove, steal, procure or otherwise affect critical information of the financial institution including customer account information; or
c. damage, disable, disrupt, impair or otherwise affect critical systems of the financial institution.

If your situation doesn't fit this criteria, don't report it on a SAR.

These examples, given by FinCEN, help illustrate scenarios that would trigger the reporting requirement:

The perpetrator may be an insider (e.g., an employee of the financial institution) who has misused or overridden his/her authority to access and manipulate computer-based customer information.

The perpetrator may be an outsider who has somehow hacked his/her way into the financial institution's critical computer system that contains customer data.

The report indicated that apparently institutions are either not reading the instructions closely, when it comes to reporting computer intrusions, or are simply misinterpreting those instructions. Close to half (64 out of 147) of the SARs dealing with computer intrusions should not have been filed! Only 83 of the reports that dealt with computer intrusions actually described activities that were considered "computer intrusions" as the term is defined in the SAR instructions.

Your intrusion detection software should at least provide an IP address for the hacker. You may then be able to use one of the reverse IP lookup sites on the Web to find the owner of that IP address. It may end up being a commercial ISP, with one of its users engaging in the objectionable conduct. Having the IP address can be a valuable tool for investigators.

First published on BankersOnline.com 6/3/02

First published on 06/03/2002

Filed under: 

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics