This is serious fraudulent activity, and we recommend consulting with your bank counsel immediately to discuss a strategy for safeguarding against potential monetary, regulatory and reputational risks.
Meanwhile, we recommend that you contact local law enforcement, as well as the FBI. In addition, you should contact your primary federal regulator (the FDIC) to report that fraudulent cashier’s checks bearing your bank’s name are in circulation. You should also file a Suspicious Activity Report. While you have told us that the initial fraudulent event was for less than $5,000, the fact that numerous fake cashier’s checks are now circulating across the country certainly will negate any minimum reporting thresholds.
Also, as to discussing the scam with news outlets, we note that Regulation P generally prohibits a bank from disclosing nonpublic personal information about a customer, including “the fact that an individual is or has been one of your customers or has obtained a financial product or service from you.” The Illinois Banking Act similarly prohibits a bank from disclosing a customer’s financial information. Consequently, certain comments — such as disclosing that a certain customer has been affected by the scam — could violate federal and state privacy laws (although both laws create a safe harbor when disclosure is necessary to protect against actual or potential fraud). Again, we recommend consulting with your bank counsel before engaging in any discussions with the media about this matter.
For resources related to our guidance, please see:
- FBI Chicago Office: (312) 421-6700 (Covers 18 counties in northern Illinois, from Interstate 80 north to the Wisconsin border, east to Indiana, and west to Iowa.)
- FinCEN SAR rules, 31 CFR 1020.320(a)(1) (“Every bank shall file with the Treasury Department, to the extent and in the manner required by this section, a report of any suspicious transaction relevant to a possible violation of law or regulation. A bank may also file with the Treasury Department by using the Suspicious Activity Report specified in paragraph (b)(1) of this section or otherwise, a report of any suspicious transaction that it believes is relevant to the possible violation of any law or regulation but whose reporting is not required by this section.”)
- FinCEN SAR rules, 31 CFR 1020.320(a)(2) (“A transaction requires reporting . . . if it is conducted or attempted by, at, or through the bank, it involves or aggregates at least $5,000 in funds or other assets . . . .”)
- FinCEN SAR rules, 31 CFR 1020.320(b)(3) (“A bank is required to file a SAR no later than 30 calendar days after the date of initial detection by the bank of facts that may constitute a basis for filing a SAR. . . .”)
- Regulation P, 12 CFR 1016.3(q)(2)(i)(C) (“Personally identifiable financial information includes . . . The fact that an individual is or has been one of your customers or has obtained a financial product or service from you . . . .”)
- Regulation P, 12 CFR 1016.15 (Lists exceptions to opt-out requirements, including “[t]o protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability”)
- Illinois Banking Act, 215 ILCS 5/48.1(c) (“Except as otherwise provided by this Act, a bank may not disclose to any person, except to the customer or his duly authorized agent, any financial records or financial information obtained from financial records relating to that customer of that bank unless . . . .”)
- Illinois Banking Act, 215 ILCS 5/48.1(b)(18) (“This Section does not prohibit . . . The disclosure of financial records or information as necessary to protect against actual or potential fraud, unauthorized transactions, claims, or other liability.”)