Thirty days ago, we discovered that a former loan officer sent emails from her bank email account to her personal email account (possibly related to her search for future employment with another bank). We still are sifting through hundreds of emails, but so far we know she sent herself at least one individual’s W-2 form. The loan officer quit as soon as we questioned her about the emails. We suspect that the loan officer obtained the W-2 from a loan applicant, and that the loan officer intended to steer the applicant to her new employer, but we have not been able to confirm this suspicion. Our attorney told us to notify the affected individual and any others that we discover. We are almost certain we also will file a Suspicious Activity Report (SAR). Is that something we should do? Should we also contact our primary federal regulator (the FDIC)?

We recommend filing a SAR, but at this point, we do not (and from what you have told us, the bank does not) have enough information to determine whether a data breach has occurred that would require your bank to notify its primary regulator or any affected individuals.

The SAR regulations require a bank to file a SAR when it suspects insider abuse. Here, it appears that a SAR is required because there is reason to suspect insider abuse. The term “insider abuse” is not defined, but an issue of FinCEN’s SAR Activity Review adopts a General Accounting Office definition that defines insider abuse to include situations in which “individuals in a position of trust in the institution or closely affiliated with it have, in general terms, breached their fiduciary duties; traded on inside information; usurped opportunities or profits; engaged in self dealing; or otherwise used the institution for personal advantage.” In this case, you suspect your former employee misappropriated proprietary customer information in an attempt to steer the customer to another bank, which we would view as insider abuse.

We also recommend investigating whether the employee’s conduct may have constituted a security breach, requiring notice to both your primary regulator and any affected individuals. Interagency guidance on data security requires notification of an institution’s primary federal regulator as soon as possible “when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.” Additionally, the Illinois Personal Information Protection Act requires banks to notify affected individuals when there is “unauthorized acquisition of computerized data.” As you gather more information, you and your bank counsel should determine your reporting requirements under Illinois and federal law.

For resources related to our guidance, please see:

  • FDIC SAR Regulations, 12 CFR 353.3(a)(1) (“A bank shall file a suspicious activity report with the appropriate federal law enforcement agencies and the Department of the Treasury, in accordance with the form’s instructions, by sending a completed suspicious activity report to FinCEN in the following circumstances: (1) Insider abuse involving any amount . . . .”)

  • The SAR Activity Review, Trends, Tips & Issues, pg. 10 (May 2013) (“The General Accounting Office (GAO) reported that absent a universally agreed upon definition of the term ‘fraud and insider abuse’ it would adopt the term as defined in a 1988 Federal Home Loan Bank Board (FHLBB) Report to Congress: ‘ . . . individuals in a position of trust in the institution or closely affiliated with it have, in general terms, breached their fiduciary duties; traded on inside information; usurped opportunities or profits; engaged in self dealing; or otherwise used the institution for personal advantage.’”)

  • Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“At a minimum, an institution's response program should contain procedures for the following: . . . b. Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below . . . .”)

  • Personal Information Protection Act, 815 ILCS 530/10(a) (“Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach.”)
  • Personal Information Protection Act, 815 ILCS 530/5 (“‘Data collector’ may include, but is not limited to . . . financial institutions . . . and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.”)
  • Personal Information Protection Act, 815 ILCS 530/5 (“‘Breach of the security of the system data’ or ‘breach’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. ‘Breach of the security of the system data’ does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.”)