We are a national bank, and we recently moved our wealth and farm management groups into a separate, state-chartered trust company that will be regulated by the IDFPR and the Federal Reserve. Do the ID theft/red flag requirements and the FACT Act apply to the trust company? Also, if our trust company obtains cash from an estate in a fiduciary capacity and deposits the cash at our bank, which entity is responsible for the CTR filing? Would both the bank and the trust company file the CTR? If the trust company files a SAR on its own, could it use the bank’s filing number?

State-chartered trust companies are subject to the Fair and Accurate Credit Transactions Act of 2003 (FACTA), including its identity theft/red flag requirements.

With respect to who should file currency transaction reports (CTRs) in the scenario in your question, we believe that either the bank or the trust company may choose to file the CTRs for cash transactions exceeding $10,000. In your example, the currency transaction involves both the trust company and the bank (the trust company accepts the currency and the bank accepts the deposit).

This is similar to a situation described in FinCEN’s guidance regarding CTR filings by affiliate institutions held by the same bank holding company. FinCEN clarifies that when one bank receives more than $10,000 in cash and deposits the cash at an affiliated bank, both institutions have an obligation to file a CTR. However, FinCEN does not require two CTR filings — to avoid duplicative filing, one affiliate may file the CTR on behalf of the other (with a recommendation that the non-filing institution retain a copy of the CTR in its files for examination purposes). Similarly, we believe that either the bank or the trust company may file a CTR in this situation, with the non-filing entity retaining a copy of the CTR in its records.

Also, we believe that the trust company may file a suspicious activity report (SAR) on its own, but it may have to supply its own filing number when doing so — the latest SAR form issued by FinCEN includes the “Filing Institution Contact Information,” including its “institution identification number.” Even if the bank files a SAR on behalf of the trust company, it would have to enter a filing institution identification number to identify the financial institution where the suspicious activity occurred. Our understanding is that the trust company may contact its local Fed district to obtain an RSSD identifier to use as its institution identification number.

For resources related to our guidance, please see:

  • Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act of 2003, 15 USC 1681m(e) (“The Federal banking agencies, the National Credit Union Administration, the Federal Trade Commission, the Commodity Futures Trading Commission, and the Securities and Exchange Commission shall jointly, with respect to the entities that are subject to their respective enforcement authority under section 1681s of this title (A) establish and maintain guidelines for use by each financial institution and each creditor regarding identity theft with respect to account holders at, or customers of, such entities, and update such guidelines as often as necessary; . . .”)
  • Fair Credit Reporting Act, 15 USC 1681a(t) (“The term ‘financial institution’ means a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in section 461(b) of title 12) belonging to a consumer.”)
  • FinCEN Regulations, 31 CFR 1010.311 (“Each financial institution other than a casino shall file a report of each deposit, withdrawal, exchange of currency or other payment or transfer, by, through, or to such financial institution which involves a transaction in currency of more than $10,000, except as otherwise provided in this section. . . .”)
  • FinCEN Regulations, 31 CFR 1020.320 (“Every bank shall file with the Treasury Department, to the extent and in the manner required by this section, a report of any suspicious transaction relevant to a possible violation of law or regulation.”)
  • FinCEN Regulations, 31 CFR 1010.100(t) (“Financial institution. Each agent, agency, branch, or office within the United States of any person doing business, whether or not on a regular basis or as an organized business concern, in one or more of the capacities listed below: (1) A bank (except bank credit card systems); . . .”)
  • FinCEN Regulations, 31 CFR 1010.100(d) (“General definitions. . . . (d) Bank. Each agent, agency, branch or office within the United States of any person doing business in one or more of the capacities listed below: (1) A commercial bank or trust company organized under the laws of any State or of the United States; . . .”)
  • FinCEN Ruling 2001-1 (July 26, 2001) (“Bank A and Bank B are subsidiaries of the same bank holding company. A customer maintains an account at Bank A, but not at Bank B. The customer makes a cash deposit of $12,000 at Bank B for credit to his account at Bank A. . . . According to the facts outlined above, the customer’s cash deposit occurs ‘by, through, or to’ Bank B, because Bank B is the financial institution that physically receives the cash. Thus, Bank B has an obligation to file a CTR. The customer’s cash deposit also can be said to occur ‘by, through, or to’ Bank A, because the cash deposit is conducted at one of its agents. Thus, both Bank A and Bank B are technically required to file a CTR; however, to avoid unnecessary duplicative reporting, FinCEN would require that only one report actually be filed (in the manner set forth in the following paragraph) with respect to the same transaction. Thus, for example, Bank A would not need to file a CTR with respect to the customer’s $12,000 cash deposit so long as it knows for a fact that Bank B filed a CTR with respect to that transaction, and vice-versa.2

    Footnote 2: A bank that relies on its affiliate to file a CTR should retain in its own files a copy of the filed CTR for examination purposes.

    If Bank A files a CTR with respect to the customer’s $12,000 deposit, then Bank A should fill out Part III of the CTR form with its own information. In addition, the accounts affected by the deposit should be listed below Box 35 (‘Account Number(s) Affected (if any):’) and the phrase ‘Affiliate Transaction(s)’ should be written in below Box 36 (‘Other (specify):’). Conversely, if Bank B chooses to file a CTR with respect to the $12,000 deposit, then Bank B should fill out Part III of the CTR form with its own information. Further, the accounts affected by the deposit (even if those accounts are not held at Bank B) should be listed below Box 35 and the phrase ‘Affiliate transaction(s)’ should be written in below Box 36. Completing the CTR in this fashion will serve to notify law enforcement that the reported transaction may not have been physically conducted at the filing financial institution and/or that the account affected by the transaction is not held at the filing institution.”)

  • FinCEN Announces Update to CTR (May 24, 2017) (“Added new Part IV ‘Filing Institution Contact Information’ section to collect data about the institution that filed the CTR.”)
  • FinCEN, Bank Secrecy Act Suspicious Activity Report Database Proposed Data Fields, 75 Fed. Reg. 63545 (October 15, 2010) (SAR lines 42 and 82 include prompts for a “institution identification number,” whether a CRD, IARD, NFA, SEC ID, RSSD or other identification number.)
  • FinCEN, Suspicious Activity Report FAQs, Question 20 (“What information should be provided in Items 78–90 in Part IV of the FinCEN SAR? . . .

    a. A Bank Holding Company (BHC) has implemented an enterprise-wide approach to their compliance program. As a result, the BHC will file all required reports with FinCEN. In this scenario, Part IV would be completed with the information of the BHC, and then a Part III would be completed with the information of the financial institution where the activity occurred. If the activity occurred at additional branch locations, then that information would be entered in Items 64–70, and would be repeated as many times as necessary. In Part IV, the filing institution should enter the name of the office that should be contacted to obtain additional information about the report. . . .”)
     

  • FinCEN, SAR Electronic Filing Requirements (“5. Joint Report: A FinCEN SAR may be jointly filed when two or more distinct financial institutions collaborate in filing a single FinCEN SAR on suspicious activity involving all of the collaborating financial institutions. Financial institutions are ‘distinct’ for this purpose when they are different legal entities; a financial institution is not distinct from its own branches. . . . The filing institution must include joint filer contact information in Part V, along with a description of the information provided by each joint filer. Record joint filer information in Part III Items 47 through 63 and joint filer branch information in Part III Items 64 through 77. . . . Both filers and joint filers are required to keep copies of the FinCEN SAR and their own supporting documentation for five (5) years after the date of filing.”)