After filing a suspicious activity report (SAR) on FinCEN’s website, we were contacted by someone asking for supporting documentation related to the SAR. This person has an email address indicating they work for the Department of Homeland Security, and they appear to be knowledgeable about the facts in the SAR, but they asked for the requested information to be sent to their email address rather than through a secure platform. Is this proper procedure for submitting supporting documentation related to a SAR?

We recommend reviewing your Bank Secrecy Act (BSA) compliance and anti-money laundering program for procedures related to verifying the identity of requestors of supporting documentation before deciding whether and how to submit the requested documentation. While we are not aware of any laws or guidance outlining any specific procedures required for submitting supporting documentation, FinCEN has issued guidance stating that financial institutions should “take special care to verify that a requestor of information is, in fact, a representative of FinCEN or an appropriate law enforcement or supervisory agency” and incorporate procedures related to such verification into their BSA compliance or anti-money laundering programs.

FinCEN goes on to explain in its guidance that such procedures could include independent employment verification with the requestor’s field office or face-to-face review of the requestor’s credentials. We believe that requesting independent verification of the requestor’s identity, as well as a secure delivery method that ensures that the verified requestor is the one actually receiving the supporting documentation, would be a reasonable procedure under these circumstances.

Additionally, we have received feedback from members of our Compliance Division Advisory Committee regarding their experiences submitting supporting documentation related to a SAR. None of them had ever been requested to send supporting documentation by email. One member stated that their institution had received a request to send supporting documentation by mail, which they accomplished by creating a password-protected CD with images of the requested documents. Another member stated that their institution would require written notification of receipt via USPS before sending any supporting documentation, and another member stated that they would call their primary federal regulator for guidance.

For resources related to our guidance, please see:

  • 31 CFR 1020.320(d) (“A bank shall maintain a copy of any SAR filed and the original or business record equivalent of any supporting documentation for a period of five years from the date of filing the SAR. Supporting documentation shall be identified, and maintained by the bank as such, and shall be deemed to have been filed with the SAR. A bank shall make all supporting documentation available to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the bank for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the bank to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the institution complies with the Bank Secrecy Act, upon request.”)
  • FinCEN, Suspicious Activity Report Supporting Documentation (June 13, 2007) (“Financial institutions must provide all documentation supporting the filing of a SAR upon request by FinCEN or an appropriate law enforcement or supervisory agency. When requested to provide supporting documentation, financial institutions should take special care to verify that a requestor of information is, in fact, a representative of FinCEN or an appropriate law enforcement or supervisory agency. A financial institution should incorporate procedures for such verification into its BSA compliance or anti-money laundering program. These procedures may include, for example, independent employment verification with the requestor’s field office or face-to-face review of the requestor’s credentials.”)
  • 31 USC 5318(g)(3)(A) (“Any financial institution that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this subsection or any other authority, and any director, officer, employee, or agent of such institution who makes, or requires another to make any such disclosure, shall not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any State or political subdivision of any State, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure to the person who is the subject of such disclosure or any other person identified in the disclosure.”)