IBA Compliance Connection

Your go to source for compliance!

A customer asked to deposit several checks totaling more than $5,000 and then requested that the funds be wired out. The customer claimed to be helping a friend, but we suspect they may be involved in a money mule scheme. Our primary regulator is the FDIC, and we are familiar with the steps for filing a suspicious activity report (SAR) but would like to know who in addition to FinCEN we should contact regarding this matter. Is it appropriate to alert local law enforcement, and is there a hotline we should call? We do not want to provide information we are prohibited from disclosing.

by

admin

In addition to FinCEN, we believe it would be appropriate to alert local law enforcement, your local FBI field office, and your FDIC regional office of a suspected money mule scheme.

The FDIC’s SAR rules direct banks to file a SAR “with the appropriate federal law enforcement agencies and the Department of Treasury in accordance with the form’s instructions.” Banks also are “encouraged” to file a copy of a SAR “with state and local law enforcement agencies where appropriate.”

The FBI has advised that “criminals recruit money mules to help launder proceeds derived from online scams and frauds or crimes” and that money mules “add layers of distance between crime victims and criminals, which makes it harder for law enforcement to accurately trace money trails.” In addition to contacting your local FBI field office, reports of suspicious activity involving money mule schemes may be reported on the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.

Banks are required to file a SAR within thirty days of detecting suspicious activity when a suspect is identified, and the FDIC’s SAR rules state that when a reportable violation is ongoing, an FDIC-supervised bank should “immediately notify, by telephone, an appropriate law enforcement authority and the appropriate FDIC regional office (Division of Supervision and Consumer Protection (DSC)) in addition to filing a timely report.” (The other federal banking agencies’ SAR rules include similar requirements.)

Additionally, the Illinois Banking Act and Regulation P’s financial privacy protections both include exceptions that allow the disclosure of financial information as necessary “to protect against actual or potential fraud, unauthorized transactions, claims, or other liability.” If your customer is elderly, you also may consider filing a report with the Illinois Department on Aging for suspected elder financial exploitation, with protection from liability under the Illinois Banking Act.

Also, although banks generally are prohibited from disclosing information that would reveal the existence of a SAR, they may disclose a SAR to any federal, state, or local law enforcement agency as well as any state or federal regulatory authority that examines the bank for compliance with the Bank Secrecy Act. The FDIC’s SAR rules also create a safe harbor from liability for banks when filing SARs.

For resources related to our guidance, please see:

  • FDIC Suspicious Activity Report Rules, 12 CFR 353.3(a) (“A bank shall file a suspicious activity report with the appropriate federal law enforcement agencies and the Department of the Treasury, in accordance with the form’s instructions, by sending a completed suspicious activity report to FinCEN in the following circumstances: . . . (2) Transactions aggregating $5,000 or more where a suspect can be identified.”)
  • FDIC Suspicious Activity Report Rules, 12 CFR 353.3(c) (“An FDIC-supervised institution is encouraged to file a copy of the suspicious activity report with state and local law enforcement agencies where appropriate.”)
  • FBI Warns of Money Mules (December 11, 2020) (“Criminals recruit money mules to help launder proceeds derived from online scams and frauds or crimes like human trafficking and drug trafficking. They often target the elderly, students, those looking for work, or those on dating websites. Money mules often receive a commission for their service, or they might help because they believe they have a trusting or romantic relationship with the individual who is asking for help. Money mules add layers of distance between crime victims and criminals, which makes it harder for law enforcement to accurately trace money trails. Some money mules know they are supporting criminal enterprises; others are unaware that they are helping criminals profit.”)
  • FBI Warns of Money Mules (December 11, 2020) (“If you believe that you are participating in a money mule scheme: . . . Notify law enforcement. Report suspicious activity to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov and contact your local FBI field office.”)
  • FDIC Suspicious Activity Report Rules, 12 CFR 353.3(b) (“Time for reporting. (1) An FDIC-supervised institution shall file the suspicious activity report no later than 30 calendar days after the date of initial detection of facts that may constitute a basis for filing a suspicious activity report. If no suspect was identified on the date of detection of the incident requiring the filing, an FDIC-supervised institution may delay filing a suspicious activity report for an additional 30 calendar days to identify a suspect. In no case shall reporting be delayed more than 60 calendar days after the date of initial detection of a reportable transaction.

    (2) In situations involving violations requiring immediate attention, such as when a reportable violation is ongoing, the FDIC-supervised institution shall immediately notify, by telephone, an appropriate law enforcement authority and the appropriate FDIC regional office (Division of Supervision and Consumer Protection (DSC)) in addition to filing a timely report.”)

  • Illinois Banking Act, 215 ILCS 5/48.1(c) (“Except as otherwise provided by this Act, a bank may not disclose to any person, except to the customer or his duly authorized agent, any financial records or financial information obtained from financial records relating to that customer of that bank unless . . . ”)
  • Regulation P, 12 CFR 1016.10(a)(1) (“Except as otherwise authorized in this part, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless . . .”)
  • Illinois Banking Act, 205 ILCS 5/48.1(b)(18) (“This Section does not prohibit: . . . The disclosure of financial records or information as necessary to protect against actual or potential fraud, unauthorized transactions, claims, or other liability.”)
  • Regulation P, 12 CFR 1016.15(a)(2)(ii) (“The requirements for . . . the opt out in §§ 1016.7 and 1016.10 . . . do not apply when you disclose nonpublic personal information: . . . To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability . . .”)
  • FinCEN Rules, 31 CFR 1020.320(e)(1) (“Prohibition on disclosures by banks — (i) General rule. No bank, and no director, officer, employee, or agent of any bank, shall disclose a SAR or any information that would reveal the existence of a SAR. . . . (ii) Rules of Construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (e)(1) shall not be construed as prohibiting: (A) The disclosure by a bank, or any director, officer, employee, or agent of a bank, of:

(1) A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the bank for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the bank to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the bank complies with the Bank Secrecy Act . . .”)

  • FDIC Suspicious Activity Report Rules, 12 CFR 353.3(h) (The safe harbor provisions protecting banks from liability when filing a SAR “cover all reports of suspected or known criminal violations and suspicious activities to law enforcement and financial institution supervisory authorities, including supporting documentation, regardless of whether such reports are filed pursuant to this part or are filed on a voluntary basis.”)
  • Illinois Banking Act, 205 ILCS 5/48.1(b)(16) (Creates exemption from privacy requirements for furnishing information to law enforcement authorities, the Illinois Department on Aging and its regional administrative and provider agencies, the Department of Human Services Office of Inspector General, or public guardians “if there is suspicion by the bank that a customer who is an elderly or disabled person has been or may become the victim of financial exploitation.”)