Several years ago, I had just arrived on-site for a bank visit when the BSA Officer quickly pulled me into her office and shut the door. She had a dilemma: she had filed a SAR on a director and was faced with the challenge of how she was going to report that SAR to her board. Her challenge was that the board had a practice of viewing a copy of the entire completed SAR, and if she continued with this practice, she would be disclosing to the director that the bank had filed a SAR on him. This, of course, would be problematic for a number of reasons: unlawful disclosure and a very uncomfortable boardroom are two of them.
Fortunately for this BSA Officer, I had a simple solution for her. But before we get to that solution, let’s take a look at what is actually required in SAR reporting.
SAR Reporting Requirements
For years, I have advocated that only basic, general information should be reported to the board regarding each SAR. The reality is that SAR guidance only tells us that each SAR must be reported, though it does not tell us exactly what must be reported.
From the FFIEC BSA Exam Manual:
“Banks are required by the SAR regulations of the federal banking agency to notify the board of directors or an appropriate committee that SARs have been filed. However, the regulations do not mandate a particular notification format and banks should have flexibility in structuring their format. Therefore, banks may, but are not required to, provide actual copies of SARs to the board of directors or a board committee. Alternatively, banks may opt to provide summaries, tables of SARs filed for specific violation types, or other forms of notification. Regardless of the notification format used by the bank, management should provide sufficient information on its SAR filings to the board of directors or an appropriate committee in order to fulfill its fiduciary duties, while being mindful of the confidential nature of the SAR.”
The bottom line here is that banks have flexibility in how they report their SARs to the board. They are permitted to provide entire copies of a SAR, or can provide a general summary or other similar format. That said, I strongly believe that it is a best practice to avoid providing entire copies of SARs to the board for one main reason: confidentiality.
SAR rules prohibit a financial institution from notifying any person involved with the SAR that one has been reported. In fact, SARs are supposed to be so extremely confidential that the regulators want a bank to have internal controls around the SAR filing process that minimize the risk of SAR disclosure.
From the FFIEC BSA Exam Manual:
“No bank, and no director, officer, employee, or agent of a bank that reports a suspicious transaction may notify any person involved in the transaction that the transaction has been reported. A SAR and any information that would reveal the existence of a SAR, are confidential, except as is necessary to fulfill BSA obligations and responsibilities. For example, the existence or even the non-existence of a SAR must be kept confidential, as well as the information contained in the SAR to the extent that the information would reveal the existence of a SAR. Furthermore, FinCEN and the federal banking agencies take the position that a bank’s internal controls for the filing of SARs should minimize the risks of disclosure.”
The exam manual continues:
“A bank or its agent may reveal the existence of a SAR to fulfill responsibilities consistent with the BSA, provided no person involved in a suspicious transaction is notified that the transaction has been reported.”
This statement seems to imply that certain employees and even directors can be privy to SAR information, so long as they were not involved in the transaction that has been reported.
Going briefly back to our original dilemma where a SAR was filed on a director who usually receives full copies of reported SARs, this sentence seems to put our BSA officer in a difficult position. On one hand, she is required to report each filed SAR to the Board. On the other hand, she is prohibited from disclosing the SAR to the director involved in the transaction.
As you can imagine, this situation just causes headaches all around as it would be very difficult to exclude only one director without the director discovering the fact that a SAR was filed on them. In fact, FinCEN has had issues with inappropriate SAR disclosure over the years which they seemed to blame directors for.
Back in 2012, FinCEN released an advisory (FIN-2012-A002) which discussed the increasing evidence of inappropriate SAR disclosure:
“The Financial Crimes Enforcement Network (FinCEN) is issuing this Advisory to remind financial institutions, and in particular, the lawyers that advise them, of the requirement to maintain the confidentiality of Suspicious Activity Reports (SARs). FinCEN is concerned that an increasing number of private parties, who are not authorized to know of the existence of filed SARs, are seeking SARs from financial institutions for use in civil litigation and other matters. Financial institutions, and their current and former directors, officers, employees, agents, and contractors, are prohibited from disclosing SARs, or any information that would reveal the existence of a SAR. FinCEN recognizes that an escalation in the number of requests for use of SARs in private litigation may increase the likelihood of an unauthorized disclosure of a SAR. This is especially true when external counsel is unfamiliar with the regulations covering SAR confidentiality. Financial institutions, and their current and former directors, officers, employees, agents, and contractors could be subject to civil and criminal penalties for the unauthorized disclosure of a SAR.”
One of the challenges that comes with providing complete SAR information to the Board of Directors is that some directors may not fully understand how important SAR confidentiality is. As many directors work in industries that may have limited or non-existent privacy laws, the extreme nature of SAR confidentiality may just not be in their paradigm. Therefore, an unknowing director may inadvertently disclose confidential information without fully understanding the consequences of those actions.
For this reason, I believe it is a best practice to only provide general SAR information to a financial institution's directors.
Avoiding Full SAR Disclosure to the Board
While the best practice is to avoid full SAR disclosure, some financial institutions still provide full copies as their practice. One such institution was that of the BSA Officer who approached me several years ago about a SAR she had filed on a director, a copy of which she was now supposed to provide to the board.
Fortunately for this BSA Officer, and other financial institutions who may run into this rare situation, the BSA Exam Manual provides a simple solution: to just not report the SAR to the board.
Footnote 76 of the 2014 version of the BSA Exam Manual states the following:
“As noted in the Bank Secrecy Act Advisory Group’s The SAR Activity Review - Trends, Tips & Issues, Issue 2, June 2001, ‘In the rare instance when a suspicious activity is related to an individual in the organization, such as the president or one of the members of the board of directors, the established policy that would require notification of a SAR filing to such an individual should not be followed. Deviations to established policies and procedures so as to avoid notification of a SAR filing to a subject of the SAR should be documented and appropriate uninvolved senior organizational personnel should be so advised.’”
Based on this guidance, my BSA Officer was able to relax and continue on without reporting the SAR to the Board. And you have probably already guessed this, but she also changed her SAR reporting procedure to no longer include full copies of SARs but to now provide only a general summary of each SAR to the board.