Update on 7/27/18 - As of today, we are now hearing reports that the new SAR Form has been released. At this time, FinCEN has not released anything publicly as e-filers must log-in to view the new SAR from (2018) and instructions. View our article here for more information on our understanding of this new form and the 7/27/18 release. Compliance Cohort members (free membership) will be notified with applicable updates when we know more. - The Compliance Cohort Team -
As we explained several months back, FinCEN announced in January that they would be revising the SAR form in June of 2018. As of today, that revision has not yet been released, so Financial Institutions are reminded that they should expect a new SAR form to be released within the next few days.
The planned revision is the first change to v1.1 of the original electronic-only SAR form that was implemented a few years back. Based on the proposed revisions (which we wrote about here) , it appears that all but one of the changes should not be substantial for financial institutions. The one change that will be fairly significant, however, relates to cyber events. Specifically, a new category of “Cyber-event” will be added to the selection of reason the SAR is being filed. Item “a” will be a new item of “Against the Financial Institution(s)” while item “b” will be “Against the Financial Institutions customer(s).” Item “z” will be added to include an “Other” option with the associated text field. It appears that this will be item 42 of the SAR form.
In addition to item 42, a new item 49 will be added to record the Cyber Event Suspicious Activity Type and Associated Subtypes.”. This new category of fields will record up to 99 cyber events associated with the suspicious activity. The following cyber event indicators are going to be added along with the event value (and date and timestamp, if applicable): Command & Control IP address; Command & Control URL/Domain; Malware MD5, Malware SHA-1, or Malware SHA-256; Media Access Control (MAC) Address; Port; Suspicious e-mail address; Suspicious filename; Suspicious IP Address; Suspicious URL/Domain; Targeted system; and Other.
As the revisions to the SAR form in relationship to Cyber Events is going to be new, Financial institutions are encouraged to review FinCEN’s August 2016 gudidance (FIN-2016-A005) on reporting SARs on Cyber Events and Cyber crimes (which can be found here), prior to the release of the new SAR form.