[Federal Register Volume 74, Number 44 (Monday, March 9, 2009)]
[Proposed Rules]
[Pages 10158-10161]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-4693]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

31 CFR Part 103

[Docket Number: TREAS-FinCen-2008-0022]


Interpretive Guidance--Sharing Suspicious Activity Reports by 
Depository Institutions With Certain U.S. Affiliates

AGENCY: Financial Crimes Enforcement Network, Department of the 
Treasury.

ACTION: Proposed guidance.

-----------------------------------------------------------------------

SUMMARY: The Financial Crimes Enforcement Network (``FinCEN'') of the 
Department of the Treasury, after consulting with the staffs of the 
Board of Governors of the Federal Reserve System (``FRB''), the Federal 
Deposit Insurance Corporation (``FDIC''), the National Credit Union 
Administration (``NCUA''), the Office of the Comptroller of the 
Currency (``OCC''), and the Office of Thrift Supervision (``OTS'') 
(hereinafter, the ``Federal Banking Agencies''), is issuing for comment 
this proposed interpretive guidance. Published elsewhere in this part 
of the Federal Register are proposed rules clarifying the scope of the 
statutory prohibition on the disclosure by a financial institution of a 
report of a suspicious transaction set forth in the Bank Secrecy Act 
(``BSA''). The proposed rules include a provision which states that the 
prohibition does not apply when a bank shares a suspicious activity 
report (``SAR''), or any information that would reveal the existence of 
a SAR, within its corporate organizational structure for purposes 
consistent with Title II of the BSA, as determined by regulation or 
guidance. The proposed guidance interprets this provision to permit a 
bank to share a SAR with its affiliates that also are subject to SAR 
rules.

DATES: Written comments on the proposed guidance may be submitted on or 
before June 8, 2009.

ADDRESSES: You may submit comments, identified by docket number TREAS-
FinCen-2008-0022,\1\ by any of the following methods:
---------------------------------------------------------------------------

    \1\ This single docket number is shared by three related 
documents (a notice of proposed rulemaking, and this and another 
piece of proposed guidance related to that notice of proposed 
rulemaking) published simultaneously by FinCEN in today's Federal 
Register. Accordingly, commenters may submit comments related to any 
of the proposals, or any combination of proposals, in a single 
comment letter.
---------------------------------------------------------------------------

     * Federal e-rulemaking portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     * E-mail: [email protected]. Include docket 
number TREAS-FinCen-2008-0022 in the subject line of the message.
     * Mail: FinCEN, P.O. Box 39, Vienna, VA 22183. Include 
docket number TREAS-FinCen-2008-0022 in the body of the text.

FOR FURTHER INFORMATION CONTACT: Regulatory Policy and Programs 
Division, FinCEN, (800) 949-2732.

SUPPLEMENTARY INFORMATION:

I. Background

    FinCEN, through its authority under the BSA as delegated by the 
Secretary of the Treasury, may require financial institutions to keep 
records and file reports that FinCEN determines have a high degree of 
usefulness in criminal, tax or regulatory investigations or 
proceedings, or for intelligence or counterintelligence activities to 
protect against international terrorism. Within this framework, FinCEN 
may require financial institutions to file SARs and has issued rules 
implementing that specific authority with respect to certain types of 
financial institutions.\2\ The Federal Banking Agencies have issued 
comparable rules for financial institutions subject to their 
jurisdiction.\3\ The SAR rules issued by FinCEN and those issued by the 
Federal Banking Agencies currently include a section implementing the 
statutory prohibition on the disclosure by a financial institution of a 
SAR that is set forth in the BSA.\4\
---------------------------------------------------------------------------

    \2\ See 31 CFR 103.15 to 103.21.
    \3\ See 12 CFR 208.62 (FRB); 12 CFR 353.3 (FDIC); 12 CFR 748.1 
(NCUA); 12 CFR 21.11 (OCC); and 12 CFR 563.180 (OTS).
    \4\ 31 U.S.C. 5318(g)(2)(A)(i).
---------------------------------------------------------------------------

Sharing Within the Corporate Organizational Structure

    In January 2006, FinCEN and all the Federal Banking Agencies other 
than the NCUA issued joint guidance concluding that, subject to certain 
exceptions or qualifications, a U.S. branch or agency of a foreign bank 
may share a SAR with its head office outside the United States, and a 
U.S. bank or savings association may disclose a SAR to its controlling 
company, no matter where the entity or party is located.\5\ FinCEN also 
issued guidance in consultation with the staffs of the Securities and 
Exchange Commission (``SEC'') and the Commodity Futures Trading 
Commission (``CFTC'') determining that, subject to certain exceptions 
or qualifications, a securities broker-dealer, futures commission 
merchant, or introducing broker in commodities may share a SAR with its 
parent entities, 
both domestic and foreign.\6\ Moreover, guidance issued by FinCEN in 
consultation with the SEC in October 2006, stated that a U.S. mutual 
fund may share a SAR with the investment adviser that controls the 
fund, whether domestic or foreign, so that the investment adviser could 
implement enterprise-wide risk management and compliance functions over 
all of the mutual funds that it controls \7\ and improve its 
identification and reporting of suspicious activity.\8\ Nothing in the 
proposed guidance for sharing with affiliates supersedes any of the 
guidance mentioned in the preceding paragraph.
---------------------------------------------------------------------------

    \5\ ``Interagency Guidance on Sharing Suspicious Activity 
Reports with Head Offices and Controlling Companies'' (January 20, 
2006).
    \6\ ``Guidance on Sharing of Suspicious Activity Reports by 
Securities Broker-Dealers, Futures Commission Merchants, and 
Introducing Brokers in Commodities'' (January 20, 2006).
    \7\ ``Control'' for purposes of the October 2006 Guidance is 
defined in section 2(a)(9) of the Investment Company Act of 1940 (15 
U.S.C. 80a-2(a)(9)) to mean ``the power to exercise a controlling 
influence over the management or policies of a company, unless such 
power is solely the result of an official position with such 
company.'' A mutual fund typically is organized and operated by an 
investment adviser that controls the fund. By contrast, an 
investment adviser that performs limited functions in managing a 
mutual fund's securities portfolio (also known as a ``subadviser'') 
would not typically control the fund and therefore would be outside 
the scope of the guidance.
    \8\ FIN-2006-G013, ``Frequently Asked Questions: Suspicious 
Activity Reporting Requirements for Mutual Funds'' (October 4, 
2006).
---------------------------------------------------------------------------

    These guidance documents reflected a recognition by FinCEN, the 
FDIC, the FRB, the OCC, the OTS, the SEC, and the CFTC (referred to 
collectively in the proposed guidance as the ``Federal regulators'') 
that a head office, controlling entity or party, or parent entity of a 
depository institution, broker-dealer, mutual fund, futures commission 
merchant, and introducing broker in commodities has oversight 
responsibilities with respect to enterprise-wide risk management. These 
responsibilities include a valid need to review compliance by U.S.-
based depository institutions, broker-dealers, mutual funds, futures 
commission merchants, and introducing brokers in commodities with legal 
requirements to identify and report suspicious activity.
    The guidance documents regarding the sharing of SARs with head 
offices, controlling companies or parties, and parent entities 
(referred to here as the ``2006 Guidance'') expressly noted that the 
sharing of a SAR with a non-U.S. entity raises concerns about the 
ability of the foreign entity to protect the SAR in light of possible 
requests for disclosure abroad that may be subject to foreign law. The 
2006 Guidance on sharing SARs with head offices and controlling 
companies also provides that the recipient may not disclose further any 
Suspicious Activity Report, or the fact that such a report has been 
filed; however, the recipient may disclose without permission 
underlying information. The 2006 Guidance also stated that FinCEN and 
the Federal regulators were considering whether a financial institution 
may share a SAR with other entities within the financial institution's 
corporate organization located inside the United States and those 
located abroad, and instructed financial institutions not to share SARs 
with such entities until further guidance was issued.

Proposed Regulatory Changes

    In proposed regulations issued today, FinCEN is proposing to revise 
its regulations implementing the BSA regarding the confidentiality of a 
SAR to clarify, among other things, the scope of the statutory 
prohibition against the disclosure by a financial institution of a SAR. 
These proposed rules include a provision clarifying that the statutory 
prohibition does not apply to sharing by a depository institution, or 
any director, officer, employee, or agent of the depository 
institution, of a SAR, or any information that would reveal the 
existence of a SAR, within the depository institution's corporate 
organizational structure for purposes consistent with Title II of the 
BSA, as determined by regulation or in guidance, provided that no 
person involved in any reported suspicious transaction is notified that 
the transaction has been reported.

II. Proposed Guidance

    This proposed guidance interprets the general statement in the 
proposed SAR confidentiality rules \9\ that a bank may share a SAR, or 
information that reveals the existence of a SAR, within its corporate 
organizational structure for purposes consistent with Title II of the 
BSA. First, the proposed guidance acknowledges that the 2006 Guidance 
regarding depository institutions continues to be applicable. It 
explains that sharing of a SAR or information that reveals the 
existence of a SAR by a depository institution with its head office or 
its controlling company, whether domestic or foreign, promotes 
compliance with the BSA by enabling the head office or controlling 
company to discharge its oversight responsibilities with respect to 
enterprise-wide risk management, including oversight of the depository 
institution's compliance with applicable laws and regulations.
---------------------------------------------------------------------------

    \9\ The proposed guidance interprets a provision in the proposed 
SAR regulations. The final guidance issued will be modified to 
correspond to any changes made in the final SAR regulations.
---------------------------------------------------------------------------

    Next, the proposed guidance explains that FinCEN has concluded that 
the proposed regulations may be interpreted to permit a depository 
institution that has filed a SAR to share the SAR, or any information 
that would reveal the existence of the SAR, with an affiliate \10\ that 
is subject to a SAR regulation \11\ issued by FinCEN or the Federal 
Banking Agencies.
---------------------------------------------------------------------------

    \10\ For the purposes of this proposed guidance, an 
``affiliate'' is effectively defined as a company under common 
control with, or a subsidiary of, the depository institution. 
``Affiliate'' does not include holding companies because sharing 
with these entities is already addressed in the 2006 Guidance.
    \11\ See 31 CFR 103.15 to 103.21. See also, 12 CFR 208.62 (FRB); 
12 CFR 353.3 (FDIC); 12 CFR 748.1 (NCUA); 12 CFR 21.11 (OCC); and 12 
CFR 563.180 (OTS).
---------------------------------------------------------------------------

    FinCEN has concluded that such sharing within a corporate 
organization is consistent with two important purposes of the BSA: 
Promoting efforts to detect and report money laundering and terrorist 
financing by financial institutions that are subject to the BSA, and 
ensuring the confidentiality of a SAR or any information that would 
reveal the existence of a SAR. The sharing by a depository institution 
of a SAR, or any information that would reveal the existence of a SAR, 
can facilitate the identification of suspicious transactions taking 
place through the depository institution's affiliates that are also 
subject to SAR reporting requirements. Although the sharing of 
information underlying the filing of a SAR has never been prohibited 
under the BSA, it is understood that the sharing of a SAR itself 
pursuant to this proposed guidance may entail greater efficiencies.\12\
    Moreover, the proposed SAR confidentiality rules provide that a 
``SAR, and any information that would reveal the existence of a SAR, 
are confidential.'' \13\ Accordingly, affiliates subject to a SAR rule 
are prohibited from disclosing any SAR or information that a SAR was 
filed, including both SARs they have filed, and any SARs they have 
received that have been filed by others. In addition, because the 
guidance applies only to the sharing of a SAR by the depository 
institution ``that has filed'' the SAR, the guidance includes a 
statement clarifying that it is not permissible for an affiliate that 
has received such a SAR from a depository institution to share that 
SAR, or any 
information that would reveal the existence of that SAR with another 
affiliate, even if that affiliate is subject to a SAR rule. The 
guidance also states that a depository institution, as part of its 
internal controls, should have written confidentiality agreements in 
place ensuring that its affiliates protect the confidentiality of the 
SAR through appropriate internal controls. Given the above 
restrictions, FinCEN is satisfied that the sharing permitted by this 
guidance is consistent with the BSA objective to ensure that suspicious 
activity reporting remains confidential.
---------------------------------------------------------------------------

    \12\ For example, the sharing of a SAR eliminates the need to 
create a separate summary document which, if shared, might 
inadvertently reveal the existence of a SAR itself.
    \13\ See the Notice of Proposed Rulemaking published elsewhere 
in today's Federal Register.
---------------------------------------------------------------------------

    FinCEN has declined to permit sharing with affiliates that are not 
subject to a SAR rule, whether domestic or foreign.\14\ At this time, 
it is not apparent that such sharing would be consistent with the 
purposes of the BSA, to promote efforts to detect and report money 
laundering and terrorist financing by financial institutions that are 
subject to rules implementing the BSA, and to ensure the 
confidentiality of a SAR or any information that would reveal the 
existence of a SAR.
---------------------------------------------------------------------------

    \14\ A footnote in the proposed guidance makes clear that 
foreign branches of U.S. banks generally are regarded as foreign 
banks for purposes of the BSA and, therefore, would be 
``affiliates'' that are not subject to a SAR regulation. 
Accordingly, a U.S. bank that has filed a SAR may not share the SAR, 
or any information that would reveal the existence of the SAR, with 
its foreign branches.
---------------------------------------------------------------------------

    Finally, this proposed guidance is intended only to remove 
unnecessary obstacles to detecting and reporting suspicious activity. 
It should not be read to impose new BSA requirements or to suggest that 
sharing with affiliates is compulsory.

III. Request for Comment

    FinCEN invites comments on all aspects of the guidance. We solicit 
comment on whether this proposed guidance would achieve the intended 
effect of promoting compliance with the BSA. We also request comment on 
whether the proposed guidance will be beneficial, whether it raises any 
ambiguities, and whether it will result in any negative consequences. 
In addition, we specifically invite comment on the following:
     * Whether the definition of affiliate is appropriate;
     * Whether the scope of the guidance should be expanded to 
permit sharing with other affiliates within the United States. 
Commenters suggesting that the scope of the guidance be expanded should 
address how additional sharing would be consistent with the purposes of 
Title II of the BSA;
     * Whether the scope of the guidance should be expanded to 
permit sharing with other affiliates outside of the United States, 
including with foreign branches of U.S. banks. Commenters suggesting 
that the scope of the guidance be expanded should address how 
additional sharing outside of the U.S. would be consistent with the 
purposes of Title II of the BSA. In particular, commenters should 
explain how a foreign affiliate might protect a SAR in light of a 
possible request for disclosure abroad that may be subject to foreign 
law;
     * Whether similar provisions to allow sharing with certain 
affiliates should be permitted among all financial institutions subject 
to a SAR rule;
     * Whether financial institutions, other than depository 
institutions, securities broker-dealers, mutual funds, futures 
commission merchants, or introducing brokers in commodities subject to 
a SAR rule, should be permitted to share a SAR, or any information that 
would reveal the existence of a SAR, with parent entities and/or 
affiliates; and
     * Whether and how a depository institution can store and 
provide access to SARs in an electronic system in a way that prevents 
the SARs from being subject to disclosure laws or obligations of 
foreign jurisdictions.

Proposed Interpretive Guidance \15\

    \15\ For purposes of the guidance text below, all citations to 
Title 31 SAR regulations are references to the amended regulations 
we anticipate promulgating as discussed in the above section, 
Proposed Regulatory Changes.
---------------------------------------------------------------------------

Sharing Suspicious Activity Reports by Depository Institutions With 
Certain U.S. Affiliates \1\
---------------------------------------------------------------------------

    \1\ For purposes of this guidance, ``affiliate'' of a depository 
institution means any company under common control with, or 
controlled by, that depository institution. ``Under common control'' 
means that another company (1) directly or indirectly or acting 
through one or more other persons owns, controls, or has the power 
to vote 25 percent or more of any class of the voting securities of 
the company and the depository institution; or (2) controls in any 
manner the election of a majority of the directors or trustees of 
the company and the depository institution. ``Controlled by'' means 
that the depository institution (1) directly or indirectly has the 
power to vote 25 percent or more of any class of the voting 
securities of the company; or (2) controls in any manner the 
election of a majority of the directors or trustees of the company. 
See, e.g., 12 U.S.C. 1841(a)(2).
---------------------------------------------------------------------------

    The Financial Crimes Enforcement Network (``FinCEN''), after 
consulting with the staffs of the Board of Governors of the Federal 
Reserve System (``FRB''), the Federal Deposit Insurance Corporation 
(``FDIC''), the National Credit Union Administration (``NCUA''), the 
Office of the Comptroller of the Currency (``OCC''), and the Office of 
Thrift Supervision (``OTS'') (hereinafter, the ``Federal Banking 
Agencies''), is issuing this guidance to confirm that under the Bank 
Secrecy Act (``BSA'') and its implementing regulations, a depository 
institution subject to FinCEN regulations (``depository institution'') 
that has filed a Suspicious Activity Report (``SAR'') may share the 
SAR, or any information that would reveal the existence of the SAR, 
with certain affiliates. This guidance does not address the 
applicability of any other Federal or state laws.
    The BSA prohibits the filer of a SAR from notifying any person 
involved in a suspicious transaction that the activity has been 
reported.\2\ Regulations issued by FinCEN \3\ construe this 
confidentiality provision as generally prohibiting a depository 
institution from disclosing a SAR, or any information that would reveal 
the existence of a SAR.
---------------------------------------------------------------------------

    \2\ See 31 U.S.C. 5318(g)(2).
    \3\ See 31 CFR 103.18(e).
---------------------------------------------------------------------------

    However, the regulations make clear that, provided no person 
involved in the transaction is notified that the transaction has been 
reported, the prohibition does not include disclosures to (1) FinCEN; 
(2) any Federal, state, or local law enforcement agency; or (3) any 
Federal or state regulatory agency that examines the depository 
institution for compliance with the BSA. The regulations also provide 
that the prohibition does not apply to: (i) The disclosure of the 
underlying facts, transactions, and documents upon which a SAR is 
based, including, but not limited to, disclosures related to filing a 
joint SAR and in connection with certain employment references or 
termination notices; and (ii) the sharing of a SAR, or any information 
that would reveal the existence of a SAR, within a depository 
institution's corporate organizational structure for purposes 
consistent with Title II of the BSA, as determined by regulation or in 
guidance.\4\
---------------------------------------------------------------------------

    \4\ See the Notice of Proposed Rulemaking published elsewhere in 
today's Federal Register.
---------------------------------------------------------------------------

    In previously issued guidance (``January 2006 Guidance''), FinCEN, 
the OCC, the OTS, the FRB, and the FDIC determined that a U.S. branch 
or agency of a foreign bank may share a SAR with its head office.\5\ 
The January 2006 Guidance also stipulated that a U.S. bank or savings 
association may share a SAR with its controlling company (whether 
domestic or foreign). The January 2006 Guidance continues to be 
applicable and comports with the SAR regulations referenced above.\6\ 
The 
sharing of a SAR or, more broadly, any information that would reveal 
the existence of a SAR, with a head office or controlling company 
(including overseas) promotes compliance with the applicable 
requirements of the BSA by enabling the head office or controlling 
company to discharge its oversight responsibilities with respect to 
enterprise-wide risk management, including oversight of a depository 
institution's compliance with applicable laws and regulations.
---------------------------------------------------------------------------

    \5\ Interagency Guidance, ``Sharing Suspicious Activity Reports 
with Head Offices and Controlling Companies'' (January 20, 2006).
    \6\ See supra note 5.
---------------------------------------------------------------------------

    The January 2006 Guidance deferred taking a position on whether a 
depository institution is permitted to share a SAR with affiliates and 
directed institutions not to share with such affiliates. FinCEN has now 
concluded that a depository institution that has filed a SAR may share 
the SAR, or any information that would reveal the existence of the SAR, 
with an affiliate, as defined herein, provided the affiliate is subject 
to a SAR regulation.\7\ The sharing of SARs with such affiliates 
facilitates the identification of suspicious transactions taking place 
through the depository institution's affiliates that are subject to a 
SAR rule. Therefore, such sharing within the depository institution's 
corporate organizational structure is consistent with the purposes of 
Title II of the BSA.\8\
---------------------------------------------------------------------------

    \7\ See 31 CFR 103.15 to 103.21. See also, 12 CFR 208.62 (FRB); 
12 CFR 353.3 (FDIC); 12 CFR 748.1 (NCUA); 12 CFR 21.11 (OCC); and 12 
CFR 563.180 (OTS).
    \8\ Because foreign branches of U.S. banks are regarded as 
foreign banks for purposes of the BSA, under this guidance, they are 
``affiliates'' that are not subject to a SAR regulation. 
Accordingly, a U.S. bank that has filed a SAR may not share the SAR, 
or any information that would reveal the existence of the SAR, with 
its foreign branches.
---------------------------------------------------------------------------

    It is not consistent with the purposes of Title II of the BSA for 
an affiliate that has received a SAR from a depository institution that 
has filed the SAR to further share that SAR, or any information that 
would reveal the existence of that SAR with an affiliate of its own, 
even if that affiliate is subject to a SAR rule.
    As is the case with sharing SARs with head offices and controlling 
companies, there may be circumstances under which a depository 
institution, its affiliate, or both entities would be liable for direct 
or indirect disclosure by the affiliate of a SAR or any information 
that would reveal the existence of a SAR. Therefore, the depository 
institution, as part of its internal controls, should have written 
confidentiality agreements in place ensuring that its affiliates 
protect the confidentiality of the SAR through appropriate internal 
controls.
    Consistent with the BSA and the implementing regulations issued by 
FinCEN and the Federal Banking Agencies, a SAR, or any information that 
would reveal the existence of a SAR, must not be disclosed, even under 
this guidance, if the depository institution has reason to believe it 
may be disclosed to any person involved in the suspicious activity that 
is the subject of the SAR.

    Dated: February 27, 2009.
James H. Freis, Jr.,
Director, Financial Crimes Enforcement Network.
 [FR Doc. E9-4693 Filed 3-6-09; 8:45 am]