FinCEN Releases Cyber-Event Advisory and FAQ

The Financial Crimes Enforcement Network (FinCEN) released Advisory FIN-2016-A005 and an accompanying FAQ regarding the reporting of cyber-events, cyber-enabled crime, and cyber-related information through Suspicious Activity Reports (SARs).

According to the Advisory, the size, reach, speed, and accessibility of the U.S. financial system make financial institutions attractive targets to traditional criminals, cybercriminals, terrorists, and state actors. These actors target financial institutions’ websites, systems, and employees to steal customer and commercial credentials and proprietary information; defraud financial institutions and their customers; or disrupt business functions.

Financial institutions can play an important role in safeguarding customers and the financial system from these threats through timely and thorough reporting of cyber-events and cyber-related information in SARs.  FinCEN and law enforcement regularly use information financial institutions report under the BSA to initiate investigations, identify criminals, and disrupt and dismantle criminal networks.

The cyber-related information that financial institutions include in this reporting is a valuable source of investigatory leads. Law enforcement has been able to use cyber-related information reported— such as IP addresses with timestamps, cyber-event data, and virtual-wallet information—to track criminals, identify victims, and trace illicit funds.

The Advisory does not change existing BSA requirement, but does provide an explanation of how BSA regulations and requirements apply to cyber-events, cyber-enabled crime, and cyber-related information.  In addition, the Advisory provides examples of both mandatory and voluntary reporting of cyber-events and what cyber-related information to include in the SARs.

Compliance Question of the Week

Is the credit union required to send a monthly statement is no share drafts have cleared an account and no EFT transactions have occured during the monthly cycle?

No, a monthly statement would not be required in this situation. The Electronic Fund Transfer Act (EFTA) and Section 1005.9(b) of Regulation E require the credit union to deliver periodic statements for each monthly cycle in which an electronic fund transfer (EFT) has occurred, or at least quarterly if no transfer has occurred.

Share and share draft account disclosures are governed by the Truth in Savings Act (TISA), not the EFTA. TISA, as implemented by NCUA’s Part 707, does not require the credit union to deliver periodic statements at all. However, if the credit union does deliver periodic statements, the disclosures must also comply with TISA’s requirements (e.g., properly disclose annual percentage yield earned, amount of dividends, fees imposed, and length of the statement period).

So, if there is no EFT activity, quarterly statements will suffice, regardless of share draft activity. However, if the credit union usually delivers monthly statements on a regular basis, its members may expect to receive them regardless of transaction activity. So, member notification, as well as some reeducation, may be necessary.

Related Links:

12 CFR 1005.9

12 CFR 707

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA announced the meeting dates for its 2017 board meetings.

Federal Reserve Board (FRB)

The FRB released the October 2016 Senior Loan Officer Opinion Survey.

The FRB updated its Reserve Maintenance Manual.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC announced the release of its updated Uniform Interagency Consumer Compliance Rating System. The updated rating system will be used by regulatory agencies for examinations occurring on or after March 31, 2017.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of November 10, 2016. The last update prior to this was November 01, 2016.

Questions? Contact the Compliance Hotline: 1.800.546.4465,

Posted in Compliance News, Compliance News, Economy, Federal, NWCUA.