Financial Crimes Enforcement Network; Confidentiality of Suspicious Activity Reports, 75593-75607 [2010-29869]

Download as PDF Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations 2. Section 563.180 is amended by revising paragraphs (d)(2)(iii) and (d)(3) introductory text, adding a new sentence to the end of paragraph (d)(8), and revising paragraph (d)(12) to read as follows: ■ § 563.180 Suspicious Activity Reports and other reports and statements. emcdonald on DSK2BSOYB1PROD with RULES2 * * * * * (d) * * * (2) * * * (iii) SAR means a Suspicious Activity Report. (3) SARs required. A savings association or service corporation shall file a SAR with the appropriate Federal law enforcement agencies and the Department of the Treasury on the form prescribed by the OTS and in accordance with the form’s instructions, by sending a completed SAR to FinCEN in the following circumstances: * * * * * (8) Retention of records. * * * A savings association or service corporation shall make all supporting documentation available to OTS, FinCEN, or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the savings association or service corporation for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the savings association or service corporation to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the institution complies with the Bank Secrecy Act, upon request. * * * * * (12) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential, and shall not be disclosed except as authorized in this paragraph (d)(12). (i) Prohibition on disclosure by savings associations or service corporations. (A) General rule. No savings association or service corporation, and no director, officer, employee, or agent of a savings association or service corporation, shall disclose a SAR or any information that would reveal the existence of a SAR. Any savings association or service corporation, and any director, officer, employee, or agent of any savings association or service corporation that is subpoenaed or otherwise requested to disclose a SAR, or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify the following of any such request and the response thereto: VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 (A) Deputy Chief Counsel, Litigation Division, Office of Thrift Supervision; and (B) The Financial Crimes Enforcement Network (FinCEN). (ii) Rules of construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, paragraph (d)(1) of this section shall not be construed as prohibiting: (A) The disclosure by a savings association or service corporation, or any director, officer, employee or agent of a savings association or service corporation of: (1) A SAR, or any information that would reveal the existence of a SAR, to FinCEN or OTS, or any Federal, State, or local law enforcement agency; or any Federal regulatory authority that examines the savings association or service corporation for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires compliance with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the institution complies with the Bank Secrecy Act; or (2) The underlying facts, transactions, and documents upon which a SAR is based, including, but not limited to, disclosures: (i) To another financial institution, or any director, officer, employee or agent of a financial institution, for the preparation of a joint SAR; or (ii) In connection with certain employment references or termination notices, to the full extent authorized in 31 U.S.C. 5318(g)(2)(B); or (B) The sharing by a savings association or service corporation, or any director, officer, employee, or agent of a savings association or service corporation, of a SAR, or any information that would reveal the existence of a SAR, within the corporate organizational structure of the savings association or service corporation, for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance. (iii) Prohibition on disclosure by OTS. The OTS will not, and no officer, employee or agent of OTS, shall disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, ‘‘official duties’’ shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for use in a private legal proceeding or in response to a request PO 00000 Frm 00021 Fmt 4701 Sfmt 4700 75593 for disclosure of non-public information under 12 CFR 510.5. (iv) Limitation on liability. A savings association or service corporation and any director, officer, employee or agent of a savings association or service corporation that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). * * * * * Dated: June 1, 2010. By the Office of Thrift Supervision. John E. Bowman, Acting Director. [FR Doc. 2010–29877 Filed 12–2–10; 8:45 am] BILLING CODE 6720–01–P DEPARTMENT OF THE TREASURY 31 CFR Part 103 RIN 1506–AA99 Financial Crimes Enforcement Network; Confidentiality of Suspicious Activity Reports The Financial Crimes Enforcement Network (‘‘FinCEN’’), Treasury. ACTION: Final rule. AGENCY: FinCEN is issuing this final rule to amend the Bank Secrecy Act (‘‘BSA’’) regulations regarding the confidentiality of a report of suspicious activity (‘‘SAR’’) to: Clarify the scope of the statutory prohibition against the disclosure by a financial institution of a SAR; address the statutory prohibition against the disclosure by the government of a SAR; clarify that the exclusive standard applicable to the disclosure of a SAR by the government is to fulfill official duties consistent with the purposes of the BSA; modify the safe harbor provision to include changes made by the Uniting and Strengthening America by Providing the Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (‘‘USA PATRIOT Act’’); and make minor technical revisions for consistency and harmonization among the different SAR rules. These amendments are part of the Department of the Treasury’s continuing effort to increase the efficiency and effectiveness of its anti-money laundering and counter-terrorist SUMMARY: E:\FR\FM\03DER2.SGM 03DER2 75594 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations financing policies. These amendments are consistent with similar proposals to be issued by some of the Federal bank regulatory agencies in conjunction with FinCEN.1 DATES: Effective Date: January 3, 2011. FOR FURTHER INFORMATION CONTACT: The FinCEN regulatory helpline at (800) 949–2732. SUPPLEMENTARY INFORMATION: I. Background emcdonald on DSK2BSOYB1PROD with RULES2 The BSA requires financial institutions to keep certain records and make certain reports that have been determined to be useful in criminal, tax, or regulatory investigations or proceedings, and for intelligence or counter-intelligence activities to protect against international terrorism. In particular, the BSA and its implementing regulations require financial institutions in certain industries 2 to file a SAR when they detect a known or suspected violation of Federal law or regulation, or a suspicious activity related to money laundering, terrorist financing, or other criminal activity.3 SARs generally are unproven reports of possible violations of law or regulation, or of suspicious activities, that are used for law enforcement or regulatory purposes. The BSA provides that a financial institution and its officers, directors, employees, and agents are prohibited from notifying any person involved in a suspicious transaction that the transaction was reported.4 FinCEN implemented this provision in its SAR regulations for each industry through an explicit prohibition that closely mirrored the enacting statutory language. Specifically, we 1 The Federal bank regulatory agencies have parallel SAR requirements for their supervised entities: See 12 CFR 208.62, 12 CFR 211.24(f), and 12 CFR 225.4(f) (the Board of Governors of the Federal Reserve System) (‘‘Fed’’)); 12 CFR 353.3 (the Federal Deposit Insurance Corporation (‘‘FDIC’’)); 12 CFR 748.1 (the National Credit Union Administration (‘‘NCUA’’)); 12 CFR 21.11 (the Office of the Comptroller of Currency (‘‘OCC’’)) and 12 CFR 563.180 (the Office of Thrift Supervision (‘‘OTS’’)). 2 FinCEN has implemented regulations for suspicious activity reporting at 31 CFR 103.15 (for mutual funds); 31 CFR 103.16 (for insurance companies); 31 CFR 103.17 (for futures commission merchants and introducing brokers in commodities); 31 CFR 103.18 (for banks); 31 CFR 103.19 (for broker-dealers in securities); 31 CFR 103.20 (for money services businesses); 31 CFR 103.21 (for casinos). 3 The Annunzio-Wylie Anti-Money Laundering Act of 1992 (the Annunzio-Wylie Act), amended the BSA and authorized the Secretary of the Treasury to require financial institutions to report suspicious transactions relevant to a possible violation of law or regulation. See Public Law 102–550, Title XV, 1517(b), 106 Stat. 4055, 4058–9 (1992); 31 U.S.C. 5318(g)(1). 4 See 31 U.S.C. 5318(g)(2). VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 clarified that disclosure could not be made to the person involved in the transaction, but that the SAR could be provided to FinCEN, law enforcement, and the financial institution’s supervisory or examining authority. In certain SAR rules, we have expressly provided for the possibility of institutions jointly filing a SAR regarding suspicious activity that occurred at multiple institutions.5 The USA PATRIOT Act strengthened the confidentiality of SARs by adding to the BSA a new provision that prohibits officers or employees of the Federal government or any State, local, Tribal, or territorial government within the United States with knowledge of a SAR from disclosing to any person involved in a suspicious transaction that the transaction was reported, other than as necessary to fulfill the official duties of such officer or employee.6 To encourage the reporting of possible violations of law or regulation, and the filing of SARs, the BSA contains a safe harbor provision that shields financial institutions making such reports from civil liability in connection with the report. In 2001, the USA PATRIOT Act clarified that the safe harbor also covers voluntary disclosure of possible violations of law and regulations to a government agency and expanded the scope of the limit on liability to cover any civil liability that may exist ‘‘under any contract or other legally enforceable agreement (including any arbitration agreement).’’ 7 II. The Notice of Proposed Rulemaking and Related Actions On March 9, 2009, FinCEN published in the Federal Register a notice of proposed rulemaking (‘‘the proposed rule’’) and two separate notices and requests for comment on proposed guidance (‘‘the proposed guidance’’) (collectively, ‘‘the notices’’). In the proposed rule, FinCEN proposed amendments to each of FinCEN’s SAR rules to include key changes that would (1) clarify the scope of the statutory 5 Bank Secrecy Act regulations expressly permitting the filing of a joint SAR when multiple financial transactions are involved in a common transaction or series of transactions involving suspicious activity can be found at 31 CFR 103.15(a)(3) (for mutual funds); 31 CFR 103.16(b)(3)(ii) (for insurance companies); 31 CFR 103.17(a)(3) (for futures commission merchants and introducing brokers in commodities); 31 CFR 103.19(a)(3) (for broker-dealers in securities); and 31 CFR 103.20(a)(4) (for money services businesses). 6 See USA PATRIOT Act, section 351(b). Public Law 107–56, Title III, § 351, 115 Stat. 272, 321(2001); 31 U.S.C. 5318(g)(2). 7 See USA PATRIOT Act, section 351(a). Public Law 107–56, Title III, § 351, 115 Stat. 272, 321(2001); 31 U.S.C. 5318(g)(3). PO 00000 Frm 00022 Fmt 4701 Sfmt 4700 prohibition against the disclosure by a financial institution of a SAR; (2) address the statutory prohibition against the disclosure by the government of a SAR; (3) clarify that the exclusive standard applicable to the disclosure of a SAR, or any information that would reveal the existence of a SAR by the government is ‘‘to fulfill official duties consistent with Title II of the BSA,’’ in order to ensure that SAR information is protected from inappropriate disclosures unrelated to the BSA purposes for which SARs are filed; (4) modify the safe harbor provision to include changes made by the USA PATRIOT Act; and (5) where possible, harmonize minor technical differences that exist among the confidentiality, safe harbor, and compliance provisions of our rulemakings for different industries. The proposed guidance interpreted one of the provisions of the proposed rules relating to (1) above, to clarify that SARs could be shared, subject to certain qualifications, within an institution’s corporate organizational structure. In separate but contemporaneous rulemakings, some of the Federal bank regulatory agencies proposed amending their SAR rules to incorporate comparable provisions to FinCEN’s proposed rules, and amending their information disclosure regulations 8 to clarify that the exclusive standard governing the release of a SAR, or any information that would reveal the existence of a SAR, is set forth in the confidentiality provisions of their respective SAR rules. The notices and related Federal bank regulatory agency actions were published together in their own separate part of the Federal Register to encourage commenters to take into account all relevant provisions. III. Comments on the Notices— Overview and General Issues The comment period for the notices ended on June 8, 2009. We received a total of 26 submissions from 25 distinct entities.9 Of these, 15 were submitted by trade groups or associations, four were submitted by individual financial 8 Generally, these regulations are known as ‘‘Touhy regulations,’’ after the Supreme Court’s decision in United States ex rel. Touhy v. Ragen, 340 U.S. 462 (1951). In that case, the Supreme Court held that an agency employee could not be held in contempt for refusing to disclose agency records or information when following the instructions of his or her supervisor regarding the disclosure. As such, an agency’s Touhy regulations are the instructions agency employees must follow when those employees receive requests or demands to testify or otherwise disclose agency records or information. 9 All comments to the notices are available for public viewing at http://www.regulations.gov or http://www.fincen.gov/statutes_regs/bsa/regs_ proposal_comment.html. E:\FR\FM\03DER2.SGM 03DER2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations institutions, three were submitted by Federal, Tribal, or foreign government agencies, three were submitted by consultants or attorneys not affiliated with a specific financial institution, and one was submitted by a self-regulatory organization (‘‘SRO’’). The comments generally supported the proposed rules while requesting the broadening of the proposed sharing guidance.10 Several of the comments specific to the proposed rules provided suggestions for additionally strengthening or clarifying the general confidentiality provision, as well as the specific confidentiality provisions for institutions, governments, and SROs. Due to the broad and varied topics raised during comment, the majority of comments are addressed in the section-by-section analysis, below. IV. Section-by-Section Analysis emcdonald on DSK2BSOYB1PROD with RULES2 A. Confidentiality of SARs FinCEN proposed clarifying the general introduction to the confidentiality provision in each of its SAR rules to read, ‘‘A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as authorized in this paragraph.’’ FinCEN proposed this change to be more comprehensive than the previous language that, on face value, was limited only to the person involved in the transaction and applied only with respect to the SAR form itself. The phrase ‘‘SAR[s] are confidential’’ also was consistent with the existing Federal bank regulatory agency SAR rules, while the application of confidentiality to ‘‘a SAR, and information that would reveal the existence of a SAR’’ (‘‘SAR information’’) was consistent with both FinCEN and case law interpretations 11 of the previous non-disclosure provision. In the final rule, FinCEN is adopting this language as proposed, without change. Some commenters asked that FinCEN clarify the term ‘‘information that would reveal the existence of a SAR’’ for the purpose of defining the scope of SAR confidentiality. One commenter specifically asked whether that term only includes information that affirmatively states that a SAR was filed. Another commenter urged that FinCEN formally recognize that documents prepared by a financial institution when 10 Comments about the sharing guidance are addressed separately in a related ‘‘notice of availability of guidance’’ published by FinCEN in today’s Federal Register. 11 See, e.g., Whitney Nat’l Bank v. Karam, 306 F. Supp. 2d 678, 682 (S.D. Tex. 2004); Cotton v. Private Bank and Trust Co., 235 F. Supp. 2d 809, 815 (N.D. Ill. 2002). VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 complying with its SAR obligations should be afforded confidentiality. Clearly, any document or other information that affirmatively states that a SAR has been filed constitutes information that would reveal the existence of a SAR and should be kept confidential. By extension, an institution also should afford confidentiality to any document stating that a SAR has not been filed. Were FinCEN to allow disclosure of information when a SAR is not filed, institutions would implicitly reveal the existence of a SAR any time they were unable to produce records because a SAR was filed.12 The more difficult situation is when a document or other information is silent as to whether a SAR has or has not been filed. Documents that may identify suspicious activity but that do not reveal whether a SAR exists (e.g., a document memorializing a customer transaction, such as an account statement indicating a cash deposit or a record of a funds transfer), should be treated as falling within the underlying facts, transactions, and documents upon which a SAR may be based, and should not be afforded confidentiality.13 This distinction is set forth in the final rule’s second rule of construction and reflects relevant case law.14 However, the strong public policy that underlies the SAR system as a whole— namely, the creation of an environment that encourages financial institutions to report suspicious activity without fear 12 For example, a private litigant may serve a discovery request on a bank in civil litigation that calls for the bank to produce the underlying documentation on companies A, B, and C, where the bank has filed a SAR on company A but not companies B or C, and the underlying documentation reflects the SAR filing decisions. If the bank then produces the underlying documentation for companies B and C, but neither confirms nor denies the existence of a SAR when declining to provide similar documentation for company A, by negative implication it may have revealed the existence of the SAR filed on company A. 13 As one commenter correctly suggested, information produced in the ordinary course of business may contain sufficient information that a reasonable and prudent person familiar with SAR filing requirements could use to conclude that an institution likely filed a SAR (e.g., a copy of a fraudulent check, or a cash transaction log showing a clear pattern of structured deposits). Such information, alone, does not constitute information that would reveal the existence of a SAR. 14 See, e.g., Whitney Nat. Bank v. Karam, 306 F. Supp. 2d 678, 682 (S.D. Tex. 2004) (noting that courts have ‘‘allowed the production of supporting documentation that was generated or received in the ordinary course of the banks’ business, on which the report of suspicious activity was based’’); Cotton v. Private Bank and Trust Co., 235 F. Supp. 2d 809, 815 (N.D. Ill. 2002) (holding that the ‘‘factual documents which give rise to suspicious conduct * * * are to be produced in the ordinary course of discovery because they are business records made in the ordinary course of business’’). PO 00000 Frm 00023 Fmt 4701 Sfmt 4700 75595 of reprisal—leans heavily in favor of applying SAR confidentiality not only to a SAR itself, but also in appropriate circumstances to material prepared by the financial institution as part of its process to detect and report suspicious activity, regardless of whether a SAR ultimately was filed or not. This interpretation also reflects relevant case law.15 As explained in more detail in the proposed rule, the primary purpose for clarifying the scope of the confidentiality provision is to ensure that, due to potentially serious consequences, the persons involved in the transaction and identified in the SAR cannot be notified, directly or indirectly, of the report. Accordingly, FinCEN proposed replacing the previous rule text prohibiting disclosure of the SAR to the person involved in the transaction with a broad general confidentiality provision for all SAR information applicable to all persons not authorized in the rules of construction to receive such information. With respect to ‘‘information that would reveal the existence of a SAR,’’ therefore, institutions should distinguish between certain types of statistical or abstract information or general discussions of suspicious activity that may indicate that an institution has filed SARs,16 and information that would reveal the existence of a SAR in a manner that could enable the person involved in the 15 See, e.g., Whitney at 682–83 (holding that the SAR confidentiality provision protects, inter alia, ‘‘communications preceding the filing of a SAR and preparatory or preliminary to it; communications that follow the filing of a SAR and are explanations or follow-up discussion; or oral communications or suspected or possible violations that did not culminate in the filing of a SAR’’); Cotton at 815 (holding that ‘‘documents representing the drafts of SARs or other work product or privileged communications that relate to the SAR itself * * * are not to be produced [in discovery] because they would disclose whether a SAR has been prepared or filed’’); Union Bank of California, N.A. v. Superior Court, 130 Cal. App. 4th 378, 391 (2005) (holding that ‘‘a draft SAR or internal memorandum prepared as part of a financial institution’s process for complying with Federal reporting requirements is generated for the specific purpose of fulfilling the institution’s reporting obligation * * * [and] fall within the scope of SAR [confidentiality] because they may reveal the contents of a SAR and disclose whether ‘a SAR has been prepared or filed’ ’’). 16 One example of such information could include summary information commonly provided by banks in the ‘‘notification to the board’’ required by the various Federal bank regulatory agency SAR rules. Banks subject to the requirement are encouraged to be cautious in the production of relevant portions of board minutes or other records to avoid the risk of potentially exposing SAR information to the subject, either directly or indirectly, in the event such records are subject to future subpoena. E:\FR\FM\03DER2.SGM 03DER2 75596 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations emcdonald on DSK2BSOYB1PROD with RULES2 transaction potentially to be notified, whether directly or indirectly. FinCEN also proposed modifying this introductory section to clarify that ‘‘for purposes of [the confidentiality provision] only, a SAR shall include any suspicious activity report filed with FinCEN pursuant to any regulation in this part’’ and eliminating references in the confidentiality provisions of certain rules to specific versions of the SAR form like the SAR–SF (for use by the securities and futures industries) or SAR–MSB (for use by money services businesses). This change clarified that the confidentiality provisions of our SAR rules apply with respect to any type of SAR in the filing institution’s possession, which, since it may result from the joint filing or sharing of a SAR with another type of financial institution in accordance with the provisions of these proposed rules, could include a type of SAR form not used by the institution. This provision is also being adopted as proposed, without change. B. Disclosure by Financial Institutions The proposed rule provided that any financial institution, or any director, officer, employee, or agent of a financial institution, that is subpoenaed or otherwise requested to disclose a SAR, or information that would reveal the existence of a SAR, must decline to provide the information, citing this section of the rules and 31 U.S.C. 5318(g)(2)(A)(i), and must provide notification of the request and its response thereto to FinCEN and, in the rules for those industries with parallel SAR requirements administered by a primary Federal functional regulator,17 notification to that regulator as well. One commenter suggested that FinCEN adjust the SAR rule for banks to remove the ‘‘duplicative’’ requirement for a bank to notify both FinCEN and its primary Federal functional regulator when SAR information is inappropriately requested. FinCEN disagrees with the characterization of the requirement as ‘‘duplicative’’ since the entities in question have separate SAR rules issued and administered by separate agencies. The joint notification requirement in FinCEN’s rule, therefore, simply acknowledges the notification requirement of multiple SAR regulations issued under multiple authorities. 17 Primary Federal functional regulator, for purposes of this final rule, means the Federal bank regulatory agencies, the Securities and Exchange Commission (‘‘SEC’’), and the Commodity Futures Trading Commission (‘‘CFTC’’). Only the Federal bank regulatory agencies administer parallel SAR requirements. VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 Because FinCEN’s jurisdiction is limited to the Title 31 SAR rules, however, FinCEN is removing the requirement from its bank SAR rule that an institution notify its primary Federal regulator in addition to notifying FinCEN in the event of an inappropriate request for SAR information. While this will create greater consistency within FinCEN’s SAR rules for multiple industries and between FinCEN’s rules and most of the primary Federal regulator bank SAR rules with respect to the requirement to notify only the agency administering that rule, it does not relieve institutions from their requirement to comply with the provisions of similar but distinct rules administered by separate agencies. FinCEN will continue to explore the possibility of streamlining the process of notification under separate legal authorities.18 Another commenter asked FinCEN to establish procedures by which an institution, if it thought it would benefit the institution, could petition FinCEN to authorize the disclosure of SAR information for in camera review during a private legal proceeding. As discussed elsewhere in this rulemaking, the protection of the filing institution is not the only reason for the SAR confidentiality provision. Further, FinCEN believes that in most legal proceedings, a filing institution that would benefit from the disclosure of a SAR would benefit comparably with evidence from underlying facts, transactions, and documents. Consequently, FinCEN does not intend to establish procedures for submitting such a request in this rulemaking. C. Rules of Construction FinCEN proposed rules of construction that clarify the scope of the SAR disclosure prohibition and implement statutory modifications to the BSA made by the USA PATRIOT Act. The proposed rules of construction primarily describe situations that are not covered by the prohibition against the disclosure of SAR information. The introduction to these rules makes clear that the rules of construction are each qualified by and subordinate to the statutory mandate that no person involved in any reported suspicious transaction can be notified that the transaction has been reported. This introductory sentence is being adopted as proposed, without change, in the final rule. 18 In the interim, upon notification by a financial institution, FinCEN will ensure that an institution’s primary Federal regulator has been notified of such a request and the institution’s response thereto. PO 00000 Frm 00024 Fmt 4701 Sfmt 4700 1. The First Rule of Construction The first proposed rule of construction clarified the permissibility of disclosures to governmental authorities or other examining authorities that are otherwise entitled by law to receive SARs and to examine for or investigate suspicious activity. For most industries, the rule stated that a financial institution, or any director, officer, employee, or agent of a financial institution, may disclose a SAR, or information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency or any Federal or State regulatory authority that examines the financial institution for compliance with the BSA. a. State Regulatory Authorities FinCEN is adjusting the language slightly in the final rule to make a technical correction in the SAR rule text for some industries. While the original SAR rules provided for requests for disclosure from ‘‘appropriate law enforcement [and] supervisory agenc[ies],’’ the proposed rules sought to expand these terms by describing explicitly the types of entities that fit into those categories. Accordingly, some of the proposed rules used the phrase ‘‘* * * state regulatory authority that examines [the institution] for compliance with the BSA.’’ FinCEN believes that commenters clearly understood and consented to the intent of this language, but will use the more technically accurate phrase ‘‘* * * state regulatory authority administering a state law that requires [the institution] to comply with the BSA or otherwise authorizes the state authority to ensure that the institution complies with the BSA’’ in the final rule. This change recognizes that State regulatory authorities are generally authorized by State law to examine for compliance with the BSA in one of two ways: (1) The law authorizes the State authority to examine the institution for compliance with all Federal laws and regulations generally or with the BSA explicitly, or (2) the law requires a financial institution to comply with all Federal laws and regulations generally or with the BSA explicitly, and authorizes the State authority to examine for compliance with the State law. An institution may provide SAR information to a State regulatory authority meeting either criterion. Commenters pointed out that some, but not all of the rules, provided for a financial institution to disclose SAR information to these State regulatory authorities. While one of FinCEN’s goals E:\FR\FM\03DER2.SGM 03DER2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations for the final rule is to create consistency between the various industry SAR rules where appropriate, FinCEN intentionally omitted State regulatory agencies from this rule of construction for the securities and futures industries. FinCEN has not delegated, and Congress has not authorized, State regulation for compliance with the BSA to these industries. Accordingly, the provision regarding disclosures to State regulatory authorities has been incorporated into the final rule for all industries other than securities broker-dealers, futures commission merchants, introducing brokers in commodities, and mutual funds. For each of those industries excluded from the aforementioned ‘‘state regulatory’’ provision, FinCEN also has made a comporting change in the final rule to the paragraph entitled ‘‘Retention of Records.’’ With respect to an institution’s obligation to provide the supporting documentation to a SAR only to appropriate parties upon request, the final rule text includes Federal regulatory agencies, but not State regulatory agencies. emcdonald on DSK2BSOYB1PROD with RULES2 b. Tribal Regulatory Authorities FinCEN received a similar comment regarding Tribal casinos that may be regulated by a Tribal regulatory authority. As with State agencies, FinCEN believes disclosures to such authorities should be limited only to an entity with authority to examine for compliance with laws requiring compliance with the BSA. Accordingly, FinCEN is incorporating a technical change similar to that described for State regulatory authorities, above, to more accurately describe the methods by which Tribal regulatory authorities obtain jurisdiction to examine for BSA compliance. The first rule of construction in the final rule for casinos now reads, ‘‘* * * or any tribal regulatory authority administering a tribal law that requires the casino to comply with the BSA or otherwise authorizes the tribal regulatory authority to ensure that the casino complies with tribal law.’’ c. Self-Regulatory Organizations For the proposed rules governing securities broker-dealers, futures commission merchants, and introducing brokers in commodities, an institution’s ability to disclose under the first rule of construction also was extended to a selfregulatory organization that is examining the institution for compliance with the requirements ‘‘of this section,’’ a phrase FinCEN interpreted in the preamble as meaning the SAR rules. FinCEN received VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 multiple and conflicting comments on this provision. Commenters correctly noted that this language differs from the standard used for Federal and State regulatory authorities. One comment received from a government agency supported this different standard, stating that while Congress directed FinCEN to make SARs available to certain SROs in Section 358(c) of the USA PATRIOT Act (amending 31 U.S.C. 5319), Congress’s simultaneous expansion in Section 358(a) of the ‘‘declaration of purpose’’ for the data collected under the BSA in Chapter 53 of Title 31 of the U.S.C. did not include self-regulatory purposes. Another comment from an SRO argued, however, that limiting SRO access to SAR information only in conjunction with an examination for BSA compliance was inconsistent with the aims of the BSA. The language in the proposed rule limiting SRO use of SARs was consistent with the uses originally described in the previous SAR rules.19 As such, the proposed rule did not propose restricting, but rather declined to expand, the existing SRO authority to use SARs. In the final rule, however, FinCEN is emphasizing the important role of BSA data in the support of supervisory functions to promote the integrity of financial markets and mitigate risks of financial crime. Accordingly, the final rule text regarding SROs more closely models the language used for government regulatory authorities. At the same time, the final rule recognizes the relationship of SROs and the Federal agencies responsible for their oversight, upon whom FinCEN relies for the purpose of helping to ensure that the SROs are operating in a manner consistent with FinCEN’s mission. SROs are not governmental entities, but do play a significant role in regulating segments of the financial industry under the close supervision and regulatory oversight by specific Federal agencies. The SEC regulates the Financial Industry Regulatory Authority (‘‘FINRA’’) and other SROs, while the CFTC regulates the National Futures Association (‘‘NFA’’) and a number of other SROs. FinCEN relies on the close supervision by the Federal functional regulators of those industries also subject to SRO oversight to assist FinCEN in ensuring that SROs appropriately use and handle BSA 19 For example, prior to this final rule, the existing SAR rule for securities broker-dealers at 31 CFR 103.19(g) stated that ‘‘[r]eports filed under this section shall be made available to an SRO registered with the [SEC] examining a broker-dealer for compliance with the requirements of this section.’’ PO 00000 Frm 00025 Fmt 4701 Sfmt 4700 75597 information. As these agencies are in a position to understand the needs of the SROs for BSA information and are also in a position to monitor the SROs’ interaction with the entities subject to both the regulators’ and the SROs’ purview, FinCEN has determined that SROs should obtain SARs and supporting documentation from the entities that they examine in a manner and for purposes that the Federal agency responsible for its oversight deems appropriate. Thus, the final rule makes it clear that a financial institution examined by an SRO can provide SAR information to the SRO, upon the request of the Federal agency responsible for its oversight. This request may apply to the SRO in an isolated context or in a broad context to cover a variety of situations and understood uses, as determined appropriate by that agency. FinCEN expects the Federal agency responsible for the SRO’s oversight to provide this request either to the institution in writing, or to the SRO in the form of a writing that is available for the SRO to share with the institution. Given the fact that many institutions may come under the jurisdiction of more than one regulator and more than one SRO, a record of the relevant Federal regulator’s request is important to avoid confusion. In keeping with its cooperative relationships with the relevant Federal regulators, FinCEN will monitor the regulators’ requests for SAR information and communicate with the regulators with respect to any concerns that either FinCEN or the regulators identify with respect to the use and protection of SARs by an SRO. In light of the above considerations, the final rule for those industries with SROs now reads to allow disclosure to ‘‘* * * any SRO that examines [the institution] for compliance with the requirements of this section, upon the request of [the Federal agency responsible for its oversight].’’ d. Civil Enforcement Authorities One commenter also argued that the SEC and CFTC, in their capacity of civil enforcement of laws applicable to all persons (including institutions they do not examine for compliance with the BSA), should have the authority to request SAR information (specifically, supporting documentation) from all financial institutions in the same manner as law enforcement agencies. FinCEN is not amending the first rule of construction to allow this for two reasons. First, limiting the ability of the SEC or the CFTC to obtain information that would reveal that a SAR has been filed only from the types of institutions E:\FR\FM\03DER2.SGM 03DER2 75598 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations emcdonald on DSK2BSOYB1PROD with RULES2 they examine for compliance with the BSA is consistent with the treatment under the final rule of all other Federal regulatory authorities, many of which also possess civil enforcement authorities. Second, although FinCEN recognizes the civil enforcement authority of the SEC and CFTC, FinCEN believes both agencies have been adequately empowered with requisite subpoena powers to obtain relevant data from financial institutions they do not examine for BSA compliance. That data includes the underlying facts, transactions, and documents upon which a SAR is based, pursuant to the second rule of construction. For example, if a bank receives a subpoena from the SEC or the CFTC that does not refer to a SAR, but merely requests certain transactional documents, then it would be permissible for the bank to respond to the subpoena with relevant documents, so long as the disclosure of any such document would not reveal the existence of a SAR. FinCEN understands that there may be situations in which documentation revealing the existence of a SAR will be responsive to an SEC or CFTC subpoena. In such situations, a financial institution should contact FinCEN with any questions concerning its ability under the SAR rules to provide information in response to a subpoena. In situations where the SEC or CFTC deem a subpoena to be imprudent, FinCEN notes the ability of those agencies to make a request for supporting documentation through FinCEN or the primary Federal regulator for that institution. e. Other Requests for SAR Information One commenter brought to FinCEN’s attention examples of ‘‘dual filing requirements’’ imposed by State regulatory authorities that do not meet the criteria in the first rule of construction of administering a State law that requires the financial institution to comply with the BSA or otherwise authorizes the State authority to ensure that the institution complies with the BSA. According to the commenter, these State agencies request that copies of SARs filed with FinCEN be provided to the State authority.20 The confidentiality provision and first rule of construction, as finalized, explicitly prohibit an institution from complying with such a request. Institutions should provide SAR information to only those 20 Such ‘‘dual filing’’ requirements, regardless of whether the State authority examines for compliance with State laws requiring compliance with the BSA, are inherently inconsistent with 31 U.S.C. 5318(g)(4), which clearly intends that all SARs be filed to a single government agency designated by the Secretary of the Treasury. VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 entities specifically included in the rules of construction. In the event that a State agency that is not described in the rules of construction requires access to SAR information to exercise its authorities, that agency should seek access from FinCEN for such information. Institutions that are subject to such ‘‘dual filing requirements’’ from an unauthorized entity should contact FinCEN in accordance with the procedures of this rule. Finally, multiple commenters requested assistance from FinCEN in discerning whether a request for SAR information comes from an appropriate party. For example, one commenter suggested that FinCEN develop a ‘‘standard request form’’ for law enforcement to use when requesting SAR information. Due to the variety of authorities to whom a SAR may be disclosed, the variety of purposes for which they may require SAR information, and the greater clarity already provided in the first rule of construction, FinCEN believes such a request to be impractical and unnecessary. Another commenter suggested FinCEN issue standard verification procedures for an institution to follow to determine who is an ‘‘appropriate’’ authority. In both the proposed rules and final rules, FinCEN has removed the term ‘‘appropriate’’ from the list of entities that could receive SAR information. This change from the previous SAR rules indicates FinCEN’s intention to list explicitly in the first rule of construction all categories of authorities to whom an institution may provide SAR information without a subpoena. FinCEN believes this should greatly reduce the ambiguity surrounding requests. One commenter, however, requested confirmation that when an institution receives a request for disclosure of SAR information and contacts FinCEN and its regulator because of uncertainty regarding the requesting entity’s status as an authority authorized by the first rule of construction, that the SAR should continue to be kept confidential as prescribed by the regulation. FinCEN agrees, but urges institutions in such a situation to quickly contact FinCEN for resolution. 2. The Second Rule of Construction The second proposed rule of construction provided that the phrase, ‘‘a SAR or information that would reveal the existence of a SAR’’ does not include ‘‘the underlying facts, transactions, and documents upon which a SAR is based,’’ which therefore are not subject to the confidentiality provision. PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 This proposed rule of construction included illustrative examples of situations where the underlying facts, transactions, and documents upon which a SAR is based may be disclosed. One commenter suggested that FinCEN clarify that the illustrative examples are not exhaustive, and that there may be other situations not prescribed in the rule where an institution may disclose the underlying facts, transactions, and documents upon which a SAR is based. FinCEN did not intend for these examples to be exhaustive and does not believe the text, as proposed, implies that the examples are exhaustive. The preamble to the proposed rules, for example, expressly stated that ‘‘these two examples are not intended to be an exhaustive list of all possible scenarios in which the disclosure of underlying information is permissible’’ and included a discussion of disclosure of underlying information that was not explicitly listed in the rule text. It stated that ‘‘while a financial institution is prohibited from producing documents in discovery that evidence the existence of a SAR, factual documents created in the ordinary course of business (for example, business records and account information upon which a SAR is based), may be discoverable in civil litigation under the Federal Rules of Civil Procedure.21 For purposes of clarity, however, FinCEN is modifying the final rule language to read ‘‘* * * the underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures’’ expressly listed as illustrative examples in the rule. Accordingly, with respect to the SAR confidentiality provision only,22 institutions may disclose underlying facts, transactions, and documents for any purpose, provided that no person involved in the transaction is notified and none of the underlying information reveals the existence of a SAR. The first illustrative example in the proposed rules clarified that underlying information 23 may be disclosed to another financial institution, or any director, officer, employee, or agent of the financial institution, for the preparation of a joint SAR. This text is being adopted in the final rule, as 21 See Cotton, 235 F. Supp. 2d at 815. sentence does not speak to any other laws or regulations governing a financial institution’s responsibilities to maintain and protect information. 23 FinCEN reminds institutions that the underlying facts, transactions, and documents upon which a SAR is based may include or reference previously filed SARs or other information that would reveal the existence of a SAR. Such underlying information could not be disclosed under this rule of construction. 22 This E:\FR\FM\03DER2.SGM 03DER2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations emcdonald on DSK2BSOYB1PROD with RULES2 proposed, and clarifies the authority for all institutions with a SAR requirement to jointly file SARs with any other institution with a SAR requirement.24 The second illustrative example in the proposed rule was included only in the final SAR rules for depository institutions, securities broker-dealers, futures commission merchants, and introducing brokers in commodities, and provided that such underlying information may be disclosed in certain written employment references and termination notices as authorized by section 351 of the USA PATRIOT Act.25 One commenter suggested that this illustrative example should be placed in the SAR rules for all industries. The statutory authority for this provision, however, extends only to entities governed by either section 18(w) of the Federal Deposit Insurance Act or relevant rules of SROs registered with the SEC or the CFTC.26 One commenter asked FinCEN to allow the disclosure of SAR information to a party that has expressed interest in purchasing an institution. While FinCEN believes generally that such a disclosure is inconsistent with the purposes of the BSA, certain information, such as statistics or other underlying information that does not reveal the existence of a SAR, could be provided to such parties under the second rule of construction and could assist such purchasers with their due diligence obligations. Another commenter suggested that FinCEN include another illustrative example of the disclosure of underlying facts, transactions, and documents not prohibited by the confidentiality provision. Specifically, this commenter asked that we explicitly authorize such information to be disclosed within an institution’s corporate organizational 24 On December 21, 2006, FinCEN and the Federal bank regulatory agencies announced that the format for the SAR form for depository institutions had been revised to support a new joint filing initiative to reduce the number of duplicate SARs filed for a single suspicious transaction. ‘‘Suspicious Activity Report (SAR) Revised to Support Joint Filings and Reduce Duplicate SARs,’’ Joint Release issued by FinCEN, the FRB, the OCC, the OTS, the FDIC, and NCUA (Dec. 21, 2006). On February 17, 2006, FinCEN and the Federal bank regulatory agencies published a joint Federal Register notice seeking comment on proposed revisions to the SAR form. See 71 FR 8640. On April 26, 2007, FinCEN announced a delay in implementation of the revised SAR form until further notice. See 72 FR 23891. Until such time as a new SAR form is available that facilitates joint filing, institutions authorized to jointly file should follow FinCEN’s guidance to use the words ‘‘joint filing’’ in the narrative of the SAR and ensure that both institutions maintain a copy of the SAR and any supporting documentation (See, e.g., http://www.fincen.gov/statutes_regs/guidance/ html/guidance_faqs_sar_10042006.html). 25 31 U.S.C. 5318(g)(2)(B). 26 See, 31 U.S.C. 5318(g)(2(B). VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 structure for enterprise-wide risk management and the identification and reporting of suspicious activity. Provided that such information does not disclose a SAR or information that would reveal the existence of a SAR, FinCEN agrees that such disclosure of underlying information is not prohibited by the final rule or any previous SAR rules. Given the greater clarity provided by the phrase ‘‘including but not limited to’’ discussed previously, and the unnecessarily limited universe of entities to whom an institution could disclose underlying information suggested by the commenter,27 FinCEN is reluctant to introduce the complex and potentially limiting concept of ‘‘corporate organizational structure’’ within this intentionally broad rule of construction. 75599 with respect to both the parties permitted to share and the parties with whom SAR information could be shared. Most commenters provided a clear rationale for how expanded SAR sharing would benefit their institutions by increasing efficiency, cutting costs, and enhancing the detection and reporting of suspicious activity. Most commenters, however, failed to sufficiently address how they would mitigate effectively the risk of unauthorized disclosure of SAR information if the sharing authority was expanded to the extent requested. Multiple commenters requested the expansion of the SAR sharing authority to all industries that currently have a SAR requirement, not just to depository institutions and the securities and futures industries. However, these commenters failed to address the disparity in regulatory oversight between those industries with a primary Federal functional regulator (industries to whom the proposed rules granted the authority to share) and those without. Accordingly, FinCEN is taking a phased approach in the final rule to granting additional industries the ability to share within their corporate organizational structure. To allow for potential future expansion of the sharing guidance, we are including the third rule of construction in the final rule text for all industries. As discussed further in the notice of availability of guidance, however, we have not at this time included those industries without a primary Federal functional regulator in the guidance authorizing sharing with affiliates. This approach establishes the regulatory framework for those industries potentially to share SAR information within their corporate structure in the future, as prescribed by FinCEN in regulation or guidance, without necessarily requiring an amendment to the SAR confidentiality provision in each industry’s SAR rules.28 3. The Third Rule of Construction As proposed, the third rule of construction applied only to depository institutions, securities broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities, and made clear that the prohibition against the disclosure of SAR information did not preclude the sharing by any of those financial institutions, or any director, officer, employee, or agent of those institutions, of a SAR or information that would reveal the existence of the SAR within the institution’s corporate organizational structure, for purposes that are consistent with Title II of the BSA, as determined by regulation or in guidance. This proposed rule of construction recognized that these financial institutions may find it necessary to share SAR information to fulfill reporting obligations under the BSA, and to facilitate more effective enterprise-wide BSA monitoring, reporting, and general risk-management. The term ‘‘share’’ used in this rule of construction was an acknowledgement that sharing within a corporate organization for purposes consistent with Title II of the BSA is distinguishable from a prohibited disclosure. FinCEN received substantial comment about the issue of SAR sharing, much of which is addressed in the separate notice of availability of guidance published in today’s Federal Register. In general, the comments requested an expansion of the sharing authorities D. Disclosures by Government Authorities In the proposed rule, FinCEN included a regulatory prohibition in each industry’s SAR rule that created a prohibition against disclosure by all Federal, State, local, territorial, or Tribal government authorities, and any director, officer, employee, or agent of those authorities. The proposed rule 27 Disclosure of underlying facts, transactions, and documents for compliance purposes to an entity outside of an institution’s corporate organizational structure may be warranted and would not be prohibited, provided that a SAR or information that would reveal the existence of a SAR was not disclosed. 28 At this time, we are also not expanding the 2006 guidance on sharing with head offices and controlling companies to additional industries. The regulatory framework provided in the final rule, however, also would facilitate the potential expansion of this authority to those industries in the future. PO 00000 Frm 00027 Fmt 4701 Sfmt 4700 E:\FR\FM\03DER2.SGM 03DER2 75600 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations emcdonald on DSK2BSOYB1PROD with RULES2 tracked the statutory language 29 closely by clarifying that any officer or employee of the government may not disclose a SAR or information that would reveal the existence of the SAR, ‘‘except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act.’’ This standard would permit, for example, official disclosures responsive to a grand jury subpoena; a request from an appropriate Federal or State law enforcement or regulatory agency; a request from an appropriate Congressional committee or subcommittees; and prosecutorial disclosures mandated by statute or the Constitution, in connection with the statement of a government witness to be called at trial, the impeachment of a government witness, or as material exculpatory of a criminal defendant.30 This proposed interpretation of section 5318(g)(2)(A)(ii) would ensure that SAR information will not be disclosed for a reason that is unrelated to the purposes of the BSA. For example, this standard would not permit the disclosure of SAR information to the media. The proposed rules also specifically provide that ‘‘official duties consistent with Title II of the BSA’’ shall not include the disclosure of SAR information in response to a request for disclosure of non-public information 31 or a request for use in a private legal proceeding, including a request pursuant to 31 CFR 1.11. The BSA exists, in part, to protect the public’s interest in an effective reporting system that benefits the nation by helping to assure that the U.S. financial system will not be used for criminal activity or to support terrorism. FinCEN believes that this purpose would be undermined by the disclosure of SAR information to a private litigant for use in a civil lawsuit for the reasons described earlier, including the reason that such disclosures could negatively impact full and candid reporting by financial institutions. FinCEN is adopting the text, as proposed, while clarifying that the rule should not be read to preclude intergovernmental sharing of SAR information. For example, while a FinCEN employee would be precluded under this provision from disclosing SAR information if requested by the 29 See 31 U.S.C. 5318(g)(2)(A)(ii). e.g., Giglio v. United States, 405 U.S. 150, 153–54 (1972); Brady v. State of Maryland, 373 U.S. 83, 86–87 (1963); Jencks v. United States, 353 U.S. 657, 668 (1957). 31 For purposes of this rulemaking, ‘‘non-public information’’ refers to information that is exempt from disclosure under the Freedom of Information Act. 30 See, VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 press under the Freedom of Information Act, it would not necessarily be outside of the FinCEN employee’s official duties to provide that information to another government agency. E. Disclosures by Self-Regulatory Organizations In the proposed rules governing entities which may be examined for compliance with their SAR requirements by an SRO, FinCEN included a provision regarding disclosures by SROs that closely paralleled the provision regarding government disclosures. The language differed, however, to reflect the fact that self-regulatory organizations are not governmental entities. One commenter suggested that because SROs are not governmental entities but rather are subject to oversight by the SEC and CFTC, they cannot possess ‘‘official duties’’ in the same capacity as a government representative. Another comment submitted by an SRO requested that FinCEN expand, rather than limit, an SRO’s authority to use and disclose SARs for all self-regulatory purposes. While FinCEN agrees that SROs are not government agencies, FinCEN believes it is not necessary to define the extent to which SROs possess ‘‘official duties’’ under 31 U.S.C. 5318(g)(2)(A)(ii) at this time. Instead, FinCEN has modified the language of the final rule text to comport with language from the first rule of construction by stating that SROs ‘‘shall not disclose * * * except as necessary to fulfill self-regulatory duties upon the request of [the Federal agency responsible for its oversight], in a manner consistent with title II of the BSA.’’ For consistency, we also are removing ‘‘official duties’’ from the subsequent sentences in the final rule (regarding the appropriate SRO response to requests for use in a private legal proceeding or for disclosure of non-public information) and using the same replacement language. F. Limitation on Liability In Section 351 of the USA PATRIOT Act, Congress amended section 5318(g)(3) to clarify that the scope of the safe harbor provision also includes the voluntary disclosure of possible violations of law and regulations to a government agency, and to expand the scope of the limit on liability to include any liability which may exist ‘‘under any contract or other legally enforceable agreement (including any arbitration agreement).’’ FinCEN tracked more closely the statutory language in the proposed rules, particularly by stating PO 00000 Frm 00028 Fmt 4701 Sfmt 4700 that the safe harbor applies to ‘‘disclosures’’ (and not ‘‘reports’’ as in some previous rulemakings) made by institutions. Additionally, to comport with the authorization to jointly file SARs in the second rule of construction, FinCEN clarified that the safe harbor also applies to ‘‘a disclosure made jointly with another institution.’’ This concept exists currently in those SAR rules where joint filing had been explicitly referenced, but has been revised to track more closely the statutory language. It was also inserted for the sake of consistency into those SAR rules where it had been absent previously, clarifying that all parties to a joint filing, and not simply the party that provides the form to FinCEN, fall within the scope of the safe harbor. For consistency, FinCEN also separated the provision for confidentiality of reports and limitation of liability into two separate provisions in those rules for industries which previously contained both provisions under the single heading ‘‘confidentiality of reports; limitation of liability.’’ All comments received about the safe harbor provision encouraged making the provision as strong as possible. One commenter identified the statutory phrase, ‘‘to any person,’’ that was not included in the proposed rules, and which FinCEN believes would strengthen the safe harbor provided by the final rule. The commenter correctly pointed out that the statutory safe harbor provision protects persons from liability not only to the person involved in the transaction, but also to any other person. Accordingly the final rule is being amended to insert the phrase ‘‘shall be protected from liability to any person, for any such disclosure * * *’’ and is otherwise being adopted as proposed, without change. Another commenter requested that FinCEN expressly grant safe harbor to an institution that makes a determination not to file a SAR after investigating potentially suspicious activity. The statutory safe harbor provision, however, is clearly intended to protect persons involved in the filing of a voluntary or required SAR from civil liability only for filing the SAR and for refusing to provide notice of such filing. FinCEN cannot provide additional protection from liability for other actions. G. Compliance In the proposed rule, FinCEN streamlined the compliance provision by providing only that (1) FinCEN or its E:\FR\FM\03DER2.SGM 03DER2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations delegatees 32 may examine the institution for compliance with the SAR requirement; (2) that a failure to satisfy the requirements of the SAR rule may constitute a violation of the BSA or BSA regulations; and (3) for depository institutions with parallel Title 12 SAR requirements, that failure to comply with FinCEN’s SAR requirement may also constitute a violation of the parallel Title 12 rules. For consistency, the proposed rules also used only the heading ‘‘Compliance’’ for this provision in each of the SAR rules.33 In the absence of any comments objecting to any of the proposed changes to the Compliance provision, FinCEN is adopting them as proposed, without change, in the final rule. emcdonald on DSK2BSOYB1PROD with RULES2 H. Technical Corrections and Harmonization In addition to the changes described above in the Section-by-Section analysis, the final rule incorporates the proposed technical corrections to harmonize, where appropriate, each of FinCEN’s seven SAR rules with each other and with those being issued by some of the Federal bank regulatory agencies. FinCEN believes that such efforts will simplify compliance with SAR reporting requirements. In the final rule for each industry, FinCEN is making one such change that had not been proposed. FinCEN is amending the paragraph entitled ‘‘retention of records’’ so that the standard for the disclosure of a SAR’s supporting documentation to appropriate governmental authorities comports with the standard found in the first rule of construction. Because the supporting documentation is deemed to have been filed with the SAR but kept in custody by the financial institution, this change is necessary to ensure that all types of SAR information are subject to the same standard of confidentiality. This comporting change is consistent with the substance of the proposed rule text, as addressed through public comment. For the mutual fund SAR rule only, this comporting change results in striking language regarding supporting documentation for a SAR jointly filed with a broker-dealer in securities being made available by the mutual fund to the SRO of the broker-dealer. This change is consistent with FinCEN’s treatment elsewhere in the final rule of regulatory authorities’ ability to request 32 In the case of the SEC and the CFTC, that authority may be further delegated to SROs. 33 Identical section in separate SAR rules had been titled ‘‘Compliance’’ or ‘‘Examination and Enforcement’’ prior to the proposed rule. VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 SAR information from entities they do not regulate.34 V. Other Issues A. Requests for Guidance One commenter requested additional guidance from FinCEN regarding additional situations under which a SAR could be disclosed, but did not provide any examples of the ‘‘unclear and vague’’ issues that remained. It is FinCEN’s intent, and one of the underlying motivations for this rulemaking, that the rules of construction, as finalized, constitute clearly all of the circumstances under which an institution may disclose SAR information to, or share SAR information with, a third party. Additional commenters requested guidance regarding the appropriate use of SARs by agents of financial institutions. Examples of such agents suggested by one commenter included independent auditors or other contracted service providers (information technology, legal counsel, etc.). Another commenter requested similar clarification regarding the use of SAR information by transfer agents or other third party service providers in the context of mutual funds. FinCEN reiterates from the notices that nothing in the final rule or accompanying guidance supersedes any of FinCEN’s previous written guidance or the adopting release for the mutual fund SAR rule.35 FinCEN also recognizes, particularly in the context of the money services business (‘‘MSB’’) industry, potential concerns regarding confidentiality and the principal-agent relationship when both parties are subject to a SAR rule. Nothing in the final rule is intended to 34 See the earlier preamble discussion of ‘‘civil enforcement authorities’’ under the first rule of construction, including the ability of a regulator to obtain supporting documentation from FinCEN or the supervisor of an institution in cases where its own authorities are limited. 35 Specifically, we note that in both the mutual fund SAR rule adopting release (71 FR 26213) and the October 2006 guidance, (http://www.fincen.gov/ statutes_regs/guidance/pdf/guidance_faqs _sar_10042006.pdf), FinCEN acknowledged the role of transfer agents and other service providers and their access to SAR information in the context of the suspicious activity monitoring, detection, and reporting obligations of mutual funds. These service providers may be unaffiliated or affiliated with the mutual funds. The October 2006 guidance and adopting release clarified that a mutual fund may contractually delegate its SAR functions to such an agent, although the mutual fund remains responsible for assuring compliance with the rule, and therefore must monitor actively the performance of its reporting obligations. In those same documents, FinCEN acknowledged the role of an investment adviser that controls a mutual fund and its access to SAR information in the context of enterprise-wide risk management and compliance functions. PO 00000 Frm 00029 Fmt 4701 Sfmt 4700 75601 preclude the disclosure of SAR information within the United States between an agent-MSB and its principal-MSB.36 FinCEN is considering additional guidance on each of these matters. Until such guidance is issued, however, FinCEN reminds institutions of their ultimate responsibility to protect, through reasonable controls or agreements with such agents, the confidentiality of a SAR, or any information that would reveal the existence of a SAR, as prescribed in the final rule. B. Comments Outside the Scope of This Rulemaking FinCEN received multiple comments making suggestions relevant to, but outside the scope of, this final rule. One commenter, for example, requested that FinCEN grant greater electronic access of all BSA data to certain SROs. Similarly, one government agency requested an expansion of the universe of BSA data available to them electronically. Prior to the issuance of the proposed rules, FinCEN was considering each of these issues in a context other than within this rulemaking. FinCEN will continue such efforts apart from this rulemaking. Another commenter’s suggestion for FinCEN-issued guidance regarding what constitutes ‘‘supporting documentation’’ of a SAR also had been addressed outside this rulemaking.37 Finally, one commenter from a large trade organization stated that the organization interpreted the proposals to have authorized international outsourcing of compliance functions related to suspicious activity reporting. FinCEN was intentionally silent on the issue in the proposed rules, and has been studying the issue while considering additional future guidance with respect to outsourcing. Like the proposed rules, this final rulemaking takes no position on the matter. VI. Location in Chapter X As discussed in Federal Register Notice, 75 FR 65806, October 26, 2010, FinCEN will be removing Part 103 of 36 An agent and principal should only disclose SAR information with respect to transactions common to both parties. For example, an independent currency exchanger may not disclose suspicious activity regarding currency exchange to its principal MSB for money transmission, unless there is a nexus between the currency exchange and money transmission activity. Additionally, FinCEN has not authorized at this time the sharing of SAR information between multiple agents of the same principal MSB. 37 See Suspicious Activity Report Supporting Documentation. June 13, 2007. http:// www.fincen.gov/statutes_regs/guidance/html/ Supporting_Documentation_Guidance.html. E:\FR\FM\03DER2.SGM 03DER2 75602 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations Chapter I of Title 31, Code of Federal Regulations, and adding Parts 1000 to 1099 (Chapter X) effective March 1, 2011. Per that final rule, the changes in the present rule will be reorganized according to Chapter X within a separate technical amendment to Chapter X in advance of the March 1, 2011 effective date. The upcoming reorganization will have no substantive effect on the regulatory changes herein. The regulatory changes of this specific rulemaking would be renumbered according to Chapter X as follows: • § 103.15 would be moved to § 1024.320; • § 103.16 would be moved to § 1025.320; • § 103.17 would be moved to § 1026.320; • § 103.18 would be moved to § 1020.320; • § 103.19 would be moved to § 1023.320; • § 103.20 would be moved to § 1022.320; and • § 103.21 would be moved to § 1021.320. VII. Regulatory Matters A. Executive Order 12866 The final rule is a significant regulatory action for purposes of Executive Order 12866. emcdonald on DSK2BSOYB1PROD with RULES2 C. Regulatory Flexibility Act Pursuant to the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), FinCEN certifies that this final regulation will not have a significant economic impact on a substantial number of small entities. The regulatory changes in this rulemaking affect only the disclosure provisions of the current rules relating to the reporting of suspicious activity by financial institutions, and do not change any requirement to file or maintain a report. In the context of disclosure, the rulemaking clarifies, rather than adding to, existing regulatory provisions regarding the confidentiality of suspicious activity reports. FinCEN therefore expects little or no economic impact to result from the final rule. Accordingly, a regulatory flexibility analysis is not required. VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 List of Subjects in 31 CFR Part 103 Administrative practice and procedure, Authority delegations (government agencies), Crime, Currency, Investigations, Law enforcement, Reporting and recordkeeping requirements, Security measures. Authority and Issuance B. Paperwork Reduction Act Notices The final rule does not contain any ‘‘collections of information’’ as defined in the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR 1320, Appendix A.1). D. Unfunded Mandates Reform Act of 1995 Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (2 U.S.C. 1532) (Unfunded Mandates Act), requires that an agency prepare a budgetary impact statement before promulgating any rule likely to result in a Federal mandate that may result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector of $100 million or more in any one year. The current inflation-adjusted expenditure threshold is $133 million. If a budgetary impact statement is required, § 205 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. FinCEN has determined that the proposed rules will not result in expenditures by State, local, and Tribal governments, or by the private sector, of $133 million or more in any one year. Accordingly, this proposal is not subject to section 202 of the Unfunded Mandates Act. For the reasons set forth in the preamble, 31 CFR Part 103 is amended as follows: ■ PART 103—FINANCIAL RECORDKEEPING AND REPORTING OF CURRENCY AND FOREIGN TRANSACTIONS 1. The authority citation for part 103 continues to read as follows: ■ Authority: 12 U.S.C. 1829b and 1951–1959; 31 U.S.C. 5311–5314 and 5316–5332; title III, sec. 314 Pub. L. 107–56, 115 Stat. 307. 2. Section 103.15 is amended by: a. Revising the last sentence of paragraph (c); and ■ b. Revising paragraphs (d), (e), and (f), to read as follows: ■ ■ § 103.15 Reports by mutual funds of suspicious transactions. * * * * * (c) * * * The mutual fund shall make all supporting documentation available to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the mutual fund for compliance with the Bank Secrecy Act, upon request.. (d) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as authorized in this paragraph (d). For PO 00000 Frm 00030 Fmt 4701 Sfmt 4700 purposes of this paragraph (d) only, a SAR shall include any suspicious activity report filed with FinCEN pursuant to any regulation in this part. (1) Prohibition on disclosures by mutual funds. (i) General rule. No mutual fund, and no director, officer, employee, or agent of any mutual fund, shall disclose a SAR or any information that would reveal the existence of a SAR. Any mutual fund, and any director, officer, employee, or agent of any mutual fund that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the response thereto. (ii) Rules of construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (d)(1) shall not be construed as prohibiting: (A) The disclosure by a mutual fund, or any director, officer, employee, or agent of a mutual fund, of: (1) A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the mutual fund for compliance with the Bank Secrecy Act; or (2) The underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures to another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR; or (B) The sharing by a mutual fund, or any director, officer, employee, or agent of the mutual fund, of a SAR, or any information that would reveal the existence of a SAR, within the mutual fund’s corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance. (2) Prohibition on disclosures by government authorities. A Federal, State, local, territorial, or Tribal government authority, or any director, officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, ‘‘official duties’’ shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in E:\FR\FM\03DER2.SGM 03DER2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations response to a request for disclosure of non-public information or a request for use in a private legal proceeding, including a request pursuant to 31 CFR 1.11. (e) Limitation on liability. A mutual fund, and any director, officer, employee, or agent of any mutual fund, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). (f) Compliance. Mutual funds shall be examined by FinCEN or its delegatees for compliance with this section. Failure to satisfy the requirements of this section may be a violation of the Bank Secrecy Act and of this part. * * * * * ■ 3. Section 103.16 is amended by: ■ a. Revising the last sentence of paragraph (e); ■ b. Revising paragraph (f); ■ c. Redesignating paragraphs (g) through (i) as paragraphs (h) through (j); ■ d. Adding new paragraph (g); and ■ e. Revising newly designated paragraph (h), to read as follows: § 103.16 Reports by insurance companies of suspicious transactions. emcdonald on DSK2BSOYB1PROD with RULES2 * * * * * (e) * * * An insurance company shall make all supporting documentation available to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the insurance company for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the insurance company to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the institution complies with the Bank Secrecy Act, upon request. (f) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as authorized in this paragraph (f). For purposes of this paragraph (f) only, a SAR shall include any suspicious activity report filed with FinCEN pursuant to any regulation in this part. (1) Prohibition on disclosures by insurance companies. (i) General rule. No insurance company, and no director, officer, employee, or agent of any insurance company, shall disclose a VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 SAR or any information that would reveal the existence of a SAR. Any insurance company, and any director, officer, employee, or agent of any insurance company that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the response thereto. (ii) Rules of Construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (f)(1) shall not be construed as prohibiting: (A) The disclosure by an insurance company, or any director, officer, employee, or agent of an insurance company, of: (1) A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the insurance company for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the insurance company to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the institution complies with the Bank Secrecy Act; or (2) The underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures to another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR. (B) The sharing by an insurance company, or any director, officer, employee, or agent of the insurance company, of a SAR, or any information that would reveal the existence of a SAR, within the insurance company’s corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance. (2) Prohibition on disclosures by government authorities. A Federal, State, local, territorial, or Tribal government authority, or any director, officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, ‘‘official duties’’ shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in PO 00000 Frm 00031 Fmt 4701 Sfmt 4700 75603 response to a request for disclosure of non-public information or a request for use in a private legal proceeding, including a request pursuant to 31 CFR 1.11. (g) Limitation on liability. An insurance company, and any director, officer, employee, or agent of any insurance company, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). (h) Compliance. Insurance companies shall be examined by FinCEN or its delegatees for compliance with this section. Failure to satisfy the requirements of this section may be a violation of the Bank Secrecy Act and of this part. * * * * * ■ 4. Section 103.17 is amended by revising the last sentence in paragraph (d), and all of paragraphs (e), (f), and (g) to read as follows: § 103.17 Reports by futures commission merchants and introducing brokers in commodities of suspicious transactions. * * * * * (d) * * * An FCM or IB–C shall make all supporting documentation available to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the FCM or IB–C for compliance with the BSA, upon request; or to any registered futures association or registered entity (as defined in the Commodity Exchange Act, 7 U.S.C. 21 and 7 U.S.C. 1(a)(29)) (collectively, a self-regulatory organization (‘‘SRO’’)) that examines the FCM or IB–C for compliance with the requirements of this section, upon the request of the Commodity Futures Trading Commission. (e) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as authorized in this paragraph (e). For purposes of this paragraph (e) only, a SAR shall include any suspicious activity report filed with FinCEN pursuant to any regulation in this part. (1) Prohibition on disclosures by futures commission merchants and introducing brokers in commodities. (i) General rule. No FCM or IB–C, and no director, officer, employee, or agent of E:\FR\FM\03DER2.SGM 03DER2 emcdonald on DSK2BSOYB1PROD with RULES2 75604 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations any FCM or IB–C, shall disclose a SAR or any information that would reveal the existence of a SAR. Any FCM or IB–C, and any director, officer, employee, or agent of any FCM or IB–C that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the response thereto. (ii) Rules of Construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (e)(1) shall not be construed as prohibiting: (A) The disclosure by an FCM or IB– C, or any director, officer, employee, or agent of an FCM or IB–C, of: (1) A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the FCM or IB–C for compliance with the BSA; or to any SRO that examines the FCM or IB–C for compliance with the requirements of this section, upon the request of the Commodity Futures Trading Commission; or (2) The underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures: (i) To another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR; or (ii) In connection with certain employment references or termination notices, to the full extent authorized in 31 U.S.C. 5318(g)(2)(B); or (B) The sharing by an FCM or IB–C, or any director, officer, employee, or agent of the FCM or IB–C, of a SAR, or any information that would reveal the existence of a SAR, within the FCM’s or IB–C’s corporate organizational structure for purposes consistent with Title II of the BSA as determined by regulation or in guidance. (2) Prohibition on disclosures by government authorities. A Federal, State, local, territorial, or Tribal government authority, or any director, officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the BSA. For purposes of this section, ‘‘official duties’’ shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for disclosure of non-public VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 information or a request for use in a private legal proceeding, including a request pursuant to 31 CFR 1.11. (3) Prohibition on disclosures by SelfRegulatory Organizations. Any selfregulatory organization registered with or designated by the Commodity Futures Trading Commission, or any director, officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR except as necessary to fulfill self-regulatory duties upon the request of the Commodity Futures Trading Commission, in a manner consistent with Title II of the BSA. For purposes of this section, ‘‘selfregulatory duties’’ shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for disclosure of non-public information or a request for use in a private legal proceeding. (f) Limitation on liability. An FCM or IB–C, and any director, officer, employee, or agent of any FCM or IB– C, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). (g) Compliance. FCMs or IB–Cs shall be examined by FinCEN or its delegatees for compliance with this section. Failure to satisfy the requirements of this section may be a violation of the Bank Secrecy Act and of this part. * * * * * ■ 5. Section 103.18 is amended by: ■ a. Revising the last sentence of paragraph (d); and ■ b. Revising paragraphs (e) and (f); and ■ c. Adding new paragraph (g), to read as follows: § 103.18 Reports by banks of suspicious transactions. * * * * * (d) * * * A bank shall make all supporting documentation available to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the bank for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the bank to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure PO 00000 Frm 00032 Fmt 4701 Sfmt 4700 that the institution complies with the Bank Secrecy Act, upon request. (e) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as authorized in this paragraph (e). For purposes of this paragraph (e) only, a SAR shall include any suspicious activity report filed with FinCEN pursuant to any regulation in this part. (1) Prohibition on disclosures by banks. (i) General rule. No bank, and no director, officer, employee, or agent of any bank, shall disclose a SAR or any information that would reveal the existence of a SAR. Any bank, and any director, officer, employee, or agent of any bank that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the response thereto. (ii) Rules of Construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (e)(1) shall not be construed as prohibiting: (A) The disclosure by a bank, or any director, officer, employee, or agent of a bank, of: (1) A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the bank for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the bank to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the bank complies with the Bank Secrecy Act; or (2) The underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures: (i) To another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR; or (ii) In connection with certain employment references or termination notices, to the full extent authorized in 31 U.S.C. 5318(g)(2)(B); or (B) The sharing by a bank, or any director, officer, employee, or agent of the bank, of a SAR, or any information that would reveal the existence of a SAR, within the bank’s corporate organizational structure for purposes consistent with Title II of the Bank E:\FR\FM\03DER2.SGM 03DER2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations Secrecy Act as determined by regulation or in guidance. (2) Prohibition on disclosures by government authorities. A Federal, State, local, territorial, or Tribal government authority, or any director, officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, ‘‘official duties’’ shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for disclosure of non-public information or a request for use in a private legal proceeding, including a request pursuant to 31 CFR 1.11. (f) Limitation on liability. A bank, and any director, officer, employee, or agent of any bank, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). (g) Compliance. Banks shall be examined by FinCEN or its delegatees for compliance with this section. Failure to satisfy the requirements of this section may be a violation of the Bank Secrecy Act and of this part. Such failure may also violate provisions of Title 12 of the Code of Federal Regulations. 6. Section 103.19 is amended by revising the last sentence in paragraph (d), and all of paragraphs (e), (f), and (g) to read as follows: ■ § 103.19 Reports by brokers or dealers in securities of suspicious transactions. emcdonald on DSK2BSOYB1PROD with RULES2 * * * * * (d) * * * A broker-dealer shall make all supporting documentation available to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the broker-dealer for compliance with the Bank Secrecy Act, upon request; or to any SRO that examines the brokerdealer for compliance with the requirements of this section, upon the request of the Securities and Exchange Commission. (e) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 and shall not be disclosed except as authorized in this paragraph (e). For purposes of this paragraph (e) only, a SAR shall include any suspicious activity report filed with FinCEN pursuant to any regulation in this part. (1) Prohibition on disclosures by brokers or dealers in securities. (i) General rule. No broker-dealer, and no director, officer, employee, or agent of any broker-dealer, shall disclose a SAR or any information that would reveal the existence of a SAR. Any broker-dealer, and any director, officer, employee, or agent of any broker-dealer that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the response thereto. (ii) Rules of Construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (e)(1) shall not be construed as prohibiting: (A) The disclosure by a broker-dealer, or any director, officer, employee, or agent of a broker-dealer, of: (1) A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the broker-dealer for compliance with the Bank Secrecy Act; or to any SRO that examines the broker-dealer for compliance with the requirements of this section, upon the request of the Securities Exchange Commission; or (2) The underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures: (i) To another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR; or (ii) In connection with certain employment references or termination notices, to the full extent authorized in 31 U.S.C. 5318(g)(2)(B); or (B) The sharing by a broker-dealer, or any director, officer, employee, or agent of the broker-dealer, of a SAR, or any information that would reveal the existence of a SAR, within the brokerdealer’s corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance. (2) Prohibition on disclosures by government authorities. A Federal, State, local, territorial, or Tribal government authority, or any director, PO 00000 Frm 00033 Fmt 4701 Sfmt 4700 75605 officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, ‘‘official duties’’ shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for disclosure of non-public information or a request for use in a private legal proceeding, including a request pursuant to 31 CFR 1.11. (3) Prohibition on disclosures by SelfRegulatory Organizations. Any selfregulatory organization registered with the Securities and Exchange Commission, or any director, officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR except as necessary to fulfill self-regulatory duties with the consent of the Securities Exchange Commission, in a manner consistent with Title II of the Bank Secrecy Act. For purposes of this section, ‘‘selfregulatory duties’’ shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for disclosure of non-public information or a request for use in a private legal proceeding. (f) Limitation on liability. A brokerdealer, and any director, officer, employee, or agent of any broker-dealer, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). (g) Compliance. Broker-dealers shall be examined by FinCEN or its delegatees for compliance with this section. Failure to satisfy the requirements of this section may be a violation of the Bank Secrecy Act and of this part. * * * * * ■ 7. Section 103.20 is amended by: ■ a. Revising the last sentence of paragraph (c); ■ b. Revising paragraph (d); ■ c. Redesignating paragraphs (e) and (f) as paragraphs (f) and (g); ■ d. Adding new paragraph (e); and ■ e. Revising newly designated paragraph (f), to read as follows: E:\FR\FM\03DER2.SGM 03DER2 75606 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations § 103.20 Reports by money services businesses of suspicious transactions. emcdonald on DSK2BSOYB1PROD with RULES2 * * * * * (c) * * * A money services business shall make all supporting documentation available to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the money services business for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the money services business to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the money services business complies with the Bank Secrecy Act. (d) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as authorized in this paragraph (d). For purposes of this paragraph (d) only, a SAR shall include any suspicious activity report filed with FinCEN pursuant to any regulation in this part. (1) Prohibition on disclosures by money services businesses. (i) General rule. No money services business, and no director, officer, employee, or agent of any money services business, shall disclose a SAR or any information that would reveal the existence of a SAR. Any money services business, and any director, officer, employee, or agent of any money services business that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the response thereto. (ii) Rules of Construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (d)(1) shall not be construed as prohibiting: (A) The disclosure by a money services business, or any director, officer, employee, or agent of a money services business, of: (1) A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the money services business for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the money services business to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the money services business complies with the Bank Secrecy Act; or VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 (2) The underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures to another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR. (B) The sharing by a money services business, or any director, officer, employee, or agent of the money services business, of a SAR, or any information that would reveal the existence of a SAR, within the money services business’s corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance. (2) Prohibition on disclosures by government authorities. A Federal, State, local, territorial, or Tribal government authority, or any director, officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, ‘‘official duties’’ shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for disclosure of non-public information or a request for use in a private legal proceeding, including a request pursuant to 31 CFR 1.11. (e) Limitation on liability. A money services business, and any director, officer, employee, or agent of any money services business, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). (f) Compliance. Money services businesses shall be examined by FinCEN or its delegatees for compliance with this section. Failure to satisfy the requirements of this section may be a violation of the Bank Secrecy Act and of this part. * * * * * ■ 8. Section 103.21 is amended by: ■ a. Revising the last sentence of paragraph (d); ■ b. Revising paragraph (e); ■ c. Redesignating paragraphs (f) and (g) as paragraphs (g) and (h); PO 00000 Frm 00034 Fmt 4701 Sfmt 4700 d. Adding new paragraph (f); and e. Revising newly designated paragraph (g). ■ ■ § 103.21 Reports by casinos of suspicious transactions. * * * * * (d) * * * A casino shall make all supporting documentation available to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the casino for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that requires the casino to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the casino complies with the Bank Secrecy Act, or any Tribal regulatory authority administering a Tribal law that requires the casino to comply with the Bank Secrecy Act or otherwise authorizes the Tribal regulatory authority to ensure that the casino complies with the Bank Secrecy Act, upon request. (e) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential and shall not be disclosed except as authorized in this paragraph (e). For purposes of this paragraph (e) only, a SAR shall include any suspicious activity report filed with FinCEN pursuant to any regulation in this part. (1) Prohibition on disclosures by casinos. (i) General rule. No casino, and no director, officer, employee, or agent of any casino, shall disclose a SAR or any information that would reveal the existence of a SAR. Any casino, and any director, officer, employee, or agent of any casino that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify FinCEN of any such request and the response thereto. (ii) Rules of Construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (e)(1) shall not be construed as prohibiting: (A) The disclosure by a casino, or any director, officer, employee, or agent of a casino, of: (1) A SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State, or local law enforcement agency, or any Federal regulatory authority that examines the casino for compliance with the Bank Secrecy Act, or any State regulatory authority administering a State law that E:\FR\FM\03DER2.SGM 03DER2 emcdonald on DSK2BSOYB1PROD with RULES2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations requires the casino to comply with the Bank Secrecy Act or otherwise authorizes the State authority to ensure that the casino complies with the Bank Secrecy Act, or any Tribal regulatory authority administering a Tribal law that requires the casino to comply with the Bank Secrecy Act or otherwise authorizes the Tribal regulatory authority to ensure that casino complies with the Bank Secrecy Act; or (2) The underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures to another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR. (B) The sharing by a casino, or any director, officer, employee, or agent of the casino, of a SAR, or any information that would reveal the existence of a SAR, within the casino’s corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance. (2) Prohibition on disclosures by government authorities. A Federal, State, local, territorial, or Tribal government authority, or any director, officer, employee, or agent of any of the foregoing, shall not disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act (BSA). For purposes of this section, ‘‘official duties’’ shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for disclosure of non-public information or a request for use in a private legal proceeding, including a request pursuant to 31 CFR 1.11. (f) Limitation on liability. A casino, and any director, officer, employee, or agent of any casino, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). (g) Compliance. Casinos shall be examined by FinCEN or its delegatees for compliance with this section. Failure to satisfy the requirements of this VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 section may be a violation of the Bank Secrecy Act and of this part. * * * * * Dated: November 22, 2010. James H. Freis, Jr., Director, Financial Crimes Enforcement Network. [FR Doc. 2010–29869 Filed 12–2–10; 8:45 am] BILLING CODE 4810–02–P 31 CFR Part 103 [Docket Number: Treas-FinCEN–2008–0022] Notice of Availability of Final Interpretative Guidance—Sharing Suspicious Activity Reports by Depository Institutions and Securities Broker-Dealers, Mutual Funds, Futures Commission Merchants, or Introducing Brokers in Commodities With Certain U.S. Affiliates Financial Crimes Enforcement Network (‘‘FinCEN’’), Treasury. ACTION: Interpretive guidance. AGENCY: By this notice, FinCEN announces the availability of two related pieces of guidance that apply to depository institutions and to securities broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities (collectively referred to as ‘‘final guidance’’) interpreting the final rule published elsewhere in this part of today’s Federal Register. Among other things, the final rule clarifies the scope of the statutory prohibition on the disclosure by a financial institution of a report of a suspicious transaction set forth in the Bank Secrecy Act (‘‘BSA’’) by stating that the confidentiality provision does not apply when a depository institution, securities broker-dealer, mutual fund, futures commission merchant, or introducing broker in commodities (hereafter, ‘‘an authorized institution’’) shares a suspicious activity report (‘‘SAR’’), or any information that would reveal the existence of a SAR, within its corporate organizational structure for purposes consistent with Title II of the BSA, as determined by regulation or guidance. The final guidance interprets this provision to permit an authorized institution to share a SAR, or information that would reveal the existence of a SAR (collectively, ‘‘SAR information’’), with certain affiliates. DATES: This final guidance is effective January 3, 2011. ADDRESSES: The final guidance is available in the U.S. Government’s electronic docket site at http:// SUMMARY: Frm 00035 Fmt 4701 www.regulations.gov under the under docket number TREAS–2008–0022 and on FinCEN’s Web site at http:// www.fincen.gov. FOR FURTHER INFORMATION CONTACT: FinCEN’s Regulatory Helpline, (800) 949–2732. SUPPLEMENTARY INFORMATION: I. Background DEPARTMENT OF THE TREASURY PO 00000 75607 Sfmt 4700 FinCEN, through its authority under the BSA, as delegated by the Secretary of the Treasury, may require financial institutions to keep records and file reports that FinCEN determines have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or for intelligence or counter-intelligence activities to protect against international terrorism. In particular, the BSA and its implementing regulations require financial institutions in certain industries 1 to file a SAR when they detect a known or suspected violation of Federal law or regulation, or a suspicious activity related to money laundering, terrorist financing, or other criminal activity.2 II. The Notice of Proposed Guidance and Related Actions On March 9, 2009, FinCEN published in the Federal Register a notice of proposed rulemaking (‘‘the proposed rule’’) and two separate notices and requests for comment on proposed guidance (‘‘the proposed guidance’’) (collectively, ‘‘the notices’’). In the proposed rule, FinCEN proposed amendments to each of FinCEN’s SAR rules 3 to include key changes that would, among other things, clarify the scope of the statutory prohibition against the disclosure by a financial institution of a SAR. 1 FinCEN has implemented regulations for suspicious activity reporting at 31 CFR 103.15 (for mutual funds); 31 CFR 103.16 (for insurance companies); 31 CFR 103.17 (for futures commission merchants and introducing brokers in commodities); 31 CFR 103.18 (for banks); 31 CFR 103.19 (for broker-dealers in securities); 31 CFR 103.20 (for money services businesses); 31 CFR 103.21 (for casinos). 2 The Annunzio-Wylie Anti-Money Laundering Act of 1992 (the Annunzio-Wylie Act), amended the BSA and authorized the Secretary of the Treasury to require financial institutions to report suspicious transactions relevant to a possible violation of law or regulation. See Public Law 102–550, Title XV, § 1517(b), 106 Stat. 4055, 4058–9 (1992); 31 U.S.C. 5318(g)(1). 3 FinCEN’s SAR rules include 31 CFR 103.15 (for mutual funds); 31 CFR 103.16 (for insurance companies); 31 CFR 103.17 (for futures commission merchants and introducing brokers in commodities); 31 CFR 103.18 (for banks); 31 CFR 103.19 (for broker-dealers in securities); 31 CFR 103.20 (for money services businesses); 31 CFR 103.21 (for casinos). E:\FR\FM\03DER2.SGM 03DER2

Agencies

[Federal Register Volume 75, Number 232 (Friday, December 3, 2010)]
[Rules and Regulations]
[Pages 75593-75607]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-29869]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

31 CFR Part 103

RIN 1506-AA99


Financial Crimes Enforcement Network; Confidentiality of 
Suspicious Activity Reports

AGENCY: The Financial Crimes Enforcement Network (``FinCEN''), 
Treasury.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: FinCEN is issuing this final rule to amend the Bank Secrecy 
Act (``BSA'') regulations regarding the confidentiality of a report of 
suspicious activity (``SAR'') to: Clarify the scope of the statutory 
prohibition against the disclosure by a financial institution of a SAR; 
address the statutory prohibition against the disclosure by the 
government of a SAR; clarify that the exclusive standard applicable to 
the disclosure of a SAR by the government is to fulfill official duties 
consistent with the purposes of the BSA; modify the safe harbor 
provision to include changes made by the Uniting and Strengthening 
America by Providing the Appropriate Tools Required to Intercept and 
Obstruct Terrorism Act of 2001 (``USA PATRIOT Act''); and make minor 
technical revisions for consistency and harmonization among the 
different SAR rules. These amendments are part of the Department of the 
Treasury's continuing effort to increase the efficiency and 
effectiveness of its anti-money laundering and counter-terrorist

[[Page 75594]]

financing policies. These amendments are consistent with similar 
proposals to be issued by some of the Federal bank regulatory agencies 
in conjunction with FinCEN.\1\
---------------------------------------------------------------------------

    \1\ The Federal bank regulatory agencies have parallel SAR 
requirements for their supervised entities: See 12 CFR 208.62, 12 
CFR 211.24(f), and 12 CFR 225.4(f) (the Board of Governors of the 
Federal Reserve System) (``Fed'')); 12 CFR 353.3 (the Federal 
Deposit Insurance Corporation (``FDIC'')); 12 CFR 748.1 (the 
National Credit Union Administration (``NCUA'')); 12 CFR 21.11 (the 
Office of the Comptroller of Currency (``OCC'')) and 12 CFR 563.180 
(the Office of Thrift Supervision (``OTS'')).

---------------------------------------------------------------------------
DATES: Effective Date: January 3, 2011.

FOR FURTHER INFORMATION CONTACT: The FinCEN regulatory helpline at 
(800) 949-2732.

SUPPLEMENTARY INFORMATION: 

I. Background

    The BSA requires financial institutions to keep certain records and 
make certain reports that have been determined to be useful in 
criminal, tax, or regulatory investigations or proceedings, and for 
intelligence or counter-intelligence activities to protect against 
international terrorism. In particular, the BSA and its implementing 
regulations require financial institutions in certain industries \2\ to 
file a SAR when they detect a known or suspected violation of Federal 
law or regulation, or a suspicious activity related to money 
laundering, terrorist financing, or other criminal activity.\3\
---------------------------------------------------------------------------

    \2\ FinCEN has implemented regulations for suspicious activity 
reporting at 31 CFR 103.15 (for mutual funds); 31 CFR 103.16 (for 
insurance companies); 31 CFR 103.17 (for futures commission 
merchants and introducing brokers in commodities); 31 CFR 103.18 
(for banks); 31 CFR 103.19 (for broker-dealers in securities); 31 
CFR 103.20 (for money services businesses); 31 CFR 103.21 (for 
casinos).
    \3\ The Annunzio-Wylie Anti-Money Laundering Act of 1992 (the 
Annunzio-Wylie Act), amended the BSA and authorized the Secretary of 
the Treasury to require financial institutions to report suspicious 
transactions relevant to a possible violation of law or regulation. 
See Public Law 102-550, Title XV, 1517(b), 106 Stat. 4055, 4058-9 
(1992); 31 U.S.C. 5318(g)(1).
---------------------------------------------------------------------------

    SARs generally are unproven reports of possible violations of law 
or regulation, or of suspicious activities, that are used for law 
enforcement or regulatory purposes. The BSA provides that a financial 
institution and its officers, directors, employees, and agents are 
prohibited from notifying any person involved in a suspicious 
transaction that the transaction was reported.\4\ FinCEN implemented 
this provision in its SAR regulations for each industry through an 
explicit prohibition that closely mirrored the enacting statutory 
language. Specifically, we clarified that disclosure could not be made 
to the person involved in the transaction, but that the SAR could be 
provided to FinCEN, law enforcement, and the financial institution's 
supervisory or examining authority. In certain SAR rules, we have 
expressly provided for the possibility of institutions jointly filing a 
SAR regarding suspicious activity that occurred at multiple 
institutions.\5\
---------------------------------------------------------------------------

    \4\ See 31 U.S.C. 5318(g)(2).
    \5\ Bank Secrecy Act regulations expressly permitting the filing 
of a joint SAR when multiple financial transactions are involved in 
a common transaction or series of transactions involving suspicious 
activity can be found at 31 CFR 103.15(a)(3) (for mutual funds); 31 
CFR 103.16(b)(3)(ii) (for insurance companies); 31 CFR 103.17(a)(3) 
(for futures commission merchants and introducing brokers in 
commodities); 31 CFR 103.19(a)(3) (for broker-dealers in 
securities); and 31 CFR 103.20(a)(4) (for money services 
businesses).
---------------------------------------------------------------------------

    The USA PATRIOT Act strengthened the confidentiality of SARs by 
adding to the BSA a new provision that prohibits officers or employees 
of the Federal government or any State, local, Tribal, or territorial 
government within the United States with knowledge of a SAR from 
disclosing to any person involved in a suspicious transaction that the 
transaction was reported, other than as necessary to fulfill the 
official duties of such officer or employee.\6\
---------------------------------------------------------------------------

    \6\ See USA PATRIOT Act, section 351(b). Public Law 107-56, 
Title III, Sec.  351, 115 Stat. 272, 321(2001); 31 U.S.C. 
5318(g)(2).
---------------------------------------------------------------------------

    To encourage the reporting of possible violations of law or 
regulation, and the filing of SARs, the BSA contains a safe harbor 
provision that shields financial institutions making such reports from 
civil liability in connection with the report. In 2001, the USA PATRIOT 
Act clarified that the safe harbor also covers voluntary disclosure of 
possible violations of law and regulations to a government agency and 
expanded the scope of the limit on liability to cover any civil 
liability that may exist ``under any contract or other legally 
enforceable agreement (including any arbitration agreement).'' \7\
---------------------------------------------------------------------------

    \7\ See USA PATRIOT Act, section 351(a). Public Law 107-56, 
Title III, Sec.  351, 115 Stat. 272, 321(2001); 31 U.S.C. 
5318(g)(3).
---------------------------------------------------------------------------

II. The Notice of Proposed Rulemaking and Related Actions

    On March 9, 2009, FinCEN published in the Federal Register a notice 
of proposed rulemaking (``the proposed rule'') and two separate notices 
and requests for comment on proposed guidance (``the proposed 
guidance'') (collectively, ``the notices''). In the proposed rule, 
FinCEN proposed amendments to each of FinCEN's SAR rules to include key 
changes that would (1) clarify the scope of the statutory prohibition 
against the disclosure by a financial institution of a SAR; (2) address 
the statutory prohibition against the disclosure by the government of a 
SAR; (3) clarify that the exclusive standard applicable to the 
disclosure of a SAR, or any information that would reveal the existence 
of a SAR by the government is ``to fulfill official duties consistent 
with Title II of the BSA,'' in order to ensure that SAR information is 
protected from inappropriate disclosures unrelated to the BSA purposes 
for which SARs are filed; (4) modify the safe harbor provision to 
include changes made by the USA PATRIOT Act; and (5) where possible, 
harmonize minor technical differences that exist among the 
confidentiality, safe harbor, and compliance provisions of our 
rulemakings for different industries. The proposed guidance interpreted 
one of the provisions of the proposed rules relating to (1) above, to 
clarify that SARs could be shared, subject to certain qualifications, 
within an institution's corporate organizational structure.
    In separate but contemporaneous rulemakings, some of the Federal 
bank regulatory agencies proposed amending their SAR rules to 
incorporate comparable provisions to FinCEN's proposed rules, and 
amending their information disclosure regulations \8\ to clarify that 
the exclusive standard governing the release of a SAR, or any 
information that would reveal the existence of a SAR, is set forth in 
the confidentiality provisions of their respective SAR rules.
---------------------------------------------------------------------------

    \8\ Generally, these regulations are known as ``Touhy 
regulations,'' after the Supreme Court's decision in United States 
ex rel. Touhy v. Ragen, 340 U.S. 462 (1951). In that case, the 
Supreme Court held that an agency employee could not be held in 
contempt for refusing to disclose agency records or information when 
following the instructions of his or her supervisor regarding the 
disclosure. As such, an agency's Touhy regulations are the 
instructions agency employees must follow when those employees 
receive requests or demands to testify or otherwise disclose agency 
records or information.
---------------------------------------------------------------------------

    The notices and related Federal bank regulatory agency actions were 
published together in their own separate part of the Federal Register 
to encourage commenters to take into account all relevant provisions.

III. Comments on the Notices--Overview and General Issues

    The comment period for the notices ended on June 8, 2009. We 
received a total of 26 submissions from 25 distinct entities.\9\ Of 
these, 15 were submitted by trade groups or associations, four were 
submitted by individual financial

[[Page 75595]]

institutions, three were submitted by Federal, Tribal, or foreign 
government agencies, three were submitted by consultants or attorneys 
not affiliated with a specific financial institution, and one was 
submitted by a self-regulatory organization (``SRO''). The comments 
generally supported the proposed rules while requesting the broadening 
of the proposed sharing guidance.\10\ Several of the comments specific 
to the proposed rules provided suggestions for additionally 
strengthening or clarifying the general confidentiality provision, as 
well as the specific confidentiality provisions for institutions, 
governments, and SROs. Due to the broad and varied topics raised during 
comment, the majority of comments are addressed in the section-by-
section analysis, below.
---------------------------------------------------------------------------

    \9\ All comments to the notices are available for public viewing 
at http://www.regulations.gov or http://www.fincen.gov/statutes_regs/bsa/regs_proposal_comment.html.
    \10\ Comments about the sharing guidance are addressed 
separately in a related ``notice of availability of guidance'' 
published by FinCEN in today's Federal Register.
---------------------------------------------------------------------------

IV. Section-by-Section Analysis

A. Confidentiality of SARs

    FinCEN proposed clarifying the general introduction to the 
confidentiality provision in each of its SAR rules to read, ``A SAR, 
and any information that would reveal the existence of a SAR, are 
confidential and shall not be disclosed except as authorized in this 
paragraph.'' FinCEN proposed this change to be more comprehensive than 
the previous language that, on face value, was limited only to the 
person involved in the transaction and applied only with respect to the 
SAR form itself. The phrase ``SAR[s] are confidential'' also was 
consistent with the existing Federal bank regulatory agency SAR rules, 
while the application of confidentiality to ``a SAR, and information 
that would reveal the existence of a SAR'' (``SAR information'') was 
consistent with both FinCEN and case law interpretations \11\ of the 
previous non-disclosure provision. In the final rule, FinCEN is 
adopting this language as proposed, without change.
---------------------------------------------------------------------------

    \11\ See, e.g., Whitney Nat'l Bank v. Karam, 306 F. Supp. 2d 
678, 682 (S.D. Tex. 2004); Cotton v. Private Bank and Trust Co., 235 
F. Supp. 2d 809, 815 (N.D. Ill. 2002).
---------------------------------------------------------------------------

    Some commenters asked that FinCEN clarify the term ``information 
that would reveal the existence of a SAR'' for the purpose of defining 
the scope of SAR confidentiality. One commenter specifically asked 
whether that term only includes information that affirmatively states 
that a SAR was filed. Another commenter urged that FinCEN formally 
recognize that documents prepared by a financial institution when 
complying with its SAR obligations should be afforded confidentiality.
    Clearly, any document or other information that affirmatively 
states that a SAR has been filed constitutes information that would 
reveal the existence of a SAR and should be kept confidential. By 
extension, an institution also should afford confidentiality to any 
document stating that a SAR has not been filed. Were FinCEN to allow 
disclosure of information when a SAR is not filed, institutions would 
implicitly reveal the existence of a SAR any time they were unable to 
produce records because a SAR was filed.\12\
---------------------------------------------------------------------------

    \12\ For example, a private litigant may serve a discovery 
request on a bank in civil litigation that calls for the bank to 
produce the underlying documentation on companies A, B, and C, where 
the bank has filed a SAR on company A but not companies B or C, and 
the underlying documentation reflects the SAR filing decisions. If 
the bank then produces the underlying documentation for companies B 
and C, but neither confirms nor denies the existence of a SAR when 
declining to provide similar documentation for company A, by 
negative implication it may have revealed the existence of the SAR 
filed on company A.
---------------------------------------------------------------------------

    The more difficult situation is when a document or other 
information is silent as to whether a SAR has or has not been filed. 
Documents that may identify suspicious activity but that do not reveal 
whether a SAR exists (e.g., a document memorializing a customer 
transaction, such as an account statement indicating a cash deposit or 
a record of a funds transfer), should be treated as falling within the 
underlying facts, transactions, and documents upon which a SAR may be 
based, and should not be afforded confidentiality.\13\ This distinction 
is set forth in the final rule's second rule of construction and 
reflects relevant case law.\14\
---------------------------------------------------------------------------

    \13\ As one commenter correctly suggested, information produced 
in the ordinary course of business may contain sufficient 
information that a reasonable and prudent person familiar with SAR 
filing requirements could use to conclude that an institution likely 
filed a SAR (e.g., a copy of a fraudulent check, or a cash 
transaction log showing a clear pattern of structured deposits). 
Such information, alone, does not constitute information that would 
reveal the existence of a SAR.
    \14\ See, e.g., Whitney Nat. Bank v. Karam, 306 F. Supp. 2d 678, 
682 (S.D. Tex. 2004) (noting that courts have ``allowed the 
production of supporting documentation that was generated or 
received in the ordinary course of the banks' business, on which the 
report of suspicious activity was based''); Cotton v. Private Bank 
and Trust Co., 235 F. Supp. 2d 809, 815 (N.D. Ill. 2002) (holding 
that the ``factual documents which give rise to suspicious conduct * 
* * are to be produced in the ordinary course of discovery because 
they are business records made in the ordinary course of 
business'').
---------------------------------------------------------------------------

    However, the strong public policy that underlies the SAR system as 
a whole--namely, the creation of an environment that encourages 
financial institutions to report suspicious activity without fear of 
reprisal--leans heavily in favor of applying SAR confidentiality not 
only to a SAR itself, but also in appropriate circumstances to material 
prepared by the financial institution as part of its process to detect 
and report suspicious activity, regardless of whether a SAR ultimately 
was filed or not. This interpretation also reflects relevant case 
law.\15\
---------------------------------------------------------------------------

    \15\ See, e.g., Whitney at 682-83 (holding that the SAR 
confidentiality provision protects, inter alia, ``communications 
preceding the filing of a SAR and preparatory or preliminary to it; 
communications that follow the filing of a SAR and are explanations 
or follow-up discussion; or oral communications or suspected or 
possible violations that did not culminate in the filing of a 
SAR''); Cotton at 815 (holding that ``documents representing the 
drafts of SARs or other work product or privileged communications 
that relate to the SAR itself * * * are not to be produced [in 
discovery] because they would disclose whether a SAR has been 
prepared or filed''); Union Bank of California, N.A. v. Superior 
Court, 130 Cal. App. 4th 378, 391 (2005) (holding that ``a draft SAR 
or internal memorandum prepared as part of a financial institution's 
process for complying with Federal reporting requirements is 
generated for the specific purpose of fulfilling the institution's 
reporting obligation * * * [and] fall within the scope of SAR 
[confidentiality] because they may reveal the contents of a SAR and 
disclose whether `a SAR has been prepared or filed' '').
---------------------------------------------------------------------------

    As explained in more detail in the proposed rule, the primary 
purpose for clarifying the scope of the confidentiality provision is to 
ensure that, due to potentially serious consequences, the persons 
involved in the transaction and identified in the SAR cannot be 
notified, directly or indirectly, of the report. Accordingly, FinCEN 
proposed replacing the previous rule text prohibiting disclosure of the 
SAR to the person involved in the transaction with a broad general 
confidentiality provision for all SAR information applicable to all 
persons not authorized in the rules of construction to receive such 
information. With respect to ``information that would reveal the 
existence of a SAR,'' therefore, institutions should distinguish 
between certain types of statistical or abstract information or general 
discussions of suspicious activity that may indicate that an 
institution has filed SARs,\16\ and information that would reveal the 
existence of a SAR in a manner that could enable the person involved in 
the

[[Page 75596]]

transaction potentially to be notified, whether directly or indirectly.
---------------------------------------------------------------------------

    \16\ One example of such information could include summary 
information commonly provided by banks in the ``notification to the 
board'' required by the various Federal bank regulatory agency SAR 
rules. Banks subject to the requirement are encouraged to be 
cautious in the production of relevant portions of board minutes or 
other records to avoid the risk of potentially exposing SAR 
information to the subject, either directly or indirectly, in the 
event such records are subject to future subpoena.
---------------------------------------------------------------------------

    FinCEN also proposed modifying this introductory section to clarify 
that ``for purposes of [the confidentiality provision] only, a SAR 
shall include any suspicious activity report filed with FinCEN pursuant 
to any regulation in this part'' and eliminating references in the 
confidentiality provisions of certain rules to specific versions of the 
SAR form like the SAR-SF (for use by the securities and futures 
industries) or SAR-MSB (for use by money services businesses). This 
change clarified that the confidentiality provisions of our SAR rules 
apply with respect to any type of SAR in the filing institution's 
possession, which, since it may result from the joint filing or sharing 
of a SAR with another type of financial institution in accordance with 
the provisions of these proposed rules, could include a type of SAR 
form not used by the institution. This provision is also being adopted 
as proposed, without change.

B. Disclosure by Financial Institutions

    The proposed rule provided that any financial institution, or any 
director, officer, employee, or agent of a financial institution, that 
is subpoenaed or otherwise requested to disclose a SAR, or information 
that would reveal the existence of a SAR, must decline to provide the 
information, citing this section of the rules and 31 U.S.C. 
5318(g)(2)(A)(i), and must provide notification of the request and its 
response thereto to FinCEN and, in the rules for those industries with 
parallel SAR requirements administered by a primary Federal functional 
regulator,\17\ notification to that regulator as well.
---------------------------------------------------------------------------

    \17\ Primary Federal functional regulator, for purposes of this 
final rule, means the Federal bank regulatory agencies, the 
Securities and Exchange Commission (``SEC''), and the Commodity 
Futures Trading Commission (``CFTC''). Only the Federal bank 
regulatory agencies administer parallel SAR requirements.
---------------------------------------------------------------------------

    One commenter suggested that FinCEN adjust the SAR rule for banks 
to remove the ``duplicative'' requirement for a bank to notify both 
FinCEN and its primary Federal functional regulator when SAR 
information is inappropriately requested. FinCEN disagrees with the 
characterization of the requirement as ``duplicative'' since the 
entities in question have separate SAR rules issued and administered by 
separate agencies. The joint notification requirement in FinCEN's rule, 
therefore, simply acknowledges the notification requirement of multiple 
SAR regulations issued under multiple authorities.
    Because FinCEN's jurisdiction is limited to the Title 31 SAR rules, 
however, FinCEN is removing the requirement from its bank SAR rule that 
an institution notify its primary Federal regulator in addition to 
notifying FinCEN in the event of an inappropriate request for SAR 
information. While this will create greater consistency within FinCEN's 
SAR rules for multiple industries and between FinCEN's rules and most 
of the primary Federal regulator bank SAR rules with respect to the 
requirement to notify only the agency administering that rule, it does 
not relieve institutions from their requirement to comply with the 
provisions of similar but distinct rules administered by separate 
agencies. FinCEN will continue to explore the possibility of 
streamlining the process of notification under separate legal 
authorities.\18\
---------------------------------------------------------------------------

    \18\ In the interim, upon notification by a financial 
institution, FinCEN will ensure that an institution's primary 
Federal regulator has been notified of such a request and the 
institution's response thereto.
---------------------------------------------------------------------------

    Another commenter asked FinCEN to establish procedures by which an 
institution, if it thought it would benefit the institution, could 
petition FinCEN to authorize the disclosure of SAR information for in 
camera review during a private legal proceeding. As discussed elsewhere 
in this rulemaking, the protection of the filing institution is not the 
only reason for the SAR confidentiality provision. Further, FinCEN 
believes that in most legal proceedings, a filing institution that 
would benefit from the disclosure of a SAR would benefit comparably 
with evidence from underlying facts, transactions, and documents. 
Consequently, FinCEN does not intend to establish procedures for 
submitting such a request in this rulemaking.

C. Rules of Construction

    FinCEN proposed rules of construction that clarify the scope of the 
SAR disclosure prohibition and implement statutory modifications to the 
BSA made by the USA PATRIOT Act. The proposed rules of construction 
primarily describe situations that are not covered by the prohibition 
against the disclosure of SAR information. The introduction to these 
rules makes clear that the rules of construction are each qualified by 
and subordinate to the statutory mandate that no person involved in any 
reported suspicious transaction can be notified that the transaction 
has been reported. This introductory sentence is being adopted as 
proposed, without change, in the final rule.
1. The First Rule of Construction
    The first proposed rule of construction clarified the 
permissibility of disclosures to governmental authorities or other 
examining authorities that are otherwise entitled by law to receive 
SARs and to examine for or investigate suspicious activity. For most 
industries, the rule stated that a financial institution, or any 
director, officer, employee, or agent of a financial institution, may 
disclose a SAR, or information that would reveal the existence of a 
SAR, to FinCEN or any Federal, State, or local law enforcement agency 
or any Federal or State regulatory authority that examines the 
financial institution for compliance with the BSA.
a. State Regulatory Authorities
    FinCEN is adjusting the language slightly in the final rule to make 
a technical correction in the SAR rule text for some industries. While 
the original SAR rules provided for requests for disclosure from 
``appropriate law enforcement [and] supervisory agenc[ies],'' the 
proposed rules sought to expand these terms by describing explicitly 
the types of entities that fit into those categories. Accordingly, some 
of the proposed rules used the phrase ``* * * state regulatory 
authority that examines [the institution] for compliance with the 
BSA.'' FinCEN believes that commenters clearly understood and consented 
to the intent of this language, but will use the more technically 
accurate phrase ``* * * state regulatory authority administering a 
state law that requires [the institution] to comply with the BSA or 
otherwise authorizes the state authority to ensure that the institution 
complies with the BSA'' in the final rule.
    This change recognizes that State regulatory authorities are 
generally authorized by State law to examine for compliance with the 
BSA in one of two ways: (1) The law authorizes the State authority to 
examine the institution for compliance with all Federal laws and 
regulations generally or with the BSA explicitly, or (2) the law 
requires a financial institution to comply with all Federal laws and 
regulations generally or with the BSA explicitly, and authorizes the 
State authority to examine for compliance with the State law. An 
institution may provide SAR information to a State regulatory authority 
meeting either criterion.
    Commenters pointed out that some, but not all of the rules, 
provided for a financial institution to disclose SAR information to 
these State regulatory authorities. While one of FinCEN's goals

[[Page 75597]]

for the final rule is to create consistency between the various 
industry SAR rules where appropriate, FinCEN intentionally omitted 
State regulatory agencies from this rule of construction for the 
securities and futures industries. FinCEN has not delegated, and 
Congress has not authorized, State regulation for compliance with the 
BSA to these industries. Accordingly, the provision regarding 
disclosures to State regulatory authorities has been incorporated into 
the final rule for all industries other than securities broker-dealers, 
futures commission merchants, introducing brokers in commodities, and 
mutual funds.
    For each of those industries excluded from the aforementioned 
``state regulatory'' provision, FinCEN also has made a comporting 
change in the final rule to the paragraph entitled ``Retention of 
Records.'' With respect to an institution's obligation to provide the 
supporting documentation to a SAR only to appropriate parties upon 
request, the final rule text includes Federal regulatory agencies, but 
not State regulatory agencies.
b. Tribal Regulatory Authorities
    FinCEN received a similar comment regarding Tribal casinos that may 
be regulated by a Tribal regulatory authority. As with State agencies, 
FinCEN believes disclosures to such authorities should be limited only 
to an entity with authority to examine for compliance with laws 
requiring compliance with the BSA. Accordingly, FinCEN is incorporating 
a technical change similar to that described for State regulatory 
authorities, above, to more accurately describe the methods by which 
Tribal regulatory authorities obtain jurisdiction to examine for BSA 
compliance. The first rule of construction in the final rule for 
casinos now reads, ``* * * or any tribal regulatory authority 
administering a tribal law that requires the casino to comply with the 
BSA or otherwise authorizes the tribal regulatory authority to ensure 
that the casino complies with tribal law.''
c. Self-Regulatory Organizations
    For the proposed rules governing securities broker-dealers, futures 
commission merchants, and introducing brokers in commodities, an 
institution's ability to disclose under the first rule of construction 
also was extended to a self-regulatory organization that is examining 
the institution for compliance with the requirements ``of this 
section,'' a phrase FinCEN interpreted in the preamble as meaning the 
SAR rules. FinCEN received multiple and conflicting comments on this 
provision. Commenters correctly noted that this language differs from 
the standard used for Federal and State regulatory authorities.
    One comment received from a government agency supported this 
different standard, stating that while Congress directed FinCEN to make 
SARs available to certain SROs in Section 358(c) of the USA PATRIOT Act 
(amending 31 U.S.C. 5319), Congress's simultaneous expansion in Section 
358(a) of the ``declaration of purpose'' for the data collected under 
the BSA in Chapter 53 of Title 31 of the U.S.C. did not include self-
regulatory purposes. Another comment from an SRO argued, however, that 
limiting SRO access to SAR information only in conjunction with an 
examination for BSA compliance was inconsistent with the aims of the 
BSA.
    The language in the proposed rule limiting SRO use of SARs was 
consistent with the uses originally described in the previous SAR 
rules.\19\ As such, the proposed rule did not propose restricting, but 
rather declined to expand, the existing SRO authority to use SARs. In 
the final rule, however, FinCEN is emphasizing the important role of 
BSA data in the support of supervisory functions to promote the 
integrity of financial markets and mitigate risks of financial crime. 
Accordingly, the final rule text regarding SROs more closely models the 
language used for government regulatory authorities. At the same time, 
the final rule recognizes the relationship of SROs and the Federal 
agencies responsible for their oversight, upon whom FinCEN relies for 
the purpose of helping to ensure that the SROs are operating in a 
manner consistent with FinCEN's mission.
---------------------------------------------------------------------------

    \19\ For example, prior to this final rule, the existing SAR 
rule for securities broker-dealers at 31 CFR 103.19(g) stated that 
``[r]eports filed under this section shall be made available to an 
SRO registered with the [SEC] examining a broker-dealer for 
compliance with the requirements of this section.''
---------------------------------------------------------------------------

    SROs are not governmental entities, but do play a significant role 
in regulating segments of the financial industry under the close 
supervision and regulatory oversight by specific Federal agencies. The 
SEC regulates the Financial Industry Regulatory Authority (``FINRA'') 
and other SROs, while the CFTC regulates the National Futures 
Association (``NFA'') and a number of other SROs. FinCEN relies on the 
close supervision by the Federal functional regulators of those 
industries also subject to SRO oversight to assist FinCEN in ensuring 
that SROs appropriately use and handle BSA information. As these 
agencies are in a position to understand the needs of the SROs for BSA 
information and are also in a position to monitor the SROs' interaction 
with the entities subject to both the regulators' and the SROs' 
purview, FinCEN has determined that SROs should obtain SARs and 
supporting documentation from the entities that they examine in a 
manner and for purposes that the Federal agency responsible for its 
oversight deems appropriate. Thus, the final rule makes it clear that a 
financial institution examined by an SRO can provide SAR information to 
the SRO, upon the request of the Federal agency responsible for its 
oversight.
    This request may apply to the SRO in an isolated context or in a 
broad context to cover a variety of situations and understood uses, as 
determined appropriate by that agency. FinCEN expects the Federal 
agency responsible for the SRO's oversight to provide this request 
either to the institution in writing, or to the SRO in the form of a 
writing that is available for the SRO to share with the institution. 
Given the fact that many institutions may come under the jurisdiction 
of more than one regulator and more than one SRO, a record of the 
relevant Federal regulator's request is important to avoid confusion.
    In keeping with its cooperative relationships with the relevant 
Federal regulators, FinCEN will monitor the regulators' requests for 
SAR information and communicate with the regulators with respect to any 
concerns that either FinCEN or the regulators identify with respect to 
the use and protection of SARs by an SRO.
    In light of the above considerations, the final rule for those 
industries with SROs now reads to allow disclosure to ``* * * any SRO 
that examines [the institution] for compliance with the requirements of 
this section, upon the request of [the Federal agency responsible for 
its oversight].''
d. Civil Enforcement Authorities
    One commenter also argued that the SEC and CFTC, in their capacity 
of civil enforcement of laws applicable to all persons (including 
institutions they do not examine for compliance with the BSA), should 
have the authority to request SAR information (specifically, supporting 
documentation) from all financial institutions in the same manner as 
law enforcement agencies. FinCEN is not amending the first rule of 
construction to allow this for two reasons. First, limiting the ability 
of the SEC or the CFTC to obtain information that would reveal that a 
SAR has been filed only from the types of institutions

[[Page 75598]]

they examine for compliance with the BSA is consistent with the 
treatment under the final rule of all other Federal regulatory 
authorities, many of which also possess civil enforcement authorities. 
Second, although FinCEN recognizes the civil enforcement authority of 
the SEC and CFTC, FinCEN believes both agencies have been adequately 
empowered with requisite subpoena powers to obtain relevant data from 
financial institutions they do not examine for BSA compliance. That 
data includes the underlying facts, transactions, and documents upon 
which a SAR is based, pursuant to the second rule of construction. For 
example, if a bank receives a subpoena from the SEC or the CFTC that 
does not refer to a SAR, but merely requests certain transactional 
documents, then it would be permissible for the bank to respond to the 
subpoena with relevant documents, so long as the disclosure of any such 
document would not reveal the existence of a SAR. FinCEN understands 
that there may be situations in which documentation revealing the 
existence of a SAR will be responsive to an SEC or CFTC subpoena. In 
such situations, a financial institution should contact FinCEN with any 
questions concerning its ability under the SAR rules to provide 
information in response to a subpoena. In situations where the SEC or 
CFTC deem a subpoena to be imprudent, FinCEN notes the ability of those 
agencies to make a request for supporting documentation through FinCEN 
or the primary Federal regulator for that institution.
e. Other Requests for SAR Information
    One commenter brought to FinCEN's attention examples of ``dual 
filing requirements'' imposed by State regulatory authorities that do 
not meet the criteria in the first rule of construction of 
administering a State law that requires the financial institution to 
comply with the BSA or otherwise authorizes the State authority to 
ensure that the institution complies with the BSA. According to the 
commenter, these State agencies request that copies of SARs filed with 
FinCEN be provided to the State authority.\20\ The confidentiality 
provision and first rule of construction, as finalized, explicitly 
prohibit an institution from complying with such a request. 
Institutions should provide SAR information to only those entities 
specifically included in the rules of construction. In the event that a 
State agency that is not described in the rules of construction 
requires access to SAR information to exercise its authorities, that 
agency should seek access from FinCEN for such information. 
Institutions that are subject to such ``dual filing requirements'' from 
an unauthorized entity should contact FinCEN in accordance with the 
procedures of this rule.
---------------------------------------------------------------------------

    \20\ Such ``dual filing'' requirements, regardless of whether 
the State authority examines for compliance with State laws 
requiring compliance with the BSA, are inherently inconsistent with 
31 U.S.C. 5318(g)(4), which clearly intends that all SARs be filed 
to a single government agency designated by the Secretary of the 
Treasury.
---------------------------------------------------------------------------

    Finally, multiple commenters requested assistance from FinCEN in 
discerning whether a request for SAR information comes from an 
appropriate party. For example, one commenter suggested that FinCEN 
develop a ``standard request form'' for law enforcement to use when 
requesting SAR information. Due to the variety of authorities to whom a 
SAR may be disclosed, the variety of purposes for which they may 
require SAR information, and the greater clarity already provided in 
the first rule of construction, FinCEN believes such a request to be 
impractical and unnecessary. Another commenter suggested FinCEN issue 
standard verification procedures for an institution to follow to 
determine who is an ``appropriate'' authority. In both the proposed 
rules and final rules, FinCEN has removed the term ``appropriate'' from 
the list of entities that could receive SAR information. This change 
from the previous SAR rules indicates FinCEN's intention to list 
explicitly in the first rule of construction all categories of 
authorities to whom an institution may provide SAR information without 
a subpoena. FinCEN believes this should greatly reduce the ambiguity 
surrounding requests. One commenter, however, requested confirmation 
that when an institution receives a request for disclosure of SAR 
information and contacts FinCEN and its regulator because of 
uncertainty regarding the requesting entity's status as an authority 
authorized by the first rule of construction, that the SAR should 
continue to be kept confidential as prescribed by the regulation. 
FinCEN agrees, but urges institutions in such a situation to quickly 
contact FinCEN for resolution.
2. The Second Rule of Construction
    The second proposed rule of construction provided that the phrase, 
``a SAR or information that would reveal the existence of a SAR'' does 
not include ``the underlying facts, transactions, and documents upon 
which a SAR is based,'' which therefore are not subject to the 
confidentiality provision.
    This proposed rule of construction included illustrative examples 
of situations where the underlying facts, transactions, and documents 
upon which a SAR is based may be disclosed. One commenter suggested 
that FinCEN clarify that the illustrative examples are not exhaustive, 
and that there may be other situations not prescribed in the rule where 
an institution may disclose the underlying facts, transactions, and 
documents upon which a SAR is based. FinCEN did not intend for these 
examples to be exhaustive and does not believe the text, as proposed, 
implies that the examples are exhaustive. The preamble to the proposed 
rules, for example, expressly stated that ``these two examples are not 
intended to be an exhaustive list of all possible scenarios in which 
the disclosure of underlying information is permissible'' and included 
a discussion of disclosure of underlying information that was not 
explicitly listed in the rule text. It stated that ``while a financial 
institution is prohibited from producing documents in discovery that 
evidence the existence of a SAR, factual documents created in the 
ordinary course of business (for example, business records and account 
information upon which a SAR is based), may be discoverable in civil 
litigation under the Federal Rules of Civil Procedure.\21\
---------------------------------------------------------------------------

    \21\ See Cotton, 235 F. Supp. 2d at 815.
---------------------------------------------------------------------------

    For purposes of clarity, however, FinCEN is modifying the final 
rule language to read ``* * * the underlying facts, transactions, and 
documents upon which a SAR is based, including but not limited to, 
disclosures'' expressly listed as illustrative examples in the rule. 
Accordingly, with respect to the SAR confidentiality provision 
only,\22\ institutions may disclose underlying facts, transactions, and 
documents for any purpose, provided that no person involved in the 
transaction is notified and none of the underlying information reveals 
the existence of a SAR.
---------------------------------------------------------------------------

    \22\ This sentence does not speak to any other laws or 
regulations governing a financial institution's responsibilities to 
maintain and protect information.
---------------------------------------------------------------------------

    The first illustrative example in the proposed rules clarified that 
underlying information \23\ may be disclosed to another financial 
institution, or any director, officer, employee, or agent of the 
financial institution, for the preparation of a joint SAR. This text is 
being adopted in the final rule, as

[[Page 75599]]

proposed, and clarifies the authority for all institutions with a SAR 
requirement to jointly file SARs with any other institution with a SAR 
requirement.\24\
---------------------------------------------------------------------------

    \23\ FinCEN reminds institutions that the underlying facts, 
transactions, and documents upon which a SAR is based may include or 
reference previously filed SARs or other information that would 
reveal the existence of a SAR. Such underlying information could not 
be disclosed under this rule of construction.
    \24\ On December 21, 2006, FinCEN and the Federal bank 
regulatory agencies announced that the format for the SAR form for 
depository institutions had been revised to support a new joint 
filing initiative to reduce the number of duplicate SARs filed for a 
single suspicious transaction. ``Suspicious Activity Report (SAR) 
Revised to Support Joint Filings and Reduce Duplicate SARs,'' Joint 
Release issued by FinCEN, the FRB, the OCC, the OTS, the FDIC, and 
NCUA (Dec. 21, 2006). On February 17, 2006, FinCEN and the Federal 
bank regulatory agencies published a joint Federal Register notice 
seeking comment on proposed revisions to the SAR form. See 71 FR 
8640. On April 26, 2007, FinCEN announced a delay in implementation 
of the revised SAR form until further notice. See 72 FR 23891. Until 
such time as a new SAR form is available that facilitates joint 
filing, institutions authorized to jointly file should follow 
FinCEN's guidance to use the words ``joint filing'' in the narrative 
of the SAR and ensure that both institutions maintain a copy of the 
SAR and any supporting documentation (See, e.g., http://www.fincen.gov/statutes_regs/guidance/html/guidance_faqs_sar_10042006.html).
---------------------------------------------------------------------------

    The second illustrative example in the proposed rule was included 
only in the final SAR rules for depository institutions, securities 
broker-dealers, futures commission merchants, and introducing brokers 
in commodities, and provided that such underlying information may be 
disclosed in certain written employment references and termination 
notices as authorized by section 351 of the USA PATRIOT Act.\25\ One 
commenter suggested that this illustrative example should be placed in 
the SAR rules for all industries. The statutory authority for this 
provision, however, extends only to entities governed by either section 
18(w) of the Federal Deposit Insurance Act or relevant rules of SROs 
registered with the SEC or the CFTC.\26\
---------------------------------------------------------------------------

    \25\ 31 U.S.C. 5318(g)(2)(B).
    \26\ See, 31 U.S.C. 5318(g)(2(B).
---------------------------------------------------------------------------

    One commenter asked FinCEN to allow the disclosure of SAR 
information to a party that has expressed interest in purchasing an 
institution. While FinCEN believes generally that such a disclosure is 
inconsistent with the purposes of the BSA, certain information, such as 
statistics or other underlying information that does not reveal the 
existence of a SAR, could be provided to such parties under the second 
rule of construction and could assist such purchasers with their due 
diligence obligations.
    Another commenter suggested that FinCEN include another 
illustrative example of the disclosure of underlying facts, 
transactions, and documents not prohibited by the confidentiality 
provision. Specifically, this commenter asked that we explicitly 
authorize such information to be disclosed within an institution's 
corporate organizational structure for enterprise-wide risk management 
and the identification and reporting of suspicious activity. Provided 
that such information does not disclose a SAR or information that would 
reveal the existence of a SAR, FinCEN agrees that such disclosure of 
underlying information is not prohibited by the final rule or any 
previous SAR rules. Given the greater clarity provided by the phrase 
``including but not limited to'' discussed previously, and the 
unnecessarily limited universe of entities to whom an institution could 
disclose underlying information suggested by the commenter,\27\ FinCEN 
is reluctant to introduce the complex and potentially limiting concept 
of ``corporate organizational structure'' within this intentionally 
broad rule of construction.
---------------------------------------------------------------------------

    \27\ Disclosure of underlying facts, transactions, and documents 
for compliance purposes to an entity outside of an institution's 
corporate organizational structure may be warranted and would not be 
prohibited, provided that a SAR or information that would reveal the 
existence of a SAR was not disclosed.
---------------------------------------------------------------------------

3. The Third Rule of Construction
    As proposed, the third rule of construction applied only to 
depository institutions, securities broker-dealers, mutual funds, 
futures commission merchants, and introducing brokers in commodities, 
and made clear that the prohibition against the disclosure of SAR 
information did not preclude the sharing by any of those financial 
institutions, or any director, officer, employee, or agent of those 
institutions, of a SAR or information that would reveal the existence 
of the SAR within the institution's corporate organizational structure, 
for purposes that are consistent with Title II of the BSA, as 
determined by regulation or in guidance. This proposed rule of 
construction recognized that these financial institutions may find it 
necessary to share SAR information to fulfill reporting obligations 
under the BSA, and to facilitate more effective enterprise-wide BSA 
monitoring, reporting, and general risk-management. The term ``share'' 
used in this rule of construction was an acknowledgement that sharing 
within a corporate organization for purposes consistent with Title II 
of the BSA is distinguishable from a prohibited disclosure.
    FinCEN received substantial comment about the issue of SAR sharing, 
much of which is addressed in the separate notice of availability of 
guidance published in today's Federal Register. In general, the 
comments requested an expansion of the sharing authorities with respect 
to both the parties permitted to share and the parties with whom SAR 
information could be shared. Most commenters provided a clear rationale 
for how expanded SAR sharing would benefit their institutions by 
increasing efficiency, cutting costs, and enhancing the detection and 
reporting of suspicious activity. Most commenters, however, failed to 
sufficiently address how they would mitigate effectively the risk of 
unauthorized disclosure of SAR information if the sharing authority was 
expanded to the extent requested.
    Multiple commenters requested the expansion of the SAR sharing 
authority to all industries that currently have a SAR requirement, not 
just to depository institutions and the securities and futures 
industries. However, these commenters failed to address the disparity 
in regulatory oversight between those industries with a primary Federal 
functional regulator (industries to whom the proposed rules granted the 
authority to share) and those without. Accordingly, FinCEN is taking a 
phased approach in the final rule to granting additional industries the 
ability to share within their corporate organizational structure. To 
allow for potential future expansion of the sharing guidance, we are 
including the third rule of construction in the final rule text for all 
industries. As discussed further in the notice of availability of 
guidance, however, we have not at this time included those industries 
without a primary Federal functional regulator in the guidance 
authorizing sharing with affiliates. This approach establishes the 
regulatory framework for those industries potentially to share SAR 
information within their corporate structure in the future, as 
prescribed by FinCEN in regulation or guidance, without necessarily 
requiring an amendment to the SAR confidentiality provision in each 
industry's SAR rules.\28\
---------------------------------------------------------------------------

    \28\ At this time, we are also not expanding the 2006 guidance 
on sharing with head offices and controlling companies to additional 
industries. The regulatory framework provided in the final rule, 
however, also would facilitate the potential expansion of this 
authority to those industries in the future.
---------------------------------------------------------------------------

D. Disclosures by Government Authorities

    In the proposed rule, FinCEN included a regulatory prohibition in 
each industry's SAR rule that created a prohibition against disclosure 
by all Federal, State, local, territorial, or Tribal government 
authorities, and any director, officer, employee, or agent of those 
authorities. The proposed rule

[[Page 75600]]

tracked the statutory language \29\ closely by clarifying that any 
officer or employee of the government may not disclose a SAR or 
information that would reveal the existence of the SAR, ``except as 
necessary to fulfill official duties consistent with Title II of the 
Bank Secrecy Act.''
---------------------------------------------------------------------------

    \29\ See 31 U.S.C. 5318(g)(2)(A)(ii).
---------------------------------------------------------------------------

    This standard would permit, for example, official disclosures 
responsive to a grand jury subpoena; a request from an appropriate 
Federal or State law enforcement or regulatory agency; a request from 
an appropriate Congressional committee or subcommittees; and 
prosecutorial disclosures mandated by statute or the Constitution, in 
connection with the statement of a government witness to be called at 
trial, the impeachment of a government witness, or as material 
exculpatory of a criminal defendant.\30\ This proposed interpretation 
of section 5318(g)(2)(A)(ii) would ensure that SAR information will not 
be disclosed for a reason that is unrelated to the purposes of the BSA. 
For example, this standard would not permit the disclosure of SAR 
information to the media.
---------------------------------------------------------------------------

    \30\ See, e.g., Giglio v. United States, 405 U.S. 150, 153-54 
(1972); Brady v. State of Maryland, 373 U.S. 83, 86-87 (1963); 
Jencks v. United States, 353 U.S. 657, 668 (1957).
---------------------------------------------------------------------------

    The proposed rules also specifically provide that ``official duties 
consistent with Title II of the BSA'' shall not include the disclosure 
of SAR information in response to a request for disclosure of non-
public information \31\ or a request for use in a private legal 
proceeding, including a request pursuant to 31 CFR 1.11. The BSA 
exists, in part, to protect the public's interest in an effective 
reporting system that benefits the nation by helping to assure that the 
U.S. financial system will not be used for criminal activity or to 
support terrorism. FinCEN believes that this purpose would be 
undermined by the disclosure of SAR information to a private litigant 
for use in a civil lawsuit for the reasons described earlier, including 
the reason that such disclosures could negatively impact full and 
candid reporting by financial institutions.
---------------------------------------------------------------------------

    \31\ For purposes of this rulemaking, ``non-public information'' 
refers to information that is exempt from disclosure under the 
Freedom of Information Act.
---------------------------------------------------------------------------

    FinCEN is adopting the text, as proposed, while clarifying that the 
rule should not be read to preclude inter-governmental sharing of SAR 
information. For example, while a FinCEN employee would be precluded 
under this provision from disclosing SAR information if requested by 
the press under the Freedom of Information Act, it would not 
necessarily be outside of the FinCEN employee's official duties to 
provide that information to another government agency.

E. Disclosures by Self-Regulatory Organizations

    In the proposed rules governing entities which may be examined for 
compliance with their SAR requirements by an SRO, FinCEN included a 
provision regarding disclosures by SROs that closely paralleled the 
provision regarding government disclosures. The language differed, 
however, to reflect the fact that self-regulatory organizations are not 
governmental entities. One commenter suggested that because SROs are 
not governmental entities but rather are subject to oversight by the 
SEC and CFTC, they cannot possess ``official duties'' in the same 
capacity as a government representative. Another comment submitted by 
an SRO requested that FinCEN expand, rather than limit, an SRO's 
authority to use and disclose SARs for all self-regulatory purposes. 
While FinCEN agrees that SROs are not government agencies, FinCEN 
believes it is not necessary to define the extent to which SROs possess 
``official duties'' under 31 U.S.C. 5318(g)(2)(A)(ii) at this time. 
Instead, FinCEN has modified the language of the final rule text to 
comport with language from the first rule of construction by stating 
that SROs ``shall not disclose * * * except as necessary to fulfill 
self-regulatory duties upon the request of [the Federal agency 
responsible for its oversight], in a manner consistent with title II of 
the BSA.''
    For consistency, we also are removing ``official duties'' from the 
subsequent sentences in the final rule (regarding the appropriate SRO 
response to requests for use in a private legal proceeding or for 
disclosure of non-public information) and using the same replacement 
language.

F. Limitation on Liability

    In Section 351 of the USA PATRIOT Act, Congress amended section 
5318(g)(3) to clarify that the scope of the safe harbor provision also 
includes the voluntary disclosure of possible violations of law and 
regulations to a government agency, and to expand the scope of the 
limit on liability to include any liability which may exist ``under any 
contract or other legally enforceable agreement (including any 
arbitration agreement).'' FinCEN tracked more closely the statutory 
language in the proposed rules, particularly by stating that the safe 
harbor applies to ``disclosures'' (and not ``reports'' as in some 
previous rulemakings) made by institutions.
    Additionally, to comport with the authorization to jointly file 
SARs in the second rule of construction, FinCEN clarified that the safe 
harbor also applies to ``a disclosure made jointly with another 
institution.'' This concept exists currently in those SAR rules where 
joint filing had been explicitly referenced, but has been revised to 
track more closely the statutory language. It was also inserted for the 
sake of consistency into those SAR rules where it had been absent 
previously, clarifying that all parties to a joint filing, and not 
simply the party that provides the form to FinCEN, fall within the 
scope of the safe harbor.
    For consistency, FinCEN also separated the provision for 
confidentiality of reports and limitation of liability into two 
separate provisions in those rules for industries which previously 
contained both provisions under the single heading ``confidentiality of 
reports; limitation of liability.''
    All comments received about the safe harbor provision encouraged 
making the provision as strong as possible. One commenter identified 
the statutory phrase, ``to any person,'' that was not included in the 
proposed rules, and which FinCEN believes would strengthen the safe 
harbor provided by the final rule. The commenter correctly pointed out 
that the statutory safe harbor provision protects persons from 
liability not only to the person involved in the transaction, but also 
to any other person. Accordingly the final rule is being amended to 
insert the phrase ``shall be protected from liability to any person, 
for any such disclosure * * *'' and is otherwise being adopted as 
proposed, without change.
    Another commenter requested that FinCEN expressly grant safe harbor 
to an institution that makes a determination not to file a SAR after 
investigating potentially suspicious activity. The statutory safe 
harbor provision, however, is clearly intended to protect persons 
involved in the filing of a voluntary or required SAR from civil 
liability only for filing the SAR and for refusing to provide notice of 
such filing. FinCEN cannot provide additional protection from liability 
for other actions.

G. Compliance

    In the proposed rule, FinCEN streamlined the compliance provision 
by providing only that (1) FinCEN or its

[[Page 75601]]

delegatees \32\ may examine the institution for compliance with the SAR 
requirement; (2) that a failure to satisfy the requirements of the SAR 
rule may constitute a violation of the BSA or BSA regulations; and (3) 
for depository institutions with parallel Title 12 SAR requirements, 
that failure to comply with FinCEN's SAR requirement may also 
constitute a violation of the parallel Title 12 rules. For consistency, 
the proposed rules also used only the heading ``Compliance'' for this 
provision in each of the SAR rules.\33\ In the absence of any comments 
objecting to any of the proposed changes to the Compliance provision, 
FinCEN is adopting them as proposed, without change, in the final rule.
---------------------------------------------------------------------------

    \32\ In the case of the SEC and the CFTC, that authority may be 
further delegated to SROs.
    \33\ Identical section in separate SAR rules had been titled 
``Compliance'' or ``Examination and Enforcement'' prior to the 
proposed rule.
---------------------------------------------------------------------------

H. Technical Corrections and Harmonization

    In addition to the changes described above in the Section-by-
Section analysis, the final rule incorporates the proposed technical 
corrections to harmonize, where appropriate, each of FinCEN's seven SAR 
rules with each other and with those being issued by some of the 
Federal bank regulatory agencies. FinCEN believes that such efforts 
will simplify compliance with SAR reporting requirements.
    In the final rule for each industry, FinCEN is making one such 
change that had not been proposed. FinCEN is amending the paragraph 
entitled ``retention of records'' so that the standard for the 
disclosure of a SAR's supporting documentation to appropriate 
governmental authorities comports with the standard found in the first 
rule of construction. Because the supporting documentation is deemed to 
have been filed with the SAR but kept in custody by the financial 
institution, this change is necessary to ensure that all types of SAR 
information are subject to the same standard of confidentiality. This 
comporting change is consistent with the substance of the proposed rule 
text, as addressed through public comment.
    For the mutual fund SAR rule only, this comporting change results 
in striking language regarding supporting documentation for a SAR 
jointly filed with a broker-dealer in securities being made available 
by the mutual fund to the SRO of the broker-dealer. This change is 
consistent with FinCEN's treatment elsewhere in the final rule of 
regulatory authorities' ability to request SAR information from 
entities they do not regulate.\34\
---------------------------------------------------------------------------

    \34\ See the earlier preamble discussion of ``civil enforcement 
authorities'' under the first rule of construction, including the 
ability of a regulator to obtain supporting documentation from 
FinCEN or the supervisor of an institution in cases where its own 
authorities are limited.
---------------------------------------------------------------------------

V. Other Issues

A. Requests for Guidance

    One commenter requested additional guidance from FinCEN regarding 
additional situations under which a SAR could be disclosed, but did not 
provide any examples of the ``unclear and vague'' issues that remained. 
It is FinCEN's intent, and one of the underlying motivations for this 
rulemaking, that the rules of construction, as finalized, constitute 
clearly all of the