Confidentiality of Suspicious Activity Reports, 75576-75583 [2010-29880]

Download as PDF 75576 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations V. OCC Regulatory Analysis Regulatory Flexibility Act The Regulatory Flexibility Act (RFA) generally requires an agency that is issuing a final rule to prepare and make available a final regulatory flexibility analysis that describes the impact of the final rule on small entities, 5 U.S.C. 604. However, the RFA provides that an agency is not required to prepare and make available a final regulatory flexibility analysis if the agency certifies that the final rule will not have a significant economic impact on a substantial number of small entities and publishes its certification and a short, explanatory statement in the Federal Register along with its final rule. 5 U.S.C. 605(b). For purposes of the RFA and OCC-regulated entities, a ‘‘small entity’’ is a national bank with assets of $175 million or less (small national bank). The OCC has determined that this final rule will not have a significant economic impact on a substantial number of small entities. The final rule’s changes to the OCC’s internal standards, which were prompted by a statutory change, apply to the OCC, and its internal deliberations regarding the agency’s ability to disclose a SAR, and not to any other entities. Therefore, pursuant to section 605(b) of the RFA, the OCC certifies that this final rule will not have a significant economic impact on a substantial number of small entities. Accordingly, the requirement to prepare and publish a final regulatory flexibility analysis does not apply to this final rule. Paperwork Reduction Act We have reviewed the final rule in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR 1320, Appendix A.1) (PRA) and have determined that the final rule does not contain any ‘‘collections of information’’ as defined by the PRA. emcdonald on DSK2BSOYB1PROD with RULES2 Unfunded Mandates Reform Act of 1995 Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (2 U.S.C. 1532) (Unfunded Mandates Act), requires that an agency prepare a budgetary impact statement before promulgating any rule likely to result in a Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector of $100 million or more (adjusted for inflation) in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires an agency to identify and consider a VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 reasonable number of regulatory alternatives before promulgating a rule. The OCC has determined that this final rule, which amends the standards the OCC will apply when determining whether to release a SAR, will not result in expenditures by State, local, and tribal governments, or by the private sector, of $100 million or more (adjusted for inflation) in any one year. Accordingly, this final rule is not subject to section 202 of the Unfunded Mandates Act. List of Subjects in 12 CFR Part 4 Administrative practice and procedure, Freedom of information, Individuals with disabilities, Minority businesses, Organization and functions (Government agencies), Reporting and recordkeeping requirements, Women. Authority and Issuance ■ b. Adding the word ‘‘and’’ at the end of paragraph (b)(1)(v); and ■ c. Removing, at the end of paragraph (b)(1)(vi), ‘‘; and’’ and adding a period in its place. ■ 4. Amend § 4.35(a)(2) by: ■ a. Removing the word ‘‘or’’ at the end of paragraph (a)(2)(iv); ■ b. Removing, in paragraph (a)(2)(v), the period and by adding in lieu thereof ‘‘; or’’; and ■ c. Adding a new paragraph (a)(2)(vi) to read as follows: § 4.35 Consideration of requests. (a) * * * (2) * * * (vi) When prohibited by law. * * * * * § 4.37 [Amended] 5. In § 4.37(c), remove the reference to ‘‘§ 4.37’’ in the last sentence and add in lieu thereof ‘‘§ 4.38.’’ [This Signature Page Relates to the Final Rule on Standards Governing the Release of a Suspicious Activity Report—Part 4.] ■ For the reasons set forth in the preamble, part 4, subpart C, of title 12 of the Code of Federal Regulations is amended as follows: ■ PART 4—ORGANIZATION AND FUNCTIONS, AVAILABILITY AND RELEASE OF INFORMATION, CONTRACTING OUTREACH PROGRAM, POST-EMPLOYMENT RESTRICTIONS FOR SENIOR EXAMINERS 1. Revise the authority citation for part 4 to read as follows: Dated: August 16, 2010. John Walsh, Acting Comptroller of the Currency. [FR Doc. 2010–29883 Filed 12–2–10; 8:45 am] BILLING CODE P ■ Authority: 12 U.S.C. 93a. Subpart A also issued under 5 U.S.C. 552. Subpart B also issued under 5 U.S.C. 552; E.O. 12600 (3 CFR 1987 Comp., p. 235). Subpart C also issued under 5 U.S.C. 301, 552; 12 U.S.C. 161, 481, 482, 484(a), 1442, 1817(a)(2) and (3), 1818(u) and (v), 1820(d)(6), 1820(k), 1821(c), 1821(o), 1821(t), 1831m, 1831p–1, 1831o, 1867, 1951 et seq., 2601 et seq., 2801 et seq., 2901 et seq., 3101 et seq., 3401 et seq.; 15 U.S.C. 77uu(b), 78q(c)(3); 18 U.S.C. 641, 1905, 1906; 29 U.S.C. 1204; 31 U.S.C. 5318(g)(2), 9701; 42 U.S.C. 3601; 44 U.S.C. 3506, 3510. Subpart D also issued under 12 U.S.C. 1833e. ■ 2. Add § 4.31(b)(4) to read as follows: § 4.31 * * * * (b) * * * (4) For purposes of §§ 4.35(a)(1), 4.36(a) and 4.37(c) of this part, the OCC’s decision to disclose records or testimony involving a Suspicious Activity Report (SAR) filed pursuant to the regulations implementing 12 U.S.C. 5318(g), or any information that would reveal the existence of a SAR, is governed by 12 CFR 21.11(k). ■ ■ [Amended] 3. Amend § 4.32(b) by: a. Removing paragraph (b)(1)(vii). PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 Office of the Comptroller of the Currency 12 CFR Part 21 [Docket ID OCC–2010–0019] RIN 1557–AD17 Confidentiality of Suspicious Activity Reports The Office of the Comptroller of the Currency (OCC), Treasury. ACTION: Final rule. AGENCY: The OCC is issuing this final rule to amend its regulations implementing the Bank Secrecy Act (BSA) governing the confidentiality of a suspicious activity report (SAR) to: clarify the scope of the statutory prohibition on the disclosure by a financial institution of a SAR, as it applies to national banks; address the statutory prohibition on the disclosure by the government of a SAR, as that prohibition applies to the OCC’s standards governing the disclosure of SARs; clarify that the exclusive standard applicable to the disclosure of a SAR, or any information that would reveal the SUMMARY: Purpose and scope. * § 4.32 DEPARTMENT OF THE TREASURY E:\FR\FM\03DER2.SGM 03DER2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations existence of a SAR, by the OCC is to fulfill official duties consistent with Title II of the BSA; and modify the safe harbor provision in the OCC’s SAR rules to include changes made by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act. These amendments are consistent with a final rule being contemporaneously issued by the Financial Crimes Enforcement Network (FinCEN). DATES: This rule is effective on January 3, 2011. FOR FURTHER INFORMATION CONTACT: James Vivenzio, Senior Counsel for BSA/AML, (202) 874–5200; Ellen Warwick, Assistant Director, Litigation, (202) 874–5280; or Patrick T. Tierney, Counsel, Legislative and Regulatory Activities, (202) 874–5090; Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219. SUPPLEMENTARY INFORMATION: I. Background emcdonald on DSK2BSOYB1PROD with RULES2 The BSA requires financial institutions, including national banks regulated by the OCC, to keep certain records and make certain reports that have been determined to be useful in criminal, tax, or regulatory investigations or proceedings, and for intelligence or counter intelligence activities to protect against international terrorism. In particular, the BSA and its implementing regulations require a financial institution to file a SAR when it detects a known or suspected violation of Federal law or a suspicious activity related to money laundering, terrorist financing, or other criminal activity.1 SARs are used for law enforcement or regulatory purposes to combat terrorism, terrorist financing, money laundering and other financial crimes. For this reason, the BSA provides that a financial institution, and its officers, directors, employees, and agents are prohibited from notifying any person involved in a suspicious transaction that 1 The Annunzio-Wylie Anti-Money Laundering Act (the Annunzio-Wylie Act) amended the BSA and authorized the Secretary of the Treasury to require financial institutions to report suspicious transactions relevant to a possible violation of law or regulation. See Public Law 102–550, Title XV, section 1517(b), 106 Stat. 4044, 4059–60 (1992); 31 U.S.C. 5318(g)(1). The OCC, Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), and National Credit Union Administration (NCUA), (collectively referred to as the Federal bank regulatory agencies) subsequently issued virtually identical implementing regulations on suspicious activity reporting. See 12 CFR 21.11 (OCC); 12 CFR 208.62 (FRB); 12 CFR 353.3 (FDIC); 12 CFR 563.180 (OTS); and 12 CFR 748.1 (NCUA). VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 the transaction was reported.2 To encourage the voluntary reporting of possible violations of law and regulation, and the filing of SARs, the BSA also contains a safe harbor provision, which shields financial institutions making such reports from civil liability. FinCEN 3 has issued rules implementing the SAR confidentiality provisions for various types of financial institutions that closely mirror the statutory language.4 In addition, the Federal bank regulatory agencies implemented these provisions through similar regulations that provide SARs are confidential and generally no information about or contained in a SAR may be disclosed.5 The regulations issued by FinCEN and the Federal bank regulatory agencies also describe the applicability of the BSA’s safe harbor provision 6 to both voluntary reports of possible and known violations of law and the required filing of SARs. The USA PATRIOT Act of 2001 strengthened the confidentiality of SARs by adding to the BSA a new provision that prohibits officers or employees of the Federal government or any State, local, Tribal, or territorial government within the United States with knowledge of a SAR from disclosing to any person involved in a suspicious transaction that the transaction was reported, other than as necessary to fulfill the official duties of such officer or employee.7 The USA PATRIOT Act also clarified that the safe harbor shielding financial institutions from liability covers voluntary disclosures of possible violations of law and regulations to a government agency and expanded the scope of the limit on liability to cover any civil liability that may exist ‘‘under any contract or other legally enforceable agreement (including any arbitration agreement).’’ 8 FinCEN is issuing a final rule to modify its SAR rules to interpret or further interpret the provisions of the 2 31 U.S.C. 5318(g)(2)(A)(i). is the agency designated by the Department of the Treasury to administer the BSA and with which SARs must be filed. See 31 U.S.C. 5318; 12 CFR 21.11(c). 4 See, e.g., 31 CFR 103.18(e) (SAR confidentiality rule for banks); 31 CFR 103.19(e) (SAR confidentiality rule for brokers or dealers in securities). 5 See 12 CFR 21.11(k) (OCC); 12 CFR 208.62(j) (FRB); 12 CFR 353.3(g) (FDIC); 12 CFR 563.180(d)(12) (OTS); and 12 CFR 748.1(c)(5) (NCUA). 6 31 U.S.C. 5318(g)(3). 7 See USA PATRIOT Act, section 351(b); Pub. L. 107–56, Title III, section 351; 115 Stat. 272, 320– 21 (2001); 31 U.S.C. 5318(g)(2). 8 See USA PATRIOT Act, section 351(a); Public Law 107–56, Title III, section 351; 115 Stat. 272, 321 (2001); 31 U.S.C. 5318(g)(3). 3 FinCEN PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 75577 BSA that relate to the confidentiality of SARs and the safe harbor for such reporting. The OCC is amending its SAR rules contemporaneously, consistent with the final rule being issued by FinCEN, to clarify the manner in which these provisions apply to national banks and to the OCC’s own standards governing the disclosure of a SAR and any information that would reveal the existence of a SAR (referred to in this SUPPLEMENTARY INFORMATION as ‘‘SAR information’’). In a separate rulemaking action from the part 21 proposal, the OCC also simultaneously proposed to amend its information disclosure regulation set forth in 12 CFR part 4, subpart C, to clarify that the exclusive standard governing the release of SAR information is set forth in 12 CFR 21.11.9 The OCC issued that proposed amendment to 12 CFR part 4, subpart C, at the same time as the part 21 proposal, to make clear that the OCC will disclose SAR information only when necessary to satisfy the BSA purposes for which SARs are filed. Today, the OCC also is adopting the part 4 proposal as final without change. II. Overview of the Proposed Rule and Related Actions On March 9, 2009, the OCC published proposed amendments to its rules 10 to include key changes that would: (1) Clarify the scope of the statutory prohibition on the disclosure by a financial institution of a SAR, as it applies to national banks; (2) address the statutory prohibition on the disclosure by the government of a SAR, which was added to the BSA by section 351(b) of the USA PATRIOT Act of 2001, as that prohibition applies to the OCC’s standards governing the disclosure of SAR information; and (3) clarify that the exclusive standard applicable to the disclosure of SAR information by the OCC is to fulfill official duties consistent with Title II of the BSA, in order to ensure that SAR information is protected from inappropriate disclosures unrelated to the BSA purposes for which SARs are filed. In addition, the proposed amendments would modify the safe harbor provision in the OCC’s SAR rules 11 to include changes made by the USA PATRIOT Act. Contemporaneously with the publication of, and as described in the OCC’s proposal, FinCEN issued for notice and comment proposed guidance regarding the sharing of SARs with 9 74 FR 10136 (Mar. 9, 2009). FR 10130 (Mar. 9, 2009). 11 12 CFR 21.11(l). 10 74 E:\FR\FM\03DER2.SGM 03DER2 75578 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations affiliates.12 That proposed guidance may be used to interpret a provision of the OCC’s proposed rulemaking. III. Comments on the Proposed Rule The comment period for the proposed rulemakings ended on June 8, 2009. OCC received a total of five comments.13 Of these, three were submitted by bank trade associations, one was submitted by a bank holding company, and one was submitted by an individual. The comments generally supported the OCC’s proposed rule while requesting broadening of FinCEN’s proposed sharing guidance.14 Comments specific to the OCC’s proposed rule provided suggestions related to the disclosure of the ‘‘underlying facts, transactions, and documents upon which a SAR is based;’’ the requirement to reveal a SAR request to both OCC and FinCEN; and the proposed modification to the safe harbor provision in the OCC’s SAR rules 15 to include changes made by the USA PATRIOT Act. These comments are addressed in the Section-by-Section Analysis section of this SUPPLEMENTARY INFORMATION. IV. Section-by-Section Analysis Section 21.11(b) Definition of a SAR The primary purpose of the OCC’s SAR rule is to ensure that a national bank files a SAR when it detects a known or suspected violation of a Federal law or a suspicious transaction related to money laundering activity or a violation of the BSA. See 12 CFR 21.11(a). Incidental to this purpose, the OCC’s SAR rule includes a section that addresses the confidentiality of SARs. Under the current SAR rule, the term ‘‘SAR’’ means ‘‘a Suspicious Activity Report on the form prescribed by the OCC.’’ 16 The proposed rule would have defined a ‘‘SAR’’ generically as ‘‘a Suspicious Activity Report.’’ This change would extend the confidentiality provisions of the OCC’s SAR rule to all SARs, including those filed on forms prescribed by FinCEN.17 As a consequence, a national bank that obtained a SAR, for example, from a non-bank affiliate pursuant to the 12 74 FR 10158 (Mar. 9, 2009). of the comments received by the OCC directly addressed the proposed revisions to the OCC’s information disclosure regulation set forth in 12 CFR part 4, subpart C. 14 Comments about the sharing guidance are addressed separately in a related ‘‘notice of availability of guidance’’ published by FinCEN elsewhere in today’s Federal Register together with FinCEN’s final rules. 15 12 CFR 21.11(l). 16 12 CFR 21.11(b)(3). 17 See, e.g., 31 CFR 103.19(b) (FinCEN regulations requiring brokers or dealers in securities to file reports of suspicious transactions on a SAR–S–F). emcdonald on DSK2BSOYB1PROD with RULES2 13 None VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 provisions of the proposed rule, would be required to safeguard the confidentiality of the SAR, even if the SAR had not been filed on a form prescribed by the OCC. The OCC received no comments on the proposed revised definition of SAR and adopts the definition as proposed. Section 21.11(c) SARs Required To clarify that a national bank must file a SAR on a form ‘‘prescribed by the OCC,’’ the OCC proposed to add that phrase to the introductory language of the section of the OCC’s SAR rule that describes the procedures for the filing of a SAR. Accordingly, the proposed rule would have required a national bank to file a SAR with the appropriate Federal law enforcement agencies and the Department of the Treasury on the form prescribed by the OCC in accordance with the form’s instructions, by sending a completed SAR to FinCEN in particular circumstances.18 The OCC received no comments on the proposal to add the phrase ‘‘prescribed by the OCC’’ to the introductory language of that section of the OCC’s SAR rule and adopts the change as proposed. Section 21.11(k) Confidentiality of SARs Prior to this rulemaking, § 21.11(k) specified that SARs are confidential and any national bank or person: (1) Must not disclose a SAR or the information contained in SAR; (2) must not provide any information that would disclose that a SAR has been prepared or filed; and (3) must notify the OCC of any subpoena or request received by a national bank or person to make such a SAR-related disclosure. The OCC proposed to amend its rules regarding SAR confidentiality 19 by modifying the introductory sentence regarding SAR confidentiality and dividing the remainder of the current provision into two sections. The first section would describe the prohibition on disclosure of SAR information by national banks and the rules of construction applicable to this prohibition. The second section would describe the prohibition on the OCC’s disclosure of SAR information. Prior to this final rulemaking action, the OCC’s rules prohibiting the disclosure of SARs began with the statement that SARs are confidential. Over the years, the OCC has received 18 OCC’s current provision, at 12 CFR 21.11(c), requires a national bank to ‘‘file a SAR with the appropriate Federal law enforcement agencies and the Department of the Treasury in accordance with the form’s instructions * * *,’’ but does not specify which form. 19 12 CFR 21.11(k). PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 numerous questions regarding the scope of the prohibition on the disclosure of a SAR in its current rules. Accordingly, the OCC proposed to clarify the scope of SAR confidentiality by more clearly describing the information that is subject to the prohibition. Like FinCEN, the OCC believes that all of the reasons for maintaining the confidentiality of SARs are equally applicable to any information that would reveal the existence of a SAR. The OCC, like FinCEN, recognizes that in order to protect the confidentiality of a SAR, any information that would reveal the existence of a SAR must be afforded the same protection from disclosure. The confidentiality of SARs must be maintained for a number of compelling reasons. For example, the disclosure of a SAR could result in notification to persons involved in the transaction that is being reported and compromise any investigations being conducted in connection with the SAR. In addition, the OCC believes that even the occasional disclosure of a SAR could chill the willingness of a national bank to file SARs and to provide the degree of detail and completeness in describing suspicious activity in SARs that will be of use to law enforcement. If banks believe that a SAR can be used for purposes unrelated to the law enforcement and regulatory purposes of the BSA, the disclosure of such information could adversely affect the timely, appropriate, and candid reporting of suspicious transactions. Banks also may be reluctant to report suspicious transactions, or may delay making such reports, for fear that the disclosure of a SAR will interfere with the bank’s relationship with its customer. Further, a SAR may provide insight into how a bank uncovers potential criminal conduct that can be used by others to circumvent detection. The disclosure of a SAR also could compromise personally identifiable information or commercially sensitive information or damage the reputation of individuals or companies that may be named. Finally, the disclosure of a SAR for uses unrelated to the law enforcement and regulatory purposes for which SARs are intended increases the risk that bank employees or others who are involved in the preparation or filing of a SAR could become targets for retaliation by persons whose criminal conduct has been reported. These reasons for maintaining the confidentiality of SARs also apply to any information that would reveal the existence of a SAR. Therefore, like FinCEN, the OCC proposed to modify the general introduction in its rules to E:\FR\FM\03DER2.SGM 03DER2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations emcdonald on DSK2BSOYB1PROD with RULES2 state that confidential treatment also must be afforded to ‘‘any information that would reveal the existence of a SAR.’’ The introduction also would indicate that SAR information may not be disclosed, except as authorized in the narrow circumstances that follow. Some commenters asked that the OCC clarify the phrase ‘‘information that would reveal the existence of a SAR’’ for the purpose of defining the scope of SAR confidentiality. One commenter specifically asked whether that term only includes information that affirmatively states that a SAR was filed. Another commenter urged that the OCC formally recognize that material contained in a reporting institution’s files supporting its decision to file or not file a SAR is confidential. Any document or other information that affirmatively states that a SAR has been filed constitutes information that would reveal the existence of a SAR and must be kept confidential. By extension, a national bank also must afford confidentiality to any document stating that a SAR has not been filed. Were the OCC to allow disclosure of information when a SAR is not filed, institutions would implicitly reveal the existence of a SAR any time they were unable to produce records because a SAR was filed.20 Documents that may identify suspicious activity, but that do not reveal whether a SAR exists (e.g., a document memorializing a customer transaction such as an account statement indicating a cash deposit or a record of a funds transfer), should be considered as falling within the underlying facts, transactions, and documents upon which a SAR is based, and need not be afforded confidentiality.21 This distinction is set forth in the final rule’s second rule of construction discussed in this Section20 For example, a private litigant may serve a discovery request on a bank in civil litigation that calls for the bank to produce the underlying documentation on companies A, B, and C, where the bank has filed a SAR on company A, but not companies B or C, and the underlying documentation reflects the SAR filing decisions. If the bank then produces the underlying documentation for companies B and C, but neither confirms nor denies the existence of a SAR when declining to provide similar documentation for company A, by negative implication it may have revealed the existence of the SAR filed on company A. 21 As one commenter noted, information produced in the ordinary course of business may contain sufficient information that a reasonable and prudent person familiar with SAR filing requirements could use to conclude that an institution likely filed a SAR (e.g., a copy of a fraudulent check or a cash transaction log showing a clear pattern of structured deposits). Such information alone does not constitute information that would reveal the existence of a SAR. VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 by-Section Analysis and reflects relevant case law.22 However, the strong public policy that underlies the SAR system as a whole— namely, the creation of an environment that encourages a national bank to report suspicious activity without fear of reprisal—leans heavily in favor of applying SAR confidentiality not only to a SAR itself, but also in appropriate circumstances to material prepared by the national bank as part of its process to detect and report suspicious activity, regardless of whether a SAR ultimately was filed or not. This interpretation also reflects relevant case law.23 As explained in more detail in the proposed rule,24 the primary purpose for clarifying the scope of the confidentiality provision is to ensure that, due to potentially serious consequences, the persons involved in the transaction and identified in the SAR cannot be notified, directly or indirectly, of the report. Accordingly, like FinCEN, the OCC proposed replacing the previous rule text prohibiting disclosure of the SAR to the person involved in the transaction with a broad general confidentiality provision for all SAR information applicable to all persons not authorized in the rules of construction to receive such information. With respect to ‘‘information that would reveal the existence of a SAR,’’ therefore, institutions should distinguish between 22 See, e.g., Whitney Nat. Bank v. Karam, 306 F. Supp. 2d 678, 682 (S.D. Tex. 2004) (noting that courts have ‘‘allowed the production of supporting documentation that was generated or received in the ordinary course of the bank’s business, on which the report of suspicious activity was based’’); Cotton v. Private Bank and Trust Co., 235 F. Supp. 2d 809, 815 (N.D. Ill. 2002) (holding that the ‘‘factual documents which give rise to suspicious conduct * * * are to be produced in the ordinary course of discovery because they are business records made in the ordinary course of business’’). 23 See, e.g., Whitney at 682–83 (holding that the SAR confidentiality provision protects, inter alia, ‘‘communications preceding the filing of a SAR and preparatory or preliminary to it; communications that follow the filing of a SAR and are explanations or follow-up discussion; or oral communications or suspected or possible violations that did not culminate in the filing of a SAR’’); Cotton at 815 (holding that ‘‘documents representing the drafts of SARs or other work product or privileged communications that relate to the SAR itself * * * are not to be produced [in discovery] because they would disclose whether a SAR has been prepared or filed’’); Union Bank of California, N.A. v. Superior Court, 29 Cal. Rptr. 2d 894, 902 (2005) (holding that ‘‘a draft SAR or internal memorandum prepared as part of a financial institution’s process for complying with Federal reporting requirements is generated for the specific purpose of fulfilling the institution’s reporting obligation * * * [and] fall within the scope of the SAR [confidentiality] privilege because they may reveal the contents of a SAR and disclose whether ‘a SAR has been prepared or filed’ ’’ (quoting 12 CFR 21.11(k) (2005)). 24 74 FR 10131–32 (Mar. 9, 2009). PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 75579 certain types of statistical or abstract information or general discussions of suspicious activity that may indicate that an institution has filed SARs,25 and information that would reveal the existence of a SAR in a manner that could enable the person involved in the transaction potentially to be notified, whether directly or indirectly. Like FinCEN, and for the reasons discussed in this section, the OCC is adopting the proposed introductory language to the Confidentiality of SARs provision (§ 21.11(k)) as final without change. Section 21.11(k)(1)(i) Prohibition on Disclosure by National Banks The OCC’s current rules provide that any national bank or person subpoenaed or otherwise requested to disclose a SAR or the information contained in a SAR must: (1) Decline to produce the SAR or to provide any information that would disclose that a SAR has been prepared or filed and (2) notify the OCC. The proposed rule more specifically addressed the prohibition on the disclosure of a SAR by a national bank. The proposed rule provided that the prohibition includes ‘‘any information that would reveal the existence of a SAR’’ instead of using the phrase ‘‘any information that would disclose that a SAR has been prepared or filed.’’ The OCC, like FinCEN, believes that the proposed phrase more clearly describes the type of information that is covered by the prohibition on the disclosure of a SAR. In addition, the proposed rule incorporated the specific reference in 31 U.S.C. 5318(g)(2)(A)(i) to a ‘‘director, officer, employee, or agent,’’ in order to clarify that the prohibition on disclosure extends to those individuals in a national bank who may have access to SAR information. Although 31 U.S.C. 5318(g)(2)(A)(i) provides that a person involved in the transaction may not be notified that the transaction has been reported, the proposed rule reflected case law that has consistently concluded, in accordance with applicable regulations, that financial institutions are broadly prohibited from disclosing SAR information to any person. Accordingly, these cases have held that, in the context of discovery in connection with 25 One example of such information could include summary information commonly provided by banks in the ‘‘notification to the board’’ required by the various Federal bank regulatory agency SAR rules. National banks subject to the requirement are encouraged to be cautious in the production of relevant portions of board minutes or other records to avoid the risk of potentially exposing SAR information to the subject, either directly or indirectly, in the event such records are subpoenaed. E:\FR\FM\03DER2.SGM 03DER2 75580 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations emcdonald on DSK2BSOYB1PROD with RULES2 civil lawsuits, financial institutions are prohibited from disclosing SAR information because section 5318(g) and its implementing regulations have created an unqualified discovery and evidentiary privilege for such information that cannot be waived by financial institutions.26 Consistent with case law and the current regulation, the text of the proposed rule did not limit the prohibition on disclosure only to the person involved in the transaction. Permitting disclosure to any outside party may make it likely that SAR information would be disclosed to a person involved in the transaction, which the BSA absolutely prohibits. The proposed rule continued to provide that any national bank, or any director, officer, employee or agent of a national bank, subpoenaed or otherwise requested to disclose SAR information must decline to provide the information, citing that section of the rule and 31 U.S.C. 5318(g)(2)(A)(i), and must give notice of the request to the OCC. In addition, the proposed rule required the bank to notify the OCC of its response to the request and required the bank to provide the same information to FinCEN. Two commenters suggested that OCC adjust its SAR rule to remove the ‘‘duplicative’’ requirement for a bank to notify both OCC and FinCEN when SAR information is inappropriately requested. OCC, like FinCEN, disagrees with the commenter’s characterization of the notification requirement as ‘‘duplicative’’ because OCC and FinCEN each have issued, and separately administers, its own separate SAR rule.27 The joint notification requirement in the OCC’s final rule, therefore, simply acknowledges the notification requirement of different SAR regulations issued by separate agencies. Therefore, the OCC adopts proposed § 21.11(k)(1)(i) as final without change. 26 See, e.g., Whitney Nat’l Bank v. Karam, 306 F. Supp. 2d 678, 682 (S.D. Tex. 2004); Cotton v. Private Bank and Trust Co., 235 F. Supp. 2d 809, 815 (N.D. Ill. 2002). 27 Because FinCEN’s jurisdiction is limited to Title 31 of the Code of Federal Regulations, FinCEN’s final rule removes the requirement that a financial institution notify its primary Federal regulator in addition to notifying FinCEN in the event of an inappropriate request for SAR information. However, the OCC’s final rule maintains the requirement that any national bank, and any director, officer, employee, or agent of any national bank, that is subpoenaed or otherwise requested to disclose SAR information, shall decline to produce the SAR or such information, citing 12 CFR Part 21 of the OCC’s rules and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify both the OCC and FinCEN. VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 Section 21.11(k)(1)(ii): Rules of Construction The OCC, like FinCEN, proposed rules of construction to address issues that have arisen over the years about the scope of the SAR disclosure prohibition and to implement statutory modifications to the BSA made by the USA PATRIOT Act. The proposed rules of construction primarily describe situations that are not covered by the prohibition on bank disclosure of SAR information. The introduction to the proposed rules of construction makes clear that they are qualified by the statutory mandate that no person involved in any reported suspicious transaction can be notified that the transaction has been reported. The OCC received no comments on the proposed introductory language to the rules of construction and is adopting the language in the final rule as proposed. The first proposed rule of construction builds on existing language to clarify that a national bank, or any director, officer, employee, or agent 28 of a national bank may disclose SAR information to FinCEN or any Federal, State, or local law enforcement agency; or any Federal or State regulatory agency that examines the financial institution for compliance with the BSA. Although the permissibility of such disclosures may be readily apparent, the proposal contained this statement to clarify that a national bank cannot use the prohibition on bank disclosure of SAR information to withhold this information from governmental authorities that are otherwise entitled by law to receive SARs and to examine for and investigate suspicious activity. The first rule of construction is adopted as final with one change to reflect that State regulatory authorities do not examine national banks for compliance with the BSA. Thus, the final rule revises § 21.11(k)(1)(ii)(A)(1) to read, in relevant part, that § 21.11(k)(1) does not prohibit the disclosure by a national bank, or any director, officer, employee, or agent of a national bank, of a ‘‘SAR, or any information that would reveal the existence of a SAR, to the OCC, FinCEN, 28 Some commenters requested guidance related to the appropriate use of SARs by agents of national banks. In the Supplementary Information section of FinCEN’s final rule issued today, FinCEN states that it is considering additional guidance on the appropriate us of SARs by agents of financial institutions. Until such guidance is issued, however, the OCC and FinCEN remind national banks of their requirement to protect, through reasonable controls or agreements with their agents, the confidentiality of SAR information, as prescribed by the OCC and FinCEN final rules. PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 or any Federal, State, or local law enforcement agency. * * *’’ The second proposed rule of construction provided that SAR information does not include the underlying facts, transactions, and documents upon which a SAR is based. This statement reflects case law, which has recognized that, while a financial institution is prohibited from producing documents in discovery that evidence the existence of a SAR, factual documents created in the ordinary course of business (for example, business records and account information, upon which a SAR is based) may be discoverable in civil litigation under the Federal Rules of Civil Procedure.29 The second proposed rule of construction included some examples of situations where a national bank may disclose the underlying facts, transactions, and documents upon which a SAR is based. The first example clarifies that a national bank, or any director, officer, employee or agent of a national bank, may disclose this information 30 to another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR.31 The second example simply codifies a rule of construction added to the BSA by section 351 of the USA PATRIOT Act, which provides that such underlying information may be disclosed in certain written employment references and termination notices.32 One commenter suggested that the OCC clarify that the illustrative 29 See Cotton v. Private Bank and Trust Co., 235 F. Supp. 2d 809, 815 (N.D. Ill. 2002). 30 Although the underlying facts, transactions, and documents upon which a SAR is based may include previously filed SARs or other information that would reveal the existence of a SAR, these materials cannot be disclosed as underlying documents. 31 On December 21, 2006, FinCEN and the Federal bank regulatory agencies announced that the format for the SAR form for depository institutions had been revised to support a new joint filing initiative to reduce the number of duplicate SARs filed for a single suspicious transaction. ‘‘Suspicious Activity Report (SAR) Revised to Support Joint Filings and Reduce Duplicate SARs,’’ Joint Release issued by FinCEN, the FRB, the OCC, the OTS, the FDIC, and the NCUA (Dec. 21, 2006). On February 17, 2006, FinCEN and the Federal bank regulatory agencies published a joint Federal Register notice seeking comment on proposed revisions to the SAR form. See 71 FR 8640. On May 1, 2007, FinCEN announced a delay in implementation of the revised SAR form until further notice. See 72 FR 23891. Until such time as a new SAR form is available that facilitates joint filing, institutions authorized to jointly file should follow FinCEN’s guidance to use the words ‘‘joint filing’’ in the narrative of the SAR and ensure that both institutions maintain a copy of the SAR and any supporting documentation (See, e.g., http://www.fincen.gov/statutes_regs/guidance/ html/guidance_faqs_sar_10042006.html). 32 31 U.S.C. 5318(g)(2)(B). E:\FR\FM\03DER2.SGM 03DER2 emcdonald on DSK2BSOYB1PROD with RULES2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations examples are not exhaustive, and that there may be other situations not prescribed in the rule where an institution may disclose the underlying facts, transactions, and documents upon which a SAR is based. The OCC did not intend for these examples to be exhaustive and does not believe the text, as proposed, implies that the examples are exhaustive. For purposes of clarity, however, like FinCEN, the OCC is revising the final rule’s language at § 21.11(k)(2) to read ‘‘* * * [t]he underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures’’ expressly listed as illustrative examples in the rule. Accordingly, with respect to the SAR confidentiality provision only,33 national banks may disclose underlying facts, transactions, and documents for any purpose, provided that no person involved in the transaction is notified that the transaction has been reported and none of the underlying information reveals the existence of a SAR. Another commenter suggested that the rules of construction include a provision expressly authorizing the disclosure of facts, transactions, or documents to affiliates wherever located and clarify that such authority may be exercised independently of the authority to share SAR information with affiliates. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported and the underlying facts, transactions, and documents do not disclose SAR information, the OCC agrees that such disclosure by a national bank to its affiliates, wherever located, is not prohibited by the final rule. Furthermore, the OCC agrees that the authorization for national banks to disclose underlying information to affiliates in § 21.11(k)(1)(ii)(A)(2) is independent of the authority to share SAR information with affiliates in § 21.11(k)(1)(ii)(B). The OCC believes that the final rule and the BSA already address that commenter’s concerns and that further revision to the rule is unnecessary. The third proposed rule of construction clarified that the prohibition on the disclosure of SAR information by a national bank does not include the sharing by a national bank, or any director, officer, employee or agent of a bank, of SAR information 33 However, other applicable laws or regulations governing a national bank’s responsibilities to maintain and protect information continue to apply, for example, information covered by part 4 of the OCC’s rules regarding the release of non-public OCC information. VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 within the bank’s corporate organizational structure for purposes consistent with Title II of the BSA as determined by regulation or in guidance. The proposed third rule of construction recognizes that a national bank may find it necessary to share SAR information to fulfill its reporting obligations under the BSA, and to facilitate more effective enterprise-wide BSA monitoring and reporting, consistent with Title II of the BSA. The term ‘‘share’’ used in the third rule of construction is an acknowledgement that sharing within a corporate organization for purposes consistent with Title II of the BSA, as determined by regulation or guidance, is distinguishable from a prohibited disclosure. FinCEN and the Federal bank regulatory agencies already have issued joint guidance making clear that the U.S. branch or agency of a foreign bank may share a SAR with its head office and that a U.S. bank or savings association may share a SAR with its controlling company (whether domestic or foreign). This guidance stated that the sharing of a SAR with a head office or controlling company both facilitates compliance with the applicable requirements of the BSA and enables the head office or controlling company to discharge its oversight responsibilities with respect to enterprise-wide risk management and compliance with applicable laws and regulations.34 Elsewhere in this issue of the Federal Register, FinCEN is issuing additional final guidance that further elaborates on sharing of SAR information within a corporate organization that FinCEN considers to be ‘‘consistent with the purposes of the BSA.’’ The final guidance generally permits the sharing of SAR information by depository institutions with their affiliates 35 that are subject to a SAR rule.36 In addition, four of the five comments received by the OCC on the proposed rule raised issues related to FinCEN’s proposed guidance, much of which is addressed in FinCEN’s separate notice of availability of guidance published elsewhere in today’s Federal Register. In general, the commenters requested an expansion of the sharing authorities 34 ‘‘Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies,’’ Joint Release issued by FinCEN, the FRB, the FDIC, the OCC, and the OTS (Jan. 20, 2006). 35 Under FinCEN’s final guidance, an ‘‘affiliate’’ of a depository institution means any company under common control with, or controlled by, that depository institution. 36 See, e.g., 12 CFR 21.11 (SAR rule applicable to national banks). PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 75581 with respect to both the parties permitted to share and the parties with whom SAR information could be shared. Most commenters provided a clear rationale for how expanded SAR sharing would benefit their institutions by increasing efficiency, cutting costs, and enhancing the detection and reporting of suspicious activity. However, like FinCEN, the OCC notes that most commenters, however, failed to sufficiently address how they would effectively mitigate the risk of unauthorized disclosure of SAR information if the sharing authority was expanded to the extent they requested. FinCEN has taken the position that due to the risk of unauthorized disclosure of SAR information, broad sharing would not be consistent with the purposes of the BSA. Should FinCEN decide in the future to expand the sharing authority, the rule will allow for such expansion. Therefore, the third rule of construction is adopted as proposed without change. Section 21.11(k)(2) Prohibition on Disclosure by the OCC As previously noted, section 351 of the USA PATRIOT Act, 31 U.S.C. 5318(g)(2)(A)(ii), amended the BSA, and added a new provision prohibiting officers and employees of the government from disclosing a SAR to any person involved in the transaction that the transaction has been reported, except ‘‘as necessary to fulfill the official duties of such officer or employee.’’ Section 21.11(k)(2) of the OCC’s proposed rule addressed this new provision of the BSA and is comparable to FinCEN’s proposal. The proposed section provided that the OCC will not, and no officer, employee or agent of the OCC, shall disclose SAR information, except as necessary to fulfill official duties consistent with Title II of the BSA. As stated in section 5318(g)(2)(A)(i), which prohibits a financial institution’s disclosure of a SAR, section 5318(g)(2)(A)(ii) also prohibits the government from disclosing a SAR to ‘‘any person involved in the transaction.’’ The OCC, like FinCEN, proposed to address sections 5318(g)(2)(A)(i) and (A)(ii) in a consistent manner, because disclosure by a governmental authority of SAR information to any outside party may make it more likely that the information will be disclosed to a person involved in the transaction. Accordingly, the proposed rule would generally bar disclosures of SAR information by OCC officers, employees, or agents. However, section 5318(g)(2)(A)(ii) also narrowly permits governmental disclosures as necessary to ‘‘fulfill E:\FR\FM\03DER2.SGM 03DER2 emcdonald on DSK2BSOYB1PROD with RULES2 75582 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations official duties,’’ a phrase that is not defined in the BSA. Consistent with the rules being proposed by FinCEN, the OCC proposed to construe this phrase in the context of the BSA, in light of the purpose for which SARs are filed. Accordingly, the proposed rule interpreted ‘‘official duties’’ to mean ‘‘official duties consistent with Title II of the Bank Secrecy Act.’’ 37 When disclosure is necessary to fulfill official duties, the OCC will make a determination, through its internal processes, that a SAR may be disclosed to fulfill official duties consistent with Title II of the BSA. This standard would permit, for example, disclosures responsive to a grand jury subpoena; a request from an appropriate Federal or State law enforcement agency; a request from an appropriate Congressional committee or subcommittee; and prosecutorial disclosures mandated by statute or the Constitution in connection with the statement of a government witness to be called at trial, the impeachment of a government witness, or as material exculpatory of a criminal defendant.38 This proposed interpretation of section 5318(g)(2)(A)(ii) would ensure that SAR information will not be disclosed for a reason that is unrelated to the purposes of the BSA. For example, this standard would not permit disclosure of SAR information to the media. The proposed rule also specifically provided that ‘‘official duties’’ shall not include the disclosure of SAR information in response to a request for use in a private legal proceeding or in response to a request for disclosure of non-public information under 12 CFR 4.33. This statement, which corresponded to a similar provision in FinCEN’s proposed rules, establishes that the OCC will not disclose SAR information to a private litigant for use in a private legal proceeding, or pursuant to 12 CFR 4.33, because such a request cannot be consistent with any of the purposes enumerated in Title II of the BSA.39 The BSA exists, in part, to protect the public’s interest in an effective reporting system that benefits the nation by helping to ensure that the U.S. financial system will not be used for criminal activity or to support terrorism. The OCC, like FinCEN, believes that this purpose would be undermined by the disclosure of SAR information to a private litigant for use in a civil lawsuit for the reasons described earlier, including that such disclosures will chill full and candid reporting by national banks and other financial institutions. Finally, the proposed rule applied to the OCC, in addition to its officers, employees, and agents. Comparable to a provision being proposed by FinCEN, the OCC proposed to include the agency itself in the scope of coverage, because requests for SAR information are typically directed to the agency, rather than to individuals within the OCC with authority to respond to the request. In addition, agents of the OCC were included in proposed § 21.11(k)(2) because they may have access to SAR information. Accordingly, the proposed interpretation would more comprehensively cover disclosures by the OCC or agents of the OCC and protect the confidentiality of SAR information. The OCC did not receive comments on proposed § 21.11(k)(2) and is adopting this provision as final without change. Section 21.11(l) Limitation on Liability In 1992, the Annunzio-Wylie Act amended the BSA by providing a safe harbor for financial institutions and their employees from civil liability for the reporting of known or suspected criminal offenses or suspicious activity through the filing of a SAR.40 FinCEN and the OCC incorporated the safe harbor provisions of the 1992 law into their SAR rules.41 Section 351 of the USA PATRIOT Act amended section 5318(g)(3) to clarify that the scope of the safe harbor provision includes the voluntary disclosure of possible violations of law and regulations to a government agency and to expand the scope of the limit on civil liability to include any liability that may exist ‘‘under any contract or other legally enforceable agreement (including any arbitration agreement).’’ 42 The OCC, like FinCEN, incorporated the statutory expansion of the safe harbor by crossreferencing section 5318(g)(3) in the proposed rule. In addition, consistent with the proposed rule issued by FinCEN, this provision makes clear that the safe harbor also applies to a disclosure by a bank made jointly with another 40 See supra note 1. 31 CFR 103.18(e) and 12 CFR 21.11(l). The safe harbor regulations also are applicable to oral reports of violations. (In situations requiring immediate attention, a national bank must immediately notify its regulator and appropriate law enforcement by telephone, in addition to filing a SAR. See, e.g., 12 CFR 21.11(d).) 42 31 U.S.C. 5318(g)(3). 41 See 37 31 U.S.C. 5311 (setting forth the purposes of the BSA). 38 See, e.g., Giglio v. United States, 405 U.S. 150, 153–54 (1972); Brady v. Maryland, 373 U.S. 83, 86– 87 (1963); Jencks v. United States, 353 U.S. 657, 668 (1957). 39 31 U.S.C. 5311. VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 financial institution for purposes of filing a joint SAR. The OCC received no comments on the proposed safe harbor provision. However, one comment received by FinCEN noted that the statutory safe harbor provision protects any person from liability, not just the person involved in the transaction. Accordingly, like FinCEN, the OCC is amending the proposed safe harbor language by inserting the phrase ‘‘shall be protected from liability to any person for any such disclosure * * *’’ and is otherwise adopting the proposed § 21.11(l) safe harbor provision as final. Conforming Amendments to 12 CFR Part 4, Subpart C Today, the OCC also is publishing a final rule to amend its information disclosure rule set forth in 12 CFR part 4, subpart C. Among other things, the final rule clarifies that the OCC’s disclosure of SAR information will be governed exclusively by the standards set forth in the amendments to the OCC’s part 21 SAR rule.43 The effect of these final part 4 amendments is that the OCC: (1) Will not release SAR information to private litigants and (2) will only release SAR information to other government agencies, in response to a request pursuant to 12 CFR 4.37(c) or in the exercise of its discretion as described in 12 CFR 4.36, when necessary to fulfill official duties consistent with Title II of the BSA. V. OCC Regulatory Analysis Regulatory Flexibility Act The Regulatory Flexibility Act (RFA) generally requires an agency that is issuing a final rule to prepare and make available a final regulatory flexibility analysis that describes the impact of the final rule on small entities. 5 U.S.C. 604. However, the RFA provides that an agency is not required to prepare and make available a final regulatory flexibility analysis if the agency certifies that the final rule will not have a significant economic impact on a substantial number of small entities and publishes its certification and a short, explanatory statement in the Federal Register along with its final rule. 5 U.S.C. 605(b). For purposes of the RFA and OCC-regulated entities, a ‘‘small entity’’ is a national bank with assets of $175 million or less (small national bank). The OCC has determined that the costs, if any, associated with the final rule are de minimis. The final rule simply clarifies the scope of the 43 See elsewhere in this issue of the Federal Register. E:\FR\FM\03DER2.SGM 03DER2 Federal Register / Vol. 75, No. 232 / Friday, December 3, 2010 / Rules and Regulations statutory prohibition against the disclosure by financial institutions and by the government of SAR information and clarifies the scope of the safe harbor from liability for institutions that report suspicious activities. Therefore, pursuant to section 605(b) of the RFA, the OCC hereby certifies that this final rule will not have a significant economic impact on a substantial number of small entities. Accordingly, a regulatory flexibility analysis is not needed. Paperwork Reduction Act We have reviewed the final rule in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR 1320, Appendix A.1) (PRA) and have determined that it does not contain any ‘‘collections of information’’ as defined by the PRA. Unfunded Mandates Reform Act of 1995 Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (2 U.S.C. 1532) (Unfunded Mandates Act), requires that an agency prepare a budgetary impact statement before promulgating any rule likely to result in a Federal mandate that may result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. The OCC has determined that this final rule will not result in expenditures by State, local, and Tribal governments, or by the private sector, of $100 million or more in any one year. Accordingly, this proposal is not subject to section 202 of the Unfunded Mandates Act. List of Subjects in 12 CFR Part 21 Crime, Currency, National banks, Reporting and recordkeeping requirements, Security measures. Authority and Issuance For the reasons set forth in the preamble, part 21 of title 12 of the Code of Federal Regulations is amended as follows: emcdonald on DSK2BSOYB1PROD with RULES2 ■ PART 21—MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF SUSPICIOUS ACTIVITIES, AND BANK SECRECY ACT COMPLIANCE PROGRAM 1. The authority citation for part 21 continues to read as follows: ■ VerDate Mar<15>2010 18:12 Dec 02, 2010 Jkt 223001 Authority: 12 U.S.C. 93a, 1818, 1881–1884, and 3401–3422; and 31 U.S.C. 5318. 2. Section 21.11 is amended by revising paragraphs (b)(3), (c) introductory text, (k) and (l) to read as follows: ■ § 21.11 Suspicious Activity Report. * * * * * (b) * * * (3) SAR means a Suspicious Activity Report. (c) SARs required. A national bank shall file a SAR with the appropriate Federal law enforcement agencies and the Department of the Treasury on the form prescribed by the OCC and in accordance with the form’s instructions. The bank shall send the completed SAR to FinCEN in the following circumstances: * * * * * (k) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential, and shall not be disclosed except as authorized in this paragraph (k). (1) Prohibition on disclosure by national banks. (i) General rule. No national bank, and no director, officer, employee, or agent of a national bank, shall disclose a SAR or any information that would reveal the existence of a SAR. Any national bank, and any director, officer, employee, or agent of any national bank that is subpoenaed or otherwise requested to disclose a SAR, or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify the following of any such request and the response thereto: (A) Director, Litigation Division, Office of the Comptroller of the Currency; and (B) The Financial Crimes Enforcement Network (FinCEN). (ii) Rules of construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (k)(1) shall not be construed as prohibiting: (A) The disclosure by a national bank, or any director, officer, employee or agent of a national bank of: (1) A SAR, or any information that would reveal the existence of a SAR, to the OCC, FinCEN, or any Federal, State, or local law enforcement agency; or (2) The underlying facts, transactions, and documents upon which a SAR is based, including, but not limited to, disclosures: (i) To another financial institution, or any director, officer, employee or agent PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 75583 of a financial institution, for the preparation of a joint SAR; or (ii) In connection with certain employment references or termination notices, to the full extent authorized in 31 U.S.C. 5318(g)(2)(B); or (B) The sharing by a national bank, or any director, officer, employee, or agent of a national bank, of a SAR, or any information that would reveal the existence of a SAR, within the bank’s corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance. (2) Prohibition on disclosure by the OCC. The OCC will not, and no officer, employee or agent of the OCC, shall disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, official duties shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for use in a private legal proceeding or in response to a request for disclosure of non-public OCC information under 12 CFR 4.33. (l) Limitation on liability. A national bank and any director, officer, employee or agent of a national bank that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another financial institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). Dated: August 16, 2010. John Walsh, Acting Comptroller of the Currency. [FR Doc. 2010–29880 Filed 12–2–10; 8:45 am] BILLING CODE 4810–33–P DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Part 510 [Docket ID OTS–2010–0016] RIN 1550–AC28 Standards Governing the Release of a Suspicious Activity Report Office of Thrift Supervision, Treasury. AGENCY: E:\FR\FM\03DER2.SGM 03DER2

Agencies

[Federal Register Volume 75, Number 232 (Friday, December 3, 2010)]
[Rules and Regulations]
[Pages 75576-75583]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-29880]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

[Docket ID OCC-2010-0019]
RIN 1557-AD17


Confidentiality of Suspicious Activity Reports

AGENCY: The Office of the Comptroller of the Currency (OCC), Treasury.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The OCC is issuing this final rule to amend its regulations 
implementing the Bank Secrecy Act (BSA) governing the confidentiality 
of a suspicious activity report (SAR) to: clarify the scope of the 
statutory prohibition on the disclosure by a financial institution of a 
SAR, as it applies to national banks; address the statutory prohibition 
on the disclosure by the government of a SAR, as that prohibition 
applies to the OCC's standards governing the disclosure of SARs; 
clarify that the exclusive standard applicable to the disclosure of a 
SAR, or any information that would reveal the

[[Page 75577]]

existence of a SAR, by the OCC is to fulfill official duties consistent 
with Title II of the BSA; and modify the safe harbor provision in the 
OCC's SAR rules to include changes made by the Uniting and 
Strengthening America by Providing Appropriate Tools Required to 
Intercept and Obstruct Terrorism (USA PATRIOT) Act. These amendments 
are consistent with a final rule being contemporaneously issued by the 
Financial Crimes Enforcement Network (FinCEN).

DATES: This rule is effective on January 3, 2011.

FOR FURTHER INFORMATION CONTACT: James Vivenzio, Senior Counsel for 
BSA/AML, (202) 874-5200; Ellen Warwick, Assistant Director, Litigation, 
(202) 874-5280; or Patrick T. Tierney, Counsel, Legislative and 
Regulatory Activities, (202) 874-5090; Office of the Comptroller of the 
Currency, 250 E Street, SW., Washington, DC 20219.

SUPPLEMENTARY INFORMATION: 

I. Background

    The BSA requires financial institutions, including national banks 
regulated by the OCC, to keep certain records and make certain reports 
that have been determined to be useful in criminal, tax, or regulatory 
investigations or proceedings, and for intelligence or counter 
intelligence activities to protect against international terrorism. In 
particular, the BSA and its implementing regulations require a 
financial institution to file a SAR when it detects a known or 
suspected violation of Federal law or a suspicious activity related to 
money laundering, terrorist financing, or other criminal activity.\1\
---------------------------------------------------------------------------

    \1\ The Annunzio-Wylie Anti-Money Laundering Act (the Annunzio-
Wylie Act) amended the BSA and authorized the Secretary of the 
Treasury to require financial institutions to report suspicious 
transactions relevant to a possible violation of law or regulation. 
See Public Law 102-550, Title XV, section 1517(b), 106 Stat. 4044, 
4059-60 (1992); 31 U.S.C. 5318(g)(1). The OCC, Board of Governors of 
the Federal Reserve System (FRB), Federal Deposit Insurance 
Corporation (FDIC), Office of Thrift Supervision (OTS), and National 
Credit Union Administration (NCUA), (collectively referred to as the 
Federal bank regulatory agencies) subsequently issued virtually 
identical implementing regulations on suspicious activity reporting. 
See 12 CFR 21.11 (OCC); 12 CFR 208.62 (FRB); 12 CFR 353.3 (FDIC); 12 
CFR 563.180 (OTS); and 12 CFR 748.1 (NCUA).
---------------------------------------------------------------------------

    SARs are used for law enforcement or regulatory purposes to combat 
terrorism, terrorist financing, money laundering and other financial 
crimes. For this reason, the BSA provides that a financial institution, 
and its officers, directors, employees, and agents are prohibited from 
notifying any person involved in a suspicious transaction that the 
transaction was reported.\2\ To encourage the voluntary reporting of 
possible violations of law and regulation, and the filing of SARs, the 
BSA also contains a safe harbor provision, which shields financial 
institutions making such reports from civil liability.
---------------------------------------------------------------------------

    \2\ 31 U.S.C. 5318(g)(2)(A)(i).
---------------------------------------------------------------------------

    FinCEN \3\ has issued rules implementing the SAR confidentiality 
provisions for various types of financial institutions that closely 
mirror the statutory language.\4\ In addition, the Federal bank 
regulatory agencies implemented these provisions through similar 
regulations that provide SARs are confidential and generally no 
information about or contained in a SAR may be disclosed.\5\ The 
regulations issued by FinCEN and the Federal bank regulatory agencies 
also describe the applicability of the BSA's safe harbor provision \6\ 
to both voluntary reports of possible and known violations of law and 
the required filing of SARs.
---------------------------------------------------------------------------

    \3\ FinCEN is the agency designated by the Department of the 
Treasury to administer the BSA and with which SARs must be filed. 
See 31 U.S.C. 5318; 12 CFR 21.11(c).
    \4\ See, e.g., 31 CFR 103.18(e) (SAR confidentiality rule for 
banks); 31 CFR 103.19(e) (SAR confidentiality rule for brokers or 
dealers in securities).
    \5\ See 12 CFR 21.11(k) (OCC); 12 CFR 208.62(j) (FRB); 12 CFR 
353.3(g) (FDIC); 12 CFR 563.180(d)(12) (OTS); and 12 CFR 748.1(c)(5) 
(NCUA).
    \6\ 31 U.S.C. 5318(g)(3).
---------------------------------------------------------------------------

    The USA PATRIOT Act of 2001 strengthened the confidentiality of 
SARs by adding to the BSA a new provision that prohibits officers or 
employees of the Federal government or any State, local, Tribal, or 
territorial government within the United States with knowledge of a SAR 
from disclosing to any person involved in a suspicious transaction that 
the transaction was reported, other than as necessary to fulfill the 
official duties of such officer or employee.\7\ The USA PATRIOT Act 
also clarified that the safe harbor shielding financial institutions 
from liability covers voluntary disclosures of possible violations of 
law and regulations to a government agency and expanded the scope of 
the limit on liability to cover any civil liability that may exist 
``under any contract or other legally enforceable agreement (including 
any arbitration agreement).'' \8\
---------------------------------------------------------------------------

    \7\ See USA PATRIOT Act, section 351(b); Pub. L. 107-56, Title 
III, section 351; 115 Stat. 272, 320-21 (2001); 31 U.S.C. 
5318(g)(2).
    \8\ See USA PATRIOT Act, section 351(a); Public Law 107-56, 
Title III, section 351; 115 Stat. 272, 321 (2001); 31 U.S.C. 
5318(g)(3).
---------------------------------------------------------------------------

    FinCEN is issuing a final rule to modify its SAR rules to interpret 
or further interpret the provisions of the BSA that relate to the 
confidentiality of SARs and the safe harbor for such reporting. The OCC 
is amending its SAR rules contemporaneously, consistent with the final 
rule being issued by FinCEN, to clarify the manner in which these 
provisions apply to national banks and to the OCC's own standards 
governing the disclosure of a SAR and any information that would reveal 
the existence of a SAR (referred to in this SUPPLEMENTARY INFORMATION 
as ``SAR information'').
    In a separate rulemaking action from the part 21 proposal, the OCC 
also simultaneously proposed to amend its information disclosure 
regulation set forth in 12 CFR part 4, subpart C, to clarify that the 
exclusive standard governing the release of SAR information is set 
forth in 12 CFR 21.11.\9\ The OCC issued that proposed amendment to 12 
CFR part 4, subpart C, at the same time as the part 21 proposal, to 
make clear that the OCC will disclose SAR information only when 
necessary to satisfy the BSA purposes for which SARs are filed. Today, 
the OCC also is adopting the part 4 proposal as final without change.
---------------------------------------------------------------------------

    \9\ 74 FR 10136 (Mar. 9, 2009).
---------------------------------------------------------------------------

II. Overview of the Proposed Rule and Related Actions

    On March 9, 2009, the OCC published proposed amendments to its 
rules \10\ to include key changes that would: (1) Clarify the scope of 
the statutory prohibition on the disclosure by a financial institution 
of a SAR, as it applies to national banks; (2) address the statutory 
prohibition on the disclosure by the government of a SAR, which was 
added to the BSA by section 351(b) of the USA PATRIOT Act of 2001, as 
that prohibition applies to the OCC's standards governing the 
disclosure of SAR information; and (3) clarify that the exclusive 
standard applicable to the disclosure of SAR information by the OCC is 
to fulfill official duties consistent with Title II of the BSA, in 
order to ensure that SAR information is protected from inappropriate 
disclosures unrelated to the BSA purposes for which SARs are filed. In 
addition, the proposed amendments would modify the safe harbor 
provision in the OCC's SAR rules \11\ to include changes made by the 
USA PATRIOT Act.
---------------------------------------------------------------------------

    \10\ 74 FR 10130 (Mar. 9, 2009).
    \11\ 12 CFR 21.11(l).
---------------------------------------------------------------------------

    Contemporaneously with the publication of, and as described in the 
OCC's proposal, FinCEN issued for notice and comment proposed guidance 
regarding the sharing of SARs with

[[Page 75578]]

affiliates.\12\ That proposed guidance may be used to interpret a 
provision of the OCC's proposed rulemaking.
---------------------------------------------------------------------------

    \12\ 74 FR 10158 (Mar. 9, 2009).
---------------------------------------------------------------------------

III. Comments on the Proposed Rule

    The comment period for the proposed rulemakings ended on June 8, 
2009. OCC received a total of five comments.\13\ Of these, three were 
submitted by bank trade associations, one was submitted by a bank 
holding company, and one was submitted by an individual. The comments 
generally supported the OCC's proposed rule while requesting broadening 
of FinCEN's proposed sharing guidance.\14\ Comments specific to the 
OCC's proposed rule provided suggestions related to the disclosure of 
the ``underlying facts, transactions, and documents upon which a SAR is 
based;'' the requirement to reveal a SAR request to both OCC and 
FinCEN; and the proposed modification to the safe harbor provision in 
the OCC's SAR rules \15\ to include changes made by the USA PATRIOT 
Act. These comments are addressed in the Section-by-Section Analysis 
section of this SUPPLEMENTARY INFORMATION.
---------------------------------------------------------------------------

    \13\ None of the comments received by the OCC directly addressed 
the proposed revisions to the OCC's information disclosure 
regulation set forth in 12 CFR part 4, subpart C.
    \14\ Comments about the sharing guidance are addressed 
separately in a related ``notice of availability of guidance'' 
published by FinCEN elsewhere in today's Federal Register together 
with FinCEN's final rules.
    \15\ 12 CFR 21.11(l).
---------------------------------------------------------------------------

IV. Section-by-Section Analysis

Section 21.11(b) Definition of a SAR

    The primary purpose of the OCC's SAR rule is to ensure that a 
national bank files a SAR when it detects a known or suspected 
violation of a Federal law or a suspicious transaction related to money 
laundering activity or a violation of the BSA. See 12 CFR 21.11(a). 
Incidental to this purpose, the OCC's SAR rule includes a section that 
addresses the confidentiality of SARs.
    Under the current SAR rule, the term ``SAR'' means ``a Suspicious 
Activity Report on the form prescribed by the OCC.'' \16\ The proposed 
rule would have defined a ``SAR'' generically as ``a Suspicious 
Activity Report.'' This change would extend the confidentiality 
provisions of the OCC's SAR rule to all SARs, including those filed on 
forms prescribed by FinCEN.\17\ As a consequence, a national bank that 
obtained a SAR, for example, from a non-bank affiliate pursuant to the 
provisions of the proposed rule, would be required to safeguard the 
confidentiality of the SAR, even if the SAR had not been filed on a 
form prescribed by the OCC. The OCC received no comments on the 
proposed revised definition of SAR and adopts the definition as 
proposed.
---------------------------------------------------------------------------

    \16\ 12 CFR 21.11(b)(3).
    \17\ See, e.g., 31 CFR 103.19(b) (FinCEN regulations requiring 
brokers or dealers in securities to file reports of suspicious 
transactions on a SAR-S-F).
---------------------------------------------------------------------------

Section 21.11(c) SARs Required

    To clarify that a national bank must file a SAR on a form 
``prescribed by the OCC,'' the OCC proposed to add that phrase to the 
introductory language of the section of the OCC's SAR rule that 
describes the procedures for the filing of a SAR. Accordingly, the 
proposed rule would have required a national bank to file a SAR with 
the appropriate Federal law enforcement agencies and the Department of 
the Treasury on the form prescribed by the OCC in accordance with the 
form's instructions, by sending a completed SAR to FinCEN in particular 
circumstances.\18\ The OCC received no comments on the proposal to add 
the phrase ``prescribed by the OCC'' to the introductory language of 
that section of the OCC's SAR rule and adopts the change as proposed.
---------------------------------------------------------------------------

    \18\ OCC's current provision, at 12 CFR 21.11(c), requires a 
national bank to ``file a SAR with the appropriate Federal law 
enforcement agencies and the Department of the Treasury in 
accordance with the form's instructions * * *,'' but does not 
specify which form.
---------------------------------------------------------------------------

 Section 21.11(k) Confidentiality of SARs

    Prior to this rulemaking, Sec.  21.11(k) specified that SARs are 
confidential and any national bank or person: (1) Must not disclose a 
SAR or the information contained in SAR; (2) must not provide any 
information that would disclose that a SAR has been prepared or filed; 
and (3) must notify the OCC of any subpoena or request received by a 
national bank or person to make such a SAR-related disclosure.
    The OCC proposed to amend its rules regarding SAR confidentiality 
\19\ by modifying the introductory sentence regarding SAR 
confidentiality and dividing the remainder of the current provision 
into two sections. The first section would describe the prohibition on 
disclosure of SAR information by national banks and the rules of 
construction applicable to this prohibition. The second section would 
describe the prohibition on the OCC's disclosure of SAR information.
---------------------------------------------------------------------------

    \19\ 12 CFR 21.11(k).
---------------------------------------------------------------------------

    Prior to this final rulemaking action, the OCC's rules prohibiting 
the disclosure of SARs began with the statement that SARs are 
confidential. Over the years, the OCC has received numerous questions 
regarding the scope of the prohibition on the disclosure of a SAR in 
its current rules. Accordingly, the OCC proposed to clarify the scope 
of SAR confidentiality by more clearly describing the information that 
is subject to the prohibition. Like FinCEN, the OCC believes that all 
of the reasons for maintaining the confidentiality of SARs are equally 
applicable to any information that would reveal the existence of a SAR.
    The OCC, like FinCEN, recognizes that in order to protect the 
confidentiality of a SAR, any information that would reveal the 
existence of a SAR must be afforded the same protection from 
disclosure. The confidentiality of SARs must be maintained for a number 
of compelling reasons. For example, the disclosure of a SAR could 
result in notification to persons involved in the transaction that is 
being reported and compromise any investigations being conducted in 
connection with the SAR. In addition, the OCC believes that even the 
occasional disclosure of a SAR could chill the willingness of a 
national bank to file SARs and to provide the degree of detail and 
completeness in describing suspicious activity in SARs that will be of 
use to law enforcement. If banks believe that a SAR can be used for 
purposes unrelated to the law enforcement and regulatory purposes of 
the BSA, the disclosure of such information could adversely affect the 
timely, appropriate, and candid reporting of suspicious transactions. 
Banks also may be reluctant to report suspicious transactions, or may 
delay making such reports, for fear that the disclosure of a SAR will 
interfere with the bank's relationship with its customer. Further, a 
SAR may provide insight into how a bank uncovers potential criminal 
conduct that can be used by others to circumvent detection. The 
disclosure of a SAR also could compromise personally identifiable 
information or commercially sensitive information or damage the 
reputation of individuals or companies that may be named. Finally, the 
disclosure of a SAR for uses unrelated to the law enforcement and 
regulatory purposes for which SARs are intended increases the risk that 
bank employees or others who are involved in the preparation or filing 
of a SAR could become targets for retaliation by persons whose criminal 
conduct has been reported.
    These reasons for maintaining the confidentiality of SARs also 
apply to any information that would reveal the existence of a SAR. 
Therefore, like FinCEN, the OCC proposed to modify the general 
introduction in its rules to

[[Page 75579]]

state that confidential treatment also must be afforded to ``any 
information that would reveal the existence of a SAR.'' The 
introduction also would indicate that SAR information may not be 
disclosed, except as authorized in the narrow circumstances that 
follow.
    Some commenters asked that the OCC clarify the phrase ``information 
that would reveal the existence of a SAR'' for the purpose of defining 
the scope of SAR confidentiality. One commenter specifically asked 
whether that term only includes information that affirmatively states 
that a SAR was filed. Another commenter urged that the OCC formally 
recognize that material contained in a reporting institution's files 
supporting its decision to file or not file a SAR is confidential.
    Any document or other information that affirmatively states that a 
SAR has been filed constitutes information that would reveal the 
existence of a SAR and must be kept confidential. By extension, a 
national bank also must afford confidentiality to any document stating 
that a SAR has not been filed. Were the OCC to allow disclosure of 
information when a SAR is not filed, institutions would implicitly 
reveal the existence of a SAR any time they were unable to produce 
records because a SAR was filed.\20\
---------------------------------------------------------------------------

    \20\ For example, a private litigant may serve a discovery 
request on a bank in civil litigation that calls for the bank to 
produce the underlying documentation on companies A, B, and C, where 
the bank has filed a SAR on company A, but not companies B or C, and 
the underlying documentation reflects the SAR filing decisions. If 
the bank then produces the underlying documentation for companies B 
and C, but neither confirms nor denies the existence of a SAR when 
declining to provide similar documentation for company A, by 
negative implication it may have revealed the existence of the SAR 
filed on company A.
---------------------------------------------------------------------------

    Documents that may identify suspicious activity, but that do not 
reveal whether a SAR exists (e.g., a document memorializing a customer 
transaction such as an account statement indicating a cash deposit or a 
record of a funds transfer), should be considered as falling within the 
underlying facts, transactions, and documents upon which a SAR is 
based, and need not be afforded confidentiality.\21\ This distinction 
is set forth in the final rule's second rule of construction discussed 
in this Section-by-Section Analysis and reflects relevant case law.\22\
---------------------------------------------------------------------------

    \21\ As one commenter noted, information produced in the 
ordinary course of business may contain sufficient information that 
a reasonable and prudent person familiar with SAR filing 
requirements could use to conclude that an institution likely filed 
a SAR (e.g., a copy of a fraudulent check or a cash transaction log 
showing a clear pattern of structured deposits). Such information 
alone does not constitute information that would reveal the 
existence of a SAR.
    \22\ See, e.g., Whitney Nat. Bank v. Karam, 306 F. Supp. 2d 678, 
682 (S.D. Tex. 2004) (noting that courts have ``allowed the 
production of supporting documentation that was generated or 
received in the ordinary course of the bank's business, on which the 
report of suspicious activity was based''); Cotton v. Private Bank 
and Trust Co., 235 F. Supp. 2d 809, 815 (N.D. Ill. 2002) (holding 
that the ``factual documents which give rise to suspicious conduct * 
* * are to be produced in the ordinary course of discovery because 
they are business records made in the ordinary course of 
business'').
---------------------------------------------------------------------------

    However, the strong public policy that underlies the SAR system as 
a whole--namely, the creation of an environment that encourages a 
national bank to report suspicious activity without fear of reprisal--
leans heavily in favor of applying SAR confidentiality not only to a 
SAR itself, but also in appropriate circumstances to material prepared 
by the national bank as part of its process to detect and report 
suspicious activity, regardless of whether a SAR ultimately was filed 
or not. This interpretation also reflects relevant case law.\23\
---------------------------------------------------------------------------

    \23\ See, e.g., Whitney at 682-83 (holding that the SAR 
confidentiality provision protects, inter alia, ``communications 
preceding the filing of a SAR and preparatory or preliminary to it; 
communications that follow the filing of a SAR and are explanations 
or follow-up discussion; or oral communications or suspected or 
possible violations that did not culminate in the filing of a 
SAR''); Cotton at 815 (holding that ``documents representing the 
drafts of SARs or other work product or privileged communications 
that relate to the SAR itself * * * are not to be produced [in 
discovery] because they would disclose whether a SAR has been 
prepared or filed''); Union Bank of California, N.A. v. Superior 
Court, 29 Cal. Rptr. 2d 894, 902 (2005) (holding that ``a draft SAR 
or internal memorandum prepared as part of a financial institution's 
process for complying with Federal reporting requirements is 
generated for the specific purpose of fulfilling the institution's 
reporting obligation * * * [and] fall within the scope of the SAR 
[confidentiality] privilege because they may reveal the contents of 
a SAR and disclose whether `a SAR has been prepared or filed' '' 
(quoting 12 CFR 21.11(k) (2005)).
---------------------------------------------------------------------------

    As explained in more detail in the proposed rule,\24\ the primary 
purpose for clarifying the scope of the confidentiality provision is to 
ensure that, due to potentially serious consequences, the persons 
involved in the transaction and identified in the SAR cannot be 
notified, directly or indirectly, of the report. Accordingly, like 
FinCEN, the OCC proposed replacing the previous rule text prohibiting 
disclosure of the SAR to the person involved in the transaction with a 
broad general confidentiality provision for all SAR information 
applicable to all persons not authorized in the rules of construction 
to receive such information. With respect to ``information that would 
reveal the existence of a SAR,'' therefore, institutions should 
distinguish between certain types of statistical or abstract 
information or general discussions of suspicious activity that may 
indicate that an institution has filed SARs,\25\ and information that 
would reveal the existence of a SAR in a manner that could enable the 
person involved in the transaction potentially to be notified, whether 
directly or indirectly.
---------------------------------------------------------------------------

    \24\ 74 FR 10131-32 (Mar. 9, 2009).
    \25\ One example of such information could include summary 
information commonly provided by banks in the ``notification to the 
board'' required by the various Federal bank regulatory agency SAR 
rules. National banks subject to the requirement are encouraged to 
be cautious in the production of relevant portions of board minutes 
or other records to avoid the risk of potentially exposing SAR 
information to the subject, either directly or indirectly, in the 
event such records are subpoenaed.
---------------------------------------------------------------------------

    Like FinCEN, and for the reasons discussed in this section, the OCC 
is adopting the proposed introductory language to the Confidentiality 
of SARs provision (Sec.  21.11(k)) as final without change.

Section 21.11(k)(1)(i) Prohibition on Disclosure by National Banks

    The OCC's current rules provide that any national bank or person 
subpoenaed or otherwise requested to disclose a SAR or the information 
contained in a SAR must: (1) Decline to produce the SAR or to provide 
any information that would disclose that a SAR has been prepared or 
filed and (2) notify the OCC.
    The proposed rule more specifically addressed the prohibition on 
the disclosure of a SAR by a national bank. The proposed rule provided 
that the prohibition includes ``any information that would reveal the 
existence of a SAR'' instead of using the phrase ``any information that 
would disclose that a SAR has been prepared or filed.'' The OCC, like 
FinCEN, believes that the proposed phrase more clearly describes the 
type of information that is covered by the prohibition on the 
disclosure of a SAR. In addition, the proposed rule incorporated the 
specific reference in 31 U.S.C. 5318(g)(2)(A)(i) to a ``director, 
officer, employee, or agent,'' in order to clarify that the prohibition 
on disclosure extends to those individuals in a national bank who may 
have access to SAR information.
    Although 31 U.S.C. 5318(g)(2)(A)(i) provides that a person involved 
in the transaction may not be notified that the transaction has been 
reported, the proposed rule reflected case law that has consistently 
concluded, in accordance with applicable regulations, that financial 
institutions are broadly prohibited from disclosing SAR information to 
any person. Accordingly, these cases have held that, in the context of 
discovery in connection with

[[Page 75580]]

civil lawsuits, financial institutions are prohibited from disclosing 
SAR information because section 5318(g) and its implementing 
regulations have created an unqualified discovery and evidentiary 
privilege for such information that cannot be waived by financial 
institutions.\26\ Consistent with case law and the current regulation, 
the text of the proposed rule did not limit the prohibition on 
disclosure only to the person involved in the transaction. Permitting 
disclosure to any outside party may make it likely that SAR information 
would be disclosed to a person involved in the transaction, which the 
BSA absolutely prohibits.
---------------------------------------------------------------------------

    \26\ See, e.g., Whitney Nat'l Bank v. Karam, 306 F. Supp. 2d 
678, 682 (S.D. Tex. 2004); Cotton v. Private Bank and Trust Co., 235 
F. Supp. 2d 809, 815 (N.D. Ill. 2002).
---------------------------------------------------------------------------

    The proposed rule continued to provide that any national bank, or 
any director, officer, employee or agent of a national bank, subpoenaed 
or otherwise requested to disclose SAR information must decline to 
provide the information, citing that section of the rule and 31 U.S.C. 
5318(g)(2)(A)(i), and must give notice of the request to the OCC. In 
addition, the proposed rule required the bank to notify the OCC of its 
response to the request and required the bank to provide the same 
information to FinCEN.
    Two commenters suggested that OCC adjust its SAR rule to remove the 
``duplicative'' requirement for a bank to notify both OCC and FinCEN 
when SAR information is inappropriately requested. OCC, like FinCEN, 
disagrees with the commenter's characterization of the notification 
requirement as ``duplicative'' because OCC and FinCEN each have issued, 
and separately administers, its own separate SAR rule.\27\ The joint 
notification requirement in the OCC's final rule, therefore, simply 
acknowledges the notification requirement of different SAR regulations 
issued by separate agencies. Therefore, the OCC adopts proposed Sec.  
21.11(k)(1)(i) as final without change.
---------------------------------------------------------------------------

    \27\ Because FinCEN's jurisdiction is limited to Title 31 of the 
Code of Federal Regulations, FinCEN's final rule removes the 
requirement that a financial institution notify its primary Federal 
regulator in addition to notifying FinCEN in the event of an 
inappropriate request for SAR information. However, the OCC's final 
rule maintains the requirement that any national bank, and any 
director, officer, employee, or agent of any national bank, that is 
subpoenaed or otherwise requested to disclose SAR information, shall 
decline to produce the SAR or such information, citing 12 CFR Part 
21 of the OCC's rules and 31 U.S.C. 5318(g)(2)(A)(i), and shall 
notify both the OCC and FinCEN.
---------------------------------------------------------------------------

Section 21.11(k)(1)(ii): Rules of Construction

    The OCC, like FinCEN, proposed rules of construction to address 
issues that have arisen over the years about the scope of the SAR 
disclosure prohibition and to implement statutory modifications to the 
BSA made by the USA PATRIOT Act. The proposed rules of construction 
primarily describe situations that are not covered by the prohibition 
on bank disclosure of SAR information. The introduction to the proposed 
rules of construction makes clear that they are qualified by the 
statutory mandate that no person involved in any reported suspicious 
transaction can be notified that the transaction has been reported. The 
OCC received no comments on the proposed introductory language to the 
rules of construction and is adopting the language in the final rule as 
proposed.
    The first proposed rule of construction builds on existing language 
to clarify that a national bank, or any director, officer, employee, or 
agent \28\ of a national bank may disclose SAR information to FinCEN or 
any Federal, State, or local law enforcement agency; or any Federal or 
State regulatory agency that examines the financial institution for 
compliance with the BSA. Although the permissibility of such 
disclosures may be readily apparent, the proposal contained this 
statement to clarify that a national bank cannot use the prohibition on 
bank disclosure of SAR information to withhold this information from 
governmental authorities that are otherwise entitled by law to receive 
SARs and to examine for and investigate suspicious activity.
---------------------------------------------------------------------------

    \28\ Some commenters requested guidance related to the 
appropriate use of SARs by agents of national banks. In the 
Supplementary Information section of FinCEN's final rule issued 
today, FinCEN states that it is considering additional guidance on 
the appropriate us of SARs by agents of financial institutions. 
Until such guidance is issued, however, the OCC and FinCEN remind 
national banks of their requirement to protect, through reasonable 
controls or agreements with their agents, the confidentiality of SAR 
information, as prescribed by the OCC and FinCEN final rules.
---------------------------------------------------------------------------

    The first rule of construction is adopted as final with one change 
to reflect that State regulatory authorities do not examine national 
banks for compliance with the BSA. Thus, the final rule revises Sec.  
21.11(k)(1)(ii)(A)(1) to read, in relevant part, that Sec.  21.11(k)(1) 
does not prohibit the disclosure by a national bank, or any director, 
officer, employee, or agent of a national bank, of a ``SAR, or any 
information that would reveal the existence of a SAR, to the OCC, 
FinCEN, or any Federal, State, or local law enforcement agency. * * *''
    The second proposed rule of construction provided that SAR 
information does not include the underlying facts, transactions, and 
documents upon which a SAR is based. This statement reflects case law, 
which has recognized that, while a financial institution is prohibited 
from producing documents in discovery that evidence the existence of a 
SAR, factual documents created in the ordinary course of business (for 
example, business records and account information, upon which a SAR is 
based) may be discoverable in civil litigation under the Federal Rules 
of Civil Procedure.\29\
---------------------------------------------------------------------------

    \29\ See Cotton v. Private Bank and Trust Co., 235 F. Supp. 2d 
809, 815 (N.D. Ill. 2002).
---------------------------------------------------------------------------

    The second proposed rule of construction included some examples of 
situations where a national bank may disclose the underlying facts, 
transactions, and documents upon which a SAR is based. The first 
example clarifies that a national bank, or any director, officer, 
employee or agent of a national bank, may disclose this information 
\30\ to another financial institution, or any director, officer, 
employee, or agent of a financial institution, for the preparation of a 
joint SAR.\31\ The second example simply codifies a rule of 
construction added to the BSA by section 351 of the USA PATRIOT Act, 
which provides that such underlying information may be disclosed in 
certain written employment references and termination notices.\32\
---------------------------------------------------------------------------

    \30\ Although the underlying facts, transactions, and documents 
upon which a SAR is based may include previously filed SARs or other 
information that would reveal the existence of a SAR, these 
materials cannot be disclosed as underlying documents.
    \31\ On December 21, 2006, FinCEN and the Federal bank 
regulatory agencies announced that the format for the SAR form for 
depository institutions had been revised to support a new joint 
filing initiative to reduce the number of duplicate SARs filed for a 
single suspicious transaction. ``Suspicious Activity Report (SAR) 
Revised to Support Joint Filings and Reduce Duplicate SARs,'' Joint 
Release issued by FinCEN, the FRB, the OCC, the OTS, the FDIC, and 
the NCUA (Dec. 21, 2006). On February 17, 2006, FinCEN and the 
Federal bank regulatory agencies published a joint Federal Register 
notice seeking comment on proposed revisions to the SAR form. See 71 
FR 8640. On May 1, 2007, FinCEN announced a delay in implementation 
of the revised SAR form until further notice. See 72 FR 23891. Until 
such time as a new SAR form is available that facilitates joint 
filing, institutions authorized to jointly file should follow 
FinCEN's guidance to use the words ``joint filing'' in the narrative 
of the SAR and ensure that both institutions maintain a copy of the 
SAR and any supporting documentation (See, e.g., http://www.fincen.gov/statutes_regs/guidance/html/guidance_faqs_sar_10042006.html).
    \32\ 31 U.S.C. 5318(g)(2)(B).
---------------------------------------------------------------------------

    One commenter suggested that the OCC clarify that the illustrative

[[Page 75581]]

examples are not exhaustive, and that there may be other situations not 
prescribed in the rule where an institution may disclose the underlying 
facts, transactions, and documents upon which a SAR is based. The OCC 
did not intend for these examples to be exhaustive and does not believe 
the text, as proposed, implies that the examples are exhaustive. For 
purposes of clarity, however, like FinCEN, the OCC is revising the 
final rule's language at Sec.  21.11(k)(2) to read ``* * * [t]he 
underlying facts, transactions, and documents upon which a SAR is 
based, including but not limited to, disclosures'' expressly listed as 
illustrative examples in the rule. Accordingly, with respect to the SAR 
confidentiality provision only,\33\ national banks may disclose 
underlying facts, transactions, and documents for any purpose, provided 
that no person involved in the transaction is notified that the 
transaction has been reported and none of the underlying information 
reveals the existence of a SAR.
---------------------------------------------------------------------------

    \33\ However, other applicable laws or regulations governing a 
national bank's responsibilities to maintain and protect information 
continue to apply, for example, information covered by part 4 of the 
OCC's rules regarding the release of non-public OCC information.
---------------------------------------------------------------------------

    Another commenter suggested that the rules of construction include 
a provision expressly authorizing the disclosure of facts, 
transactions, or documents to affiliates wherever located and clarify 
that such authority may be exercised independently of the authority to 
share SAR information with affiliates. Provided that no person involved 
in any reported suspicious transaction is notified that the transaction 
has been reported and the underlying facts, transactions, and documents 
do not disclose SAR information, the OCC agrees that such disclosure by 
a national bank to its affiliates, wherever located, is not prohibited 
by the final rule. Furthermore, the OCC agrees that the authorization 
for national banks to disclose underlying information to affiliates in 
Sec.  21.11(k)(1)(ii)(A)(2) is independent of the authority to share 
SAR information with affiliates in Sec.  21.11(k)(1)(ii)(B). The OCC 
believes that the final rule and the BSA already address that 
commenter's concerns and that further revision to the rule is 
unnecessary.
    The third proposed rule of construction clarified that the 
prohibition on the disclosure of SAR information by a national bank 
does not include the sharing by a national bank, or any director, 
officer, employee or agent of a bank, of SAR information within the 
bank's corporate organizational structure for purposes consistent with 
Title II of the BSA as determined by regulation or in guidance. The 
proposed third rule of construction recognizes that a national bank may 
find it necessary to share SAR information to fulfill its reporting 
obligations under the BSA, and to facilitate more effective enterprise-
wide BSA monitoring and reporting, consistent with Title II of the BSA. 
The term ``share'' used in the third rule of construction is an 
acknowledgement that sharing within a corporate organization for 
purposes consistent with Title II of the BSA, as determined by 
regulation or guidance, is distinguishable from a prohibited 
disclosure.
    FinCEN and the Federal bank regulatory agencies already have issued 
joint guidance making clear that the U.S. branch or agency of a foreign 
bank may share a SAR with its head office and that a U.S. bank or 
savings association may share a SAR with its controlling company 
(whether domestic or foreign). This guidance stated that the sharing of 
a SAR with a head office or controlling company both facilitates 
compliance with the applicable requirements of the BSA and enables the 
head office or controlling company to discharge its oversight 
responsibilities with respect to enterprise-wide risk management and 
compliance with applicable laws and regulations.\34\
---------------------------------------------------------------------------

    \34\ ``Interagency Guidance on Sharing Suspicious Activity 
Reports with Head Offices and Controlling Companies,'' Joint Release 
issued by FinCEN, the FRB, the FDIC, the OCC, and the OTS (Jan. 20, 
2006).
---------------------------------------------------------------------------

    Elsewhere in this issue of the Federal Register, FinCEN is issuing 
additional final guidance that further elaborates on sharing of SAR 
information within a corporate organization that FinCEN considers to be 
``consistent with the purposes of the BSA.'' The final guidance 
generally permits the sharing of SAR information by depository 
institutions with their affiliates \35\ that are subject to a SAR 
rule.\36\
---------------------------------------------------------------------------

    \35\ Under FinCEN's final guidance, an ``affiliate'' of a 
depository institution means any company under common control with, 
or controlled by, that depository institution.
    \36\ See, e.g., 12 CFR 21.11 (SAR rule applicable to national 
banks).
---------------------------------------------------------------------------

    In addition, four of the five comments received by the OCC on the 
proposed rule raised issues related to FinCEN's proposed guidance, much 
of which is addressed in FinCEN's separate notice of availability of 
guidance published elsewhere in today's Federal Register. In general, 
the commenters requested an expansion of the sharing authorities with 
respect to both the parties permitted to share and the parties with 
whom SAR information could be shared. Most commenters provided a clear 
rationale for how expanded SAR sharing would benefit their institutions 
by increasing efficiency, cutting costs, and enhancing the detection 
and reporting of suspicious activity. However, like FinCEN, the OCC 
notes that most commenters, however, failed to sufficiently address how 
they would effectively mitigate the risk of unauthorized disclosure of 
SAR information if the sharing authority was expanded to the extent 
they requested. FinCEN has taken the position that due to the risk of 
unauthorized disclosure of SAR information, broad sharing would not be 
consistent with the purposes of the BSA. Should FinCEN decide in the 
future to expand the sharing authority, the rule will allow for such 
expansion. Therefore, the third rule of construction is adopted as 
proposed without change.

Section 21.11(k)(2) Prohibition on Disclosure by the OCC

    As previously noted, section 351 of the USA PATRIOT Act, 31 U.S.C. 
5318(g)(2)(A)(ii), amended the BSA, and added a new provision 
prohibiting officers and employees of the government from disclosing a 
SAR to any person involved in the transaction that the transaction has 
been reported, except ``as necessary to fulfill the official duties of 
such officer or employee.'' Section 21.11(k)(2) of the OCC's proposed 
rule addressed this new provision of the BSA and is comparable to 
FinCEN's proposal. The proposed section provided that the OCC will not, 
and no officer, employee or agent of the OCC, shall disclose SAR 
information, except as necessary to fulfill official duties consistent 
with Title II of the BSA.
    As stated in section 5318(g)(2)(A)(i), which prohibits a financial 
institution's disclosure of a SAR, section 5318(g)(2)(A)(ii) also 
prohibits the government from disclosing a SAR to ``any person involved 
in the transaction.'' The OCC, like FinCEN, proposed to address 
sections 5318(g)(2)(A)(i) and (A)(ii) in a consistent manner, because 
disclosure by a governmental authority of SAR information to any 
outside party may make it more likely that the information will be 
disclosed to a person involved in the transaction. Accordingly, the 
proposed rule would generally bar disclosures of SAR information by OCC 
officers, employees, or agents.
    However, section 5318(g)(2)(A)(ii) also narrowly permits 
governmental disclosures as necessary to ``fulfill

[[Page 75582]]

official duties,'' a phrase that is not defined in the BSA. Consistent 
with the rules being proposed by FinCEN, the OCC proposed to construe 
this phrase in the context of the BSA, in light of the purpose for 
which SARs are filed. Accordingly, the proposed rule interpreted 
``official duties'' to mean ``official duties consistent with Title II 
of the Bank Secrecy Act.'' \37\ When disclosure is necessary to fulfill 
official duties, the OCC will make a determination, through its 
internal processes, that a SAR may be disclosed to fulfill official 
duties consistent with Title II of the BSA. This standard would permit, 
for example, disclosures responsive to a grand jury subpoena; a request 
from an appropriate Federal or State law enforcement agency; a request 
from an appropriate Congressional committee or subcommittee; and 
prosecutorial disclosures mandated by statute or the Constitution in 
connection with the statement of a government witness to be called at 
trial, the impeachment of a government witness, or as material 
exculpatory of a criminal defendant.\38\ This proposed interpretation 
of section 5318(g)(2)(A)(ii) would ensure that SAR information will not 
be disclosed for a reason that is unrelated to the purposes of the BSA. 
For example, this standard would not permit disclosure of SAR 
information to the media.
---------------------------------------------------------------------------

    \37\ 31 U.S.C. 5311 (setting forth the purposes of the BSA).
    \38\ See, e.g., Giglio v. United States, 405 U.S. 150, 153-54 
(1972); Brady v. Maryland, 373 U.S. 83, 86-87 (1963); Jencks v. 
United States, 353 U.S. 657, 668 (1957).
---------------------------------------------------------------------------

    The proposed rule also specifically provided that ``official 
duties'' shall not include the disclosure of SAR information in 
response to a request for use in a private legal proceeding or in 
response to a request for disclosure of non-public information under 12 
CFR 4.33. This statement, which corresponded to a similar provision in 
FinCEN's proposed rules, establishes that the OCC will not disclose SAR 
information to a private litigant for use in a private legal 
proceeding, or pursuant to 12 CFR 4.33, because such a request cannot 
be consistent with any of the purposes enumerated in Title II of the 
BSA.\39\ The BSA exists, in part, to protect the public's interest in 
an effective reporting system that benefits the nation by helping to 
ensure that the U.S. financial system will not be used for criminal 
activity or to support terrorism. The OCC, like FinCEN, believes that 
this purpose would be undermined by the disclosure of SAR information 
to a private litigant for use in a civil lawsuit for the reasons 
described earlier, including that such disclosures will chill full and 
candid reporting by national banks and other financial institutions.
---------------------------------------------------------------------------

    \39\ 31 U.S.C. 5311.
---------------------------------------------------------------------------

    Finally, the proposed rule applied to the OCC, in addition to its 
officers, employees, and agents. Comparable to a provision being 
proposed by FinCEN, the OCC proposed to include the agency itself in 
the scope of coverage, because requests for SAR information are 
typically directed to the agency, rather than to individuals within the 
OCC with authority to respond to the request. In addition, agents of 
the OCC were included in proposed Sec.  21.11(k)(2) because they may 
have access to SAR information. Accordingly, the proposed 
interpretation would more comprehensively cover disclosures by the OCC 
or agents of the OCC and protect the confidentiality of SAR 
information.
    The OCC did not receive comments on proposed Sec.  21.11(k)(2) and 
is adopting this provision as final without change.

Section 21.11(l) Limitation on Liability

    In 1992, the Annunzio-Wylie Act amended the BSA by providing a safe 
harbor for financial institutions and their employees from civil 
liability for the reporting of known or suspected criminal offenses or 
suspicious activity through the filing of a SAR.\40\ FinCEN and the OCC 
incorporated the safe harbor provisions of the 1992 law into their SAR 
rules.\41\ Section 351 of the USA PATRIOT Act amended section 
5318(g)(3) to clarify that the scope of the safe harbor provision 
includes the voluntary disclosure of possible violations of law and 
regulations to a government agency and to expand the scope of the limit 
on civil liability to include any liability that may exist ``under any 
contract or other legally enforceable agreement (including any 
arbitration agreement).'' \42\ The OCC, like FinCEN, incorporated the 
statutory expansion of the safe harbor by cross-referencing section 
5318(g)(3) in the proposed rule.
---------------------------------------------------------------------------

    \40\ See supra note 1.
    \41\ See 31 CFR 103.18(e) and 12 CFR 21.11(l). The safe harbor 
regulations also are applicable to oral reports of violations. (In 
situations requiring immediate attention, a national bank must 
immediately notify its regulator and appropriate law enforcement by 
telephone, in addition to filing a SAR. See, e.g., 12 CFR 21.11(d).)
    \42\ 31 U.S.C. 5318(g)(3).
---------------------------------------------------------------------------

    In addition, consistent with the proposed rule issued by FinCEN, 
this provision makes clear that the safe harbor also applies to a 
disclosure by a bank made jointly with another financial institution 
for purposes of filing a joint SAR.
    The OCC received no comments on the proposed safe harbor provision. 
However, one comment received by FinCEN noted that the statutory safe 
harbor provision protects any person from liability, not just the 
person involved in the transaction. Accordingly, like FinCEN, the OCC 
is amending the proposed safe harbor language by inserting the phrase 
``shall be protected from liability to any person for any such 
disclosure * * *'' and is otherwise adopting the proposed Sec.  
21.11(l) safe harbor provision as final.

Conforming Amendments to 12 CFR Part 4, Subpart C

    Today, the OCC also is publishing a final rule to amend its 
information disclosure rule set forth in 12 CFR part 4, subpart C. 
Among other things, the final rule clarifies that the OCC's disclosure 
of SAR information will be governed exclusively by the standards set 
forth in the amendments to the OCC's part 21 SAR rule.\43\ The effect 
of these final part 4 amendments is that the OCC: (1) Will not release 
SAR information to private litigants and (2) will only release SAR 
information to other government agencies, in response to a request 
pursuant to 12 CFR 4.37(c) or in the exercise of its discretion as 
described in 12 CFR 4.36, when necessary to fulfill official duties 
consistent with Title II of the BSA.
---------------------------------------------------------------------------

    \43\ See elsewhere in this issue of the Federal Register.
---------------------------------------------------------------------------

V. OCC Regulatory Analysis

Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA) generally requires an agency 
that is issuing a final rule to prepare and make available a final 
regulatory flexibility analysis that describes the impact of the final 
rule on small entities. 5 U.S.C. 604. However, the RFA provides that an 
agency is not required to prepare and make available a final regulatory 
flexibility analysis if the agency certifies that the final rule will 
not have a significant economic impact on a substantial number of small 
entities and publishes its certification and a short, explanatory 
statement in the Federal Register along with its final rule. 5 U.S.C. 
605(b). For purposes of the RFA and OCC-regulated entities, a ``small 
entity'' is a national bank with assets of $175 million or less (small 
national bank).
    The OCC has determined that the costs, if any, associated with the 
final rule are de minimis. The final rule simply clarifies the scope of 
the

[[Page 75583]]

statutory prohibition against the disclosure by financial institutions 
and by the government of SAR information and clarifies the scope of the 
safe harbor from liability for institutions that report suspicious 
activities. Therefore, pursuant to section 605(b) of the RFA, the OCC 
hereby certifies that this final rule will not have a significant 
economic impact on a substantial number of small entities. Accordingly, 
a regulatory flexibility analysis is not needed.

Paperwork Reduction Act

    We have reviewed the final rule in accordance with the Paperwork 
Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR 1320, Appendix A.1) (PRA) 
and have determined that it does not contain any ``collections of 
information'' as defined by the PRA.

Unfunded Mandates Reform Act of 1995

    Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 
104-4 (2 U.S.C. 1532) (Unfunded Mandates Act), requires that an agency 
prepare a budgetary impact statement before promulgating any rule 
likely to result in a Federal mandate that may result in the 
expenditure by State, local, and Tribal governments, in the aggregate, 
or by the private sector of $100 million or more in any one year. If a 
budgetary impact statement is required, section 205 of the Unfunded 
Mandates Act also requires an agency to identify and consider a 
reasonable number of regulatory alternatives before promulgating a 
rule.
    The OCC has determined that this final rule will not result in 
expenditures by State, local, and Tribal governments, or by the private 
sector, of $100 million or more in any one year. Accordingly, this 
proposal is not subject to section 202 of the Unfunded Mandates Act.

List of Subjects in 12 CFR Part 21

    Crime, Currency, National banks, Reporting and recordkeeping 
requirements, Security measures.

Authority and Issuance

0
For the reasons set forth in the preamble, part 21 of title 12 of the 
Code of Federal Regulations is amended as follows:

PART 21--MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF 
SUSPICIOUS ACTIVITIES, AND BANK SECRECY ACT COMPLIANCE PROGRAM

0
1. The authority citation for part 21 continues to read as follows:

    Authority: 12 U.S.C. 93a, 1818, 1881-1884, and 3401-3422; and 31 
U.S.C. 5318.


0
2. Section 21.11 is amended by revising paragraphs (b)(3), (c) 
introductory text, (k) and (l) to read as follows:


Sec.  21.11  Suspicious Activity Report.

* * * * *
    (b) * * *
    (3) SAR means a Suspicious Activity Report.
    (c) SARs required. A national bank shall file a SAR with the 
appropriate Federal law enforcement agencies and the Department of the 
Treasury on the form prescribed by the OCC and in accordance with the 
form's instructions. The bank shall send the completed SAR to FinCEN in 
the following circumstances:
* * * * *
    (k) Confidentiality of SARs. A SAR, and any information that would 
reveal the existence of a SAR, are confidential, and shall not be 
disclosed except as authorized in this paragraph (k).
    (1) Prohibition on disclosure by national banks. (i) General rule. 
No national bank, and no director, officer, employee, or agent of a 
national bank, shall disclose a SAR or any information that would 
reveal the existence of a SAR. Any national bank, and any director, 
officer, employee, or agent of any national bank that is subpoenaed or 
otherwise requested to disclose a SAR, or any information that would 
reveal the existence of a SAR, shall decline to produce the SAR or such 
information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and 
shall notify the following of any such request and the response 
thereto:
    (A) Director, Litigation Division, Office of the Comptroller of the 
Currency; and
    (B) The Financial Crimes Enforcement Network (FinCEN).
    (ii) Rules of construction. Provided that no person involved in any 
reported suspicious transaction is notified that the transaction has 
been reported, this paragraph (k)(1) shall not be construed as 
prohibiting:
    (A) The disclosure by a national bank, or any director, officer, 
employee or agent of a national bank of:
    (1) A SAR, or any information that would reveal the existence of a 
SAR, to the OCC, FinCEN, or any Federal, State, or local law 
enforcement agency; or
    (2) The underlying facts, transactions, and documents upon which a 
SAR is based, including, but not limited to, disclosures:
    (i) To another financial institution, or any director, officer, 
employee or agent of a financial institution, for the preparation of a 
joint SAR; or
    (ii) In connection with certain employment references or 
termination notices, to the full extent authorized in 31 U.S.C. 
5318(g)(2)(B); or
    (B) The sharing by a national bank, or any director, officer, 
employee, or agent of a national bank, of a SAR, or any information 
that would reveal the existence of a SAR, within the bank's corporate 
organizational structure for purposes consistent with Title II of the 
Bank Secrecy Act as determined by regulation or in guidance.
    (2) Prohibition on disclosure by the OCC. The OCC will not, and no 
officer, employee or agent of the OCC, shall disclose a SAR, or any 
information that would reveal the existence of a SAR, except as 
necessary to fulfill official duties consistent with Title II of the 
Bank Secrecy Act. For purposes of this section, official duties shall 
not include the disclosure of a SAR, or any information that would 
reveal the existence of a SAR, in response to a request for use in a 
private legal proceeding or in response to a request for disclosure of 
non-public OCC information under 12 CFR 4.33.
    (l) Limitation on liability. A national bank and any director, 
officer, employee or agent of a national bank that makes a voluntary 
disclosure of any possible violation of law or regulation to a 
government agency or makes a disclosure pursuant to this section or any 
other authority, including a disclosure made jointly with another 
financial institution, shall be protected from liability to any person 
for any such disclosure, or for failure to provide notice of such 
disclosure to any person identified in the disclosure, or both, to the 
full extent provided by 31 U.S.C. 5318(g)(3).

    Dated: August 16, 2010.
John Walsh,
Acting Comptroller of the Currency.
[FR Doc. 2010-29880 Filed 12-2-10; 8:45 am]
BILLING CODE 4810-33-P