FIN-2016-A005 Cyber-Events and Cyber-Related Crime Reporting

On October 25, 2016, FinCEN released FIN-2016-A005, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime. It serves as a refresher of the credit union’s SAR filing obligations when encountering cyber-events.

A financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets.
If a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions. Cyber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.
In determining whether a cyber-event should be reported, a financial institution should consider all available information surrounding the cyber-event, including its nature and the information and systems targeted. Similarly, to determine monetary amounts involved in the transactions or attempted transactions, a financial institution should consider in aggregate the funds and assets involved in or put at risk by the cyber-event.

Along with the Advisory, FinCEN also published a list of Frequently Asked Questions regarding the reporting of cyber-events. Many of the questions address how the credit union should complete the SAR form for these situations.

Credit unions should review the Advisory and the FAQs to ensure that they are properly reporting cyber-events.

https://www.fincen.gov/sites/default/files/shared/FAQ_Cyber_Threats_508_FINAL.PDF
https://www.fincen.gov/sites/default/files/shared/FAQ_Cyber_Threats_508_FINAL.PDF
NCUA Regulatory Alert 97-RA-12; Guidance for Reporting Computer Related Crimes
Cybersecurity Information Sharing Act of 2015 blog post

Passwords to access the blog posts, and blog posts are only for NWCG owners and retained clients. These should not be shared outside of the credit union. Blog posts generally contain only a summary of any requirements, and do not represent all potential impact on the credit unions. For further details on any blog post, contact NWCG or references cited in the blog post. The information contained on this site is provided for informational purposes only, and should not be construed as legal advice.

Leave a Reply

Your email address will not be published. Required fields are marked *