Proposed SAR Changes

FinCEN has published a notice of proposed changes to the SAR form.  The notice does not propose any new regulatory requirements or changes to the requirements related to suspicious activity reporting other than changes to the data fields provided in the SAR filings.  Most of the proposed changes would alter the “checklist” of violations in Part II, including the addition of several fields related to cyber events.

Comments are due by April 3, 2017.

The following updates are proposed:

  1. Type of filing, item 1e, remove the reference to “document control number.”
  2. Add new item 2 “Filing Institution Note to FinCEN” followed by a text field with 100-character limit. This item allows the filer to identify reports filed in response to geographical targeting orders and BSA advisories etc.
  3. Part I, item 24j, remove “no relationship to institution” option. No other changes.
  4. Part II, items 32a and b, add “or cancels” to the current item; item 32c, remove the current item.
  5. Item 34b, add “Advanced Fee” and remove “Business loan”; item 34i, remove mass marketing and replace with “Ponzi Scheme”; item 34l, add “Securities Fraud.”
  6. Item 35, change the section title to “Gaming Activities”; item 35a, replace the current item with “Chip walking”; item 35b, replace the current item with “Minimal gaming with large transactions”; item 35d, add “Unknown source of chips.”
  7. Item 36b, remove the current item and replace with “Funnel account.”
  8. Item 37d, add “Provided questionable or false identification.”
  9. Item 38g, insert “Human Trafficking/Smuggling”; item 38i, remove the current item; item 38p, add “Transaction(s) involving foreign high risk jurisdiction”; item 38q, remove the current entry.
  10. Item 40b, remove “wash trading” from current item and add as a new item e.
  11. Item 41a, add new “Application Fraud”; item 41c, add “Foreclosure/Short sale fraud”; item 41e, add “origination fraud” and remove “reverse mortgage fraud.”
  12. Item 42, add as new category “Cyber-event”; add new 42a, “Against the Financial Institution(s)”; 42b, “Against the Financial Institutions customer(s)”; add 42z, “Other,” with the associated text field.
  13. Item 43n, remove the term “Penny Stocks.”
  14. Item 48, IP Address, add item 48a, Date field (yyyy/mm/dd), and 48b, Time field (hh:mm:ss in UTC).
  15. Add new item 49, Cyber-event Indicator (multiple entries up to 99), with the following sub-items:
      - 49a, Command & Control IP Address: 49a1, Value text field; 49a2, Date associated with the event; 49a3, UTC time hh:mm:ss
      - 49b, Command & Control URL/Domain: 49b1, Value text field
      - 49c, Malware MD5, Malware SHA-1, or Malware SHA-256: 49c1, Value text field
      - 49d, Media Access Control (MAC) Address: 49d1, Value text field
      - 49e, Port: 49e1, Value text field
      - 49f, Suspicious E-Mail Address: 49f1, Value text field
      - 49g, Suspicious Filename: 49g1, Value text field
      - 49h, Suspicious IP Address: 49h1, Value text field; 49h2, Date associated with the event; 49h3, UTC time hh:mm:ss
      - 49i, Suspicious URL/Domain: 49i1, Value text field
      - 49j, Targeted System: 49j1, Value text field
      - 49z, Other, Text field: 49z1, Value text field
  16. Part III, no change to the data items.
  17. Part IV, increase the field length for Part IV, Item 93, “Designated contact office,” to 50 characters.

A comprehensive summary of the proposed SAR data fields appears as an appendix to the notice.

Passwords to access the blog posts, and blog posts are only for NWCG owners and retained clients. These should not be shared outside of the credit union. Blog posts generally contain only a summary of any requirements, and do not represent all potential impact on the credit unions. For further details on any blog post, contact NWCG or references cited in the blog post. The information contained on this site is provided for informational purposes only, and should not be construed as legal advice.
