Information Sharing With Financial Institutions: Should You? Or Maybe Not!
Under our banking laws and regulations, a financial institution that suspected one of its account holders to be engaging in possible terrorist or money laundering activities or fraud would initiate an investigation into the transactions taking place on the account. If in the process of its investigation it discovered another financial institution involved, it could not legally share information with that institution for fear of violating privacy requirements.
Section 314(b) of the USA PATRIOT Act of 2001 tries to enable financial institutions to more quickly investigate and report some of that activity by cooperating with each other and sharing the information they have. The section includes 'safe harbor' for the participants.
First, Certify
FinCEN has adopted an interim final rule which establishes procedures under which information sharing can take place. In order to take advantage of these procedures, the bankers must first access the FinCEN web page and fill out a certification form online, or use the form included with the regulation in paper format, giving notice of their intent to share information with another financial institution. This certification is good for one year.
The certification form includes a statement that there will be adequate procedures to safeguard the shared information. It is imperative, therefore, that the financial institution has established adequate procedures to protect the confidentiality and security of the shared information. Institutions may wish to incorporate this into their overall information security program. Access to the information should be restricted to a need-to-know basis.
Questions
Bankers' Hotline advisor Mary Beth Guard raised a few questions about Section 314(b) "What happens," she said, "if you are certified and have adequate procedures in place, but the institution you want to share with is not certified? Are you required to check their certification status and/or their procedures to safeguard information? FinCEN says they're not going to maintain a list of certified entities, so it may be up to you to find out if the other institution has applied for certification.""And what happens after a year? You'll have to keep track and re-certify, or you have a potential compliance violation."
Not for Fraud
Although the filing of the certification form allows the sharing of information, that information, according to the form to be filled out and filed, "...will not be used for any purpose other than identifying and reporting on activities that may involve terrorist or money laundering activities." Security officers should not assume this certification frees them to share information about fraudulent activities other than those specified.
Requires SAR
If shared information leads an institution to believe that an individual, entity, or organization is, or may be, involved in terrorist activity, the rule states that the information should be reported to FinCEN by calling (866) 556-3974, and a SAR should also be filed, if appropriate. If the information sharing leads an institution to suspect that an individual, entity, or organization is, or may be, involved in money laundering, a SAR should be filed. If expedited reporting is deemed necessary, the FinCEN hotline number should be called.
The comment period has closed on FinCEN's interim final rule, but the final rule itself has not been announced or hit the Federal Register. We'll keep you posted.
Copyright © 2002 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 12, No. 6, 7/02