Skip to Content

Rule

Confidentiality of Suspicious Activity Reports

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

The Office of the Comptroller of the Currency (OCC), Treasury.

ACTION:

Final rule.

SUMMARY:

The OCC is issuing this final rule to amend its regulations implementing the Bank Secrecy Act (BSA) governing the confidentiality of a suspicious activity report (SAR) to: clarify the scope of the statutory prohibition on the disclosure by a financial institution of a SAR, as it applies to national banks; address the statutory prohibition on the disclosure by the government of a SAR, as that prohibition applies to the OCC's standards governing the disclosure of SARs; clarify that the exclusive standard applicable to the disclosure of a SAR, or any information that would reveal the Start Printed Page 75577existence of a SAR, by the OCC is to fulfill official duties consistent with Title II of the BSA; and modify the safe harbor provision in the OCC's SAR rules to include changes made by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act. These amendments are consistent with a final rule being contemporaneously issued by the Financial Crimes Enforcement Network (FinCEN).

DATES:

This rule is effective on January 3, 2011.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

James Vivenzio, Senior Counsel for BSA/AML, (202) 874-5200; Ellen Warwick, Assistant Director, Litigation, (202) 874-5280; or Patrick T. Tierney, Counsel, Legislative and Regulatory Activities, (202) 874-5090; Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Background

The BSA requires financial institutions, including national banks regulated by the OCC, to keep certain records and make certain reports that have been determined to be useful in criminal, tax, or regulatory investigations or proceedings, and for intelligence or counter intelligence activities to protect against international terrorism. In particular, the BSA and its implementing regulations require a financial institution to file a SAR when it detects a known or suspected violation of Federal law or a suspicious activity related to money laundering, terrorist financing, or other criminal activity.[1]

SARs are used for law enforcement or regulatory purposes to combat terrorism, terrorist financing, money laundering and other financial crimes. For this reason, the BSA provides that a financial institution, and its officers, directors, employees, and agents are prohibited from notifying any person involved in a suspicious transaction that the transaction was reported.[2] To encourage the voluntary reporting of possible violations of law and regulation, and the filing of SARs, the BSA also contains a safe harbor provision, which shields financial institutions making such reports from civil liability.

FinCEN [3] has issued rules implementing the SAR confidentiality provisions for various types of financial institutions that closely mirror the statutory language.[4] In addition, the Federal bank regulatory agencies implemented these provisions through similar regulations that provide SARs are confidential and generally no information about or contained in a SAR may be disclosed.[5] The regulations issued by FinCEN and the Federal bank regulatory agencies also describe the applicability of the BSA's safe harbor provision [6] to both voluntary reports of possible and known violations of law and the required filing of SARs.

The USA PATRIOT Act of 2001 strengthened the confidentiality of SARs by adding to the BSA a new provision that prohibits officers or employees of the Federal government or any State, local, Tribal, or territorial government within the United States with knowledge of a SAR from disclosing to any person involved in a suspicious transaction that the transaction was reported, other than as necessary to fulfill the official duties of such officer or employee.[7] The USA PATRIOT Act also clarified that the safe harbor shielding financial institutions from liability covers voluntary disclosures of possible violations of law and regulations to a government agency and expanded the scope of the limit on liability to cover any civil liability that may exist “under any contract or other legally enforceable agreement (including any arbitration agreement).” [8]

FinCEN is issuing a final rule to modify its SAR rules to interpret or further interpret the provisions of the BSA that relate to the confidentiality of SARs and the safe harbor for such reporting. The OCC is amending its SAR rules contemporaneously, consistent with the final rule being issued by FinCEN, to clarify the manner in which these provisions apply to national banks and to the OCC's own standards governing the disclosure of a SAR and any information that would reveal the existence of a SAR (referred to in this SUPPLEMENTARY INFORMATION as “SAR information”).

In a separate rulemaking action from the part 21 proposal, the OCC also simultaneously proposed to amend its information disclosure regulation set forth in 12 CFR part 4, subpart C, to clarify that the exclusive standard governing the release of SAR information is set forth in 12 CFR 21.11.[9] The OCC issued that proposed amendment to 12 CFR part 4, subpart C, at the same time as the part 21 proposal, to make clear that the OCC will disclose SAR information only when necessary to satisfy the BSA purposes for which SARs are filed. Today, the OCC also is adopting the part 4 proposal as final without change.

II. Overview of the Proposed Rule and Related Actions

On March 9, 2009, the OCC published proposed amendments to its rules [10] to include key changes that would: (1) Clarify the scope of the statutory prohibition on the disclosure by a financial institution of a SAR, as it applies to national banks; (2) address the statutory prohibition on the disclosure by the government of a SAR, which was added to the BSA by section 351(b) of the USA PATRIOT Act of 2001, as that prohibition applies to the OCC's standards governing the disclosure of SAR information; and (3) clarify that the exclusive standard applicable to the disclosure of SAR information by the OCC is to fulfill official duties consistent with Title II of the BSA, in order to ensure that SAR information is protected from inappropriate disclosures unrelated to the BSA purposes for which SARs are filed. In addition, the proposed amendments would modify the safe harbor provision in the OCC's SAR rules [11] to include changes made by the USA PATRIOT Act.

Contemporaneously with the publication of, and as described in the OCC's proposal, FinCEN issued for notice and comment proposed guidance regarding the sharing of SARs with Start Printed Page 75578affiliates.[12] That proposed guidance may be used to interpret a provision of the OCC's proposed rulemaking.

III. Comments on the Proposed Rule

The comment period for the proposed rulemakings ended on June 8, 2009. OCC received a total of five comments.[13] Of these, three were submitted by bank trade associations, one was submitted by a bank holding company, and one was submitted by an individual. The comments generally supported the OCC's proposed rule while requesting broadening of FinCEN's proposed sharing guidance.[14] Comments specific to the OCC's proposed rule provided suggestions related to the disclosure of the “underlying facts, transactions, and documents upon which a SAR is based;” the requirement to reveal a SAR request to both OCC and FinCEN; and the proposed modification to the safe harbor provision in the OCC's SAR rules [15] to include changes made by the USA PATRIOT Act. These comments are addressed in the Section-by-Section Analysis section of this SUPPLEMENTARY INFORMATION.

IV. Section-by-Section Analysis

Section 21.11(b) Definition of a SAR

The primary purpose of the OCC's SAR rule is to ensure that a national bank files a SAR when it detects a known or suspected violation of a Federal law or a suspicious transaction related to money laundering activity or a violation of the BSA. See 12 CFR 21.11(a). Incidental to this purpose, the OCC's SAR rule includes a section that addresses the confidentiality of SARs.

Under the current SAR rule, the term “SAR” means “a Suspicious Activity Report on the form prescribed by the OCC.” [16] The proposed rule would have defined a “SAR” generically as “a Suspicious Activity Report.” This change would extend the confidentiality provisions of the OCC's SAR rule to all SARs, including those filed on forms prescribed by FinCEN.[17] As a consequence, a national bank that obtained a SAR, for example, from a non-bank affiliate pursuant to the provisions of the proposed rule, would be required to safeguard the confidentiality of the SAR, even if the SAR had not been filed on a form prescribed by the OCC. The OCC received no comments on the proposed revised definition of SAR and adopts the definition as proposed.

Section 21.11(c) SARs Required

To clarify that a national bank must file a SAR on a form “prescribed by the OCC,” the OCC proposed to add that phrase to the introductory language of the section of the OCC's SAR rule that describes the procedures for the filing of a SAR. Accordingly, the proposed rule would have required a national bank to file a SAR with the appropriate Federal law enforcement agencies and the Department of the Treasury on the form prescribed by the OCC in accordance with the form's instructions, by sending a completed SAR to FinCEN in particular circumstances.[18] The OCC received no comments on the proposal to add the phrase “prescribed by the OCC” to the introductory language of that section of the OCC's SAR rule and adopts the change as proposed.

Section 21.11(k) Confidentiality of SARs

Prior to this rulemaking, § 21.11(k) specified that SARs are confidential and any national bank or person: (1) Must not disclose a SAR or the information contained in SAR; (2) must not provide any information that would disclose that a SAR has been prepared or filed; and (3) must notify the OCC of any subpoena or request received by a national bank or person to make such a SAR-related disclosure.

The OCC proposed to amend its rules regarding SAR confidentiality [19] by modifying the introductory sentence regarding SAR confidentiality and dividing the remainder of the current provision into two sections. The first section would describe the prohibition on disclosure of SAR information by national banks and the rules of construction applicable to this prohibition. The second section would describe the prohibition on the OCC's disclosure of SAR information.

Prior to this final rulemaking action, the OCC's rules prohibiting the disclosure of SARs began with the statement that SARs are confidential. Over the years, the OCC has received numerous questions regarding the scope of the prohibition on the disclosure of a SAR in its current rules. Accordingly, the OCC proposed to clarify the scope of SAR confidentiality by more clearly describing the information that is subject to the prohibition. Like FinCEN, the OCC believes that all of the reasons for maintaining the confidentiality of SARs are equally applicable to any information that would reveal the existence of a SAR.

The OCC, like FinCEN, recognizes that in order to protect the confidentiality of a SAR, any information that would reveal the existence of a SAR must be afforded the same protection from disclosure. The confidentiality of SARs must be maintained for a number of compelling reasons. For example, the disclosure of a SAR could result in notification to persons involved in the transaction that is being reported and compromise any investigations being conducted in connection with the SAR. In addition, the OCC believes that even the occasional disclosure of a SAR could chill the willingness of a national bank to file SARs and to provide the degree of detail and completeness in describing suspicious activity in SARs that will be of use to law enforcement. If banks believe that a SAR can be used for purposes unrelated to the law enforcement and regulatory purposes of the BSA, the disclosure of such information could adversely affect the timely, appropriate, and candid reporting of suspicious transactions. Banks also may be reluctant to report suspicious transactions, or may delay making such reports, for fear that the disclosure of a SAR will interfere with the bank's relationship with its customer. Further, a SAR may provide insight into how a bank uncovers potential criminal conduct that can be used by others to circumvent detection. The disclosure of a SAR also could compromise personally identifiable information or commercially sensitive information or damage the reputation of individuals or companies that may be named. Finally, the disclosure of a SAR for uses unrelated to the law enforcement and regulatory purposes for which SARs are intended increases the risk that bank employees or others who are involved in the preparation or filing of a SAR could become targets for retaliation by persons whose criminal conduct has been reported.

These reasons for maintaining the confidentiality of SARs also apply to any information that would reveal the existence of a SAR. Therefore, like FinCEN, the OCC proposed to modify the general introduction in its rules to Start Printed Page 75579state that confidential treatment also must be afforded to “any information that would reveal the existence of a SAR.” The introduction also would indicate that SAR information may not be disclosed, except as authorized in the narrow circumstances that follow.

Some commenters asked that the OCC clarify the phrase “information that would reveal the existence of a SAR” for the purpose of defining the scope of SAR confidentiality. One commenter specifically asked whether that term only includes information that affirmatively states that a SAR was filed. Another commenter urged that the OCC formally recognize that material contained in a reporting institution's files supporting its decision to file or not file a SAR is confidential.

Any document or other information that affirmatively states that a SAR has been filed constitutes information that would reveal the existence of a SAR and must be kept confidential. By extension, a national bank also must afford confidentiality to any document stating that a SAR has not been filed. Were the OCC to allow disclosure of information when a SAR is not filed, institutions would implicitly reveal the existence of a SAR any time they were unable to produce records because a SAR was filed.[20]

Documents that may identify suspicious activity, but that do not reveal whether a SAR exists (e.g., a document memorializing a customer transaction such as an account statement indicating a cash deposit or a record of a funds transfer), should be considered as falling within the underlying facts, transactions, and documents upon which a SAR is based, and need not be afforded confidentiality.[21] This distinction is set forth in the final rule's second rule of construction discussed in this Section-by-Section Analysis and reflects relevant case law.[22]

However, the strong public policy that underlies the SAR system as a whole—namely, the creation of an environment that encourages a national bank to report suspicious activity without fear of reprisal—leans heavily in favor of applying SAR confidentiality not only to a SAR itself, but also in appropriate circumstances to material prepared by the national bank as part of its process to detect and report suspicious activity, regardless of whether a SAR ultimately was filed or not. This interpretation also reflects relevant case law.[23]

As explained in more detail in the proposed rule,[24] the primary purpose for clarifying the scope of the confidentiality provision is to ensure that, due to potentially serious consequences, the persons involved in the transaction and identified in the SAR cannot be notified, directly or indirectly, of the report. Accordingly, like FinCEN, the OCC proposed replacing the previous rule text prohibiting disclosure of the SAR to the person involved in the transaction with a broad general confidentiality provision for all SAR information applicable to all persons not authorized in the rules of construction to receive such information. With respect to “information that would reveal the existence of a SAR,” therefore, institutions should distinguish between certain types of statistical or abstract information or general discussions of suspicious activity that may indicate that an institution has filed SARs,[25] and information that would reveal the existence of a SAR in a manner that could enable the person involved in the transaction potentially to be notified, whether directly or indirectly.

Like FinCEN, and for the reasons discussed in this section, the OCC is adopting the proposed introductory language to the Confidentiality of SARs provision (§ 21.11(k)) as final without change.

Section 21.11(k)(1)(i) Prohibition on Disclosure by National Banks

The OCC's current rules provide that any national bank or person subpoenaed or otherwise requested to disclose a SAR or the information contained in a SAR must: (1) Decline to produce the SAR or to provide any information that would disclose that a SAR has been prepared or filed and (2) notify the OCC.

The proposed rule more specifically addressed the prohibition on the disclosure of a SAR by a national bank. The proposed rule provided that the prohibition includes “any information that would reveal the existence of a SAR” instead of using the phrase “any information that would disclose that a SAR has been prepared or filed.” The OCC, like FinCEN, believes that the proposed phrase more clearly describes the type of information that is covered by the prohibition on the disclosure of a SAR. In addition, the proposed rule incorporated the specific reference in 31 U.S.C. 5318(g)(2)(A)(i) to a “director, officer, employee, or agent,” in order to clarify that the prohibition on disclosure extends to those individuals in a national bank who may have access to SAR information.

Although 31 U.S.C. 5318(g)(2)(A)(i) provides that a person involved in the transaction may not be notified that the transaction has been reported, the proposed rule reflected case law that has consistently concluded, in accordance with applicable regulations, that financial institutions are broadly prohibited from disclosing SAR information to any person. Accordingly, these cases have held that, in the context of discovery in connection with Start Printed Page 75580civil lawsuits, financial institutions are prohibited from disclosing SAR information because section 5318(g) and its implementing regulations have created an unqualified discovery and evidentiary privilege for such information that cannot be waived by financial institutions.[26] Consistent with case law and the current regulation, the text of the proposed rule did not limit the prohibition on disclosure only to the person involved in the transaction. Permitting disclosure to any outside party may make it likely that SAR information would be disclosed to a person involved in the transaction, which the BSA absolutely prohibits.

The proposed rule continued to provide that any national bank, or any director, officer, employee or agent of a national bank, subpoenaed or otherwise requested to disclose SAR information must decline to provide the information, citing that section of the rule and 31 U.S.C. 5318(g)(2)(A)(i), and must give notice of the request to the OCC. In addition, the proposed rule required the bank to notify the OCC of its response to the request and required the bank to provide the same information to FinCEN.

Two commenters suggested that OCC adjust its SAR rule to remove the “duplicative” requirement for a bank to notify both OCC and FinCEN when SAR information is inappropriately requested. OCC, like FinCEN, disagrees with the commenter's characterization of the notification requirement as “duplicative” because OCC and FinCEN each have issued, and separately administers, its own separate SAR rule.[27] The joint notification requirement in the OCC's final rule, therefore, simply acknowledges the notification requirement of different SAR regulations issued by separate agencies. Therefore, the OCC adopts proposed § 21.11(k)(1)(i) as final without change.

Section 21.11(k)(1)(ii): Rules of Construction

The OCC, like FinCEN, proposed rules of construction to address issues that have arisen over the years about the scope of the SAR disclosure prohibition and to implement statutory modifications to the BSA made by the USA PATRIOT Act. The proposed rules of construction primarily describe situations that are not covered by the prohibition on bank disclosure of SAR information. The introduction to the proposed rules of construction makes clear that they are qualified by the statutory mandate that no person involved in any reported suspicious transaction can be notified that the transaction has been reported. The OCC received no comments on the proposed introductory language to the rules of construction and is adopting the language in the final rule as proposed.

The first proposed rule of construction builds on existing language to clarify that a national bank, or any director, officer, employee, or agent [28] of a national bank may disclose SAR information to FinCEN or any Federal, State, or local law enforcement agency; or any Federal or State regulatory agency that examines the financial institution for compliance with the BSA. Although the permissibility of such disclosures may be readily apparent, the proposal contained this statement to clarify that a national bank cannot use the prohibition on bank disclosure of SAR information to withhold this information from governmental authorities that are otherwise entitled by law to receive SARs and to examine for and investigate suspicious activity.

The first rule of construction is adopted as final with one change to reflect that State regulatory authorities do not examine national banks for compliance with the BSA. Thus, the final rule revises § 21.11(k)(1)(ii)(A)(1) to read, in relevant part, that § 21.11(k)(1) does not prohibit the disclosure by a national bank, or any director, officer, employee, or agent of a national bank, of a “SAR, or any information that would reveal the existence of a SAR, to the OCC, FinCEN, or any Federal, State, or local law enforcement agency. * * *”

The second proposed rule of construction provided that SAR information does not include the underlying facts, transactions, and documents upon which a SAR is based. This statement reflects case law, which has recognized that, while a financial institution is prohibited from producing documents in discovery that evidence the existence of a SAR, factual documents created in the ordinary course of business (for example, business records and account information, upon which a SAR is based) may be discoverable in civil litigation under the Federal Rules of Civil Procedure.[29]

The second proposed rule of construction included some examples of situations where a national bank may disclose the underlying facts, transactions, and documents upon which a SAR is based. The first example clarifies that a national bank, or any director, officer, employee or agent of a national bank, may disclose this information [30] to another financial institution, or any director, officer, employee, or agent of a financial institution, for the preparation of a joint SAR.[31] The second example simply codifies a rule of construction added to the BSA by section 351 of the USA PATRIOT Act, which provides that such underlying information may be disclosed in certain written employment references and termination notices.[32]

One commenter suggested that the OCC clarify that the illustrative Start Printed Page 75581examples are not exhaustive, and that there may be other situations not prescribed in the rule where an institution may disclose the underlying facts, transactions, and documents upon which a SAR is based. The OCC did not intend for these examples to be exhaustive and does not believe the text, as proposed, implies that the examples are exhaustive. For purposes of clarity, however, like FinCEN, the OCC is revising the final rule's language at § 21.11(k)(2) to read “* * * [t]he underlying facts, transactions, and documents upon which a SAR is based, including but not limited to, disclosures” expressly listed as illustrative examples in the rule. Accordingly, with respect to the SAR confidentiality provision only,[33] national banks may disclose underlying facts, transactions, and documents for any purpose, provided that no person involved in the transaction is notified that the transaction has been reported and none of the underlying information reveals the existence of a SAR.

Another commenter suggested that the rules of construction include a provision expressly authorizing the disclosure of facts, transactions, or documents to affiliates wherever located and clarify that such authority may be exercised independently of the authority to share SAR information with affiliates. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported and the underlying facts, transactions, and documents do not disclose SAR information, the OCC agrees that such disclosure by a national bank to its affiliates, wherever located, is not prohibited by the final rule. Furthermore, the OCC agrees that the authorization for national banks to disclose underlying information to affiliates in § 21.11(k)(1)(ii)(A)(2) is independent of the authority to share SAR information with affiliates in § 21.11(k)(1)(ii)(B). The OCC believes that the final rule and the BSA already address that commenter's concerns and that further revision to the rule is unnecessary.

The third proposed rule of construction clarified that the prohibition on the disclosure of SAR information by a national bank does not include the sharing by a national bank, or any director, officer, employee or agent of a bank, of SAR information within the bank's corporate organizational structure for purposes consistent with Title II of the BSA as determined by regulation or in guidance. The proposed third rule of construction recognizes that a national bank may find it necessary to share SAR information to fulfill its reporting obligations under the BSA, and to facilitate more effective enterprise-wide BSA monitoring and reporting, consistent with Title II of the BSA. The term “share” used in the third rule of construction is an acknowledgement that sharing within a corporate organization for purposes consistent with Title II of the BSA, as determined by regulation or guidance, is distinguishable from a prohibited disclosure.

FinCEN and the Federal bank regulatory agencies already have issued joint guidance making clear that the U.S. branch or agency of a foreign bank may share a SAR with its head office and that a U.S. bank or savings association may share a SAR with its controlling company (whether domestic or foreign). This guidance stated that the sharing of a SAR with a head office or controlling company both facilitates compliance with the applicable requirements of the BSA and enables the head office or controlling company to discharge its oversight responsibilities with respect to enterprise-wide risk management and compliance with applicable laws and regulations.[34]

Elsewhere in this issue of the Federal Register, FinCEN is issuing additional final guidance that further elaborates on sharing of SAR information within a corporate organization that FinCEN considers to be “consistent with the purposes of the BSA.” The final guidance generally permits the sharing of SAR information by depository institutions with their affiliates [35] that are subject to a SAR rule.[36]

In addition, four of the five comments received by the OCC on the proposed rule raised issues related to FinCEN's proposed guidance, much of which is addressed in FinCEN's separate notice of availability of guidance published elsewhere in today's Federal Register. In general, the commenters requested an expansion of the sharing authorities with respect to both the parties permitted to share and the parties with whom SAR information could be shared. Most commenters provided a clear rationale for how expanded SAR sharing would benefit their institutions by increasing efficiency, cutting costs, and enhancing the detection and reporting of suspicious activity. However, like FinCEN, the OCC notes that most commenters, however, failed to sufficiently address how they would effectively mitigate the risk of unauthorized disclosure of SAR information if the sharing authority was expanded to the extent they requested. FinCEN has taken the position that due to the risk of unauthorized disclosure of SAR information, broad sharing would not be consistent with the purposes of the BSA. Should FinCEN decide in the future to expand the sharing authority, the rule will allow for such expansion. Therefore, the third rule of construction is adopted as proposed without change.

Section 21.11(k)(2) Prohibition on Disclosure by the OCC

As previously noted, section 351 of the USA PATRIOT Act, 31 U.S.C. 5318(g)(2)(A)(ii), amended the BSA, and added a new provision prohibiting officers and employees of the government from disclosing a SAR to any person involved in the transaction that the transaction has been reported, except “as necessary to fulfill the official duties of such officer or employee.” Section 21.11(k)(2) of the OCC's proposed rule addressed this new provision of the BSA and is comparable to FinCEN's proposal. The proposed section provided that the OCC will not, and no officer, employee or agent of the OCC, shall disclose SAR information, except as necessary to fulfill official duties consistent with Title II of the BSA.

As stated in section 5318(g)(2)(A)(i), which prohibits a financial institution's disclosure of a SAR, section 5318(g)(2)(A)(ii) also prohibits the government from disclosing a SAR to “any person involved in the transaction.” The OCC, like FinCEN, proposed to address sections 5318(g)(2)(A)(i) and (A)(ii) in a consistent manner, because disclosure by a governmental authority of SAR information to any outside party may make it more likely that the information will be disclosed to a person involved in the transaction. Accordingly, the proposed rule would generally bar disclosures of SAR information by OCC officers, employees, or agents.

However, section 5318(g)(2)(A)(ii) also narrowly permits governmental disclosures as necessary to “fulfill Start Printed Page 75582official duties,” a phrase that is not defined in the BSA. Consistent with the rules being proposed by FinCEN, the OCC proposed to construe this phrase in the context of the BSA, in light of the purpose for which SARs are filed. Accordingly, the proposed rule interpreted “official duties” to mean “official duties consistent with Title II of the Bank Secrecy Act.” [37] When disclosure is necessary to fulfill official duties, the OCC will make a determination, through its internal processes, that a SAR may be disclosed to fulfill official duties consistent with Title II of the BSA. This standard would permit, for example, disclosures responsive to a grand jury subpoena; a request from an appropriate Federal or State law enforcement agency; a request from an appropriate Congressional committee or subcommittee; and prosecutorial disclosures mandated by statute or the Constitution in connection with the statement of a government witness to be called at trial, the impeachment of a government witness, or as material exculpatory of a criminal defendant.[38] This proposed interpretation of section 5318(g)(2)(A)(ii) would ensure that SAR information will not be disclosed for a reason that is unrelated to the purposes of the BSA. For example, this standard would not permit disclosure of SAR information to the media.

The proposed rule also specifically provided that “official duties” shall not include the disclosure of SAR information in response to a request for use in a private legal proceeding or in response to a request for disclosure of non-public information under 12 CFR 4.33. This statement, which corresponded to a similar provision in FinCEN's proposed rules, establishes that the OCC will not disclose SAR information to a private litigant for use in a private legal proceeding, or pursuant to 12 CFR 4.33, because such a request cannot be consistent with any of the purposes enumerated in Title II of the BSA.[39] The BSA exists, in part, to protect the public's interest in an effective reporting system that benefits the nation by helping to ensure that the U.S. financial system will not be used for criminal activity or to support terrorism. The OCC, like FinCEN, believes that this purpose would be undermined by the disclosure of SAR information to a private litigant for use in a civil lawsuit for the reasons described earlier, including that such disclosures will chill full and candid reporting by national banks and other financial institutions.

Finally, the proposed rule applied to the OCC, in addition to its officers, employees, and agents. Comparable to a provision being proposed by FinCEN, the OCC proposed to include the agency itself in the scope of coverage, because requests for SAR information are typically directed to the agency, rather than to individuals within the OCC with authority to respond to the request. In addition, agents of the OCC were included in proposed § 21.11(k)(2) because they may have access to SAR information. Accordingly, the proposed interpretation would more comprehensively cover disclosures by the OCC or agents of the OCC and protect the confidentiality of SAR information.

The OCC did not receive comments on proposed § 21.11(k)(2) and is adopting this provision as final without change.

Section 21.11(l) Limitation on Liability

In 1992, the Annunzio-Wylie Act amended the BSA by providing a safe harbor for financial institutions and their employees from civil liability for the reporting of known or suspected criminal offenses or suspicious activity through the filing of a SAR.[40] FinCEN and the OCC incorporated the safe harbor provisions of the 1992 law into their SAR rules.[41] Section 351 of the USA PATRIOT Act amended section 5318(g)(3) to clarify that the scope of the safe harbor provision includes the voluntary disclosure of possible violations of law and regulations to a government agency and to expand the scope of the limit on civil liability to include any liability that may exist “under any contract or other legally enforceable agreement (including any arbitration agreement).” [42] The OCC, like FinCEN, incorporated the statutory expansion of the safe harbor by cross-referencing section 5318(g)(3) in the proposed rule.

In addition, consistent with the proposed rule issued by FinCEN, this provision makes clear that the safe harbor also applies to a disclosure by a bank made jointly with another financial institution for purposes of filing a joint SAR.

The OCC received no comments on the proposed safe harbor provision. However, one comment received by FinCEN noted that the statutory safe harbor provision protects any person from liability, not just the person involved in the transaction. Accordingly, like FinCEN, the OCC is amending the proposed safe harbor language by inserting the phrase “shall be protected from liability to any person for any such disclosure * * *” and is otherwise adopting the proposed § 21.11(l) safe harbor provision as final.

Conforming Amendments to 12 CFR Part 4, Subpart C

Today, the OCC also is publishing a final rule to amend its information disclosure rule set forth in 12 CFR part 4, subpart C. Among other things, the final rule clarifies that the OCC's disclosure of SAR information will be governed exclusively by the standards set forth in the amendments to the OCC's part 21 SAR rule.[43] The effect of these final part 4 amendments is that the OCC: (1) Will not release SAR information to private litigants and (2) will only release SAR information to other government agencies, in response to a request pursuant to 12 CFR 4.37(c) or in the exercise of its discretion as described in 12 CFR 4.36, when necessary to fulfill official duties consistent with Title II of the BSA.

V. OCC Regulatory Analysis

Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA) generally requires an agency that is issuing a final rule to prepare and make available a final regulatory flexibility analysis that describes the impact of the final rule on small entities. 5 U.S.C. 604. However, the RFA provides that an agency is not required to prepare and make available a final regulatory flexibility analysis if the agency certifies that the final rule will not have a significant economic impact on a substantial number of small entities and publishes its certification and a short, explanatory statement in the Federal Register along with its final rule. 5 U.S.C. 605(b). For purposes of the RFA and OCC-regulated entities, a “small entity” is a national bank with assets of $175 million or less (small national bank).

The OCC has determined that the costs, if any, associated with the final rule are de minimis. The final rule simply clarifies the scope of the Start Printed Page 75583statutory prohibition against the disclosure by financial institutions and by the government of SAR information and clarifies the scope of the safe harbor from liability for institutions that report suspicious activities. Therefore, pursuant to section 605(b) of the RFA, the OCC hereby certifies that this final rule will not have a significant economic impact on a substantial number of small entities. Accordingly, a regulatory flexibility analysis is not needed.

Paperwork Reduction Act

We have reviewed the final rule in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506; 5 CFR 1320, Appendix A.1) (PRA) and have determined that it does not contain any “collections of information” as defined by the PRA.

Unfunded Mandates Reform Act of 1995

Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104-4 (2 U.S.C. 1532) (Unfunded Mandates Act), requires that an agency prepare a budgetary impact statement before promulgating any rule likely to result in a Federal mandate that may result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule.

The OCC has determined that this final rule will not result in expenditures by State, local, and Tribal governments, or by the private sector, of $100 million or more in any one year. Accordingly, this proposal is not subject to section 202 of the Unfunded Mandates Act.

Start List of Subjects

List of Subjects in 12 CFR Part 21

End List of Subjects

Authority and Issuance

Start Amendment Part

For the reasons set forth in the preamble, part 21 of title 12 of the Code of Federal Regulations is amended as follows:

End Amendment Part Start Part

PART 21—MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF SUSPICIOUS ACTIVITIES, AND BANK SECRECY ACT COMPLIANCE PROGRAM

End Part Start Amendment Part

1. The authority citation for part 21 continues to read as follows:

End Amendment Part Start Authority

Authority: 12 U.S.C. 93a, 1818, 1881-1884, and 3401-3422; and 31 U.S.C. 5318.

End Authority Start Amendment Part

2. Section 21.11 is amended by revising paragraphs (b)(3), (c) introductory text, (k) and (l) to read as follows:

End Amendment Part
Suspicious Activity Report.
* * * * *

(b) * * *

(3) SAR means a Suspicious Activity Report.

(c) SARs required. A national bank shall file a SAR with the appropriate Federal law enforcement agencies and the Department of the Treasury on the form prescribed by the OCC and in accordance with the form's instructions. The bank shall send the completed SAR to FinCEN in the following circumstances:

* * * * *

(k) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential, and shall not be disclosed except as authorized in this paragraph (k).

(1) Prohibition on disclosure by national banks. (i) General rule. No national bank, and no director, officer, employee, or agent of a national bank, shall disclose a SAR or any information that would reveal the existence of a SAR. Any national bank, and any director, officer, employee, or agent of any national bank that is subpoenaed or otherwise requested to disclose a SAR, or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify the following of any such request and the response thereto:

(A) Director, Litigation Division, Office of the Comptroller of the Currency; and

(B) The Financial Crimes Enforcement Network (FinCEN).

(ii) Rules of construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (k)(1) shall not be construed as prohibiting:

(A) The disclosure by a national bank, or any director, officer, employee or agent of a national bank of:

(1) A SAR, or any information that would reveal the existence of a SAR, to the OCC, FinCEN, or any Federal, State, or local law enforcement agency; or

(2) The underlying facts, transactions, and documents upon which a SAR is based, including, but not limited to, disclosures:

(i) To another financial institution, or any director, officer, employee or agent of a financial institution, for the preparation of a joint SAR; or

(ii) In connection with certain employment references or termination notices, to the full extent authorized in 31 U.S.C. 5318(g)(2)(B); or

(B) The sharing by a national bank, or any director, officer, employee, or agent of a national bank, of a SAR, or any information that would reveal the existence of a SAR, within the bank's corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance.

(2) Prohibition on disclosure by the OCC. The OCC will not, and no officer, employee or agent of the OCC, shall disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, official duties shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for use in a private legal proceeding or in response to a request for disclosure of non-public OCC information under 12 CFR 4.33.

(l) Limitation on liability. A national bank and any director, officer, employee or agent of a national bank that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another financial institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3).

Start Signature

Dated: August 16, 2010.

John Walsh,

Acting Comptroller of the Currency.

End Signature End Supplemental Information

Footnotes

1.  The Annunzio-Wylie Anti-Money Laundering Act (the Annunzio-Wylie Act) amended the BSA and authorized the Secretary of the Treasury to require financial institutions to report suspicious transactions relevant to a possible violation of law or regulation. See Public Law 102-550, Title XV, section 1517(b), 106 Stat. 4044, 4059-60 (1992); 31 U.S.C. 5318(g)(1). The OCC, Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), and National Credit Union Administration (NCUA), (collectively referred to as the Federal bank regulatory agencies) subsequently issued virtually identical implementing regulations on suspicious activity reporting. See 12 CFR 21.11 (OCC); 12 CFR 208.62 (FRB); 12 CFR 353.3 (FDIC); 12 CFR 563.180 (OTS); and 12 CFR 748.1 (NCUA).

Back to Citation

3.  FinCEN is the agency designated by the Department of the Treasury to administer the BSA and with which SARs must be filed. See 31 U.S.C. 5318; 12 CFR 21.11(c).

Back to Citation

4.  See, e.g., 31 CFR 103.18(e) (SAR confidentiality rule for banks); 31 CFR 103.19(e) (SAR confidentiality rule for brokers or dealers in securities).

Back to Citation

5.  See 12 CFR 21.11(k) (OCC); 12 CFR 208.62(j) (FRB); 12 CFR 353.3(g) (FDIC); 12 CFR 563.180(d)(12) (OTS); and 12 CFR 748.1(c)(5) (NCUA).

Back to Citation

7.  See USA PATRIOT Act, section 351(b); Pub. L. 107-56, Title III, section 351; 115 Stat. 272, 320-21 (2001); 31 U.S.C. 5318(g)(2).

Back to Citation

8.  See USA PATRIOT Act, section 351(a); Public Law 107-56, Title III, section 351; 115 Stat. 272, 321 (2001); 31 U.S.C. 5318(g)(3).

Back to Citation

9.  74 FR 10136 (Mar. 9, 2009).

Back to Citation

10.  74 FR 10130 (Mar. 9, 2009).

Back to Citation

12.  74 FR 10158 (Mar. 9, 2009).

Back to Citation

13.  None of the comments received by the OCC directly addressed the proposed revisions to the OCC's information disclosure regulation set forth in 12 CFR part 4, subpart C.

Back to Citation

14.  Comments about the sharing guidance are addressed separately in a related “notice of availability of guidance” published by FinCEN elsewhere in today's Federal Register together with FinCEN's final rules.

Back to Citation

17.  See, e.g., 31 CFR 103.19(b) (FinCEN regulations requiring brokers or dealers in securities to file reports of suspicious transactions on a SAR-S-F).

Back to Citation

18.  OCC's current provision, at 12 CFR 21.11(c), requires a national bank to “file a SAR with the appropriate Federal law enforcement agencies and the Department of the Treasury in accordance with the form's instructions * * *,” but does not specify which form.

Back to Citation

20.  For example, a private litigant may serve a discovery request on a bank in civil litigation that calls for the bank to produce the underlying documentation on companies A, B, and C, where the bank has filed a SAR on company A, but not companies B or C, and the underlying documentation reflects the SAR filing decisions. If the bank then produces the underlying documentation for companies B and C, but neither confirms nor denies the existence of a SAR when declining to provide similar documentation for company A, by negative implication it may have revealed the existence of the SAR filed on company A.

Back to Citation

21.  As one commenter noted, information produced in the ordinary course of business may contain sufficient information that a reasonable and prudent person familiar with SAR filing requirements could use to conclude that an institution likely filed a SAR (e.g., a copy of a fraudulent check or a cash transaction log showing a clear pattern of structured deposits). Such information alone does not constitute information that would reveal the existence of a SAR.

Back to Citation

22.  See, e.g., Whitney Nat. Bank v. Karam, 306 F. Supp. 2d 678, 682 (S.D. Tex. 2004) (noting that courts have “allowed the production of supporting documentation that was generated or received in the ordinary course of the bank's business, on which the report of suspicious activity was based”); Cotton v. Private Bank and Trust Co., 235 F. Supp. 2d 809, 815 (N.D. Ill. 2002) (holding that the “factual documents which give rise to suspicious conduct * * * are to be produced in the ordinary course of discovery because they are business records made in the ordinary course of business”).

Back to Citation

23.  See, e.g., Whitney at 682-83 (holding that the SAR confidentiality provision protects, inter alia, “communications preceding the filing of a SAR and preparatory or preliminary to it; communications that follow the filing of a SAR and are explanations or follow-up discussion; or oral communications or suspected or possible violations that did not culminate in the filing of a SAR”); Cotton at 815 (holding that “documents representing the drafts of SARs or other work product or privileged communications that relate to the SAR itself * * * are not to be produced [in discovery] because they would disclose whether a SAR has been prepared or filed”); Union Bank of California, N.A. v. Superior Court, 29 Cal. Rptr. 2d 894, 902 (2005) (holding that “a draft SAR or internal memorandum prepared as part of a financial institution's process for complying with Federal reporting requirements is generated for the specific purpose of fulfilling the institution's reporting obligation * * * [and] fall within the scope of the SAR [confidentiality] privilege because they may reveal the contents of a SAR and disclose whether `a SAR has been prepared or filed' ” (quoting 12 CFR 21.11(k) (2005)).

Back to Citation

24.  74 FR 10131-32 (Mar. 9, 2009).

Back to Citation

25.  One example of such information could include summary information commonly provided by banks in the “notification to the board” required by the various Federal bank regulatory agency SAR rules. National banks subject to the requirement are encouraged to be cautious in the production of relevant portions of board minutes or other records to avoid the risk of potentially exposing SAR information to the subject, either directly or indirectly, in the event such records are subpoenaed.

Back to Citation

26.  See, e.g., Whitney Nat'l Bank v. Karam, 306 F. Supp. 2d 678, 682 (S.D. Tex. 2004); Cotton v. Private Bank and Trust Co., 235 F. Supp. 2d 809, 815 (N.D. Ill. 2002).

Back to Citation

27.  Because FinCEN's jurisdiction is limited to Title 31 of the Code of Federal Regulations, FinCEN's final rule removes the requirement that a financial institution notify its primary Federal regulator in addition to notifying FinCEN in the event of an inappropriate request for SAR information. However, the OCC's final rule maintains the requirement that any national bank, and any director, officer, employee, or agent of any national bank, that is subpoenaed or otherwise requested to disclose SAR information, shall decline to produce the SAR or such information, citing 12 CFR Part 21 of the OCC's rules and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify both the OCC and FinCEN.

Back to Citation

28.  Some commenters requested guidance related to the appropriate use of SARs by agents of national banks. In the Supplementary Information section of FinCEN's final rule issued today, FinCEN states that it is considering additional guidance on the appropriate us of SARs by agents of financial institutions. Until such guidance is issued, however, the OCC and FinCEN remind national banks of their requirement to protect, through reasonable controls or agreements with their agents, the confidentiality of SAR information, as prescribed by the OCC and FinCEN final rules.

Back to Citation

29.  See Cotton v. Private Bank and Trust Co., 235 F. Supp. 2d 809, 815 (N.D. Ill. 2002).

Back to Citation

30.  Although the underlying facts, transactions, and documents upon which a SAR is based may include previously filed SARs or other information that would reveal the existence of a SAR, these materials cannot be disclosed as underlying documents.

Back to Citation

31.  On December 21, 2006, FinCEN and the Federal bank regulatory agencies announced that the format for the SAR form for depository institutions had been revised to support a new joint filing initiative to reduce the number of duplicate SARs filed for a single suspicious transaction. “Suspicious Activity Report (SAR) Revised to Support Joint Filings and Reduce Duplicate SARs,” Joint Release issued by FinCEN, the FRB, the OCC, the OTS, the FDIC, and the NCUA (Dec. 21, 2006). On February 17, 2006, FinCEN and the Federal bank regulatory agencies published a joint Federal Register notice seeking comment on proposed revisions to the SAR form. See 71 FR 8640. On May 1, 2007, FinCEN announced a delay in implementation of the revised SAR form until further notice. See 72 FR 23891. Until such time as a new SAR form is available that facilitates joint filing, institutions authorized to jointly file should follow FinCEN's guidance to use the words “joint filing” in the narrative of the SAR and ensure that both institutions maintain a copy of the SAR and any supporting documentation (See, e.g., http://www.fincen.gov/​statutes_​regs/​guidance/​html/​guidance_​faqs_​sar_​10042006.html).

Back to Citation

33.  However, other applicable laws or regulations governing a national bank's responsibilities to maintain and protect information continue to apply, for example, information covered by part 4 of the OCC's rules regarding the release of non-public OCC information.

Back to Citation

34.  “Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies,” Joint Release issued by FinCEN, the FRB, the FDIC, the OCC, and the OTS (Jan. 20, 2006).

Back to Citation

35.  Under FinCEN's final guidance, an “affiliate” of a depository institution means any company under common control with, or controlled by, that depository institution.

Back to Citation

36.  See, e.g., 12 CFR 21.11 (SAR rule applicable to national banks).

Back to Citation

37.  31 U.S.C. 5311 (setting forth the purposes of the BSA).

Back to Citation

38.  See, e.g., Giglio v. United States, 405 U.S. 150, 153-54 (1972); Brady v. Maryland, 373 U.S. 83, 86-87 (1963); Jencks v. United States, 353 U.S. 657, 668 (1957).

Back to Citation

40.  See supra note 1.

Back to Citation

41.  See 31 CFR 103.18(e) and 12 CFR 21.11(l). The safe harbor regulations also are applicable to oral reports of violations. (In situations requiring immediate attention, a national bank must immediately notify its regulator and appropriate law enforcement by telephone, in addition to filing a SAR. See, e.g., 12 CFR 21.11(d).)

Back to Citation

43.  See elsewhere in this issue of the Federal Register.

Back to Citation

[FR Doc. 2010-29880 Filed 12-2-10; 8:45 am]

BILLING CODE 4810-33-P