Financial institutions often encounter suspicious transactions that warrant the filing of a suspicious activity report (“SAR”). When this occurs, the Bank Secrecy Act (“BSA”) and federal regulations specifically prohibit the unauthorized disclosure of the SAR, or any information that may reveal the existence of the SAR. This confidentiality requirement may place certain employees, especially those holding close relationships with customers who are the subject of a SAR, in a difficult position. Significant work may have gone into developing the relationship, which may be a source of substantial current or future revenue for the institution.
Loyalty to a revenue-generating customer, however, should never trump one’s legal obligation of confidentiality. The penalties are simply too severe. Federal law provides for civil penalties of up to $100,000 for each violation, and criminal penalties that include fines of up to $250,000 and/or imprisonment of up to 5 years. Further, enforcement actions for sub-standard AML compliance often go hand-in-hand with charges of an unauthorized SAR disclosure.
And while much focus is placed on not disclosing SARs (e.g., SARs should never be provided in response to a civil litigation subpoena absent a court order), confusion often exists regarding certain government agencies’ right to this information.
If the OCC calls wanting information about a SAR, should you disclose it? What about the CFPB? If you receive a grand jury subpoena seeking SAR-related information, is disclosure allowed?
The BSA and operative regulations require financial institutions to disclose documentation supporting the filing of a SAR to federal, state, and local law enforcement agencies, upon request, provided the agencies have jurisdiction over the entity implicated by the SAR. Further, financial institutions may share the SAR itself, or the information it contains, with an appropriate federal, state, or local law enforcement agency. In addition to law enforcement requests, the same exception applies for regulatory/supervisory agencies having authority to examine the financial institution receiving the request for BSA compliance. For depository institutions, federal and state bank supervisory agencies are proper requestors.
The difficulty lies in determining whether the requestor is a government agency that is entitled to the information (not all are). This is often a fact-specific inquiry, with multiple regulations to consider, and different answers for different types of financial institutions.
The key is always to err on the side of non-disclosure. Once a SAR is disclosed, it can’t be undone, and if disclosure was improper, penalties could follow. Make certain you have a valid government requestor before disclosing any SAR-related information, and seek guidance where there is any uncertainty.
 See 31 U.S.C. §§ 5318(g)(2), 5321, and 5322; see also Dep’t of Treasury, FinCEN Advisory, SAR Confidentiality Reminder for Internal and External Counsel of Financial Institutions (FIN-2012-A002, March 2, 2012).
 Specific regulations apply when a financial institution receives a subpoena for a SAR. See 31 C.F.R. § 103.17(e) (futures commission merchants and introducing brokers in commodities); 31 C.F.R. § 103.18(e) (banks); 31 C.F.R. § 103.19(e) (brokers or dealers in securities); 31 C.F.R. § 103.20(d) (money services businesses); and 31 C.F.R. § 103.21(e) (casinos).
 See The SAR Activity Review: Trends, Tips & Issues, Issue 9 at 43-45 (Oct. 2009); Dep’t of Treasury, FinCEN Guidance, Sharing Suspicious Activity Reports by Depository Institutions with Certain U.S. Affiliates (FIN-2010-G006, Nov. 23, 2010).