CUNA Comment Letter

Revised Suspicious Activity Report by Depository Institutions

April 18, 2006

Mr. Neil M. McNamara
Clearance Officer
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428

Dear Mr. McNamara:

The Credit Union National Association (CUNA) appreciates the opportunity to provide our views in response to the revisions to the Suspicious Activity Report (SAR) form proposed by the Financial Crimes Enforcement Network (FinCEN) and the Banking Supervisory Agencies. According to the notice and request for comments, the SAR form is being modified and reformatted to standardize that report with SARs being filed by other financial institutions. The SAR form is also being revised to support joint filing by providing the necessary data blocks and instructions for completing a jointly filed SAR. In addition, the list of information that should be included in the Narrative section would be expanded to aid the filing institution in the completion of the SAR, which would improve the form’s utility to law enforcement. By way of background, CUNA represents approximately 90% of our nation’s 8,900 state and federal credit unions, which serve nearly 87 million members.

Summary of CUNA’s Comments

Discussion of CUNA’s Comments

CUNA welcomes the continuing efforts of the regulators agencies to simplify, shorten and clarify the SAR form in order to assist institutions in completing and filing SARs. As the proposed changes are designed to contribute to this effort, CUNA generally supports the modifications and revisions as indicated in the draft SAR. While we believe that very few, if any, credit unions have filed a joint SAR with another financial institution up to this point, we think that the instructions/procedures are sufficiently understandable in the event that a credit union needs to file jointly. We also agree that most of the reformatting is appropriate. However, set out below, we have several suggestions to make the SAR form more user-friendly and the filing process less burdensome.

The filing of SARs remains a problematic issue for a number of financial institutions. In that regard, CUNA offers some recommendations to reduce the burden of filing SARs. CUNA strongly urges the regulators to issue further guidance to clarify examination procedures/standards for SARs in order to lessen the pressure institutions may feel to file "defensive" SARs. Such guidance would both save institution staff time preparing paperwork and allow law enforcement to more readily focus on those SARs with valuable information/leads which should be investigated.

CUNA also recommends changes to the timeframe for SAR filings. We feel the time for filing a SAR should be increased from no later than 60 days after the date of the initial detection of facts, which includes a delay for an additional 30 days if needed to identify a suspect. It can prove burdensome to investigate and prepare SARs in such a short timeframe. Consequently, we urge the regulators to consider extending the filing time to 60 days, 90 if necessary to identify a suspect. This would allow institutions more time to conduct a thorough investigation and would result in more complete SARs and fewer amended SARs. We believe that this would not unduly burden law enforcement, as they may not review SARs for a period of months after they are filed.

Finally, FinCEN guidelines suggest that institutions report continuing suspicious activity by filing a report at least every 90 days (Federal Financial Institutions Examination Council’s BSA/AML Examination Manual). It is very burdensome administratively to file a follow-up SAR every 90 days if the reportable activity continues. To alleviate some of this burden, we encourage the regulators to consider eliminating this 90-day rule to instead require a follow-up SAR only if and when the activity pattern changes. This change has been proposed in H.R. 3505, the Financial Services Regulatory Relief Act of 2005. Whether the 90-day guideline remains in place or another guideline is adopted, it would be helpful to include the appropriate guideline for continuing suspicious activity in Part A (When to file) or to add this information to Instructions Item 21 where it states "A new report must be filed for other related suspicious transactions committed after the initial detection period."

In terms of the SAR form itself, CUNA agrees that the information in the expanded list of items in the Narrative Section (Part V) would assist institutions in filing out the form. As the most crucial part of the form, we have some recommendations to increase the accuracy and completeness of the Narrative Section, thereby enhancing that section’s usefulness.

First, we suggest moving the information requested in item l (indicate whether U.S. or foreign currency) to Section II – Suspicious Activity Information. When indicating the total amount of money involved in the suspicious activity, it makes sense to note whether the money is in U.S. or foreign denomination. Second, the instructions below the block with letters "a" through "r" to the end of the page seems rather disjointed and may be somewhat confusing. Therefore, we recommend moving the blocks with those instructions up to the block titled Explanation/description of suspicious activity(ies). In order to make the words "Supporting documentation should not be filed with this report. Maintain the information for your files." stand out as prominently as possible, we recommend placing that verbiage as the only instructions in the block right above the narrative block.

The draft SAR would modify existing data item 1, the check box for correcting a prior SAR. Instead, on the new SAR form there would be 2 check boxes – one box for amending or correcting a prior report (data item 1) and one box for updating a prior report (data item 1a). It would be beneficial to provide more guidance as to what each box is intended to encompass. Therefore, we encourage the regulators to explain in greater detail in the Instructions section the type of new information that would be deemed an amended/corrected report and what new information would represent an updated report. Further, we suggest including instructions underneath boxes 1 and 1a stating "If box 1 or 1a is checked, complete sections I-IV and note any changes in Part V." Accompanying that addition, letter r in the Narrative section could be changed to: "If correcting or amending a prior report, it is not necessary to repeat the previous narrative. Note only the changes here in Part V."

CUNA also has two specific recommendations for the General Instructions section. While the draft SAR still contains the check box titled "Computer Intrusion" in the Summary of Characterization of Suspicious Activity section (Part II – Suspicious Activity Information), the definition of what that term encompasses for purposes of the SAR reporting requirement has been eliminated. While a very detailed explanation may not be necessary, we believe that it would be valuable to define "computer intrusion" as a computer-related security event involving unauthorized individual(s) gaining access to ("hacking into") the institution’s computer system (mainframe). The definition should clarify that the breach of a member’s/customer’s personal computer does not constitute a "computer intrusion" for purposes of SAR reporting. Further, a breach of the institution’s website or spoofing would not be covered under the definition, nor would phishing or spamming.

Thank you for the opportunity to share our comments. If you have any further questions, please contact me at corr@cuna.com or at (202) 508-6743.

Sincerely,

Catherine Orr
Senior Regulatory Counsel