CUNA Comment Letter
Revised Suspicious Activity Report by Depository Institutions
April 18, 2006
Mr. Neil M. McNamara
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Dear Mr. McNamara:
The Credit Union National Association (CUNA) appreciates the opportunity to provide our views in response to the revisions to the Suspicious Activity Report (SAR) form proposed by the Financial Crimes Enforcement Network (FinCEN) and the Banking Supervisory Agencies. According to the notice and request for comments, the SAR form is being modified and reformatted to standardize that report with SARs being filed by other financial institutions. The SAR form is also being revised to support joint filing by providing the necessary data blocks and instructions for completing a jointly filed SAR. In addition, the list of information that should be included in the Narrative section would be expanded to aid the filing institution in the completion of the SAR, which would improve the forms utility to law enforcement. By way of background, CUNA represents approximately 90% of our nations 8,900 state and federal credit unions, which serve nearly 87 million members.
Summary of CUNAs Comments
- It would be helpful for the regulators to issue additional guidance on when to file a SAR to lessen the number of "defensive" SAR filings.
- CUNA generally supports the draft SAR revisions, as they should make the form more understandable and user-friendly.
- We suggest that the timeframe for filing a SAR be extended to 60 days, 90 if necessary to identify a suspect.
- To help alleviate burden, CUNA advocates for the elimination of the 90-day filing requirement for recurring suspicious activity on an account unless there has been a subsequent change in the activity pattern on the account.
- In the Narrative Section (Part V), we recommend that the instructions be modified so they are more orderly and the words "Supporting documentation should not be filed with this report." are as prominent as possible. We also think that the block that asks for the total amount involved in the known or suspicious activity is the logical spot to indicate U.S. or foreign currency as opposed to the narrative section.
- We urge the regulators to provide more detailed guidance as to the difference between an "amended or corrected" SAR and an "updated" SAR.
- The General Instructions section should still define the term "computer intrusion" for purposes of SAR reporting.
Discussion of CUNAs Comments
CUNA welcomes the continuing efforts of the regulators agencies to simplify, shorten and clarify the SAR form in order to assist institutions in completing and filing SARs. As the proposed changes are designed to contribute to this effort, CUNA generally supports the modifications and revisions as indicated in the draft SAR. While we believe that very few, if any, credit unions have filed a joint SAR with another financial institution up to this point, we think that the instructions/procedures are sufficiently understandable in the event that a credit union needs to file jointly. We also agree that most of the reformatting is appropriate. However, set out below, we have several suggestions to make the SAR form more user-friendly and the filing process less burdensome.
The filing of SARs remains a problematic issue for a number of financial institutions. In that regard, CUNA offers some recommendations to reduce the burden of filing SARs. CUNA strongly urges the regulators to issue further guidance to clarify examination procedures/standards for SARs in order to lessen the pressure institutions may feel to file "defensive" SARs. Such guidance would both save institution staff time preparing paperwork and allow law enforcement to more readily focus on those SARs with valuable information/leads which should be investigated.
CUNA also recommends changes to the timeframe for SAR filings. We feel the time for filing a SAR should be increased from no later than 60 days after the date of the initial detection of facts, which includes a delay for an additional 30 days if needed to identify a suspect. It can prove burdensome to investigate and prepare SARs in such a short timeframe. Consequently, we urge the regulators to consider extending the filing time to 60 days, 90 if necessary to identify a suspect. This would allow institutions more time to conduct a thorough investigation and would result in more complete SARs and fewer amended SARs. We believe that this would not unduly burden law enforcement, as they may not review SARs for a period of months after they are filed.
Finally, FinCEN guidelines suggest that institutions report continuing suspicious activity by filing a report at least every 90 days (Federal Financial Institutions Examination Councils BSA/AML Examination Manual). It is very burdensome administratively to file a follow-up SAR every 90 days if the reportable activity continues. To alleviate some of this burden, we encourage the regulators to consider eliminating this 90-day rule to instead require a follow-up SAR only if and when the activity pattern changes. This change has been proposed in H.R. 3505, the Financial Services Regulatory Relief Act of 2005. Whether the 90-day guideline remains in place or another guideline is adopted, it would be helpful to include the appropriate guideline for continuing suspicious activity in Part A (When to file) or to add this information to Instructions Item 21 where it states "A new report must be filed for other related suspicious transactions committed after the initial detection period."
In terms of the SAR form itself, CUNA agrees that the information in the expanded list of items in the Narrative Section (Part V) would assist institutions in filing out the form. As the most crucial part of the form, we have some recommendations to increase the accuracy and completeness of the Narrative Section, thereby enhancing that sections usefulness.
First, we suggest moving the information requested in item l (indicate whether U.S. or foreign currency) to Section II Suspicious Activity Information. When indicating the total amount of money involved in the suspicious activity, it makes sense to note whether the money is in U.S. or foreign denomination. Second, the instructions below the block with letters "a" through "r" to the end of the page seems rather disjointed and may be somewhat confusing. Therefore, we recommend moving the blocks with those instructions up to the block titled Explanation/description of suspicious activity(ies). In order to make the words "Supporting documentation should not be filed with this report. Maintain the information for your files." stand out as prominently as possible, we recommend placing that verbiage as the only instructions in the block right above the narrative block.
The draft SAR would modify existing data item 1, the check box for correcting a prior SAR. Instead, on the new SAR form there would be 2 check boxes one box for amending or correcting a prior report (data item 1) and one box for updating a prior report (data item 1a). It would be beneficial to provide more guidance as to what each box is intended to encompass. Therefore, we encourage the regulators to explain in greater detail in the Instructions section the type of new information that would be deemed an amended/corrected report and what new information would represent an updated report. Further, we suggest including instructions underneath boxes 1 and 1a stating "If box 1 or 1a is checked, complete sections I-IV and note any changes in Part V." Accompanying that addition, letter r in the Narrative section could be changed to: "If correcting or amending a prior report, it is not necessary to repeat the previous narrative. Note only the changes here in Part V."
CUNA also has two specific recommendations for the General Instructions section. While the draft SAR still contains the check box titled "Computer Intrusion" in the Summary of Characterization of Suspicious Activity section (Part II Suspicious Activity Information), the definition of what that term encompasses for purposes of the SAR reporting requirement has been eliminated. While a very detailed explanation may not be necessary, we believe that it would be valuable to define "computer intrusion" as a computer-related security event involving unauthorized individual(s) gaining access to ("hacking into") the institutions computer system (mainframe). The definition should clarify that the breach of a members/customers personal computer does not constitute a "computer intrusion" for purposes of SAR reporting. Further, a breach of the institutions website or spoofing would not be covered under the definition, nor would phishing or spamming.
Thank you for the opportunity to share our comments. If you have any further questions, please contact me at email@example.com or at (202) 508-6743.
Senior Regulatory Counsel