Q: The FinCEN SAR does not include the suspicious activity characterization of “computer intrusion” that was provided in the legacy SAR-DI. Is that definition still valid? How does it differ from “account takeover” and how should I apply previous FinCEN guidance on this topic within the FinCEN SAR?
A: For purposes of the FinCEN SAR, the term “computer intrusion” has been replaced by the term “unauthorized electronic intrusion”; but that new term continues to be defined as gaining access to a computer system of a financial institution to:
a. Remove, steal, procure, or otherwise affect funds of the institution or the institution’s customers.
b. Remove, steal, procure or otherwise affect critical information of the institution including customer account information.
c. Damage, disable or otherwise affect critical systems of the institution.
For purposes of this reporting requirement, unauthorized electronic intrusion does not mean attempted intrusions of websites or other non-critical information systems of the institution that provide no access to institution or customer financial or other critical information. Please note: the term “unauthorized electronic intrusion” does not include incidents that temporarily interrupt or suspend online services, which are commonly referred to as “Distributed Denial of Service (DDoS)” attacks. FinCEN intends to issue further guidance on the reporting of DDoS attacks.
When completing the FinCEN SAR on activity that previously would have been identified as “computer intrusion,” financial institutions now should check 35q “Unauthorized electronic intrusion.” Since more than one type of suspicious activity may apply, the financial institutions should check all boxes that apply when completing Items 29 through 38. In addition, financial institutions should provide a detailed description of the activity in the narrative section of the SAR.
“Account takeover” activity differs from other forms of computer intrusion, as the customer, rather than the financial institution maintaining the account, is the primary target. In an account takeover, at least one of the targets is a customer holding an account at the financial institution and the ultimate goal is to remove, steal, procure or otherwise affect funds of the targeted customer.
The following explains how to apply the guidance provided in FinCEN advisory FIN-2011-A016 when using the FinCEN SAR:
- Financial institutions should select box 35a (Account takeover) to report that type of suspicious activity. If the account takeover involved computer intrusion/unauthorized electronic intrusion, institutions also should check box 35q (Unauthorized electronic intrusion).
- If the account takeover involved other delivery channels such as telephone banking or fraudulent activities such as social engineering, financial institutions can check box 35a (Account takeover) and other appropriate suspicious activity characterizations; for example, the involvement of mass marketing fraud could be identified by checking box 31h.
- If the account takeover involved a wire transfer, then in addition to selecting box 35a (Account takeover), box 31j for "Wire fraud" should be checked.
- If the account takeover involved an ACH transfer, financial institutions should select box 35a (Account takeover) and box 31a for “ACH fraud.”
- Account takeovers often involve unauthorized access to PINs, account numbers, and other identifying information. Financial institutions may need to check box 35g for "Identity theft," in addition to selecting box 35a (Account takeover).
- In addition to the above guidance, financial institutions should select any other characterization boxes appropriate to the identified suspicious activities (e.g., box 30a or 30z for "Terrorist financing"). If there is other related activity for which there is not a clear characterization selection, check box 31z (Other) if the activity is related to fraud or box 35z (Other) if it is related to other suspicious activity. Include a short description of the additional information in the space provided with those selections.
FAQs associated with Part III of the FinCEN SAR
This FAQ was obtained from FinCEN’s website, FinCEN SAR FAQs section, which may be found here: