Six Things to Know About FinCEN’s Proposed SAR Sharing Pilot Program

March.14.2022

The Financial Crimes Enforcement Network (“FinCEN”) published a notice of proposed rulemaking (the “Proposed Rule”) in late January seeking public comment on a proposed pilot program that would expand financial institutions’ authority to share Suspicious Activity Reports (“SARs”), and information that would reveal the existence of SARs (“SAR information”), with certain limited non-US affiliates.[1] The pilot program is required by the Anti-Money Laundering Act of 2020 (the “AML Act”) that was enacted last year, on January 1, 2021.[2]

While broader authority to share SARs and SAR information with their non-U.S. affiliates may be welcome news for some financial institutions, the pilot program would impose requirements that many financial institutions may find burdensome. Financial institutions have an opportunity to comment on the Proposed Rule until March 28, 2022.[3]

Here are six things to know now about the proposed program to prepare for its implementation:

  1. What’s new?
  2. What compliance obligations would the program impose on participants?
  3. How would financial institutions participate?
  4. How long would the pilot program last?
  5. What limitations would there be?
  6. Should my financial institution participate in the pilot program?

1. What’s new? 

Prior FinCEN guidance permits financial institutions to share SARs and SAR information with certain “affiliates,” as variously defined in prior guidance, but not their non-U.S. branches and affiliates.[4] Under the pilot program, certain “eligible financial institutions”[5] that are approved by FinCEN would be permitted to share SARs and SAR information with those non-US entities,[6] subject to certain monitoring, requirements, and limitations described below.[7] 

2. What compliance obligations would the program impose on participants? 

In order to participate, financial institutions would be required to meet a number of new requirements and undergo review by FinCEN to determine their suitability.[8] Participants could seek modifications to these requirements, which would require approval by FinCEN.[9]

Proposed participants would be required to develop and share with FinCEN their new policies and internal controls.[10] Subject to expansion by FinCEN, the policies and internal controls would include:

  • Policies, procedures, and internal controls to ensure foreign affiliates do not permit unauthorized disclosures of SARs and SAR information, including confidentiality agreements or other arrangements that require affiliates to safeguard the information; and a method to securely transmit the SARs and SAR information to their affiliates;[11]
  • Policies, procedures, and internal controls to ensure that suspicious activity reported to a participant by its foreign affiliates is treated with the same confidentiality requirements as SARs and SAR information;[12]

In addition to new policies and internal controls, there would be other new obligations for participants, including to:

  • Develop a mechanism to inform FinCEN in the event of any unauthorized disclosure to or requests by foreign parties for SARs or SAR information;[13]
  • Identify a point of contact for any pilot program-related correspondence;[14]
  • Complete in-depth quarterly reporting to FinCEN regarding details of the participant’s use of the pilot program—including about legal and compliance issues and inefficiencies—which FinCEN has the option to report to other regulators;[15]
  • Keep records of the foreign jurisdictions in which participants have shared any specific SAR or SAR information in a manner that can be shared with FinCEN on request;[16]
  • Maintain personnel within the United States to review requests or demands from the participant’s foreign affiliates for SAR and SAR information;[17] and
  • Immediately (1) notify FinCEN if foreign law enforcement, foreign regulators, or any other outside foreign party requests or demands SARs or SAR information; and (2) direct the party to contact FinCEN about the request and to use appropriate methods for obtaining U.S. records, including through a request pursuant to a mutual legal assistance treaty.[18]

3. How would financial institutions participate?  

To participate in the pilot program, a financial institution would be required to submit an application to FinCEN that describes the applicant’s compliance with the requirements summarized above.[19] FinCEN indicates that it would also share the application information with other regulators.[20]

In reviewing the application, FinCEN would determine suitability based on its “assessment of the financial institution’s internal controls, as well as the entities with which it intends to share information and corresponding jurisdictions in which the entities are located.”[21] FinCEN would “seek to provide responses within 90 days.”[22] Once approved, participants would provide FinCEN with a commencement date for their programs.[23] FinCEN would be authorized to terminate the financial institution’s participation in the program at any time, at its sole discretion.[24]

4. How long would the pilot program last? 

The program would terminate on January 1, 2024, unless the Treasury Secretary (the “Secretary”) extends it for a maximum of two years after submitting a request to Congress.[25]

5. What limitations would there be? 

  • Prohibited Jurisdictions: Participants would not be permitted to share SARs or SAR information with affiliates in prohibited jurisdictions. Those include: (1) China; (2) Russia;[26] (3) any state sponsor of terrorism; (4) any jurisdiction that is subject to U.S. sanctions; (5) any jurisdiction identified by FinCEN as a primary money laundering concern;[27] and (6) jurisdictions the Secretary determines cannot reasonably protect the security and confidentiality of the relevant information.[28]
  • Prohibition on “Offshoring Compliance:” “Participant financial institutions are prohibited from establishing or maintaining any operation located outside of the United States the primary purpose of which is to ensure compliance with the Bank Secrecy Act as a result of the information sharing granted by this pilot program.”[29]
  • Possible Law Enforcement Limitations: FinCEN reserves the ability to limit sharing based on federal and state law enforcement operations and the needs of the intelligence community.[30]
  • Non-FinCEN SARs Not Covered: SARs filed under the regulations of the Federal banking agencies, such as SARs filed on insider abuse, would be excluded from the pilot program.[31]

6. Should my financial institution participate in the pilot program?  

As with any new initiative, the proposal for this pilot program comes with potential benefits and shortcomings. The ability to share SARs and SAR information could be an attractive compliance tool for financial institutions, but some may find that the burdens outweigh any potential advantages to their BSA compliance programs.

Many financial institutions operate in regions of the world with increased risk. The ability to have more flexibility when sharing SARs and SAR information could help those financial institutions better mitigate that risk. AML compliance programs could be more effective at detecting and preventing money laundering through access to an increased pool of shared information regarding suspicious activity. To the extent that the pilot program would provide that benefit, it could bolster many AML compliance programs.

There could be ancillary benefits as well.  Regulators may view favorably a financial institution’s demonstrated desire to mitigate overseas money laundering risk. Regulators could consider a financial institution’s participation when they are evaluating the sufficiency of a financial institution’s risk-based AML compliance measures or the institution’s commitment to detecting and preventing money laundering. Additionally, FinCEN states that it intends to use the participant reporting requirements in its reports to Congress and any proposal to extend the program.[32] Financial institutions who want the program to become permanent may have an opportunity to exert their influence not only through this comment process, but also through implementation of the program and reports to FinCEN.

In spite of these possible benefits, though, new regulatory obligations could prove onerous, particularly in light of the size, compliance resources, and AML risk of a participant. The burden could be compounded by the uncertainty created through FinCEN’s option to impose additional control requirements after a participant signs up for the program. 

Apart from the time commitment, these obligations, including information sharing and disclosure requirements, could also create risk of increased regulatory scrutiny. For example, the program requires a mechanism to self-report unauthorized disclosure.[33] Unauthorized disclosure of SARs is illegal,[34] and the Proposed Rule includes additional civil and criminal penalties for the foreign affiliate in the event of such a disclosure.[35] Additionally, the quarterly reporting requirements include obligations for participants to disclose “legal and compliance issues” and “lessons learned” identified during their participation. In other words, if participants have difficulty successfully implementing the pilot program, they are required to notify regulators, which may subject them to criticism. And while all regulated financial institutions are subject to and should expect periodic examiner scrutiny, participation in this pilot program invites certainty that FinCEN and other regulators will examine the sufficiency of at least some of financial institutions’ AML policies and internal controls.

When balancing whether their effort is worth these burdens and risks, participants could consider that the program may not be in effect for very long. Given that the rulemaking process is only beginning now, and FinCEN may ultimately have three months to approve applications, the program is likely to be in existence for significantly less than two years (barring an extension). After the pilot program ends, the AML Act is silent on whether Congress and FinCEN will consider its permanent implementation or what might come next.

Given the program’s potentially short duration, uncertainty about its future, regulatory burdens, and increased examiner scrutiny, eligible financial institutions will have to consider carefully the potential benefits and whether participation in the program is an efficient use of their limited resources.



[1] 87 Fed. Reg. 3719 (proposed Jan. 25, 2022) (to be codified at 31 C.F.R. pt. 1010); see also FinCEN Issues Proposed Rule for Suspicious Activity Report Sharing Pilot Program to Combat Illicit Finance Risks, FinCEN (Jan. 24, 2022), https://www.fincen.gov/news/news-releases/fincen-issues-proposed-rule-suspicious-activity-report-sharing-pilot-program.

[2] 31 U.S.C. § 5318(g)(8); see The William (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. No. 116-283, 134 Stat. 3388, 4547-4633 (codified in sections of 31 U.S.C. § 5311 et seq.), https://www.congress.gov/116/plaws/publ283/PLAW-116publ283.pdf.

[3] 87 Fed. Reg. at 3719.

[4] Unauthorized sharing of SAR information is generally a crime. 31 U.S.C. § 5318(g)(2); 31 CFR § 1020.320(e); 31 U.S.C. § 5322; 1 U.S.C. § 1 (defining “Person”).  Prior guidance from FinCEN, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (collectively, the “Federal Banking Agencies”) allows U.S. banks, U.S. branches of foreign banks, securities broker-dealers, futures commission merchants, introducing brokers in commodities, U.S. mutual funds, and casinos to share SARs and SAR information with certain U.S. affiliates subject to SAR regulations, and limited categories of foreign parents, head offices, and controlling companies (“affiliated companies”).

On January 20, 2006, FinCEN and the Federal Banking Agencies stated that “(1) a U.S. branch or agency of a foreign bank may disclose a Suspicious Activity Report to its head office outside the United States; and (2) a U.S. bank or savings association (“depository institution”) may disclose a Suspicious Activity Report to controlling companies.” U.S. Dep’t Treasury, Fin. Crimes Enf’t Network et al., Interagency Guidance on Sharing Suspicious Activity Reports with Head Offices and Controlling Companies (2006), https://www.fincen.gov/resources/statutes-regulations/guidance/interagency-guidance-sharing-suspicious-activity-reports. The guidance defined a controlling company as “a) a bank holding company, as defined in Section 2 of the Bank Holding Company Act; b) a savings and loan holding company, as defined in Section 10(a) of the Home Owners’ Loan Act [including] … a company having the power directly or indirectly, to direct the management or policies of an industrial loan company or a parent company or to vote 25% or more of any class of voting shares of an industrial loan company or a parent company.” Id.

FinCEN simultaneously released guidance for securities broker-dealers, futures commission merchants, and introducing brokers in commodities providing that they “may share Suspicious Activity Reports with parent entities, both domestic and foreign.” U.S. Dep’t Treasury, Fin. Crimes Enf’t Network, Guidance on Sharing of Suspicious Activity Reports by Securities Broker-Dealers, Futures Commission Merchants, and Introducing Brokers in Commodities (2006), https://www.fincen.gov/resources/statutes-regulations/guidance/guidance-sharing-suspicious-activity-reports-securities.

On October 4, 2006, FinCEN provided additional guidance for mutual funds, stating that “a U.S. mutual fund may share a Suspicious Activity Report with the investment adviser that controls the fund, whether domestic or foreign, [to implement enterprise-wide risk management and compliance functions, and exercise oversight]. In the event that the corporate structure of an investment adviser includes multiple parent companies, the filing institution’s Suspicious Activity Report may be shared with each entity in the chain of control.” U.S. Dep’t Treasury, Fin. Crimes Enf’t Network, FIN-2006-G013, Frequently Asked Questions Suspicious Activity Reporting Requirements for Mutual Funds, (2006), https://www.fincen.gov/resources/statutes-regulations/guidance/frequently-asked-questions-suspicious-activity-reporting.

On November 23, 2010, FinCEN issued additional guidance that reaffirmed the 2006 depository institution guidance and provided that depository institutions may share SARs and SAR information with certain affiliates that are subject to SAR regulation. U.S. Dep’t Treasury, Fin. Crimes Enf’t Network, FIN-2010-G006, Sharing Suspicious Activity Reports by Depository Institutions with Certain U.S. Affiliates (2010), https://www.fincen.gov/sites/default/files/shared/fin-2010-g006.pdf. FinCEN defined an affiliate of a depository institution to mean “any company under common control with, or controlled by, that depository institution.”  Id.

In the same guidance, FinCEN stated that foreign branches of U.S. banks are affiliates that are not subject to SAR regulation. Id.Accordingly, a U.S. bank that has filed a SAR may not share the SAR, or any information that would reveal the existence of the SAR, with its foreign branches.” Id. (emphasis added).

Also on November 23, 2010, FinCEN released guidance providing that securities broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities can share SARs and SAR information with certain “affiliates,” as defined in the guidance. U.S. Dep’t Treasury, Fin. Crimes Enf’t Network, FIN-2010-G005, Sharing Suspicious Activity Reports by Securities Broker-Dealers, Mutual Funds, Futures Commission Merchants, and Introducing Brokers in Commodities with Certain U.S. Affiliates (2010), https://www.fincen.gov/resources/statutes-regulations/guidance/sharing-suspicious-activity-reports-securities-broker. Id.

On January 4, 2017, FinCEN released additional guidance that stated a casino could share SARs and SAR information “with each office or other place of business located within the United States of either the casino itself or a parent or affiliate of the casino.” U.S. Dep’t Treasury, Fin. Crimes Enf’t Network, FIN-2017-G001, Sharing Suspicious Activity Reports with U.S. Parents and Affiliates of Casinos (2017), (citations omitted), https://www.fincen.gov/sites/default/files/2017-01/FinCEN%20Guidance%20Jan%204_508%20FINAL.pdf.

[5] The NPRM states that “[t]he term ‘eligible financial institution’ means a financial institution as described in 31 U.S.C. 5312(a)(2) that is obligated to report suspicious activity under 31 U.S.C. 5318(g), including without limitation: (i) Banks, as defined at 31 CFR 1010.100(d); (ii) Casinos and card clubs, as defined at 31 CFR 1010.100(t)(5) and (6), respectively; (iii) Money services businesses, as defined at 31 CFR 1010.100(ff); (iv) Brokers or dealers in securities, as defined at 31 CFR 1010.100(h); (v) Mutual funds, as defined at 31 CFR 1010.100(gg); (vi) Insurance companies, as defined at 31 CFR 1025.100(g); (vii) Futures commission merchants and introducing brokers in commodities, as defined at 31 CFR 1010.100(x) and (bb), respectively; (viii) Loan or finance companies, as defined at 31 CFR 1010.100(lll); and (ix) Housing government sponsored enterprises, as defined at 31 CFR 1010.100(mmm).” 87 Fed. Reg. at 3727.

[6]In the Proposed Rule, FinCEN notes that “U.S. affiliates of depository institutions that are subject to SAR filing obligations include brokers or dealers in securities, futures commission merchants and introducing brokers in commodities, money services businesses, and residential mortgage lenders or originators.” 87 Fed. Reg. at 3720 (citing 31 CFR 1023.320 (brokers or dealers in securities); 1026.320 (futures commission merchants and introducing brokers in commodities); 1022.320 (money services businesses); and 1029.320 (loan or finance companies).

[7] 87 Fed. Reg. at 3727-29.

[8] 87 Fed. Reg. at 3721-23.

[9] 87 Fed. Reg. at 3722.

[10] 87 Fed. Reg. at 3727.

[11] Id.

[12] 87 Fed. Reg. at 3728-29.

[13] 87 Fed. Reg. at 3728.

[14] 87 Fed. Reg. at 3727.

[15] Participant financial institutions would be required to report on a quarterly basis to FinCEN: (1) the total number of SARs and related information shared; (2) the name and jurisdiction of each entity that received SARs and related information, the relationship between the entity and the participant financial institution, and the intended purposes and uses for which the SARs and related information were shared; (3) legal and compliance issues encountered; (4) technical difficulties and challenges; (5) enhancements to the financial institution’s anti-money laundering (“AML”)/countering the financing of terrorism (“CFT”) program enabled as a result of participating in the pilot program; and, (6) lessons learned, to include any identified inefficiencies in the institution’s AML/CFT program. 87 Fed. Reg. at 3723.

[16] 87 Fed. Reg. at 3722.

[17] 87 Fed. Reg. at 3728.

[18] Id.

[19] The application must (1) identify the institution's point of contact for pilot program-related correspondence; (2) specify the foreign branches, subsidiaries and affiliates with which the financial institution intends to share SARs and SAR information; (3) describe the purposes for which foreign affiliates will use SARs and SAR information, including the “operational jurisdiction” of such affiliates and whether they will reciprocate to the applying financial institution; (4) provide an estimated commencement date; and (5) describe the internal controls in place to prevent unauthorized disclosures of SARs and related information and ensure data security and confidentiality of personally identifiable information. 87 Fed. Reg. at 3722.

[20] 87 Fed. Reg. at 3727.

[21] 87 Fed. Reg. at 3722.

[22] 87 Fed. Reg. at 3723.

[23] 87 Fed. Reg. at 3728.

[24] Id.

[25] To extend the program, the Secretary must submit a report to the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services that includes: (1) A certification and a detailed explanation of why the extension is in the interest of the U.S.; (2) an evaluation of the usefulness of the pilot program, including a detailed analysis of any illicit activity identified or prevented; and (3) a detailed legislative proposal providing for a long-term extension of activities under the program, including measures to ensure data security and confidentiality of personally identifiable information. 87 Fed. Reg. at 3721.

[26] The Secretary may make exceptions, on a case-by-case basis, for sharing with foreign affiliates based in China and Russia. 87 Fed. Reg. at 3721.

[27] See § 311 of the USA PATRIOT Act (Pub. L. 107–56); § 9714 of the Combating Russian Money Laundering Act (Pub. L. 116–283); see also Special Measures for Jurisdictions, Financial Institutions, or International Transactions of Primary Money Laundering Concern, FinCEN 311 Special Measures, https://www.fincen.gov/resources/statutes-and-regulations/311-special-measures (last viewed Mar. 11, 2022).

[28] 87 Fed. Reg. at 3728.

[29] 87 Fed. Reg. at 3729 (incorporating verbatim 31 U.S.C. 5318(g)(10) of the AML Act).

[30] 87 Fed. Reg. at 3728.

[31] 87 Fed. Reg. at 3723.

[32] 87 Fed. Reg. at 3721.

[33] 87 Fed. Reg. at 3728.

[34] 1 U.S.C. § 5318(g)(2); 31 CFR § 1020.320(e); 31 U.S.C. § 5322.

[35] 87 Fed. Reg. at 3729.