FinCEN Proposes Permitting Broader Sharing of SAR Reporting

FinCEN issued a Notice of Proposed Rulemaking ("NPRM") for a limited-duration pilot program to allow U.S. financial institutions to share suspicious activity reports ("SARs") with non-U.S. branches, subsidiaries and affiliates.

U.S. financial institutions seeking to participate in the pilot must first submit a written application to FinCEN specifying, among other things, (i) the jurisdiction of the non-U.S. entities with which it plans to share SARs, (ii) how the shared SAR information will be used, and (iii) the internal controls in place to prevent unauthorized disclosures of shared SAR information.

Commentary by Christian Larson

Under current FinCEN guidance, U.S. financial institutions may share SAR information outside the U.S. only in limited circumstances with a head office or controlling entity. The newly proposed pilot program implements Section 6212 of the Anti-Money Laundering Act of 2020, which requires Treasury to test drive broader SAR sharing between U.S. financial institutions and their non-U.S. branches, subsidiaries, and affiliates.

Certainly some financial institutions will view the pilot program as an opportunity to build rapport with a key regulator. But any participation also entails risk, particularly due to thorny issues of foreign law. For example, once a U.S. financial institution has shared SAR information with a foreign branch, subsidiary, or affiliate, a foreign regulator may request, or even have a right under foreign law, to view the information. A U.S. financial institution may have little ability to protect SAR confidentiality in such a situation, and the NPRM provides no safe harbor.

SEC Chair Gensler Highlights Agency Consideration of New Cybersecurity Requirements

SEC Chair Gary Gensler honed in on three policy areas concerning the SEC's role in protecting the financial sector from cyber risks: (i) cyber hygiene and preparedness, (ii) reporting of certain cyber incidents to the government, and (iii) disclosure of certain cyber incidents to the public.

In his address, Mr. Gensler analyzed SEC cybersecurity policy development in the context of four affected groups: (i) SEC registrants; (ii) public companies; (iii) service providers that work with SEC registrants; and (iv) the SEC itself.

For registrants, Mr. Gensler called for broadening and strengthening Regulation Systems Compliance and Integrity ("Reg SCI"), the core goal of which has been to limit the frequency of systems issues. Mr. Gensler recommended cyber hygiene reforms concerning compliance, and bookkeeping rules affecting funds, advisors and broker-dealers, and to expand and modernize Regulation S-P to improve incident reporting and strengthen data privacy protections.

For public companies, Mr. Gensler recommended reforms to cybersecurity practices and risk disclosures, including practices with respect to governance, strategy and risk management. Mr. Gensler called for the standardization of cyber incident disclosures to promote consistency, and emphasized that public companies already have the responsibility to disclose cyber incidents when such events are material to investors.

For service providers that work with SEC registrants, Mr. Gensler noted the variety of providers that have access to registrant data, though they may not themselves be registered with the SEC. He reported that the SEC was considering requirements to identify service providers that might pose cybersecurity risks and holding registrants accountable for the cybersecurity measures of their service providers.

For the SEC itself, Mr. Gensler stated that the agency was taking measures to secure its own information and data technology, while improving data collection processes to collect only the data needed to fulfill the Commission's mission.

FDIC Simplifies Deposit Insurance Rules for Trust and Mortgage Servicing Accounts

The FDIC adopted a final rule amending the deposit insurance regulations for trust accounts and mortgage servicing accounts.

The final rule is intended to: (i) make the deposit insurance rules easier to understand; (ii) facilitate timely insurance determinations for trust accounts in the event of a bank failure; and (iii) enhance the consistency of insurance coverage for mortgage servicing account deposits.

Highlights of the final rule include:

• the merging of revocable and irrevocable trust deposit insurance categories into a new "trust accounts" category;

• the establishment of a simple formula for calculating deposit insurance coverage for all trust accounts; and

• the insuring of up to $250,000 per beneficiary (not to exceed five beneficiaries) as to a trust account and, in the case of mortgage servicing accounts, $250,000 per mortgagor.

The final rule will take effect on April 1, 2024 and applies to all FDIC-insured financial institutions.

FFIEC Members Commit to "Principles on Examination Information Requests"

The Federal Financial Institutions Examination Council ("FFIEC") issued a statement of principles on examination information requests.

In the statement, member agencies committed to the joint principles and to a "common authentication mechanism for external access to the FFIEC members’ respective supervision systems." The highlighted best practices follow from feedback on FFIEC's Examination Modernization Project, an initiative that "considered practices for safety and soundness examinations for community financial institutions, as well as for consumer compliance examinations for all supervised financial institutions." The best practices for requesting examination information from financial institutions include:

• risk-focused information requests that are relevant to the examination;

• providing sufficient time to supervised institutions to produce new or additional requested information;

• coordinating information requests between examiners and the examination team to avoid duplicative and/or redundant requests;

• making information requests through the supervised institution's designated regulatory examination point of contact (if applicable) to avoid placing a burden on other institutional staff; and

• clearly articulating information requests in writing.

OFAC Again Extends Authorization of Specified Transactions Involving Sanctioned Venezuelan Entity

OFAC authorized all transactions on or after January 20, 2023, related to the Petróleos de Venezuela, S.A. 2020 8.5 Percent Bond that otherwise would be prohibited by Section 1(a)(iii) of Executive Order ("EO") 13835 ("Prohibiting Certain Additional Transactions With Respect to Venezuela"), as amended by EO 13857.

OFAC specified that General License ("GL") No. 5I does not authorize any transactions otherwise prohibited by the Venezuela Sanctions Regulations. GL 5I supersedes GL 5H (see previous coverage here), and, as described in updated FAQ 595, thereby delays the date of effectiveness until January 20, 2023.

Primary Sources

1. FinCEN Press Release: FinCEN Issues Proposed Rule for Suspicious Activity Report Sharing Pilot Program to Combat Illicit Finance Risks

2. FinCEN NPRM: Pilot Program on Sharing of Suspicious Activity Reports and Related Information with Foreign Branches, Subsidiaries, and Affiliates

3. Speech by SEC Chair Gary Gensler: Cybersecurity and Securities Laws

4. FDIC Final Rule: Simplification of Deposit Insurance Rules

5. FDIC Fact Sheet: Final Rule on Simplification of Deposit Insurance Rules for Trust and Mortgage Servicing Accounts

6. FDIC Press Release: Final Rulemaking on Simplification of Deposit Insurance Rules for Trust and Mortgage Servicing Accounts

7. Federal Financial Institutions Examination Council Issues Statement of Principles on Examination Information Requests

8. FFIEC Statement of Principles on Examination Information Requests

9. OFAC (Venezuela) General License No. 5I: Authorizing Certain Transactions Related to the Petróleos de Venezuela, S.A. 2020 8.5 Percent Bond on or After January 20, 2023

10. OFAC Sanctions Regulations FAQs