
BSA/AML and the IT Department

The banking world is a dynamic and complex place. When I first began performing IT audits a dozen years ago, the IT world was a bit of a silo, relegated to the back room. The past few years, however, have seen the profile of IT rise to the Board room level through the increased electronic banking delivery methods and the pervasiveness of high profile cybersecurity breaches.

It’s through that lens of pervasiveness of the IT function that I want to ensure the bankers of our group are aware of three documents from FinCEN (Financial Crimes Enforcement Network). FinCEN is the bureau of the U.S. Treasury that fights financial crime. A financial institution is required to report certain types of suspicious-looking transaction activity through a Suspicious Activity Report (SAR), and when necessary, FinCEN investigates those potential crimes.


Because financial crimes have become so reliant on electronic means to misappropriate assets, in late 2016 FinCEN released three documents that speak to reporting cybersecurity information in SARs. They are:

  • FIN-2016-A003 Advisory to Financial Institutions on E-Mail Compromise Fraud Schemes
  • FIN-2016-A005 Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime
  • Frequently Asked Questions (FAQ) regarding reporting of Cyber-Events


The implication of these three documents is that when the BSA/AML groups file a SAR, it must include applicable cyber-related information. The FAQ referenced above suggests including the following types of cyber-related information when filing a SAR:

  • Source and destination information: IP addresses, port information, URL, attack vectors, and command and control servers
  • File information: suspected malware filenames, hash information, email content
  • Subject User Names: email addresses, social media accounts
  • System Modifications: registry modifications, indicators of compromise, Common Vulnerabilities and Exposures (CVEs)
  • Involved account information: affected accounts, virtual currency accounts (Bitcoin)


Based on my experience, the BSA/AML areas have neither the expertise nor the access to the systems and data required to accumulate this type of technical cybersecurity information for a SAR. Because of the expectations outlined in the FinCEN advisories above, we expect the BSA/AML departments will need to become more acquainted with the folks in IT.

For example, say a computer in the bank used to originate wires is infected with malware that installs a key logger. Once detected, a SAR may need to be filed. The SAR may include: the origin of the malware (i.e. a malicious website or phishing email), the URL or source email address of origin, the source and destination IP addresses and corresponding ports where the malware was communicating, the filename and hash of the malware, and any customer accounts that could have been compromised. Most of this information will require the assistance of the IT staff to gather and report. And in this example, the BSA/AML folks may not even know the event occurred unless IT staff are aware of the requirement to communicate the incident to BSA/AML personnel.
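To make the handoff concrete, here is an added example (not code from FinCEN, YHB or the author) of how IT might assemble the indicators from the FAQ list above for the key-logger scenario just described. It takes the records IT actually holds (a firewall log for the wire workstation, the phishing e-mail, the dropped file, an EDR finding) and groups them under the FAQ's categories; BSA/AML supplies only the affected account numbers. Every log line, address, file, hostname and account number is constructed for illustration, and the assumption that the bank's internal address space is 10.0.0.0/8 is mine, used to separate ordinary internal traffic from candidate command-and-control servers.

```python
"""Assemble the cyber-related indicators FinCEN asks for in a SAR from the
records IT holds. Added example; not code from FinCEN, YHB or the author.
All log lines, file bytes, addresses and account numbers are constructed."""
import hashlib
import ipaddress
import re
from collections import defaultdict

# Assumption: the bank's internal address space is 10.0.0.0/8. Any host the
# infected workstation talked to outside it is a candidate C2 server.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log for the wire workstation (10.20.5.41). The last
# line is ordinary SMB to an internal file server and must not be reported.
FIREWALL_LOG = """\
2016-11-14T09:12:03Z src=10.20.5.41 spt=51822 dst=203.0.113.77 dpt=443 action=allow
2016-11-14T09:12:04Z src=10.20.5.41 spt=51823 dst=203.0.113.77 dpt=443 action=allow
2016-11-14T09:14:10Z src=10.20.5.41 spt=51840 dst=198.51.100.23 dpt=8080 action=allow
2016-11-14T09:20:45Z src=10.20.5.41 spt=51901 dst=10.20.1.5 dpt=445 action=allow
"""

# Constructed phishing message that delivered the key logger.
PHISHING_EMAIL = """\
From: Accounts Payable <billing@example.net>
To: wires@bank.example
Subject: Overdue invoice 4471

Please review the attached invoice: http://203.0.113.77/invoice_viewer.exe
"""

# Constructed stand-in for the dropped binary; not real malware.
SAMPLE_FILE = ("invoice_viewer.exe", b"MZ constructed sample, not a real executable")

# Constructed EDR finding: a Run key added for persistence.
EDR_FINDINGS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\invoice_viewer = "
    r"C:\Users\teller\AppData\Local\invoice_viewer.exe",
]

FW_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) spt=\d+ dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_destinations(log_text, host_ip):
    """Outbound connections from host_ip to external IP:port pairs,
    with counts and first/last seen, ready for the SAR narrative."""
    seen = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        m = FW_LINE.match(line)
        if not m or m["src"] != host_ip or is_internal(m["dst"]):
            continue
        entry = seen[(m["dst"], int(m["dpt"]))]
        entry["count"] += 1
        entry["first_seen"] = entry["first_seen"] or m["ts"]
        entry["last_seen"] = m["ts"]
    return [{"ip": ip, "port": port, **v} for (ip, port), v in sorted(seen.items())]


def file_information(filename, data):
    """Hashes let FinCEN and other filers match the sample without the bytes."""
    return {
        "filename": filename,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def phishing_origin(raw_email):
    """Sender address and any URLs in the body of the delivering e-mail."""
    headers, _, body = raw_email.partition("\n\n")
    m = re.search(r"^From:.*?([\w.+-]+@[\w.-]+)", headers, re.M | re.I)
    return {"sender": m.group(1) if m else None,
            "urls": sorted(set(URL_RE.findall(body)))}


def build_cyber_section(host_ip, affected_accounts):
    """Group IT's findings under the categories in the FinCEN FAQ.
    affected_accounts comes from BSA/AML, not from IT."""
    origin = phishing_origin(PHISHING_EMAIL)
    return {
        "source_and_destination": {
            "attack_vector": "phishing e-mail with link to executable",
            "urls": origin["urls"],
            "command_and_control": external_destinations(FIREWALL_LOG, host_ip),
        },
        "file_information": file_information(*SAMPLE_FILE),
        "subject_user_names": {"email_addresses": [origin["sender"]]},
        "system_modifications": {"registry": EDR_FINDINGS},
        "involved_accounts": {"affected_accounts": sorted(affected_accounts)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_cyber_section("10.20.5.41", ["1234567890"]), indent=2))
```

Two points in the design are the ones a filer should watch. Internal traffic is filtered out explicitly against the bank's own ranges rather than with a generic "private address" test, because the workstation will talk to file servers and domain controllers all day and none of that belongs in a SAR. And the file goes into the narrative as a filename plus MD5 and SHA-256 hashes, never as the bytes themselves; the hashes are what let FinCEN and other institutions correlate the same sample across filings.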


So, the takeaway this week is that we have an additional reporting line for cybersecurity events, and the BSA/AML and IT teams should begin to build rapport to allow open communication so as to effectively gather and report cyber information in SAR filings. Spend some time reading the FinCEN advisories, FAQ, and invite the BSA/AML folks to the next IT Steering Committee meeting.

Bryan Newlin

Bryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.
