In the world of acronyms, nothing is more frustrating than the use of the same acronym for two completely different action items – especially when both requirements apply to the same industry. The acronym world implodes when one of your employee’s tells her manager the company received a SAR and the manager responds without further information, “We don’t receive a SAR, we file a SAR.”
Not necessarily! For those in the finance arena, the appropriate response should be, “Are you talking about a subject access request or a suspicious activity report?”
GDPR’s Subject Access Request
As a result of the European Union (EU) General Data Protection Regulation’s (GDPR’s) extraterritorial reach, a U.S. business that controls or processes personal data of EU residents may be subject to the GDPR. The GDPR came into effect on May 25, 2018 and is an EU regulation that requires businesses to protect EU residents’ privacy and personal data. It also grants several rights to individuals with respect to their personal data:
Access
Update
Opt out
Erasure
Portability
If your U.S. organization is subject to GDPR, a protected individual may contact you to find out whether you hold any personal data concerning her. This Subject Access Request (SAR) is the means by which the individual exercises her right to know details about the information and your use of the information such as the purpose for which you are processing the data, where and how long you will store the data, who you have disclosed the data to, etc.
Appropriate GDPR SAR training for your staff should include:
How to identify a subject access request.
Awareness of the strict deadlines associated with the request.
Whether it is permissible to charge a fee to deal with the request.
How to identify and collect the relevant information.
What information may be legally withheld.
An appropriate written response to the individual.
BSA’s Suspicious Activity Reporting
The U.S. Bank Secrecy Act (BSA) established recordkeeping and reporting requirements for national banks, federal savings associations, federal branches and agencies of foreign banks. The BSA was amended to incorporate the provisions of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the “USA PATRIOT Act”).
BSA requires financial institutions to file a Suspicious Activity Report (SAR) with the U.S. Financial Crimes Enforcement Network (FinCEN) for transactions involving US$5,000.00 or more in funds and assets if the institution knows, suspects, or has reason to suspect that:
The transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities (including, without limitation, the ownership, nature, source, location, or control of such funds or assets) as part of a plan to violate or evade any federal law or regulation or to avoid any transaction reporting requirement under federal law or regulation;
The transaction is designed to evade the BSA or its implementing regulations.; OR
The transaction has no business or apparent lawful purpose or is not the type of transaction that the particular customer would normally be expected to engage in, and the company knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.
How to identify the client associated with the account/investment, the source of funding and the nature of the transaction.
What the internal notification process is to escalate the employee’s concern to the appropriate manager.
How to conduct an enhanced investigation to determine whether to file an SAR with FinCEN.
How to complete and file a SAR.
The need for strict confidentiality in filing the SAR.
What information should be documented from the decision process to file the SAR (and close the account if closed).
Communication
Whether it is SAR v SAR or any other acronym in your professional world, do not make assumptions. Do not assume you or your employee know what those letters mean. It is better to spell out the phrase, particularly if you are working with a new employee. Once you are all on the same page as to the meaning, a good manager will ensure that everyone in her department knows not just the words, but the requirements associated with those words.
And now you know, you receive a GDPR SAR but file a BSA SAR.
For assistance, please contact me via my contact page or at elizabeth@elizabethmcmorrowlaw.com.
Comments