To the Chief Executive Officers of All State Member Banks, Bank Holding Companies, and State-chartered, Non-insured, U.S. Branches and Agencies of Foreign Banks, in the Second Federal Reserve District:
The Federal Bureau of Investigation, working with Federal Reserve staff and representatives from the other federal banking agencies as well as other federal law enforcement agencies, developed guidance concerning the reporting of violations of the federal criminal statute relating to computer crimes, 18 U.S.C. § 1030 (Fraud and Related Activity in Connection with Computers) in Suspicious Activity Reports (SARs). The guidance is intended to facilitate the timely and accurate reporting of apparent violations of this law to law enforcement and bank supervisory agencies.
The guidance is printed on the following pages. It describes the provisions of U.S.C. § 1030 and gives some examples of conduct that may violate the law. It also tells you how to report violations in a SAR.
Please bring this matter to the immediate attention of all personnel in your organization responsible for reporting suspicious activity.
If you have any questions on this matter (including how to obtain or file SAR forms), please contact Scott Freeman, Bank Supervision Officer, at this Bank.
GUIDANCE CONCERNING THE REPORTING OF COMPUTER-RELATED CRIMES BY FINANCIAL INSTITUTIONS
This guidance is provided in order to explain the federal criminal statute relating to computer crimes, 18 U.S.C § 1030, and to ensure the timely and accurate reporting of apparent violations of the statute to law enforcement authorities.
Regulations issued by the Federal Reserve, OCC, FDIC, OTS, and NCUA generally require banks, thrifts, credit unions, the U.S. branches and agencies of foreign banks, and other types of financial institutions to file Suspicious Activity Reports (SARs) whenever they detect any known or suspected federal criminal law violation or suspicious activity. The SAR system facilitates the reporting of suspected criminal activity and money laundering in a standard format to a single collection point, from which the information may be rapidly disseminated to appropriate law enforcement agencies. SARs play a critical role in collecting information about criminal activity affecting the financial community. Under the five financial institutions supervisory agencies' current sar rules, a financial institution is required to report any known or suspected criminal law violation involving an insider, regardless of amount. A financial institution is also required to report any known or suspected federal criminal law violation that involves or aggregates more than $25,000 in the even no suspect can be identified -- a threshold that drops to $5,000 if a potential suspect can be identified.
The current SAR form includes in Part III, Box 37, a listing of 17 various categories of criminal law violations and suspicious activities that a financial institution can check. The categories include check, credit and wire transfer fraud, defalcation/embezzlement and mysterious disappearances, and also inlcude a general category under "Other" that is to be used in the event the offense or activity does not appear to fit any of the delineated types of crimes. There is no category in Part III, Box 37, specifically reserved for violations of the provisions of the U.S. criminal code relating to computer crimes -- 18 U.S.C § 1030 (Fraud and Related Activity in Connection with Computers).
Criminal Law Relating to Computers
Computers and computer networks are at the heart of operation of a modern financial institution. Criminals -- both inside and outside the financial institutions -- recognize the potential vulnerability of computer systems. Consequently, financial institutions must be cognizant of the federal computer crime law, 18 U.S.C. § 1030. This statute specifically includes as a "protected computer," among other computers shielded by the statute, any computer exclusively for the use of a financial instituion, or, if not exclusively for such use, used by or for a financial institution where the conduct constituting the offense affects that use.
Financial institutions should pay particular attention to three provisions of 18 U.S.C. § 1030. Section 1030(a)(2) specifically prohibits intentionally accessing a protected computer to obtain certain kinds of information without authority or in excess of authority. Not only does it generally prohibit improperly obtaining information contained in a "financial record" of a financial institution. The provision may also apply to an individual who hacks into a financial institution computer system. "Financial record" is defined as information derived from any record held by a financial institution pertaining to a customer's relationship with the institution.
Another provision applicable to financial institutions is the prohibition against using a "protected computer without authorization or in excess of authorization to commit fraud. The provision of 18 U.S.C § 1030(a)(4) criminalize the knowing use of a protected computer without authorization or in excess of authorization with intent to defraud, and by means of such conduct furthering the intended fraud and obtaining anything of value. Thus, an individual who intentionally uses another person's home banking software and purloins that person's password in order to transfer money fraudulently into his or her personal bank account has committed a crime.
The third provision -- 18 U.S.C § 1030 (a)(5) -- with applications to financial institutions is the prohibition against intentional access without authorization that results in "damage to a protected computer. "Damage" is defined to include any impairment to the integrity or availability of data, a program, a system, or information that causes loss aggregating at least $5,000 in value during any one-year period. An example may involve a disgruntled former employee who maintains a "back door" into the computer system and uses it to introduce a virus that disrupts the system. Another example may involve an intruder who causes a system outage by flooding an institution's computer system with e-mail requests for information.
Other provisions of 18 U.S.C § 1030 applicable to financial institutions include subsection (a)(6), which outlaws trafficking in passwords knowingly and with intent to defraud. Subsection (a)(7) prohibits transmitting threats to cause damage to a protected computer with intent to extort money or any other thing of value from any legal entity, specifically including financial institutions. This prohibition applies regardless of whether any actual damage is caused, or whether the offender actually had the ability to cause such damage.
A violation of 18 U.S.C § 1030 can result in a fine or imprisonment for up to ten years.
A financial institution should report on a SAR any activity that appears to be violative of 18 U.S.C § 1030. If a reportable offense is detected, a financial institution should check Box 37f, marked "Other", and describe as completely as possible in Part VII, the narrative section of the SAR, the nature of the illegal or suspicious activity.