12 U.S.C. 93a, 1818, 1881–1884, and 3401–3422; 31 U.S.C. 5318.
Subpart A—Minimum Security Devices and Procedures
56 FR 29564, June 28, 1991, unless otherwise noted.
§ 21.1 Purpose and scope of subpart A of this part.
(a) This subpart is issued by the Comptroller of the Currency pursuant to section 3 of the Bank Protection Act of 1968 (12 U.S.C. 1882) and is applicable to all national banking associations. It requires each bank to adopt appropriate security procedures to discourage robberies, burglaries, and larcenies and to assist in identifying and apprehending persons who commit such acts.
(b) It is the responsibility of a bank's board of directors to comply with this regulation and ensure that a security program which equals or exceeds the standards prescribed by this part is developed and implemented for the bank's main office and branches (as the term “branch” is used in 12 U.S.C. 36).
[56 FR 29564, June 28, 1991, as ameded at 73 FR 22244, Apr. 24, 2008]
§ 21.2 Designation of security officer.
Within 30 days after the opening of a new bank, the Bank's board of directors shall designate a security officer who shall have the authority, subject to the approval of the board of directors, for immediately developing and administering a written security program to protect each banking office from robberies, burglaries, and larcenies and to assist in identifying and apprehending persons who commit such acts. (Approval by the Office of Management and Budget under control number 1557–0180)
(a) Contents of security program. The security program shall:
(1) Establish procedures for opening and closing for business and for the safekeeping of all currency, negotiable securities, and similar valuables at all times;
(2) Establish procedures that will assist in identifying persons committing crimes against the institution and that will preserve evidence that may aid in their identification or conviction; such procedures may include, but are not limited to:
(i) Using identification devices, such as prerecorded serial-numbered bills, or chemical and electronic devices;
(ii) Maintaining a camera that records activity in the banking office; and
(iii) Retaining a record of any robbery, burglary or larceny committed or attempted against a banking office;
(3) Provide for initial and periodic training of employees in their responsibilities under the security program and in proper employee conduct during and after a robbery; and
(4) Provide for selecting, testing, operating and maintaining appropriate security devices, as specified in paragraph (b) of this section.
(b) Security devices. Each national bank shall have, at a minimum, the following security devices:
(1) A means of protecting cash or other liquid assets, such as a vault, safe, or other secure space;
(2) A lighting system for illuminating, during the hours of darkness, the area around the vault, if the vault is visible from outside the banking office;
(3) Tamper-resistant locks on exterior doors and exterior windows designed to be opened;
(4) An alarm system or other appropriate device for promptly notifying the nearest responsible law enforcement officers of an attempted or perpetrated robbery, burglary or larceny; and
(5) Such other devices as the security officer determines to be appropriate, taking into consideration:
(i) The incidence of crimes against financial institutions in the area;
(ii) The amount of currency or other valuables exposed to robbery, burglary, or larceny;
(iii) The distance of the banking office from the nearest responsible law enforcement officers and the time required for such law enforcement officers ordinarily to arrive at the banking office;
(iv) The cost of the security devices;
(v) Other security measures in effect at the banking office; and
(vi) The physical characteristics of the banking office structure and its surroundings.
The security officer for a national bank shall report at least annually to the bank's board of directors on the effectiveness of the security program. The substance of such report shall be reflected in the minutes of the Board meeting in which it is given. (Approved by the Office of Management and Budget under control number 1557–0180)
Subpart B—Reports of Suspicious Activities
§ 21.11 Suspicious Activity Report.
(a) Purpose and scope. This section ensures that national banks file a Suspicious Activity Report when they detect a known or suspected violation of Federal law or a suspicious transaction related to a money laundering activity or a violation of the Bank Secrecy Act. This section applies to all national banks as well as any Federal branches and agencies of foreign banks licensed or chartered by the OCC.
(b) Definitions. For the purposes of this section:
(1) FinCEN means the Financial Crimes Enforcement Network of the Department of the Treasury.
(2) Institution-affiliated party means any institution-affiliated party as that term is defined in sections 3(u) and 8(b)(5) of the Federal Deposit Insurance Act (12 U.S.C. 1813(u) and 1818(b)(5)).
(3) SAR means a Suspicious Activity Report.
(c) SARs required. A national bank shall file a SAR with the appropriate Federal law enforcement agencies and the Department of the Treasury on the form prescribed by the OCC and in accordance with the form's instructions. The bank shall send the completed SAR to FinCEN in the following circumstances:
(1) Insider abuse involving any amount. Whenever the national bank detects any known or suspected Federal criminal violation, or pattern of criminal violations, committed or attempted against the bank or involving a transaction or transactions conducted through the bank, where the bank believes that it was either an actual or potential victim of a criminal violation, or series of criminal violations, or that the bank was used to facilitate a criminal transaction, and the bank has a substantial basis for identifying one of its directors, officers, employees, agents or other institution-affiliated parties as having committed or aided in the commission of a criminal act, regardless of the amount involved in the violation.
(2) Violations aggregating $5,000 or more where a suspect can be identified. Whenever the national bank detects any known or suspected Federal criminal violation, or pattern of criminal violations, committed or attempted against the bank or involving a transaction or transactions conducted through the bank and involving or aggregating $5,000 or more in funds or other assets where the bank believes that it was either an actual or potential victim of a criminal violation, or series of criminal violations or that it was used to facilitate a criminal transaction, and the bank has a substantial basis for identifying a possible suspect or group of suspects. If it is determined prior to filing this report that the identified suspect or group of suspects has used an alias, then information regarding the true identity of the suspect or group of suspects, as well as alias identifiers, such as drivers' license or social security numbers, addresses and telephone numbers, must be reported.
(3) Violations aggregating $25,000 or more regardless of potential suspects. Whenever the national bank detects any known or suspected Federal criminal violation, or pattern of criminal violations, committed or attempted against the bank or involving a transaction or transactions conducted through the bank and involving or aggregating $25,000 or more in funds or other assets where the bank believes that it was either an actual or potential victim of a criminal violation, or series of criminal violations, or that the bank was used to facilitate a criminal transaction, even though there is no substantial basis for identifying a possible suspect or group of suspects.
(4) Transactions aggregating $5,000 or more that involve potential money laundering or violate the Bank Secrecy Act. Any transaction (which for purposes of this paragraph (c)(4) means a deposit, withdrawal, transfer between accounts, exchange of currency, loan, extension of credit, or purchase or sale of any stock, bond, certificate of deposit, or other monetary instrument or investment security, or any other payment, transfer, or delivery by, through, or to a financial institution, by whatever means effected) conducted or attempted by, at or through the national bank and involving or aggregating $5,000 or more in funds or other assets, if the bank knows, suspects, or has reason to suspect that:
(i) The transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities (including, without limitation, the ownership, nature, source, location, or control of such funds or assets) as part of a plan to violate or evade any law or regulation or to avoid any transaction reporting requirement under Federal law;
(ii) The transaction is designed to evade any regulations promulgated under the Bank Secrecy Act; or
(iii) The transaction has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the institution knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.
(d) Time for reporting. A national bank is required to file a SAR no later than 30 calendar days after the date of the initial detection of facts that may constitute a basis for filing a SAR. If no suspect was identified on the date of detection of the incident requiring the filing, a national bank may delay filing a SAR for an additional 30 calendar days to identify a suspect. In no case shall reporting be delayed more than 60 calendar days after the date of initial detection of a reportable transaction. In situations involving violations requiring immediate attention, such as when a reportable violation is ongoing, the financial institution shall immediately notify, by telephone, an appropriate law enforcement authority and the OCC in addition to filing a timely SAR.
(e) Reports to state and local authorities. National banks are encouraged to file a copy of the SAR with state and local law enforcement agencies where appropriate.
(f) Exceptions. (1) A national bank need not file a SAR for a robbery or burglary committed or attempted that is reported to appropriate law enforcement authorities.
(2) A national bank need not file a SAR for lost, missing, counterfeit, or stolen securities if it files a report pursuant to the reporting requirements of 17 CFR 240.17f–1.
(g) Retention of records. A national bank shall maintain a copy of any SAR filed and the original or business record equivalent of any supporting documentation for a period of five years from the date of the filing of the SAR. Supporting documentation shall be identified and maintained by the bank as such, and shall be deemed to have been filed with the SAR. A national bank shall make all supporting documentation available to appropriate law enforcement agencies upon request.
(h) Notification to board of directors —(1) Generally. Whenever a national bank files a SAR pursuant to this section, the management of the bank shall promptly notify its board of directors, or a committee of directors or executive officers designated by the board of directors to receive notice.
(2) Suspect is a director or executive officer. If the bank files a SAR pursuant to paragraph (c) of this section and the suspect is a director or executive officer, the bank may not notify the suspect, pursuant to 31 U.S.C. 5318(g)(2), but shall notify all directors who are not suspects.
(i) Compliance. Failure to file a SAR in accordance with this section and the instructions may subject the national bank, its directors, officers, employees, agents, or other institution-affiliated parties to supervisory action.
(j) Obtaining SARs. A national bank may obtain SARs and the Instructions from the appropriate OCC District Office listed in 12 CFR part 4.
(k) Confidentiality of SARs. A SAR, and any information that would reveal the existence of a SAR, are confidential, and shall not be disclosed except as authorized in this paragraph (k).
(1) Prohibition on disclosure by national banks. (i) General rule. No national bank, and no director, officer, employee, or agent of a national bank, shall disclose a SAR or any information that would reveal the existence of a SAR. Any national bank, and any director, officer, employee, or agent of any national bank that is subpoenaed or otherwise requested to disclose a SAR, or any information that would reveal the existence of a SAR, shall decline to produce the SAR or such information, citing this section and 31 U.S.C. 5318(g)(2)(A)(i), and shall notify the following of any such request and the response thereto:
(A) Director, Litigation Division, Office of the Comptroller of the Currency; and
(B) The Financial Crimes Enforcement Network (FinCEN).
(ii) Rules of construction. Provided that no person involved in any reported suspicious transaction is notified that the transaction has been reported, this paragraph (k)(1) shall not be construed as prohibiting:
(A) The disclosure by a national bank, or any director, officer, employee or agent of a national bank of:
( 1 ) A SAR, or any information that would reveal the existence of a SAR, to the OCC, FinCEN, or any Federal, State, or local law enforcement agency; or
( 2 ) The underlying facts, transactions, and documents upon which a SAR is based, including, but not limited to, disclosures:
( i ) To another financial institution, or any director, officer, employee or agent of a financial institution, for the preparation of a joint SAR; or
( ii ) In connection with certain employment references or termination notices, to the full extent authorized in 31 U.S.C. 5318(g)(2)(B); or
(B) The sharing by a national bank, or any director, officer, employee, or agent of a national bank, of a SAR, or any information that would reveal the existence of a SAR, within the bank's corporate organizational structure for purposes consistent with Title II of the Bank Secrecy Act as determined by regulation or in guidance.
(2) Prohibition on disclosure by the OCC. The OCC will not, and no officer, employee or agent of the OCC, shall disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with Title II of the Bank Secrecy Act. For purposes of this section, official duties shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for use in a private legal proceeding or in response to a request for disclosure of non-public OCC information under 12 CFR 4.33.
(l) Limitation on liability. A national bank and any director, officer, employee or agent of a national bank that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this section or any other authority, including a disclosure made jointly with another financial institution, shall be protected from liability to any person for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both, to the full extent provided by 31 U.S.C. 5318(g)(3).
[61 FR 4337, Feb. 5, 1996, as amended at 75 FR 75583, Dec. 3, 2010]
Subpart C—Procedures for Monitoring Bank Secrecy Act Compliance