From KYC to KLA: Navigating the Sea to a Safe Harbor

The safe harbor: Moored to the dock of secrecy until a criminal violation untethers the anchor of disclosure.

While financial institutions may know their customers (KYC) and dutifully identify suspicious activity, must they continue to keep law enforcement advised (KLA) of their course after they send out the SOS?

From disembarkation, muddy waters can obscure the course of a suspicious activity report (SAR). Whose responsibility is it to navigate smooth sailing for the content of the SAR to reach its final destination? Is merely filing a SAR enough to alert law enforcement of criminal activity?

The Annunzio-Wylie Anti-Money Laundering Act of 1992 (31 U.S.C. § 5318(g)(3)) contains a safe harbor for financial institutions to report potentially criminal activity to law enforcement. In particular, it provides that:

“Any financial institution that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to this subsection or any other authority, and any director, officer, employee, or agent of such institution who makes, or requires another to make any such disclosure, shall not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any State or political subdivision of any State, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure to the person who is the subject of such disclosure or any other person identified in the disclosure.”1

This section broadly “provided a safe harbor for financial institutions and their employees from civil liability for reporting known or suspected criminal offenses or suspicious activity by filing a SAR.”2

This section’s broad protections leave the discretion to disclose information in the hands of the financial institution. Typically, a financial institution will be steadfastly cautious when making disclosures, to avoid litigation or discipline from regulators. But extreme caution also carries risks—especially the risk that criminal activity will thrive. Without communication, direct and indirect, law enforcement may not stem the tide of the suspicious or unlawful activity. Without this knowledge, investigations may quickly run aground.

It is easy for a financial institution to view a SAR as both the beginning and end of its responsibility. But if a SAR is destined for law enforcement, why does the communication end once a SAR is filed? There is a mandate to file a SAR. However, there is no mandate for law enforcement to read a SAR. If an institution truly intends to warn law enforcement, how can it keep the beacon lit?

Without a commander taking the helm, navigating the course of disclosure, a financial institution risks permitting money laundering to flourish. Effective anti-money laundering includes direct and continued contact with law enforcement regarding criminal activity, something that the Annunzio-Wylie Anti-Money Laundering Act was designed to facilitate. Assuring the initial information supplies law enforcement with the wherewithal not only to investigate, but to take enforcement action, is just the beginning of the voyage.

Keeping law enforcement informed about the subject(s) of a SAR and the suspicious activity serves multiple purposes. Continued communication demonstrates the financial institution’s commitment to law enforcement collaboration and its willingness to successfully hold customers accountable for their actions. In addition, advising law enforcement of changes in account-holder patterns may be the key to successfully investigating the matter.

Yet why does it seem institutions are averse to contacting law enforcement? Mitigating legal and reputational risk is necessary for many financial institutions to avoid litigation. Appeasing regulators is vital. However, when it comes at the expense of needed communication with law enforcement, is silence the right course of action? Moreover, why is a standard law enforcement request for communication often met with “no” when the applicable law says “yes”?

Prosecutorial guidance raises the following common concerns and answers:

Can I just pick up the phone and call the police?

Under Federal Deposit Insurance Corp. (FDIC), the Financial Crimes Enforcement Network (FinCEN) and Federal Reserve regulations, in situations involving violations requiring immediate attention—such as when a reportable violation involves terrorist activity or is ongoing—the financial institution shall immediately notify, by telephone, an appropriate law enforcement authority and financial institution supervisory authorities in addition to filing a timely SAR.3,4,5,6,7

Moreover, the Annunzio-Wylie’s safe harbor provides an institution with protection from civil liability for all reports of suspicious transactions made to appropriate authorities, including supporting documentation, regardless of whether such reports are filed pursuant to the SAR instructions.

Are you sure I can just pick up the phone and call the police?

The Federal Right to Financial Privacy Act (RFPA), 12 U.S.C. § 3403, states:

“Nothing in this chapter shall preclude any financial institution, or any officer, employee, or agent of a financial institution, from notifying a Government authority that [it] has information which may be relevant to a possible violation of any statute or regulation.”

The act further states:

“Any financial institution, or officer, employee, or agent thereof, making a disclosure of information pursuant to this subsection, shall not be liable to the customer under any law or regulation of the United States or any constitution, law, or regulation of any State or political subdivision thereof, for such disclosure or for any failure to notify the customer of such disclosure.”

What can I say?

Perhaps the better question is: “What can I not say?” Under the federal safe harbors, a financial institution that is directly contacting law enforcement may actively disclose only:

  • The name or other identifying information concerning any individual, corporation or account involved in the suspected illegal activity
  • The nature of any suspected illegal activity

Notably, a financial institution may disclose such information, notwithstanding any constitution, law or regulation of any state or political subdivision thereof to the contrary.8

What is included in those two categories? Courts have approved disclosure of the following other types of identifying information:

  • Name and social security number
  • Account number(s)
  • Copy of passport
  • Descriptions of transactions
  • Account history
  • Copies of suspected fraudulent money orders
  • Logs of account activity
  • Dollar amount of suspicious transactions

The section 3403(c) exception does not permit financial institutions to turn over or to verbally disclose the contents of financial records; rather, it is intended that the financial institution will provide information of the nature described above so that the law enforcement agency can then obtain the financial records through a form of legal process authorized by the act (administrative process, grand jury subpoena, formal written request, etc.).

The act stipulates that law enforcement authorities must use legal process under the act to obtain the actual financial records required in the investigation and prosecution of suspected offenses reported by financial institutions. Thus, the information provided in the financial institution’s report of a crime must be sufficient to allow law enforcement to satisfy the act’s requirements for access to records.

The U.S. Attorneys’ Manual, CRM 430, explains that the notification of a crime may also include the financial institution’s analysis of the information described above together with an analysis of the significance of the suspected offense. While the general description and analysis of suspicious transactions may not be so detailed as to eliminate any need for law enforcement access to actual records, it should be sufficient to enable law enforcement (1) to reasonably describe records needed in the investigation and (2) to determine that there is reason to believe such records are relevant to a legitimate law enforcement inquiry.

What if law enforcement calls me?

Fortunately for law enforcement, courts have interpreted the safe harbor provisions of the RFPA to apply not only to proactive disclosures by a financial institution, but also to disclosures in response to a direct inquiry from a government authority.9,10,11,12

Interestingly, the 11th Circuit (Florida, Georgia and Alabama) does NOT recognize immunity for providing information directly in response to law enforcement’s verbal request for information. Instead, if law enforcement requests a direct disclosure, a financial institution acting in the 11th Circuit must first request some form of “written” legal process from law enforcement.

Does this mean that, in the 11th Circuit, financial institutions cannot make a direct disclosure to law enforcement, in the same way that financial institutions can in the rest of the U.S.? No. It means that disclosure has to be based on the conclusion that “a disclosure of any possible violation of law or regulation” is being made. In the 11th Circuit, financial institutions cannot simply rely on law enforcement saying the violation exists—financial institutions must have their own individualized suspicion.

Also, remember that the safe harbor does not protect financial institutions from being sued—it provides a defense to such a lawsuit. In addition, in some (but not all) jurisdictions, if false information is provided to law enforcement with a malicious purpose, that “disclosure” will not protect from litigation—or possible prosecution for providing false information to law enforcement.

Unlike the SAR provisions, the RFPA’s safe harbor under § 3403(c) is not limited to preliminary, one-time notifications; it extends to a bank’s response to a government request, again so long as the information is relevant to the suspected illegal activity, thereby assuring that the communication is not lost at sea. Such a demonstrated commitment to contact was protected in Toader v. J.P. Morgan Chase Bank, NA, No. 09 C 6684 (N.D. Ill., 2011). In that case, § 3403(c) protected a bank when it directly notified law enforcement of suspected criminal activity, then provided additional documentation, including copies of deposit and wire-transfer slips, in response to the law enforcement’s follow-up request. § 3403(c) also protected a bank that directly provided information in Sornberger v. First Midwest Bank, 278 F. Supp. 2d 935, 937 (C.D. Ill).

The RFPA’s disclosure safe harbor is not dependent on filing a SAR. The safe harbor still applies even when a bank does not file a SAR due to neglect or a mistaken belief that it was not required because the government was already initiating action. Whether there is a SAR or not is irrelevant to the justification for the alleged disclosure.13 The plain language of the RFPA provides immunity for the disclosure of “any possible violation of law or regulation.”

Fear and uncertainty can prevent lawful disclosures and undermine the partnership between law enforcement and financial institutions. But if financial institutions can, then perhaps more financial institutions should initiate contact with law enforcement to stop criminal activity. Moreover, institutions should strive to stay on course and continue to directly KLA of suspicious activity.

As always, adhere to internal policies and procedures. But, when plotting the course to combat money laundering, instead of saying no when it comes to information sharing, maybe review the concerns with supervision and consider rocking the boat.

Elliott Casey, staff attorney, Commonwealth’s Attorneys’ Services Council, Williamsburg, VA, USA

ACAMS Today law enforcement contributor, VA, USA

Disclaimer: The views expressed are solely those of the authors and are not meant to represent the opinions of employers.

  1. “31 U.S.C. § 5318 - U.S. Code - Unannotated Title 31. Money and Finance § 5318. Compliance, exemptions, and summons authority,” FindLaw for Legal Professionals.
  2. “Federal Court Reaffirms Protections For Financial Institutions Filing Suspicious Activity Reports,” Financial Crimes Enforcement Network, May 24, 2004.
  3. “PART 353—SUSPICIOUS ACTIVITY REPORTS,” Federal Deposit Insurance Corporation, February 29, 2016.
  4. “31 CFR 1020.320 – Reports by banks of suspicious transactions.” Legal Information Institute, October 26, 2010.
  5. “12 CFR 208.62 - Suspicious activity reports.” Legal Information Institute.
  6. “12 CFR 21.11 - Suspicious Activity Report.” February 5, 1996.
  7. “Suspicious Activity Reporting—Overview,” Federal Financial Institutions Examination Council.
  8. “12 U.S. Code § 3403 - Confidentiality of financial records,” Legal Information Institute.
  9. Giannone v. Bank of America, N.A., 812 F.Supp.2d 216, 226 (E.D.N.Y. 2011).
  10. Puerta v. United States, 121 F.3d 1338 (9th Cir. 1997).
  11. Hu v. Park National Bank, No. 07 C 844. (N.D. Ill. May. 8, 2008).
  12. Bigi v. Wright-Patt Credit Union, Inc., Case No. 3:12-CV-216 (S.D. Ohio Apr. 22, 2013).
  13. Miranda De Villalba v. Coutts & Co. (USA) International, 250 F.3d 1351 (11th Cir. 2001).
