Senator Lankford Requests Treasury Secretary to Secure Sensitive Information

WASHINGTON, DC – Senator James Lankford (R-OK) today sent a letter to the Treasury Department regarding the policies and procedures the agency has in place to prevent the unauthorized disclosure of Suspicious Activity Reports (SARs). The letter comes after a Senior Advisor within the Financial Crimes Enforcement Network (FinCEN) was charged for the unauthorized disclosure of SARs and the conspiracy to make unauthorized disclosures of SARs, both of which carry a maximum sentence of five years in prison.

FinCEN, a bureau within the Treasury Department’s Office of Terrorism and Financial Intelligence, is the largest overt collector of financial intelligence in the United States. FinCEN’s mission is to safeguard the financial system from the abuses of financial crime, including terrorist financing, money laundering, and other illicit activity.

The letter states, “The system of SARs is critical to FinCEN’s work. Access to extremely sensitive information should be appropriately controlled, monitored, and compartmentalized, so to as eliminate unnecessary risk.

A PDF of the letter is available here, and the full text is below:

The Honorable Steven T. Mnuchin

Secretary of the Treasury

US Department of the Treasury

1500 Pennsylvania Avenue NW

Washington, DC 20220

Dear Secretary Mnuchin,

I am deeply concerned by allegations that an employee in the Financial Crimes Enforcement Network (FinCEN) illegally exfiltrated and distributed extremely sensitive information from Suspicious Activity Reports (SARs).

As you have noted, “there is no excuse for anybody who has access to these important systems to release information on an unauthorized basis.” The system of SARs is critical to FinCEN’s work. Access to extremely sensitive information should be appropriately controlled, monitored, and compartmentalized, so to as eliminate unnecessary risk.

I request more information about the policies and procedures in place for preventing the unauthorized disclosure of SARs.

1)       How many FinCEN employees have authorized access to SARs?

2)       To what extent does FinCEN monitor access to SARs? Is there a log of access to SARs including whether the information is exfiltrated?

3)    How does FinCEN assess whether access to SARs is conducted in accordance with an employee’s official responsibilities?

4)   Please describe the internal penalties for any unauthorized disclosure of a SAR.

5)  Have additional risk-based measures been considered to prevent future unauthorized disclosure of sensitive information?

6)  Please provide copies of all policies and guidelines related to management of the SARs database including physical and cyber security controls, if needed in a classified annex. 

7)   Please provide a copy of FinCEN’s SAR suppression policy.

8)  Please provide copies of all policies and guidelines related to sharing SARs information with external authorized users.

Please provide these documents and responses no later than November 16, 2018.

###