Published on April 13, 2018 in Law360, expert analysis.
The Curious Case of the Michael Cohen-Linked Suspicious Activity Report
Federal law prohibits the disclosure of the existence of Suspicious Activity Reports. So how did the existence of a Suspicious Activity Report linked to the President’s lawyer become public?
From early March 2018, news outlets have reported the existence of a Suspicious Activity Report linked to the President’s “personal lawyer,” Michael Cohen.[i] On March 5, The Hill, describing a Wall Street Journal story of the same day, reported that Cohen’s “$130,000 wire payment to adult film star Stormy Daniels shortly before the 2016 election was flagged as suspicious” by First Republic Bank and “reported to the Treasury Department.”[ii]
Following reports this week that the FBI executed search warrants at Cohen’s law offices, hotel room and home[iii] and seized “business records, emails and documents related to several topics, including a payment to”[iv] Stormy Daniels, the Wall Street Journal revisited the Cohen-linked Suspicious Activity Report, writing that First Republic Bank had “conducted its own investigation” of the Stormy Daniels transaction “after receiving the subpoena from the authorities.”[v]
From a legal perspective, these and similar news reports are striking for the legal question that they raise: How did the existence of the Suspicious Activity Report become public?
Federal law prohibits banks and other financial institutions from disclosing the existence (or non-existence) of Suspicious Activity Reports. Assuming news reports of the Cohen-related Suspicious Activity Report are correct, the disclosure of the report is itself headline worthy and may trigger (it if has not already) law enforcement and/or regulator inquiries as to how the report’s existence came to be in the public domain.
Banks Are Required to Report Actual and Suspected Financial Crimes
Federal laws require suspicious activity and other financial institution and transaction reports where they have “a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”[vi] Pursuant to the Bank Secrecy Act, a key federal anti-financial crime law governing financial institution reporting obligations, U.S. banks (including U.S. branches and subsidiaries of foreign banks) are required to file Suspicious Activity Reports (SARs) where, among other circumstances, they have reason to believe that a completed or attempted financial transaction (such as a such as a deposit, withdrawal, or wire transfer) involves certain criminal violations and/or is, by its nature or circumstances, suspicious.[vii]
The SAR reporting system is a cornerstone of the Bank Secrecy Act framework, which is designed to protect the U.S. financial system from illicit uses. Reflecting the law enforcement objectives served by suspicious activity reporting, the Bank Secrecy Act (as amended by Section 314(a) of the USA Patriot Act of 2001 and implemented by federal regulation), requires banks to have in place systems to respond to law enforcement requests for financial transaction information that is responsive to a “particular investigative subject.”[viii] Therefore, SARs may be generated by banks acting on their own initiative (for example, upon detecting suspicious activity) and/or in response to or in connection with law enforcement requests for information. The Wall Street Journal’s April 9 reporting[ix] suggests that First Republic Bank’s investigation and report to federal authorities involving Michael Cohen may have been prompted by one or more law enforcement requests.
Federal Law Prohibits Disclosures of Suspicious Activity Reports
To protect the law enforcement objectives served by SARs, banks (and their employees, officers, agents, etc.) are prohibited from disclosing the existence of a SAR to “any person involved in the transaction.”[x] Law enforcement personnel and other federal, state, local, and tribal officials, employees and contractors are similarly barred from disclosing the existence of SARs.[xi]
Beyond the prohibition on disclosure to persons who are the subject of SARs, federal banking and anti-financial crime regulations prohibit banks and their employees, officers, and agents from disclosing the existence or non-existence of SARs, as well as information related to SARs, to parties other than, for example, law enforcement or, where appropriate, state or local authorities.[xii] Even if a bank is “subpoenaed or otherwise requested to disclose a SAR or the information contained in a SAR,” federal regulations (such as those applicable to national banks and state bank members of the Federal Reserve System) require banks to “decline to produce the SAR or to provide any information that would disclose that a SAR has been prepared or filed” and report such a subpoena or request to the appropriate regulator.[xiii]
To further encourage banks to generate and file SARs, federal law protects banks from legal liability that might arise from the authorized reporting of suspicious activity.[xiv]
Suspicious Activity Reports Are Not Obtainable Through Freedom of Information Requests
In contrast to many government records, SARs may not be disclosed in response to requests under the Freedom of Information Act (FOIA) or similar laws. Federal law prohibits the disclosure of SARs pursuant to the FOIA and analogous state, local, tribal or territorial laws.[xv] Accordingly, the existence of the Cohen-linked SAR would not have been discoverable through a Freedom of Information Act or similar request.
Civil and Criminal Penalties for Unauthorized Disclosures of Suspicious Activity Reports
As the above discussed laws and regulations make clear, the confidentiality of SARs is necessary and mandatory under federal law. Unauthorized disclosures of SARs and SAR-related information (such as evidence of suspicious activity) are subject to civil and criminal penalties and have been prosecuted and penalized.[xvi]
How Did the Cohen-Linked Suspicious Activity Report Become Public? Law Enforcement and Regulatory Authorities Might Want to Know
As to the SAR reportedly generated and filed by First Republic Bank in connection with Michael Cohen’s alleged payment or facilitation of payment to Stormy Daniels, it is unclear how the existence of the report came to be in the public domain. Given the strong regulatory, law enforcement, and financial services industry interests in preserving the confidentiality of suspicious activity reporting, it would not be surprising if the disclosure of the Cohen-linked SAR—if such a disclosure was, in fact, made and was unauthorized—might itself be or become the subject of law enforcement or regulator inquiry (which may or may not become public knowledge).
[i] Eli Watkins, FBI raids Trump lawyer Michael Cohen’s office, seizes Stormy Daniels documents, bank records, CNN Politics (April 9, 2018), https://www.cnn.com/2018/04/09/politics/michael-cohen-fbi/index.html.
[ii] Brett Samuels, Bank flagged Trump lawyer’s payment to porn star as suspicious: report, The Hill (March 5, 2018), http://thehill.com/homenews/administration/376792-bank-flagged-cohens-payment-to-porn-star-as-suspicious-report; Joe Palazzolo and Michael Rothfeld, Trump Lawyer’s Payment to Stormy Daniels Was Reported as Suspicious by Bank, Wall Street Journal (March 5, 2018), https://www.wsj.com/articles/trump-lawyers-payment-to-porn-star-was-reported-as-suspicious-by-bank-1520273701.
[iii] Philip Bump, To search Michael Cohen’s home and office, the FBI had to clear a higher-than-normal bar, Washington Post (April 9, 2018), https://www.washingtonpost.com/news/politics/wp/2018/04/09/to-search-michael-cohens-home-and-office-the-fbi-had-to-clear-a-higher-than-normal-bar/?noredirect=on&utm_term=.3b989cb0c945;
[iv] Matt Apuzzo, F.B.I. Raids Office of Trump’s Longtime Lawyer Michael Cohen; Trump Calls It ‘Disgraceful’, New York Times (April 9, 2018), https://www.nytimes.com/2018/04/09/us/politics/fbi-raids-office-of-trumps-longtime-lawyer-michael-cohen.html.
[v] Erica Orden, Rebecca Ballhaus & Michael Rothfeld, Agents Raid Office of Trump Lawyer Michael Cohen in Connection With Stormy Daniels Payments, Wall Street Journal (April 9, 2018), https://www.wsj.com/articles/fbi-raids-trump-lawyers-office-1523306297 (hereinafter “Orden et al.”).
[vi] 31 U.S.C.S. § 5311 (LexisNexis 2018).
[vii] See, e.g., Federal Financial Institutions Examination Council, Bank Secrecy Act Anti-Money Laundering Examination Manual, Suspicious Activity Reporting Overview, available at https://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_015.htm.
[viii] United States Dept. of the Treasury, Financial Crimes Enforcement Network (FinCEN), FinCEN’s 314(a) Fact Sheet, April 10, 2018, available at https://www.fincen.gov/sites/default/files/shared/314afactsheet.pdf.
[ix] Orden et al., supra note 5.
[x] 31 U.S.C.S. § 5318(g)(2)(A)(i) (LexisNexis 2018).
[xi] Id. at § 5318(g)(2)(A)(ii).
[xii] See, e.g., 12 CFR 21.11 (LexisNexis 2018) (setting forth the Office of the Comptroller of the Currency’s suspicious activity reporting and confidentiality requirements applicable to national banks); 12 CFR 208.62 (LexisNexis 2018) (setting forth at Regulation H suspicious activity reporting and confidentiality requirements applicable to state bank members of the Federal Reserve System); FinCEN Advisory, SAR Confidentiality Reminder for Internal and External Counsel of Financial Institutions, March 2, 2012, available at https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2012-a002 (reminding “financial institutions, and in particular, the lawyers that advise them” of SAR confidentiality requirements and expressing FinCEN’s concern “that an increasing number of private parties, who are not authorized to know of the existence of filed SARs, are seeking SARs from financial institutions for use in civil litigation and other matters.”).
[xiii] See, e.g., 12 C.F.R. 21.11 and 12 C.F.R. 208.62, supra note 12.
[xiv] 31 U.S.C.S. § 5318(g)(3) (LexisNexis 2018).
[xv] 31 U.S.C.S. § 5319.
[xvi] 31 U.S.C. §§ 5318(g)(2)(A) (LexisNexis 2018) (prohibiting, inter alia, financial institutions and law enforcement personnel from notifying persons involved in reported transactions that reports have been made); 31 U.S.C. § 5321(a) and 31 C.F.R. § 1010.820(f) (LexisNexis 2018) (providing for civil penalties); 31 U.S.C. § 5322 and 31 C.F.R. § 1010.840 (LexisNexis 2018) (providing for criminal penalties); and, e.g., Frank E. Mendoza, Assessment of Civil Monetary Penalty, U.S. Dept. of the Treasury, Financial Crimes Enforcement Network, December 15, 2011, available at https://www.fincen.gov/sites/default/files/shared/ASSESSMENT_without_consent.pdf (assessing against the respondent party, after the trial and conviction of the same for unauthorized disclosure of a SAR and related bribery offense, a civil monetary penalty without consent for willful unauthorized disclosure of a SAR to a person involved in an underlying transaction).