FinCEN Backs Cross-Border Data Sharing While Safeguarding SAR Secrecy

FinCEN has issued new guidance on 5 September 2025 that actively encourages appropriate, voluntary cross-border information sharing between financial institutions, including foreign affiliates and correspondent banks, to strengthen detection and disruption of money laundering, terrorist financing and wider illicit finance. Crucially, FinCEN reiterates that the Bank Secrecy Act does not prohibit sharing the underlying facts, transactions and documents related to suspicious activity, even though the Suspicious Activity Report (SAR) itself and any indication that a SAR exists remain strictly confidential.

According to the guidance, robust information exchange across borders can materially improve firms’ ability to spot risks and produce reporting that is highly useful to law enforcement and national security agencies. FinCEN frames this as a way to build a more complete risk picture across complex banking relationships while reminding firms to weigh their own risk profile, counterpart relationships and any constraints under other US or foreign laws.

FinCEN draws a clear line between what must stay confidential and what can be shared. SARs and any statement that would reveal the existence or non-existence of a SAR cannot be disclosed, but firms may share the facts that informed their SAR decisions. FinCEN also notes that even if a reasonable person could infer a SAR was filed from those facts, sharing the underlying information alone does not constitute a breach of SAR confidentiality.

The guidance includes practical, non-exhaustive examples of information that typically can be shared without revealing a SAR. On page 3, FinCEN lists transaction data such as wire details, counterparties, amounts, account numbers, dates and times; cash deposit and withdrawal records; and logs showing dealings with specific jurisdictions. It also cites customer and account information such as beneficial ownership, products and services used, stated business activities, occupation and sources of funds or wealth; plus investigative materials such as monitoring alerts, due diligence research, adverse media and cyber indicators like IP addresses or device identifiers. Firms should apply appropriate redactions to ensure nothing explicitly references a SAR decision.

FinCEN further reminds institutions of their duty to notify FinCEN, and where applicable their primary federal regulator, if they receive a subpoena or other request for a SAR or information that would reveal a SAR. The guidance points to prior instructions for counsel on handling unauthorised disclosure and responding to legal demands without naming a SAR in privilege logs.

Why SAR Secrecy Matters for UK & International Firms

For UK-headquartered groups with US operations or correspondent relationships, the update provides long-sought clarity to support lawful, controlled cross-border data flows that underpin group-wide AML programmes. It helps firms align US SAR rules with enterprise-level intelligence sharing and with UK expectations for group-wide risk management, provided they account for data protection and bank secrecy requirements in relevant jurisdictions.

Immediate Actions for Compliance Leaders

1. Map what you can share now. Build or refresh a “green list” of underlying data elements that are generally shareable under the guidance, with standard redaction rules and jurisdiction-specific caveats. Train staff to use it.

2. Tighten your language controls. Update templates, playbooks and ticketing systems so case notes, memos and analytics avoid phrasing that would reveal a SAR decision.

3. Calibrate correspondent bank requests. Use the exemplar categories from page 3 to make precise, proportionate requests for counterparty data, emphasising you seek underlying facts rather than any SAR material.

4. Refresh legal response protocols. Re-brief legal, investigations and litigation support teams on notification duties to FinCEN and regulators when receiving subpoenas or external requests that touch SAR content.

5. Document your risk-based approach. Record how you weigh relationship risk, foreign law constraints and data minimisation when sharing cross-border. Keep audit trails for all outbound and inbound sharing.

Read the full guidance here.