The FinCEN Files – Data protection concerns
The leak of suspicious activity reports from FinCEN has raised GDPR & data protection issues amongst other concerns.
The FinCEN Files, suspicious activity reports (SARs) leaked from US regulator FinCEN to Buzzfeed News and then on to the International Consortium of Investigative Journalists, have led to financial institutions and regulators grappling with various issues this week (see our article for more detail). We understand some institutions are also considering whether they should be worried about GDPR concerns and whether they have an obligation to disclose a data breach.
The FinCEN Files are a cache of about 2,100 SARs (and other US Treasury documents) filed by nearly 90 different financial institutions reporting suspicions involving transactions which took place between 1999 and 2017. The majority of those leaked (85%) were filed by some of the world's largest financial institutions.
Data breaches often throw up GDPR concerns for institutions operating in the EU, namely whether an obligation to disclose the details of a breach to the relevant supervisory authority (in the UK, the Information Commissioner's Office (ICO)) or to the data subjects themselves has been triggered.
An affected institution must consider:
- whether it is the data controller; and
- if it is the data controller:
  - for the purposes of a disclosure to the ICO, whether there is likely to be any risk to individuals; and
  - for the purposes of disclosure to affected individuals, whether there is a high degree of risk to them.
Under GDPR a data controller is a person, which can include a public authority *"which, alone or jointly with others, determines the purposes and means of the processing of personal data".* According to a statement from FinCEN on 01 September 2020, it was aware "that various media outlets intend to publish a series of articles based on unlawfully disclosed [SARs], as well as other sensitive government documents, from several years ago". There is - under normal circumstances - no reason to think that entities that have submitted SARs to FinCEN would retain control over FinCEN's use or processing of that data. This suggests that FinCEN was the relevant data controller and, as such, GDPR disclosure obligations on the part of the disclosing institutions are not triggered.
Moreover, the Data Protection Act 2018 provides an exemption from the obligation to notify an individual where the data was initially gathered for the prevention or detection of crime or the apprehension of offenders and notification would prejudice those purposes. Since the very purpose of a SAR is to detect or prevent crime, this would in most cases give rise to a clear exemption.
However, given that the FinCEN Files contain a great deal of information covering a wide range of jurisdictions, it may be worth seeking legal advice in relation to any data-related reporting obligations.