During an authorized penetration test for a U.S. banking client, you notice log entries showing multiple wire transfers deliberately split into amounts just below the USD 10,000 reporting threshold. Such structuring is a red flag for money-laundering and triggers Bank Secrecy Act suspicious-activity reporting deadlines. What is the most appropriate action for you to take first to satisfy typical legal and contractual obligations?
Delete the transaction logs to avoid mishandling regulated customer data
Inform the client's designated compliance/AML officer at once so the organization can evaluate and file a SAR if required
Continue the test and simply document the transfers in the final report
Call the nearest FBI field office to report the suspicious transfers yourself
Under the Bank Secrecy Act, the financial institution, not an external tester, is legally required to file a Suspicious Activity Report (SAR) within 30 days of detecting facts that may indicate fraud or money-laundering. The tester therefore must escalate the finding immediately to the client's designated compliance or AML point of contact. That contact will determine whether the threshold is met and, if so, prepare the SAR for FinCEN or the appropriate regulator. Contacting law enforcement directly can violate the NDA or scope agreement, while deleting evidence or merely listing the issue in the final report fails to meet the institution's statutory timeline.