USA PATRIOT ACT · SECTION 314(b)
Section 314(b) lets financial institutions compare notes on suspected fraud and money laundering without a subpoena, a court order, or new liability. Here’s what the safe harbor covers, where it ends, and how a real exchange actually works.
A fraud analyst at a regional bank flags an account: opened three weeks ago, small deposits, then a newly added payee and a $180,000 wire out. On its own, the pattern is suspicious but inconclusive. The receiving account sits at another bank, and that bank is looking at the other half of the same picture: a business account taking in large wires from institutions it has no history with, and draining them within hours.
Neither institution can see the scheme. Together, they can. Section 314(b) of the USA PATRIOT Act is the provision that lets financial institutions compare notes without a subpoena, a court order, or new liability. It’s one of the most useful tools in the BSA toolkit, and one of the most underused, mostly because the hard part isn’t the law. It’s the logistics.
This page covers what 314(b) actually permits, where the safe harbor ends, and what an exchange looks like when it works.
314(b) is a voluntary information-sharing program with a legal safe harbor attached. Once two financial institutions are both registered with FinCEN, either one can ask the other about individuals, entities, organizations, or countries, for the purpose of identifying and reporting possible money laundering, terrorist financing, or fraud and other specified unlawful activity. The safe harbor protects them from civil liability for the sharing itself.
Participation is free. Registration takes about two business days. And the exchange can happen by phone, in writing, or electronically, directly between institutions or through an association.
The one-sentence version: 314(b) converts “I can’t tell you that” into “here’s what we’re seeing,” for registered institutions, on the right subject matter.
FinCEN’s June 12, 2026 guidance put to rest a long-running question: fraud is in scope, and so are the signals underneath it. Institutions can share, among other things:
The test isn’t a category list. It’s purpose. If the information is shared to identify or report possible money laundering, terrorist financing, or specified unlawful activity, it’s inside the harbor.
This is the section most explainers skip, and it’s where institutions actually get hurt.
You cannot share the existence of a SAR. SAR confidentiality survives 314(b) intact. You can share the underlying facts, the transactions, the patterns, the subject. You cannot say, or imply, that a SAR was filed. Compliance teams thread this needle every day: “we’re seeing activity consistent with X” is fine; “we filed on this guy” is a violation with personal liability attached.
The counterparty must be a current registrant. The safe harbor only holds between institutions registered for the current annual period. Sharing with a lapsed registrant means sharing with no protection. Verifying current registration before every exchange isn’t a nicety. It’s the load-bearing wall.
Purpose is a boundary, not a formality. Sharing for marketing, credit decisions, or general due diligence isn’t covered, even between two registered institutions. The harbor covers the fraud-and-laundering purpose and nothing else.
The safe harbor is federal. It protects against liability arising from the sharing. It doesn’t repeal your privacy obligations elsewhere, so information security and confidentiality procedures around the exchange still matter.
The names invite confusion. The mechanics are opposites.
| 314(a) | 314(b) | |
|---|---|---|
| Direction | Law enforcement → institutions, via FinCEN | Institution ↔ institution |
| Voluntary? | No. Responses are mandatory. | Yes. Both registration and each exchange. |
| Trigger | A government request naming a subject | Either institution’s own suspicion |
| Frequency | Batched requests on FinCEN’s schedule | Whenever the fraud happens |
314(a) is the government asking you to search your records. 314(b) is you and a peer institution deciding to solve a problem together. Registering for one does nothing for the other.
That’s it. Registration is the five-minute part of the program.
Back to the regional bank and the $180,000 wire.
Elapsed time in a well-run program: hours. Elapsed time in most programs: days, if the exchange happens at all.
FinCEN keeps encouraging participation because registration numbers understate the problem. Plenty of registered institutions rarely use the program. Three failure modes account for most of it.
Verification is manual. Confirming that the person you’re about to send account data to is actually the registered contact at an actually registered institution takes real effort, and it has to happen every time. Skip it and you’ve shared sensitive customer information with an unverified stranger. Fraudsters know this, and posing as a peer institution’s fraud team is an active social-engineering pattern.
The channels are improvised. Exchanges happen over phone calls, unencrypted email, and one-off spreadsheets. The statute permits it. Your information security program winces at it.
There’s no record. The safe harbor protects a purposeful, registrant-to-registrant exchange. When the exchange lives in a phone call with no documentation, proving those elements two years later is somebody’s very bad week.
None of these are legal problems. They’re infrastructure problems. The law did its job in 2001; the execution layer never got built.
This is the problem Kodex works on. Kodex is the network where sensitive requests between institutions get authenticated and answered: every counterparty verified, every exchange on secure rails, every request and response recorded with who asked, what was shared, and when. It’s the same discipline companies use on Kodex to handle law enforcement data requests, applied to the exchanges institutions make with each other.
Registration tells FinCEN you’re willing to share. Infrastructure is what lets you do it at the speed fraud actually moves.
Related reading: CALEA and the lawful-access landscape, and EU E-evidence for cross-border requests.
See how Kodex verifies every requester →Is 314(b) participation mandatory?
No. 314(b) is voluntary at every level: registration is voluntary, and each individual exchange is voluntary. Its counterpart, 314(a), is the mandatory one, requiring institutions to search their records in response to government requests routed through FinCEN.
Can we share fraud information under 314(b)?
Yes. FinCEN’s June 2026 guidance confirms that suspected fraud and its underlying indicators, including transaction patterns, IP addresses, device data, and surveillance footage, fall within the 314(b) safe harbor when shared to identify or report possible money laundering, terrorist financing, or specified unlawful activity.
Can we tell another institution that we filed a SAR?
No. SAR confidentiality survives 314(b). You can share the underlying facts and patterns behind your suspicion, but you cannot disclose or imply that a suspicious activity report was filed. Violating SAR confidentiality carries personal liability.
How long does 314(b) registration take?
FinCEN processes registrations within two business days and confirms by email. Registration runs through FinCEN’s Financial Institution Portal and must be renewed annually.
Do both institutions need to be registered before sharing?
Yes. The safe harbor only applies between institutions with current 314(b) registrations. Before each exchange, verify that the counterparty holds an active registration; sharing with a lapsed or unregistered institution means sharing without the safe harbor’s protection.