USA PATRIOT ACT · SECTION 314(b)

Section 314(b), Explained: What Financial Institutions Can Share, and How to Actually Do It

Section 314(b) lets financial institutions compare notes on suspected fraud and money laundering without a subpoena, a court order, or new liability. Here’s what the safe harbor covers, where it ends, and how a real exchange actually works.

Request a demoSee how Kodex verifies requesters, tracks deadlines, and responds securely.

A fraud analyst at a regional bank flags an account: opened three weeks ago, small deposits, then a newly added payee and a $180,000 wire out. On its own, the pattern is suspicious but inconclusive. The receiving account sits at another bank, and that bank is looking at the other half of the same picture: a business account taking in large wires from institutions it has no history with, and draining them within hours.

Neither institution can see the scheme. Together, they can. Section 314(b) of the USA PATRIOT Act is the provision that lets financial institutions compare notes without a subpoena, a court order, or new liability. It’s one of the most useful tools in the BSA toolkit, and one of the most underused, mostly because the hard part isn’t the law. It’s the logistics.

This page covers what 314(b) actually permits, where the safe harbor ends, and what an exchange looks like when it works.

What is Section 314(b)?

314(b) is a voluntary information-sharing program with a legal safe harbor attached. Once two financial institutions are both registered with FinCEN, either one can ask the other about individuals, entities, organizations, or countries, for the purpose of identifying and reporting possible money laundering, terrorist financing, or fraud and other specified unlawful activity. The safe harbor protects them from civil liability for the sharing itself.

Participation is free. Registration takes about two business days. And the exchange can happen by phone, in writing, or electronically, directly between institutions or through an association.

The one-sentence version: 314(b) converts “I can’t tell you that” into “here’s what we’re seeing,” for registered institutions, on the right subject matter.

What can financial institutions share under 314(b)?

FinCEN’s June 12, 2026 guidance put to rest a long-running question: fraud is in scope, and so are the signals underneath it. Institutions can share, among other things:

  • Transaction patterns. Newly added payees followed by large transfers. Rapid movement of funds through an account with no business rationale.
  • Identity signals. Multiple accounts opened with the same or similar identifying information across institutions.
  • Cyber and device data. IP addresses, device fingerprints, login activity from geographically impossible locations.
  • Physical evidence. Video surveillance footage of the person who stood at the teller window.
  • The subject itself. Names, account numbers, entities, and the institution’s basis for suspicion.

The test isn’t a category list. It’s purpose. If the information is shared to identify or report possible money laundering, terrorist financing, or specified unlawful activity, it’s inside the harbor.

What does the safe harbor not cover?

This is the section most explainers skip, and it’s where institutions actually get hurt.

You cannot share the existence of a SAR. SAR confidentiality survives 314(b) intact. You can share the underlying facts, the transactions, the patterns, the subject. You cannot say, or imply, that a SAR was filed. Compliance teams thread this needle every day: “we’re seeing activity consistent with X” is fine; “we filed on this guy” is a violation with personal liability attached.

The counterparty must be a current registrant. The safe harbor only holds between institutions registered for the current annual period. Sharing with a lapsed registrant means sharing with no protection. Verifying current registration before every exchange isn’t a nicety. It’s the load-bearing wall.

Purpose is a boundary, not a formality. Sharing for marketing, credit decisions, or general due diligence isn’t covered, even between two registered institutions. The harbor covers the fraud-and-laundering purpose and nothing else.

The safe harbor is federal. It protects against liability arising from the sharing. It doesn’t repeal your privacy obligations elsewhere, so information security and confidentiality procedures around the exchange still matter.

What’s the difference between 314(a) and 314(b)?

The names invite confusion. The mechanics are opposites.

314(a)314(b)
DirectionLaw enforcement → institutions, via FinCENInstitution ↔ institution
Voluntary?No. Responses are mandatory.Yes. Both registration and each exchange.
TriggerA government request naming a subjectEither institution’s own suspicion
FrequencyBatched requests on FinCEN’s scheduleWhenever the fraud happens

314(a) is the government asking you to search your records. 314(b) is you and a peer institution deciding to solve a problem together. Registering for one does nothing for the other.

How do you register for 314(b)?

  1. Registration runs through FinCEN’s Financial Institution Portal (the old SISS system was retired in May 2024).
  2. Your designated contact, typically the BSA/AML officer or an alternate, submits the 314(b) certification.
  3. FinCEN processes it within two business days and confirms by email.
  4. Renew annually. A lapsed registration means a lapsed safe harbor.

That’s it. Registration is the five-minute part of the program.

What does a real 314(b) exchange look like?

Back to the regional bank and the $180,000 wire.

  1. The analyst identifies the receiving institution from the wire details and confirms, against FinCEN’s registrant list, that it holds a current 314(b) registration. So does her own bank.
  2. She contacts the other institution’s 314(b) point of contact. Not a general fraud line. The named contact from the registration, because she needs to know the person on the other end is authorized to receive this.
  3. She shares the pattern and the subject: account details, the payee addition, the wire, the login from an IP that doesn’t match any customer history. No mention of whether her institution has filed or will file anything.
  4. The other institution responds with its half: the receiving account’s funnel behavior, two more inbound wires from other banks, an account opening document that reuses a phone number from a known mule network.
  5. Both institutions now have a complete picture. Each makes its own filing decision, and each keeps a record of what was shared, with whom, on what basis, and when, because that record is what proves the exchange lived inside the safe harbor if anyone ever asks.

Elapsed time in a well-run program: hours. Elapsed time in most programs: days, if the exchange happens at all.

Where does 314(b) break down in practice?

FinCEN keeps encouraging participation because registration numbers understate the problem. Plenty of registered institutions rarely use the program. Three failure modes account for most of it.

Verification is manual. Confirming that the person you’re about to send account data to is actually the registered contact at an actually registered institution takes real effort, and it has to happen every time. Skip it and you’ve shared sensitive customer information with an unverified stranger. Fraudsters know this, and posing as a peer institution’s fraud team is an active social-engineering pattern.

The channels are improvised. Exchanges happen over phone calls, unencrypted email, and one-off spreadsheets. The statute permits it. Your information security program winces at it.

There’s no record. The safe harbor protects a purposeful, registrant-to-registrant exchange. When the exchange lives in a phone call with no documentation, proving those elements two years later is somebody’s very bad week.

None of these are legal problems. They’re infrastructure problems. The law did its job in 2001; the execution layer never got built.

The execution layer

This is the problem Kodex works on. Kodex is the network where sensitive requests between institutions get authenticated and answered: every counterparty verified, every exchange on secure rails, every request and response recorded with who asked, what was shared, and when. It’s the same discipline companies use on Kodex to handle law enforcement data requests, applied to the exchanges institutions make with each other.

Registration tells FinCEN you’re willing to share. Infrastructure is what lets you do it at the speed fraud actually moves.

Related reading: CALEA and the lawful-access landscape, and EU E-evidence for cross-border requests.

See how Kodex verifies every requester →

Common questions

Is 314(b) participation mandatory?

No. 314(b) is voluntary at every level: registration is voluntary, and each individual exchange is voluntary. Its counterpart, 314(a), is the mandatory one, requiring institutions to search their records in response to government requests routed through FinCEN.

Can we share fraud information under 314(b)?

Yes. FinCEN’s June 2026 guidance confirms that suspected fraud and its underlying indicators, including transaction patterns, IP addresses, device data, and surveillance footage, fall within the 314(b) safe harbor when shared to identify or report possible money laundering, terrorist financing, or specified unlawful activity.

Can we tell another institution that we filed a SAR?

No. SAR confidentiality survives 314(b). You can share the underlying facts and patterns behind your suspicion, but you cannot disclose or imply that a suspicious activity report was filed. Violating SAR confidentiality carries personal liability.

How long does 314(b) registration take?

FinCEN processes registrations within two business days and confirms by email. Registration runs through FinCEN’s Financial Institution Portal and must be renewed annually.

Do both institutions need to be registered before sharing?

Yes. The safe harbor only applies between institutions with current 314(b) registrations. Before each exchange, verify that the counterparty holds an active registration; sharing with a lapsed or unregistered institution means sharing without the safe harbor’s protection.