Privacy Impact Assessment – Currency and Banking Retrieval System (CBRS)
CBRS System Overview
The Currency and Banking Retrieval System (CBRS) is an on-line database that contains Bank Secrecy Act (BSA) information. IRS field agents in Small Business Self Employed (SB/SE), and Criminal Investigations Divisions (CID) as well as Local, State and Federal law enforcement agencies (Customs, Justice, DEA, etc) access the database for research in tax cases, tracking money-laundering activities, investigative leads, intelligence for the tracking of currency flows, corroborating information, and probative evidence. Federal Regulatory agencies (Federal Reserve, Securities and Exchange Commission, etc) also use CBRS for general examination, compliance and enforcement efforts.
System of Records Number(s)
Treasury/IRS 46.050 Automated Information Analysis System
Treasury/DO .213 System name: Bank Secrecy Act Reports System
Treasury/DO .212 System name: Suspicious Activity Reporting System (SARS).
Treasury/IRS 34.037 IRS Audit Trail and Security Records System cover the audit logs.
Data in the System
1. Describe the information (data elements and fields) available in the system in the following categories:
A. Taxpayer
B. Employee
C. Audit Trail Information (including employee log-in info)
D. Other (Describe)
A. Taxpayer:
Form TD F 90-22.1: Report of Foreign Bank and Financial Accounts (5 U.S.C. 552(e)(3) 91-508; 31 U.S.C. 1121; 5 U.S.C. 301,31 CFR Part 103). Further details see appendix A.
B. Employee:
Userid and password
1. The userid is logged as part of the audit system, user_id. Record
2. The password if encrypted in memory for the duration of the logon session.
C. Audit Trail Information
1.User Query Description table - for each query a user executes will contain:
a. User_ID - Identification of user executing the query.
b. Query_Tmsp - timestamp when the query was initiated
c. Query_Desc - a short description of the query (optional)
d. Query_Elapsed_Time - run time of the query
e. Query_Result_Count - number of rows returned
2. User_Query_Parms table - For each query description row, contains parmeters entered:
a. User_ID - identification of user executing the query
b. Query_Tmsp - timestamp when the query was executed (each time)
c. Parm_Seq - parameter sequence Number
d. Query_Group, Contition, Part_Data_Value, IDN_Data_Value,Locn_data_value, Relational_operatr,Query_Doc_types – these fields contain the query parameters entered by the end user
e. Target_table_Name – tables access by the query
3. User_Query_Log table - contains all document control numbers that were viewed, in full or partially, by end users.
a. Qrylog_Tmsp - timestamp when the data was viewed
b. User_ID - user identification of the user that viewed the data
c. DCN - document control number of the document(s) that were viewed
d. Query_tmsp - timestamp when the query was initiated
e. Hitlist_Ind - switch showing if the data was viewed on the screen as part of the users selected data elements. The user viewed those fields on the listed document.
f. Drilldown_Ind – switch indicating the named user opened the listed document for viewing
g. Doc_type - type of document that was viewed
4. User_Download_Log – contains a list of all documents that were download by an end user.
a. Dwnlog_Tmsp - timestamp when the listed document was downloaded
b. User_Id - user identification of the user that downloaded the documents
c. DCN - document control number of the document(s) that were downloaded by the named user
d. Query_Tmsp - timestamp when the query was initiated that returned the DCN’s
D. Other:
The external users all have profiles that control the information forms they may access on the database. CBRS also contains the following types of Information Returns.
FinCen 104: Currency Transaction Report (31 U.S.C. 5313 and 31 CFR Part 103)
FinCEN Form 8300: Report of Cash Payments Over $10,000 Received in a Trade or Business (26 U.S.C. 6050I and U.S.C. 5331)
FinCEN Form 103: Currency Transaction Report by Casinos (31 U.S.C. 5313 and 31 CFR Part 103)
FinCEN Form 103-N: Currency Transaction Report by Casinos – Nevada (Nevada Gaming Commission Regulation 6A in lieu of 31 U.S.C. 5313 and 31 CFR Part 103)
Form TD F 90-22.47: Suspicious Activity Report (31 U.S.C. 5318(g)(3)).
FinCEN Form 102: Suspicious Activity Report by Casinos (31 U.S.C. 5318(g), Nevada Revised Statute 463.125, or New Jersey Casino Control Act 5:12-129.1)1.
FinCEN Form 101: Suspicious Activity Report by Securities and Futurer Industries
TD F 90-22.56: Suspicious Activity Report by Money Services Business
TD F 90-22.55: Registration of Money Services Business
Form TD F 90-22.53: Designation of Exempt Person (31 CFR 103.22)
FinCEN Form 105: Report of International Transportation of Currency or Monetary Instruments 1 U.S.C. 5316; 31 CFR 103.23 and 103.25)
Form 7501: Entry Summary
2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.
A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)
E. State and Local Agencies (List agency)
F. Other third party sources (Describe)
A. The only information collected directly from the taxpayer is from Form TD F 90-22.1, Report of Foreign Bank and Financial Accounts. Employee information could be posted to the CBRS if the employee conducts cash transactions with a financial institution, casino, or a trade/business, for $10,000 or more.
B. NA
C. NA
D. United States Customs Service Entry Summary Form 7501.
E. NA
3. Is each data item required for the business purpose of the system? Explain.
Yes. All data items are required for the business purpose of the system.
4. How will each data item be verified for accuracy, timeliness, and completeness?
As data is posted to the CBRS information is checked for accuracy. If errors are detected correspondence letters are mailed to the filer asking for missing and incomplete information. Correspondence replies are posted to the CBRS upon receipt.
5. Is there another source for the data? Explain how that source is or is not used. NA
6. Generally, how will data be retrieved by the user?
Users will use a web-based front end or a desktop application to gain access to the database. Users, however, must have the appropriate security authority to do this.
7. Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier?
Generally, users with the appropriate security access will search the database using an Identification Number, name, date of birth, account number or address.
Access to the Data
8. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?
Data Entry Clerks, Application Developers (limited access), System Developers, contractors and managers.
9. How is access to the data by a user determined and by whom?
Access to the data is determined by agency and information supplied on form 5081. The back of form 5081 contains rules of behavior for accessing information systems. Both the employee and the employee’s manager sign form 5081. By signing this document the user is accountable for his/her misuse of the system.
Users of the CBRS are granted least access (Read Only) additionally system user profiles limits or grants access to the various BSA data depending on whatever agency the user works for. All users of the CBRS are profiled for least access ‘Read Only’. Users are then categorized as IRS or Non-IRS users, and are further categorized on each individual users profile if they have access to each form. As examples IRS Revenue Officers, Revenue Agents and Special Agents have access to all forms, a Non-IRS user from the Nevada Gaming Control Board will have access to Form 8852, Currency Transaction Report by Casinos – Nevada and Form TD F 90-22.49, Suspicious Activity Report by Casinos reported only from the state of Nevada.
Additionally the CBRS does not generate audit cases. However IRS Revenue Officers, Revenue Agents and Special Agents are required to query CBRS on all audit cases before closure.
10. Do other IRS systems provide, receive, or share data in the system? If YES, list the system(s) and describe which data is shared. If NO, continue to Question 12.
Yes. SB/SE receive data via Network Data Moves to the Automated Magnetic Media Processing System, AMMPS.
Form 4789, Currency Transaction Report
Form 8362, Currency Transaction Report by Casinos
Form 8852, Currency Transaction Report by Casinos – Nevada
Form TD F 90-22.1, Report of Foreign Bank and Financial Accounts
Form TD F 90-22.47, Suspicious Activity Report
11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?
Yes, Corporate Data and System Management Division for the Custom’s IRP project.
12. Will other agencies provide, receive, or share data in any form with this system?
Yes. The following agencies have at least access (read only) to the CBRS, except for the United States Customs Service, which provides data.
Alcohol, Tobacco, and Firearms
Comptroller of the Currency
Department of Justice
Drug Enforcement Administration
Executive Offices of the United States Attorneys General
Federal Bureau of Investigation
Federal Deposit Insurance Corporation
Federal Reserve System
Financial Crimes Enforcement Network
National Credit Union Administration
Nevada Gaming Control Board
Office of Thrift Supervision
Securities and Exchange Commission
Treasury Inspector General for Tax Administration
U.S. Customs Service
U.S. Postal Inspector
U.S. Secret Service
Over 75 State and Local Law Enforcement Agencies Across the 50 States
Administrative Controls of Data
13. What are the procedures for eliminating the data at the end of the retention period?
Paper Storage: The current year plus 6 prior years are kept on-site at DCC.
On-Line: The CBRS holds 11 years of data 1 for the current year and 10 prior years. Data is archived to tape as year is dropped from system
Documents are retired to the Federal Records Center six years after the end of the processing year, and destroyed eleven years after the end of the processing year. Procedures are documented in the Records Control Schedule for the Detroit Computing Center IRM 1.15.2.11-1 Chapter 11
14. Will this system use technology in a new way? If "YES" describe. If "NO" go to Question 15.
Yes, users will now access the database via a web-based front end coming through the intra/internet.
The CBRS IDMS data repository is being replaced with a single Data Base 2 (DB2) relational database. All documents will be processed and stored in a generic fashion, eliminating the need for document specific data structures. The single document table is structured as a data warehouse with supporting data tables used in performing queries.
The CBRS presentation layer is being changed from the old green screen technology to more user-friendly, windows based application, consisting of both a desktop and a WEB enabled front-end. It is being developed using XXXXXXXXX technologies. COBOL/DB2 stored procedures and triggers are used to massage data, process SQL calls against the database and communicate result sets to and from the application. COBOL/MVS and DB2 are used for batch processing and data storage. Currently at Milestone #3 because portal is not developed.
15. Will this system be used to identify or locate individuals or groups? If so, describe the business purpose for this capability.
Yes. The purpose of the CBRS is to house currency transactions that are reportable under U.S.C 26 and 31 requirements, but individuals may or can be monitored thru the system.
16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.
Yes, the CBRS does not generate any cases. It is a database that contains information on cash transactions of $10,000 or more and is a mandated research tool used by agents during tax-related cases.
For IRS personnel there is a clearly defined and documented procedure, the use of IRS Form 5081, for requesting access to the CBRS. On the back of the Form 5081 are rules of behavior for access to the information system. The employee and the employee’s manager sign the Form 5081. By signing this document the user is accountable for his/her misuse of the system. For non-IRS users see #9.
17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently? Explain.
There is no disparate treatment of individuals or groups. The goal of CBRS is to provide law enforcement and regulatory agencies access to the data, which could be useful when conducting criminal, tax, and regulatory investigations and proceedings.
Each of the categories under suspicion are treated the same way.
18. Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?
The information is entered as received and each document is treated as a separate transaction. Unlike an individual master file account CBRS transactions are not grouped together for an individual taxpayer. As an example, John Doe may have several transactions in the system conducted at different times. However, unless John Doe is the subject of an audit or investigation and an agent searches either by name, or SSN, etc. those individual transactions would never be grouped together. The filing individual can always amend a document data.
19. If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
The CBRS.net web application does not use any form of persistent cookies. When a user logs in to the CBRS.net system, a session cookie is created, which is kept in memory by the web browser, but never stored on disk for return visit tracking.
The CBRS.net system tracks users through audit logs kept after a user logs into the system. Each user will login with their individual mainframe ID and password. User's query and data download activities are stored in DB2 tables on the mainframe, with reporting abilities built into the system.
| 
