What we learned at the ACFCS 2016 Conference Part 2
Thursday, June 23, 2016
Posted by: Brian Monroe
In this second installment covering the ACFCS 2016 Financial Crime Conference, we will look at the rising scourge of elder abuse along with key updates on digital currencies and the critical takeaways tied to prescriptive, thematic enforcement actions.
The packed event in New York City at the Yale Club on June 1st and 2nd and digital conference on June 8th and 9th – attended by hundreds of current and former compliance officers, regulatory officials and law enforcement – covered some of the most challenging issues in financial crime, looking anew at historical gaps and taking a holistic look at emerging vulnerabilities.
In part one, we covered several trends, including the aggressive evolution of cyber threats, the human mistakes leading to data breaches, the convergent power of anti-money laundering (AML) systems to capture cyber data, the broad compliance program gaps identified by regulators, trade-based money laundering, and more.
While it is difficult to condense the immense breadth of knowledge at both events, what follows is our attempt to capture and share some of the key takeaways, themes and unexpected insights from the conference.
Combating elder financial fraud and abuse
In a June 2nd presentation, Jilenne Gunther, a senior strategic policy advisor for the American Association of Retired Persons (AARP), shed light on the increasing prevalence of fraud and financial abuse targeting elderly individuals. “Older Americans lose about $3 billion, but we know it’s just the tip of the iceberg,” said Gunther, who also leads the AARP’s BankSafe initiative. She added that banks as a result of scams against seniors, lose $1 billion annually.
Moreover, compounding the problem is that the people older folks should be able to trust the most are the ones most at risk to steal, and steal even more than strangers or non-related caregivers, she said, citing a study. And with the elderly population set to double in coming years, the “problem is only going to get worse.”
Thousands of older Americans are victims of financial exploitation every day. Older Americans are targeted not only because they have accumulated $18 trillion in assets, but also because they are more likely to suffer from cognitive decline making them vulnerable to exploitation.
Customers are asking their banks to help. Four of every five older Americans want their financial institutions to fight exploitation, according to the AARP’s own research.
Theft tied to older people averages $120,000, a figure roughly equal to their life savings. Studies also reveal that the closer a person is to the victim, the more they steal, with a child stealing an average of nearly $160,000, down to a non-related caregiver stealing an average of nearly $20,000.
In tandem with the elderly population expanding comes a greater awareness by fraudsters and hacking groups that they can potentially get more money from older people and do so with less stolen information, in some cases only needing a phone number, address and a bank account statement.
Investigators have noted that in some data breaches, the hackers parsed out the information by age to better manipulate older victims, through such means as penny stock pump-and-dump scams.
“The exploiters are good. They know who to target,” said Liz Loewy, the general counsel and senior vice president of industry relations at EverSafe and the former head of the elder abuse unit at the Manhattan District Attorney’s office. “It’s just a huge problem, an epidemic.”
According to the Census Bureau’s “middle series” projections, the elderly population will more than double between now and the year 2050, to 80 million. By that year, as many as 1 in 5 Americans could be elderly.
Those trends put more pressure on bank staff at all levels – including front line tellers, AML analysts and compliance officers, business line executives and even the investment arms of institutions – to “train employees to detect and prevent exploitation,” Gunther said.
The session highlighted several overarching scam areas fraudsters attempt to employ against the elderly, including
- Construction/Home Repair
- Sweetheart Grandparent
- Investment Fraud
- Reverse Mortgages
- Phishing and Internet Fraud
- Cold calls from a boiler room
- ID Theft
The panel also detailed key red flags that would be of value to compliance analysts and fraud investigators:
Changes in Financial Activity:
- Senior’s report of EFE
- Unusual and/or inconsistent transactions
- New debit card, credit card &/or increased activity
- Withdrawals over daily maximum limit
- Sudden insufficient funds
- Bounced checks and/or nonpayment for services
- Unusual credit or debit transactions
- New: Wired funds
- New: Internet banking
- Closed CDs, without regard to penalties
- New POA, account holder, change of address
More red flags, these tied to overall vulnerability with a focus on senior and Companion(s):
- Senior makes complaints about missing assets
- Inability to contact/speak with senior, despite repeated attempts
- Changes in the older victim; clothing, demeanor, conversation
- Senor unable to recall or discuss transactions
- New Caregiver or ‘family member’
- Senior appears to be frightened, fearful or submissive w/companion
- Companion – excessive interest
- Companion won’t permit senior to speak for himself/herself
So what are banks doing to more effectively detect and prevent scams against seniors? The panel also included a cross section of initiatives detailing what banks can do, including:
Barclays: The British banking giant has implemented a training program – the “Community Driving License” – that teaches all employees how to better interact with vulnerable customers. Employees receive online training on fraud and exploitation, dementia, vulnerabilities, and accessibility.
Barclays uses data analytics to proactively identify customers at risk of fraud or exploitation. The analysis focuses on the characteristics that put customers at higher risk of becoming a victim of fraud. Barclays is now testing how it can proactively provide education to protect these customers
Bank of American Fork: The bank promotes an age-friendly culture by having “Age-Friendly Champions.” Each branch has an Age-Friendly Champion who receives extra training on how to spot fraud or a stressed caregiver. The Age-Friendly Champion is a source of information and support for employees in addressing the needs of older adults. Champions hold quarterly meetings to receive additional training and to share best practices from their experiences, which has empowered employees and increased morale.
Oregon Bankers Association: The association, in conjunction with the Oregon Department of Human Services, Oregon Department of Justice, and the AARP Oregon office, developed a training kit aimed at preventing elder fraud and exploitation. The kit has been distributed to banks across the nation. This kit helps bank employees identify possible cases of financial exploitation and raises their confidence in reporting suspected cases.
Wells Fargo Advisors: The operation has made their training on exploitation mandatory for all employees. The training covers 10 questions related to spotting and reporting cases of financial exploitation and provides employees with three rules to intercede: negotiate, isolate, and tattle.
Negotiating for more time allows the advisor to contact a trusted family member and create enough of a delay to make the scammer run. Isolating the older person from the “new friend” allows the advisor to gather more information in a private context. The advisor is also encouraged to “tattle” with any concern and worries to the centralized elder unit at Wells Fargo Advisors.
First Financial Bank: The institution launched a program called “Fraud Busters” to stop exploitation. The 2-yearold initiative has saved First Financial customers over $1 million. The program focuses on three key fraud-fighting components: (a) prevention, (b) apprehension, and (c) education. The bank trained its 1,200 employees at more than 70 locations to identify scams as part of its Fraud Busters program. The tellers know when to report an incident to a manager, and when employees catch a scam, they’re given a Fraud Busters pin to wear at work.
Data analytics: EverSafe has developed software that focuses on early detection and prevention of exploitation before it occurs. This service scans financial accounts daily and issues timely alerts to customers and a third-party monitor about any suspicious activity.
It helps protect customers by detecting abnormal spending patterns, unusual credit card charges, missing deposits, unauthorized cash withdrawals, and identity theft. The service includes over 50 alerts that respond to patterns unique to cases of elder financial abuse.
In a session on June 8th, expert presenters from the private sector and law enforcement noted that virtual currencies, such as Bitcoin and the underlying blockchain technology, are moving in two seemingly opposing directions.
Session moderator George Prokop, Managing Director with PwC, noted that on one end, virtual currencies are moving toward more mainstream integration into the international financial system, with more companies accepting these forms of payment in the real and online worlds.
Additionally, the panel discussed how digital currency exchanges and administrators themselves have taken great strides in recent years to create AML programs, implement monitoring for suspicious activity and report aberrant actions to the government.
Conversely, there are also more criminal and hacking groups using Bitcoin and other virtual currencies for illicit ends, such as paying a cyber assailant in the aftermath of a ransomware attack, and doing so in a way a that remains difficult though not impossible to trace.
As a result, one panelist noted that while many think ransomware attacks are more an embarrassing nuisance, typically asking for ransoms in the $10,000 to $15,000 range, other cases that didn’t make headlines have soared into the six and even seven figures.
“Transnational criminal organizations from Eastern Europe are using Bitcoin to facilitate various cyberime. That’s a fact,” said Tigran Gambaryan, a special agent with IRS criminal investigations, who has worked on major cases involving the misuse of virtual currencies. “There are nation state actors. There is everything you can think of that’s out there.”
Moreover, these groups are using cyber attacks with purely profit-driven motives.
“We talked about how cyber activity didn’t really trigger financial events, but that’s kind of not the case now,” Gambaryan said. Hackers are using denial of service attacks (DDOS) and ransomware to force companies to pay them in Bitcoin, with the volume going “up and up until the DDOS stops.”
The fact is that the ransom payment is a financial transaction, something that needs to be logged and reported to the government so they swim those details against current cases, patterns and groups, he said.
“The era of innocent hackers trying to take down a web site is over,” Gambaryan said. “These are criminal organizations targeting these companies for payment, whether it’s a bank, hospital or law office. Those are financial events. If a payment is made, that is something that needs to be kept track of.”
Other panelists, including Lisa Dawson from digital currency exchange Bitstamp, noted that key challenges in the space remain, such as communicating with other digital currency firms, exchanges and banks about suspicious transactions – including possibly those tied to ransomware attacks that traditional financial institutions would have limited visibility into – through Patriot Action Section 314(b).
The panel also highlighted a particularly knotty conundrum with the intersection of virtual currency transactions and a regulation referred to as the “travel rule.”
As per the rule, details about the individuals involved in the transaction are supposed to “travel” with it through various payment chains, a requirement unable to be fulfilled through current blockchain structures, chiefly due to the fact that the details readily available don’t always link back to any “personal identifiers” of the real human involved.
One positive in getting to know the technologies more, at times through cases of illicit use, is that the investigative tools have improved, Gambaryan said, noting that early on he was “using Excel,” which was a smidge on the difficult side.
But now, investigators can work with operations like Bitstamp to correlate open ledger blockchain details with web addresses and financial events, and eventually back to actual bank accounts, which will then reveal account ownership details, he said.
‘Hyper-thematic’ enforcement actions
In a June 2nd session that analyzed various recent enforcement actions, experts noted that financial institutions, along with larger, international companies writ large, can face significant regulatory scrutiny and enforcement exposure for more than just weak AML programs, but also for failures tied to corruption.
The panel included Paul Pelletier, Member with Mintz Levin and former Deputy Chief of the DOJ’s Fraud Section; Hillary Rosenberg, Head of Anti-Bribery and Corruption for the Americas at Standard Charted; Michael Schidlow, Head of FCC and Emerging Risk Audit Development with HSBC; and Dhaval Sheth, Director with PwC.
The group buttressed the notion of this rising tendency of “hyper-thematic” enforcement by citing the $15 million settlement in 2015 between the SEC and Bank of New York Mellon for improperly providing student internships to the family members of officials “affiliated” with a massive sovereign wealth fund.
In the action, the bank did not follow standard hiring procedures, but instead handed out these valuable internships were awarded to individuals with “significant personal value” to the government officials in a bid to curry favor with and woo the individuals into letting the bank manage the fund.
A key takeaway is that company “hiring practices on the SEC’s radar,” according to Paul Pelletier, but the panel also cautioned that looking too closely to enforcement trends for compliance guidance was likely to be a questionable approach.
Instead of chasing the latest enforcement issues, panelists advised a broader approach that focused on sound controls, culture and employee conduct across the board.
They also suggested ways that AML programs could be leveraged to support anti-bribery and corruption functions, such as pulling in a client’s past transaction monitoring data and alerts from the AML department when conducting or updating an anti-corruption risk assessment.
How graft can infiltrate financial institutions already subject to AML rules continued with the study of the Direct Access Partners case.
In April, the Securities and Exchange Commission issued final judgments in its cases against individuals charged in an alleged Venezuelan bribery scheme involving Direct Access Partners, likely closing the book on the cases that began in 2013, according to the Wall Street Journal.
The commission issued seven final judgments this week against the individual defendants in cases that focused around a kickback scheme for business with a Venezuelan state bank. The judgments prohibited the individuals from further securities violations and reiterated required disgorgement from the defendants that had also been stated in the corresponding criminal cases.
In the Justice Department’s cases, the defunct broker-dealer’s former chief executive and managing director received four-year prison sentences for conspiracy violations of the Foreign Corrupt Practices Act and Travel Act after pleading guilty in 2014.
The state official at Banco de Desarrollo Economico y Social de Venezuela who took kickbacks in the scheme received time served after pleading guilty, according to the Journal.
Moreover, in light of a more aggressive stance against individuals and penalties for failures reaching record heights, the panel agreed that institutions across the board should take a more holistic view of transactions, counterparties and insiders that span AML and corruption exposure points and not be remiss in analyzing all information in the public domain.
The panel and presentation noted that with other corruption cases also tied to sovereign wealth funds, and individuals involved potentially being themselves state actors, banks and companies should take an “expansive view of government official,” among other tactics small and large to better view individuals, actions and transactions through an “all-crimes lens” to make more connections and make them faster to thwart criminals and the corrupt and sender richer, more timely intelligence to law enforcement.