FinCEN advisory sharpens cybercrime reporting expectations, urges close ties between AML, cyber
Friday, November 4, 2016
Posted by: Brian Kindle
By Brian Svoboda Kindle
November 3, 2016
The US Financial Crimes Enforcement Network (FinCEN) last week issued its clearest and most direct call for enhanced collaboration between BSA/AML units and teams responsible for cybersecurity, in an advisory that hones suspicious activity reporting (SAR) expectations related to "cyber-events and cyber-enabled crimes."
The bulk of FinCEN’s nine-page document and its accompanying five-page FAQ sheet is devoted to expanding on when and how institutions should conduct mandatory and voluntary reporting on suspected or known cyberattacks. It reiterates the $5,000 threshold for reporting on completed or attempted suspicious transactions, and indicates reports should be filed any time a “financial institution knows, suspects, or has reason to suspect that a cyber-event was intended… to conduct, facilitate, or affect a transaction” or series of transactions at or above that amount.
In practice, this guidance is likely to encourage institutions to report on a broad swath of cybercrime events. Cyberattacks that trigger a direct movement of funds, like account takeover schemes and ransomware payments from customer accounts, could fall under the reporting standards laid out in the advisory.
So too could a range of attacks and cyber activity that do not directly impact transactions. A distributed denial of service attack launched against a bank as a smokescreen for other nefarious activity could also be reportable, as would cyber incidents that might expose sensitive information.
One example FinCEN provides in the advisory is a cyberattack exposing customer information like online banking credentials and payment card numbers – since the data loss may be reasonably expected to lead to $5,000 or more in illicit transactions, a SAR on the breach should be filed.
FinCEN acknowledges that with the latest guidance, it is casting a wide net in an attempt to garner as much information as possible for law enforcement agencies on the often-elusive trails of cyber criminals.
"SAR reporting of cyber events, even those that may not meet mandatory SAR-filing requirements, is highly valuable in law enforcement investigations," the advisory states. Although not named in the document, the advisory references what appears to be the Liberty Reserve case as an example of how SAR filings tied to cyber incidents supported a major enforcement action. In that case, reporting from 20 different institutions supported a multi-national law enforcement effort to dismantle a digital currency service running an alleged $6 billion money laundering operation.
Collaborative reporting and response to cyber incidents may be challenging to implement
While potentially beneficial for investigators and enforcement agencies, the breadth of cyber incident SAR reporting both required and encouraged in the advisory may entail some headaches for financial crime compliance staff.
One potentially tricky aspect of the advisory: institutions are advised to consider the aggregate amount of funds, saleable data and other assets stolen, exposed or otherwise involved in a cyber incident when deciding when and what to report. Yet the amorphous and covert nature of many cyberattacks can in some instances make it difficult to fully reckon an attack’s impact in its immediate aftermath, if ever.
Another wrinkle to implementing FinCEN’s guidance: some institutions, particularly smaller and regional ones, lack the expertise and infrastructure to enable BSA/AML departments, fraud and cybersecurity teams to share information and coordinate responses to the degree that the advisory seems to envisage.
After FinCEN issued guidance in September on business email compromise fraud that also called for closer ties between AML, fraud and cyber units, some compliance professionals noted it may take a year or more for their institution to build the training programs, policies and software platforms needed to enable such a collaborative approach.
The advisory urges a converged approach to cybercrime risk mitigation, stating that "institutions are encouraged to internally share relevant information with BSA/AML staff, cybersecurity personnel, fraud prevention teams, and other" affected units. However, FinCEN also takes pains to clarify that being adroit in cybersecurity and cybercrime is not a new requirement for AML roles.
Two questions in the FAQ accompanying the advisory make this clear. One asks, “Does FinCEN now require financial institutions’ BSA/AML units to have personnel/systems devoted to cybersecurity?”; the other, “Are BSA/AML personnel now required to be knowledgeable on cybersecurity and cyber-events?”
For both questions, the answer is no. FinCEN states that there are no new duties associated with the advisory, but does note that “A BSA/AML unit may work and collaborate as necessary with its institution’s cybersecurity personnel, to assist in their ability to adequately identify and report suspicious activity” connected to cybercrime incidents.
FinCEN also notes that this relationship can be a two-way street – beyond the AML and fraud teams supporting (and reporting) cyber incident response, cybersecurity and IT teams can feed information that can buttress transaction monitoring and ongoing customer due diligence.
“Information provided by cybersecurity units could reveal additional patterns of suspicious behavior and identify suspects not previously known to BSA/AML units,” the advisory says. “For instance, BSA/AML units can use cyber-related information, such as patterns and timing of cyber-events and transaction instructions coded into malware, among other things,” to help identify threat actors and better understand the nature of the AML risks involved.
FinCEN urges thorough reporting, capturing of technical details
The advisory also provides guidance on what information institutions should capture when reporting cyber incidents, such as IP addresses, device identifiers, and (for transactions involving digital currencies) digital wallets.
In the FAQ, FinCEN provides a more detailed, though “non-exhaustive,” listing of the types of information and data points that can be useful to capture on SAR filings for cyber crimes, including elements like email addresses or email content, social media account names, and more technical details like the names of suspected malware and the attack vectors used. Capturing and accurately describing these details in SAR filings may in many instances require input from, or collaboration with, cybersecurity staff.
The advisory ends with a reminder, and encouragement, that information-sharing between financial institutions on cyber threats and incidents is usually allowable under Section 314(b) of the USA PATRIOT Act.
In the past, financial institutions and other companies were often loath to share information on the cyber incidents impacting them, for fear it would expose their security vulnerabilities or open them up to liability. That calculus has shifted as cyberattacks grow in sheer numbers and in damage done. An increasing number of companies are viewing frequent and thorough sharing of cyber incidents and threat intelligence as a survival technique in an increasingly dodgy cyber landscape.