Compliance convergence: Group calls for 314(b) to cover cyber sharing, FinCEN tweaks SAR for hacks

By Brian Monroe
February 16, 2017

February has been a great month for those espousing the virtues of a converged approach to financial crime compliance. Several influential entities, including a storied banking association, the top self-regulatory securities body of the United States and the U.S. Treasury, issued proposals and public statements emphasizing closer ties between AML, cyber and fraud fields.

Below are brief summaries highlighting key recent developments in compliance convergence:

Explicit expansion of 314(b) for cyber sharing

On Thursday, the Clearing House Association (CHA), the oldest banking and payments association in the United States, stated in a broad review of the country’s anti-money laundering (AML) framework that Congress should expand Patriot Act Section 314(b), a safe harbor to cover the sharing of information related to illicit finance activities potentially tied to money laundering or terrorist financing, beyond those constraints and into the realm of cyber warfare.

The CHA states that, “for example, the safe harbor could be revised to permit sharing also for the purpose of identifying and reporting a specified unlawful activity,” as defined in U.S. statutes, which would allow sharing on nearly every crime that can create illicit funds, including fraud, kidnapping, and dozens of others.

Moreover, as the crimes in the statute, specifically cited as 18 U.S.C. 1956(c)(7), “relate to computer fraud and abuse, such a revision would protect sharing regarding cybercrimes and identity theft without requiring that financial institutions first determine whether the crime also involves money laundering or terrorist financing,” according to the report.

In that same vein, the CHA report noted that congress must keep an open mind on the innovation front in the areas of financial information sharing and fintech and “should also expand the safe harbor to cover technology companies and other non-depository institutions, to provide greater freedom to experiment with information-sharing platforms.”

The association is recommending FinCEN propose a rule stating that financial institutions “are encouraged to innovate in a financial intelligence unit (FIU) ‘sandbox,’ and that FIUs may operate outside the strictures of regular policies and procedures,” without fear of examiner pushback or harsh penalties for tech-related missteps.

AML, cyber allies in securities sector

Last week, Susan Axelrod, executive vice president of regulatory operations at the Financial Industry Regulatory Authority (Finra), stated in a speech in New York that to better counter criminals, terrorists and hackers at securities firms, cyber teams should work shoulder-to-shoulder with their AML partners.

Moreover, even as the industry “relies more on big data analytics for customer identification and suspicious activity identification, it’s important that firms continue to fuse their AML compliance programs with other compliance functions and not create siloes that can inhibit risk assessment and identification,” she said.

For example, “cybersecurity and senior investor protection are two examples of interrelated areas that should concern AML compliance staff,” Axelrod said.  

More specifically, in the cybersecurity area, “firms are required to report patterns of intrusion on their suspicious activity reports (SARs). So it’s essential that your cybersecurity staff remain in close contact with your AML staff,” she said.

FinCEN requesting to revise SAR form to gather more data on cyber-related events

FinCEN, the arbiter of U.S. AML rules, is proposing to update and revise some of the fields in the SAR, the document financial institutions, such as banks, money services businesses, securities firms and others, use to tell law enforcement about potentially illicit actions, individuals and entities.

The request for comment, released earlier this month with a comment period ending in early April, includes a host of critical changes that nudge banks to capture more details on cyber-enabled events, includes more opportunities for concise narrative descriptions on a broader array of activities and gives institutions more options to detail certain kinds of frauds, such as Ponzi schemes, just to name a few.

In particular, the updated form would include a new category, “cyber-event,” and ask banks to detail whether the attack is against the bank, customers or others.

As well, the SAR will have a new item called a “cyber-event indicator,” with multiple entries for banks to better parse out such details as the IP address, URL/domain, type of malware, type of media access control involved, suspicious email addresses, suspicious file names and the targeted system.