The US Financial Crimes Enforcement Network (FinCEN) last week issued its clearest and most direct call for enhanced collaboration between BSA/AML units and teams responsible for cybersecurity, in an advisory that hones suspicious activity reporting (SAR) expectations related to “cyber-events and cyber-enabled crimes.”
The bulk of FinCEN’s nine-page document and accompanying five-page FAQ sheet is devoted to expanding on when and how institutions should be conducting mandatory and voluntary reporting on suspected, or known, cyberattacks. It reiterates the $5,000 threshold for reporting on completed or attempted suspicious transactions, and indicates reports should be filed any time a “financial institution knows, suspects, or has reason to suspect that a cyber-event was intended… to conduct, facilitate, or affect a transaction” or series of transactions at or above that amount.
In practice, this guidance is likely to encourage institutions to report on a broad swath of cybercrime events. Cyberattacks that trigger a direct movement of funds, like account takeover schemes and ransomware payments from customer accounts, could fall under the reporting standards laid out in the advisory.
So too could a range of attacks and cyber activity that do not directly impact transactions. A distributed denial of service attack launched against a bank as a smokescreen for other nefarious activity could also be reportable, as could cyber incidents that might expose sensitive information.
One example FinCEN provides in the advisory is a cyberattack exposing customer information like online banking credentials and payment card numbers – since the data loss may be reasonably expected to lead to $5,000 or more in illicit transactions, a SAR on the breach should be filed.
FinCEN acknowledges that with the latest guidance, it is casting a wide net in an attempt to garner as much information as possible for law enforcement agencies on the often-elusive trails of cyber criminals.
“SAR reporting of cyber events, even those that may not meet mandatory SAR-filing requirements, is highly valuable in law enforcement investigations,” the advisory states. Although it does not name the case, the advisory references what appears to be the Liberty Reserve case as an example of how SAR filing tied to cyber incidents supported a major enforcement action. In that case, reporting from 20 different institutions supported a multi-national law enforcement effort to dismantle a digital currency service running an alleged $6 billion money laundering operation.
Collaborative reporting and response to cyber incidents may be challenging to implement
While potentially beneficial for investigators and enforcement agencies, the breadth of cyber incident SAR reporting both required and encouraged in the advisory may entail some headaches for financial crime compliance staff.
One potentially tricky aspect of the advisory: institutions are advised to consider the aggregate amount of funds, saleable data and other assets stolen, exposed or otherwise involved in a cyber incident when contemplating when and what to report. Yet the amorphous and covert nature of many cyberattacks can in some instances make it difficult to fully reckon an attack’s impact in its immediate aftermath, if ever.