Fincrime Briefing: Hackers force crypto exchange to close, FinCEN talks securities, Finra 2020 exam priorities, and more

By Brian Monroe
bmonroe@acfcs.org
February 11, 2020

Quote of the Day: “Love is our true destiny. We do not find the meaning of life by ourselves alone – we find it with another.” – Thomas Merton

In today’s briefing, hackers cripple crypto exchange, force it to close, FinCEN highlights weak information sharing in securities sector, crypto and AML gaps, Finra details focus on digital assets, cybersecurity, China behind Equifax hack, says U.S., and more.

Please enjoy this unlocked story, part of the many benefits of being an ACFCS member.

Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content!

CYBERSECURITY/CRYPTOCURRENCIES: MORE HACKERS TARGETING CRYPTO

New crypto exchange Altsbit says it will close following hack as attackers say more virtual operations to be targeted

A cryptocurrency exchange that only launched in the last few months says it has been hit by a hack that it can’t afford to cover, just the latest victim of more aggressive hacking collectives, criminal infiltrators and state-sponsored breach bandits.

Altsbit – a platform reported to be based in Italy, though it doesn’t make this clear on its website or social media – announced the breach last Thursday, stating on Twitter: “Unfortunately we have to notify you with the fact that our exchange was hacked during the night and almost all funds from BTC, ETH, ARRR and VRSC were stolen. A small part of the funds are safe on cold wallets.”

An update on the company’s website now indicates that “fortunately a good part of the coins were kept on cold storage” and that it will issue partial refunds, not having the wherewithal to fully compensate users.

The cryptocurrencies taken in the hack are now listed as:

  • Bitcoin (BTC): 6,929 lost out of 14,782 held
  • Ether (ETH): 23,210 lost out of 32,262
  • Pirate Chain (ARRR): 3,924,082 lost out of 9,619,754
  • Verus Coin (VRSC): 414,154 lost out of 852,726
  • Komodo (KMD): 1,066 lost out of 48,015

The site said users who saw losses must apply for their partial refunds. The bitcoin and ether stolen were valued at around $72.5 million at press time.

Customers of the exchange will need to get their applications in quickly, with the exchange saying: “Refunds will begin on February 10, 2020, and end on May 8, 2020; after this date it will no longer be possible to request a refund as the Altsbit platform will be terminated.”

Black-hat hacking group LulzSec appears to have claimed responsibility for the theft on its Twitter feed, saying: “We assure that @altsbit didn’t had (sic) proper security to stop Lulz Canon. Many others to follow. Better Stack up the Security – Note to other Exchanges.”

The group, a number of whose members have been arrested, has been linked to previous major hacks including one of Sony Pictures in 2011.

Altsbit had only launched as a rebranded service (though it’s not clear what it had rebranded from) in October, offering a “roadmap” that comprised a brief list of objectives with “Adding user security functions” coming in last as item number five, (via Coin Desk).

Monroe’s Musings: This attack should be a further clarion call to crypto firms of all stripes – miners, exchanges and entities engaged in initial coin offerings (ICOs) – that they are targets for illicit groups across the spectrum of crime.

Hacking groups love doing exactly what happened here: crippling and crushing an operation, stealing the money and bragging about it online.

Criminal groups in recent years have more aggressively been trying to swim their fiat financial assets into the virtual world to obfuscate money trails and make identification by AML teams and international investigators more difficult.

So, not surprisingly, if bad guys can skip a step and grab cryptocurrencies at the source, even better.

At the same time, countries like North Korea have created dedicated, state-backed hackers to break into as many virtual vaults as possible to steal and move crypto coins in a bid to evade U.S. sanctions that have made the recalcitrant regime radioactive to most financial institutions.

The key takeaway: If you are an exchange or work with managing, creating or moving crypto coins, consider upping your spending on cybersecurity, just as you work to adopt anti-money laundering best practices to create a holistic risk and threat control matrix against all areas of criminal infiltration.

SECURITIES/CRYPTOCURRENCIES: STRONGER ENFORCEMENT COMING, INFORMATION SHARING NEEDED

Securities sector not sharing information to same degree as banks, social media firms creating crypto need strong AML: FinCEN

A top official from the country’s financial crime compliance watchdog stated that the securities sector is broadly failing to share information on potential threats to the same degree as banks, adding as well that social media companies crafting crypto coins must bake in strong compliance countermeasures.

Those are two of the key points made by Jamal El-Hindi, Deputy Director of the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), the administrator of the country’s anti-money laundering rules, at the Securities Industry and Financial Markets Association’s (SIFMA) 20th Anti-Money Laundering (AML) and Financial Crimes Conference.

El-Hindi highlighted that a much smaller percentage of trading firms take advantage of the powers and safe harbors of Patriot Act Section 314(b), which allows certain financial institutions to share information on individuals suspected of money laundering and terrorist financing and, in the eyes of many, precursor crimes, including fraud.

It’s also clear FinCEN is concerned about one of the murkiest areas of the securities arena: omnibus accounts.

Depending on the at-times attenuated structures in the broker-dealer field, certain accounts can have blind spots. For instance, omnibus accounts allow for “managed trades of more than one person, and allows for anonymity of the persons in the account.”

In addition, FinCEN, while not naming individual companies, is clearly cognizant of efforts by social media giants, like Facebook, to create their own cryptocurrencies and the potential for criminals to flock to a new technology that could move money quickly, easily, internationally and in amounts so low they would barely catch a wary glance from compliance teams.

The bureau has also worked closely with sector standard-setter, the Paris-based Financial Action Task Force (FATF), to create stronger requirements for crypto firms to identify, review and risk-rate users – and create a mechanism to share that information with related exchanges and even brick-and-mortar banking connections in the real world, dubbed by the industry as the crypto “Travel Rule.”

The areas highlighted by El-Hindi give a glimpse of regulatory compliance focal points to come and current vulnerabilities being exploited by illicit actors.

Here are some snapshots:

Information sharing between trading firms

The complexity of the transactions and relationships in your space present a challenge to transparency.

And when we talk about the concept of “knowing your customer,” we have to recognize that the culture of any highly competitive industry may discourage sharing customer information for the purpose of anti-money laundering or other financial crime prevention, when it could result in potentially losing a customer to a competitor.

I think that this dynamic continues to make your sector challenging from an AML regulatory perspective. 

Currently, about 40 percent of depository institutions are registered to participate in business-to-business information sharing through the 314(b) program. By comparison, only 14 percent of all entities in the securities sector that are eligible to register for this important information sharing mechanism do so.  

Here is my question to you:  Does this lower registration rate reflect a culture that is more fearful of information sharing in your competitive environment?  

We are hopeful that at a time when we are all recognizing the importance of appropriate information sharing, your businesses will work toward the sharing of more information with one another, either bilaterally or through associations under 314(b), to root out illicit activity, while at the same time figuring out how to protect the information you share from being used to steal each other’s customers.  

Information sharing between regulators, investigators

FinCEN has always promoted such coordination and continues to do so. This is particularly important given that enforcement initiatives and heightened compliance in one part of the financial sector may result in illicit activity migrating to other sectors.  

We have seen bad activity migrate from the banking sector to the capital markets. We also have seen migration of bad activity from your sector to the banking sector.

Only through cross-agency coordination on these issues can each regulator do its best to advise and supervise its constituents.

Recently, staff at FinCEN, the SEC, and FINRA got together with the banking regulator staff to discuss the potential migration of specific illicit activity to the banking sector as a result of greater scrutiny by the securities regulators with respect to offshore brokers attempting to use omnibus accounts for illicit purposes.  

It is an example of the type of cross-regulator awareness and focus necessary to keep up with the various new ways in which illicit actors are trying to abuse the financial system. 

Crypto AML duties

Let me take this opportunity to emphasize that actors working in these new systems for moving value are subject to the same AML principles and requirements as other financial institutions. 

Social media and messaging platforms and others now focusing on the establishment of cryptocurrencies cannot turn a blind eye to illicit transactions that they may be fostering.  

As we’ve said on other occasions, to the extent that the financial sector chooses to move forward with the opportunities that some of these emerging systems present, we are not going to allow it to slide backward on the protections and appropriate transparency that we have collectively worked so hard to weave into the financial system. 

We will judge emerging financial institutions on whether and how they make their systems resilient to, and report on, money laundering, terrorist financing, sanctions evasion, human and narco-trafficking, and other illicit activity.

Make no mistake about it, whether it is through existing rules and guidance or future rules and guidance, we will regulate in this space consistent with the existing principles underlying the BSA/AML regime.  

Industry will have to develop its new products and services to ensure appropriate transparency for law enforcement and national security purposes. And where that doesn’t happen, we have the ability to protect our financial system, (via FinCEN). 

Monroe’s Musings: FinCEN is under intense pressure to better uncover and address gaps in the country’s overall defenses.  

These include gaps in AML regulations, public and private information sharing, bespoke intelligence gathering and law enforcement investigations support, one of FinCEN’s key duties in managing the database where all suspicious activity and currency transaction reports reside.

However, FinCEN must also work with other federal regulators and investigators in key financial sectors, such as securities, an area that over the last decade has been ripe for stock fraudsters, penny stock purveyors and Ponzi schemers large and small.

SECURITIES: FINRA SHIFTS FOCUS TO DIGITAL ASSETS

Finra to focus on crypto assets, cyber risks, shifts away from fraud, AML, penny stocks, in 2020 exam priorities

The self-regulatory sentinel of the U.S. securities sector is making a more concerted effort in 2020 to focus on how the various parties in what can be very attenuated securities transactions create, move and market crypto-tinged assets and better defend against more creative and aggressive cyber threats.

That is a marked change by the Financial Industry Regulatory Authority (Finra), which in 2019 stated it would be giving more emphasis to anti-money laundering (AML) compliance, penny stock frauds and scammers targeting the elderly – with one of the few overlapping “Risk Monitoring and Examination Priorities” being cyber defense, resilience and recovery.

Finra has also not touched on where and how securities operations should handle stocks tied to the cannabis industry, which is legal in 11 states for adults over the age of 21, and legal for medical use in 33 states, according to media reports. 

Here is a sampling of Finra’s key exam focus areas:

  • No texting: Communications with the public, with a focus on private placement retail communications and communications via digital channels;
  • When securities add liquidity: Cash management and bank sweep programs;
  • Controlling who is in control: Direct market access controls;
  • Executive decisions: Best execution;
  • Who, what, where, when: Disclosure of order routing information; and
  • Enemies at the virtual gates: Cybersecurity

These focus areas differ markedly from 2019.

In 2019, Finra gave added scrutiny to anti-money laundering, micro-cap fraudsters and gopher scammers that popped up again and again to swindle victims, particularly the elderly – with an overlap this year and last on a need for firms to bolster cyber protections.

Some of the more loudly stated 2019 exam priorities included:

  • AML.
  • Fraud, including microcap fraud.
  • Private securities transactions and private placements.
  • Insider trading and market manipulation.
  • Data quality and governance.
  • Recordkeeping.
  • Risk management and supervision.
  • Recidivist brokers and firms with checkered pasts.

CDD and SAR reviews

As well, in 2019 Finra stated it would assess firms’ compliance with FinCEN’s new Customer Due Diligence (CDD) rule, called the beneficial ownership rule, which became effective on May 11, 2018.

The CDD rule requires that firms identify beneficial owners of legal entity customers, understand the nature and purpose of customer accounts, conduct ongoing monitoring of customer accounts to identify and report suspicious transactions and, on a risk basis, update customer information.

Finra also stated it would focus on the data integrity of those suspicious activity monitoring systems, as well as the decisions associated with changes to those systems.

Increasing exam oversight, firm accountability

Apart from exam focus areas, Finra has made some key updates to how it examines firms overall.

Another major change for Finra in 2020 is trying to add more efficiency and accountability to exams by requiring a single designated point person to be responsible for coordinating between the various entities in a trading chain, including on issues tied to AML and counter-fraud efforts.

In short, Finra has integrated three different examination programs into a single framework “designed to better direct and align examination resources to the risk profiles and business models of member firms.”

As part of the new program, all Finra member firms are grouped into one of five main firm business models: Retail, Capital Markets, Carrying and Clearing, Trading and Execution, and Diversified.

Each of these groupings has several sub-groups to more precisely categorize firms with similar business models and activities.  

In addition, each firm will be “assigned a single point of accountability, a senior leader who has ultimate responsibility for the ongoing risk monitoring, risk assessment, planning and scoping of examinations tailored to the risks of the firm’s business activities.”

This consolidation will “enhance the effectiveness of our risk monitoring and examination activities, enabling us to better serve our mission,” Finra said.

The securities and futures sectors include a “very complex group of inter-related parties handling various aspects of your transactions,” according to recent comments from FinCEN, related to financial crime and compliance in various sectors. 

“Different entities wear different hats at different times, depending on the types of activities,” said the official. “FinCEN’s regulations in this space, then and now, only reference broker-dealers, mutual funds, introducing brokers in commodities, and futures commission merchants.”

But those broad categories cover an “amazingly complex set of relationships. Introducing firms, clearing firms, primary brokerages, executing dealers, transfer agents, give-up agreements, piggy-backing arrangements, and more,” (via Finra).

Monroe’s Musings: As the AML compliance community fretted in recent years over the rising specter of individual liability at banks – a small number of top fincrime compliance officers were named, shamed and even fined in enforcement actions – Finra was actually years ahead in that regard.

In many AML actions in recent years, Finra sanctioned and penalized a panoply of top officials, from presidents to CEOs, CCOs to AML officers, when the failures were egregious, in some cases where the fincrime compliance officer tasked with holding the line was actively involved in the fraudulent acts – a rare act for an overall passionate and dedicated community of professionals.

And it appears they could be moving that way again for firms that attempt to create and sell crypto-tied assets, also called initial coin offerings (ICOs). Both U.S. and international watchdog groups, like FATF, have noted that virtual value is subject to AML rules.

As well, the securities sector also broadly is subject to AML obligations. So both sectors – securities and crypto – need to review where they overlap on AML to better work together and prevent criminals and fraudsters from gaming the system.

CYBERSECURITY: CHINA BEHIND HISTORIC EQUIFAX BREACH

U.S. charges four Chinese military members in connection with 2017 Equifax hack

The Justice Department has charged four members of the Chinese military with a 2017 hack at the credit reporting agency Equifax, a massive data breach that compromised the personal information of nearly half of all Americans.

In a nine-count indictment filed in federal court in Atlanta, federal prosecutors alleged that four members of the People’s Liberation Army hacked into Equifax’s systems, stealing the personal data as well as company trade secrets.

Attorney General William P. Barr called their efforts “a deliberate and sweeping intrusion into the private information of the American people.”

The 2017 breach gave hackers access to the personal information, including Social Security numbers and birth dates, of about 145 million people.

Equifax last year agreed to a $700 million settlement with the Federal Trade Commission to compensate victims. Those affected can ask for free credit monitoring or, if they already have such a service, a cash payout of up to $125, although the FTC has warned that a large volume of requests could reduce that amount.

At a news conference announcing the indictment, Barr said China has a “voracious appetite” for Americans’ personal information, and he pointed to other intrusions that he alleged have been carried out by Beijing’s actors in recent years, including hacks disclosed in 2015 of the health insurer Anthem and the federal Office of Personnel Management (OPM), as well as a 2018 hack of the hotel chain Marriott.

Those charged with the Equifax hack are Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei. Officials said they were members of the PLA’s 54th Research Institute.

According to the indictment, in March 2017, a software firm announced a vulnerability in one of its products, but Equifax did not patch the vulnerability on its online dispute portal, which used that particular software.

In the months that followed, the Chinese military hackers exploited that unrepaired software flaw to steal vast quantities of Equifax’s files, the indictment charges.

Officials said the hackers also took steps to cover their tracks, routing traffic through 34 servers in 20 countries to hide their location, using encrypted communication channels and wiping logs that might have given away what they were doing, (via The Washington Post).

Monroe’s Musings: This story is yet another tale in the skirmish between cyber assassins and virtual vaults revealing that a simple mistake – failing to update something quickly enough – can lead to massive, devastating breaches that put the information and the digital lives of millions at risk.