Fintrac prescriptive in STR guidance, sector red flags, OSFI updates on cyber incident reporting
Monday, January 28, 2019
Posted by: Brian Monroe
Two of Canada’s financial regulators have called on banks to be more aware and detailed when investigating and filing on potential illicit activity, and to report materially damaging hacks and cybersecurity incidents with more urgency, depth and timeliness.
Canada’s financial intelligence unit (FIU), Fintrac, recently released a host of guidance pieces to help financial institutions better understand when, how and if they should file a suspicious transaction report (STR) when faced with certain classic and emerging red flags related to money laundering and terrorist financing.
The three pieces of guidance include:
· What is a suspicious transaction report.
· Reporting suspicious transactions to Fintrac.
· Money laundering and terrorist financing indicators, which is laid out by sector.
The industry red flags list nearly a dozen sectors subject to anti-money laundering (AML) compliance reporting obligations, including accountants, notaries, casinos, money services businesses and securities dealers. A major missing piece: attorneys.
The documents spell out critical details of what can be a frenzied, fraught and subjective process, and one that is easily the area regulators scrutinize most closely when reviewing overall compliance with federal AML programs. Among them: the threshold for filing is “reasonable grounds” to suspect, not every aberrant transaction.
In that same vein, Fintrac states that the STRs with the most value are those with greater depth and detail, information with higher intelligence potential for law enforcement – the end user and customer of the country’s AML efforts.
Such a balancing act can be difficult for banks under intense pressure to file quickly and “defensively” to avoid regulatory chastisement that an STR wasn’t filed fast enough, or wasn’t filed at all.
Fintrac states that the decision to file an STR is based on a “combination of facts, context and ML/TF indicators,” including weak or missing customer data; transactions outside the scope of the customer’s stated business or touching risky regions outside Canada; and dealings with shell companies that have opaque ownership structures and circuitous, unneeded third parties.
The guidance is a clear response to criticism Fintrac has faced in recent years that it has not been cracking down on lax AML compliance or marshalling its analytical resources against major financial crime threats.
As a result, Fintrac is starting 2019 with a strong, prescriptive and extensive statement on what all entities subject to AML rules should be doing in their compliance programs.
For many years, Canada’s banking regulators and Fintrac itself have been criticized for not taking an aggressive enough approach to laying out AML compliance standards and expectations, examining and publicly citing scofflaws and aggressively penalizing lax compliance.
Though many watchdog groups have decried such a lax approach in the formal banking sector, the regulatory oversight stumbles came to a head in recent years in the casino industry, where Chinese and other foreign criminal networks built and ran schemes to launder money through Vancouver and other regional gaming hubs – so much so that the practice was dubbed the “Vancouver Model.”
Not surprisingly, Canada, Fintrac and its regulators are in the process of changing perceptions of the country’s financial crime and compliance regime – with the guidance setting the tone.
OSFI releases advisory to increase depth, speed of cyber reporting for ‘material’ incidents
Canada’s other banking supervisory authority also released updated guidance on what and how to report when an institution suffers a material data breach or cybersecurity incident that impairs banking technologies and related systems, with a tight turnaround of roughly two months for institutions to update their policies accordingly.
The Office of the Superintendent of Financial Institutions (OSFI) last week released a missive on “Technology and Cyber Security Incident Reporting,” exhorting federally-regulated financial institutions (FRFIs) to more quickly and completely report cyberattacks, data breaches and incursions that knock out some or all banking systems, slowing or even halting normal operating procedures.
The advisory defines a technology or cyber security incident as one that has the “potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information.”
Events of a “high or critical severity level” should be treated with more urgency and reported directly to OSFI – in short, events that go on for extended periods, expose large numbers of customers or sensitive account details, or are the latest in a series of high-profile data breaches.
Institutions also face a relatively tight deadline of March 31 to update their cyber policies, procedures and reporting mechanisms.
The move comes in response to record cyber-attacks in recent years that have cumulatively cost banks tens of billions of dollars annually.
Large domestic and foreign banks have responded, in some cases allocating more than $1 billion a year to counter hackers, hacktivists and opportunistic organized criminal groups. In tandem, criminals are more aggressively and creatively engaging in “cyber-enabled” frauds, such as business email compromise (BEC) attacks.
These incursions use phishing and spear-phishing to probe bank systems and staff, in certain cases bypassing technical cybersecurity protections entirely by, say, impersonating a top banking official and ordering wire room staffers to change payment instructions for a wealthy client or company – instructions later found to have come from fraudsters.
A reportable incident may have any of the following characteristics:
- Significant operational impact to key/critical information systems or data;
- Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
- Significant operational impact to internal users that is material to customers or business operations;
- Significant levels of system / service disruptions;
- Extended disruptions to critical business systems / operations;
- Number of external customers impacted is significant or growing;
- Negative reputational impact is imminent (e.g., public/media disclosure);
- Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
- Significant impact to a third party deemed material to the FRFI;
- Material consequences to other FRFIs or the Canadian financial system;
- A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.
Initial Notification Requirements
The advisory also states that an FRFI must notify its Lead Supervisor as promptly as possible, and no later than 72 hours after determining that a Technology or Cyber Security Incident meets the incident characteristics set out in the guidance.
FRFIs are expected to notify their Lead Supervisor as well as TRD@osfi-bsif.gc.ca.
When reporting a Technology or Cyber Security Incident to OSFI, a FRFI must do so in writing (Electronic/Paper). Where specific details are unavailable at the time of the initial report, the FRFI should indicate ‘information not yet available.’ In such cases, the FRFI should provide best known estimates and all other details available at the time.
Details to report include the following:
- Date and time the incident was assessed to be material;
- Date and time/period the incident took place;
- Incident severity;
- Incident type (e.g. DDoS, malware, data breach, extortion);
- Incident description, including:
- known direct/indirect impacts (quantifiable and non-quantifiable) including privacy and financial;
- known impact to one or more business segment, business unit, line of business or regions, including any third party involved;
- whether incident originated at a third party, or has impact on third party services, and
- the number of clients impacted.
- Primary method used to identify the incident;
- Current status of incident;
- Date for internal incident escalation to senior management or Board of Directors;
- Mitigation actions taken or planned;
- Known or suspected root cause;
- Name and contact information for the FRFI incident executive lead and liaison with OSFI.
OSFI advisory follows in U.S. regulatory footsteps
The advisory also follows moves by the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), the country’s financial intelligence unit, to call out the rising risks and red flags tied to BEC attacks.
The Canadian advisory also mirrors certain overall goals of the cyber regulations that recently took effect in New York under the state’s Department of Financial Services, including laying out best practices for cyber defense frameworks and timetables for resilience, recovery and reporting of incidents.
Follow-on reporting requirements
OSFI expects FRFIs to provide regular updates (e.g. daily) as new information becomes available, and until all material details about the incident have been provided.
Depending on the severity, impact and velocity of the incident, the Lead Supervisor may request that a FRFI change the method and frequency of subsequent updates.
Until the incident is contained/resolved, OSFI expects FRFIs to provide situation updates, including any short term and long term remediation actions and plans.
Following incident containment, recovery and closure, the FRFI should report to OSFI on its post incident review and lessons learned.
The advisory also includes an appendix of example scenarios:
The following table provides some examples of reportable incidents, but should not be considered an exhaustive list.
Scenario: Account takeover botnet campaign is targeting online services using new techniques; current defences are failing to prevent customer account compromise
Characteristics:
- High volume and velocity of attempts
- Current controls are failing to block attack
- Customers are locked out
- Indication that accounts have been compromised
Service Availability & Recovery
Scenario: Technology failure at data center
Characteristics:
- Critical online service is down and alternate recovery option failed
- Extended disruption to critical business systems and operations
Third Party Breach
Scenario: A material third party is breached; FRFI is notified that third party is investigating
Characteristics:
- Third party is designated as material to the FRFI
- Material impact to FRFI data is possible
Scenario: FRFI has received an extortion message threatening to perpetrate a Cyber attack (e.g., DDoS for Bitcoin)
Characteristics:
- Threat is credible
- Probability of critical online service disruption