Compliance Update with Amy K
by Amy Kleinschmit, Chief Compliance Officer
2021 FinCEN Director’s Law Enforcement Awards Program
The Financial Crimes Enforcement Network (FinCEN) recently honored recipients of the 2021 FinCEN Director’s Law Enforcement Awards Program, which recognizes agencies that use Bank Secrecy Act data to “successfully pursue and prosecute criminal investigations.” Case summaries can be found here and highlight just some of the ways law enforcement used BSA data, but here is one that caught my attention:
COVID-19 FRAUD: Federal Bureau of Investigation
The Federal Bureau of Investigation and the Small Business Administration Office of Inspector General initiated an investigation into the submission on behalf of five businesses of fraudulent Paycheck Protection Program (PPP) loan applications for approximately $800,000 each. BSA data played an integral role in identifying numerous leads on subjects associated with the fraud and to identify the flow of fraudulent funds. The BSA records also helped uncover a separate scheme by the main subjects of the investigation involving fraudulent auto loans.
Authorities seized a vehicle valued at $125,000, jewelry, over $120,000 in cash, and over $3 million from 10 bank accounts. The defendants were charged with conspiracy to commit bank fraud, wire fraud, false statements to a financial institution, and money laundering. The United States Attorney’s Office, Northern District of Georgia is prosecuting this case.
BSA Priorities
The Anti-Money Laundering Act of 2020 (AML Act) requires the Secretary of the Treasury, in consultation with several other agencies, to establish and make public priorities for anti-money laundering and countering the financing of terrorism policy (AML/CFT Priorities). FinCEN recently issued these priorities, which are explained in more detail here. Briefly, these priorities are: (1) corruption; (2) cybercrime, including relevant cybersecurity and virtual currency considerations; (3) foreign and domestic terrorist financing; (4) fraud; (5) transnational criminal organization activity; (6) drug trafficking organization activity; (7) human trafficking and human smuggling; and (8) proliferation financing.
FinCEN will issue regulations at a later date that will specify how financial institutions should incorporate these priorities into their risk-based AML programs. The AML Act requires that, within 180 days of the establishment of the AML/CFT Priorities, FinCEN must issue regulations regarding the above-listed AML/CFT Priorities.
At the same time, NCUA joined an interagency statement regarding the issuance of these priorities, which can be found here. NCUA plans to revise its BSA regulations, as necessary, to address how the AML/CFT Priorities will be incorporated into credit unions’ BSA requirements.
Note that credit unions are not required to incorporate the AML/CFT Priorities until the effective date of the final revised regulations. HOWEVER, in anticipation of those final rule changes, consider beginning the process now of deciding how your credit union will incorporate the Priorities into your BSA program, such as by assessing the potential related risks associated with the products and services offered, the members/customers served, and your geographic areas.
IT – Updated Exam Procedures
Recently, the Federal Financial Institutions Examination Council (FFIEC) issued a new booklet in the FFIEC Information Technology Examination Handbook series, titled “Architecture, Infrastructure, and Operations.” This replaces the 2004 “Operations” booklet and “provides examiners with fundamental examination expectations regarding architecture and infrastructure planning, governance and risk management, and operations of regulated entities.”
As pointed out when there were previous updates to examiner guides, this is like getting the questions before the test. Be sure to review the booklet and confirm that your IT systems meet these expectations.
The updated booklet can be found here. Significant changes include the addition of new architecture, infrastructure, and emerging technology sections, including cloud computing, to the narrative. Cybersecurity is incorporated throughout the booklet as a consideration for all technology employed by entity management, whether managed internally or contracted from a third-party service provider.
Within the narrative, the FFIEC developed a new section on governance and the common risk management elements of architecture, infrastructure, and operations (AIO), as well as sections covering the specific risks applicable to architecture, infrastructure, and evolving technologies.
In the Common AIO Risk Management Topics section, the updated booklet includes risk management discussions covering the risks that affect each of the entity’s AIO functions.
In the Architecture section, there are new discussions relating to strategic planning of the IT architecture design so that it integrates with the business functions of the enterprise and provides for service delivery to customers. In the Infrastructure section, the FFIEC included sections on hardware, network and telecommunications, software, environmental controls, and physical access controls. The Operations section was updated to address key operational principles in IT environments. The booklet added discussions of operational controls, IT operational processes, service and support processes, and ongoing monitoring and evaluation processes.
Beware of Scams
The IRS recently issued IR-2021-137 in its “Dirty Dozen” scam series, warning taxpayers to watch out for unexpected schemes in the form of emails, text or social media messages, and phone calls. Be sure to share these scams with staff and members to help everyone avoid becoming the victim of one of these scams. A number of scams are discussed at the link above, but to highlight just a few points:
Social media scams continue.
Social media enables unscrupulous individuals to lurk on accounts and extract personal information to use against the victim. These cons may send emails impersonating the victim's family, friends or co-workers. The basic element of social media scams is convincing a potential victim that he or she is dealing with a person close to them that they trust via email, text or social media messaging.
Using personal information, a scammer may email a potential victim and include a link to something of interest to the recipient, but which contains malware intended to commit more crimes. Scammers also infiltrate their victim's emails and cell phones to go after their friends and family with fake emails that appear to be real, and text messages soliciting, for example, small donations to fake charities that are appealing to the victims.
Individuals should know that any of their information that is publicly shared on social media platforms can be collected and used against them. One way to counter these scams is to review privacy settings and limit the data that is publicly shared.
Ransomware on the rise.
Financial institutions should be aware of trends and indicators of ransomware, which is a form of malicious software ("malware") designed to block access to a computer system or data. Access is often blocked by encrypting data or programs on information technology (IT) systems to extort ransom payments from victims in exchange for decrypting the information and restoring victims' access to their systems or data. In some cases, in addition to the attack, the perpetrators threaten to publish sensitive files belonging to the victims, which can be individuals or business entities.
The U.S. Treasury Financial Crimes Enforcement Network (FinCEN) has noted that ransomware attacks continue to rise across various sectors, particularly across governmental entities as well as financial, educational and healthcare institutions. Ransomware attacks on small municipalities and healthcare organizations have increased, likely due to the victims' weaker cybersecurity controls, such as inadequate system backups and ineffective incident response capabilities.
Cybercriminals using ransomware often resort to common tactics, such as wide-scale phishing and targeted spear-phishing campaigns that induce victims to download a malicious file or go to a malicious site. They may also exploit remote desktop protocol endpoints and software vulnerabilities or deploy "drive-by" malware attacks that host malicious code on legitimate websites. Proactive prevention through effective cyber hygiene, cybersecurity controls and other best practices is often the best defense against ransomware.
The consequences of a ransomware attack can be severe and far-reaching, with losses of sensitive, proprietary, and critical information and loss of business functionality. The role of financial intermediaries in facilitating ransomware payments, and thereby ransomware attacks, is a growing concern for the financial sector because of the critical role financial institutions play in the collection of ransom payments.
As always, DakCU members may contact Amy Kleinschmit at akleinschmit@dakcu.org with any compliance related questions or concerns.