The same criminal, says the US Treasury’s Financial Crimes Enforcement Network.
That’s why FinCEN wants financial firms to include information on cybersecurity events or breaches on their suspicious activity reports (SARs). Doing so will keep the financial firm on heightened alert about cybersecurity events or breaches, and it gives law enforcement enough information to catch the bad guys. Case in point: SARs filed in 2014 helped FinCEN and the US Federal Bureau of Investigation trace the fraudulent withdrawal of about US$7 million from a Florida bank account to criminal groups in Russia and Ukraine. Ultimately, the US uncovered that the criminals had unleashed the Zeus botnet virus.
FinCEN’s decision, announced in a recent advisory, sounds logical. Individuals or firms which conduct money laundering or other illegal activities can do so by breaching or trying to breach a firm’s security walls. Yet figuring out how to incorporate information on attempted or successful cybersecurity breaches onto a SAR isn’t as easy as it sounds. A financial firm can’t simply cut and paste information from a cybersecurity report onto a SAR.
“Financial firms must readjust business processes and systems so that the anti-money laundering department is in lockstep with IT security,” says Timothy Ryan, a partner in the fraud investigations and dispute services practice at EY in New York. “Although the goal of the two departments is the same — to catch the bad guys — historically they haven’t talked to one another.” The reason: the AML department is responsible for catching fraudulent financial transactions, so its work falls under the jurisdiction of the compliance and general counsel’s office. The cybersecurity department is responsible for protecting the firm’s network and firewalls, so it reports to the chief information officer.
In its new advisory, FinCEN urges financial firms to share information internally among all their AML, cybersecurity, fraud prevention teams and other affected units to improve the quality of reporting on SARs and create a strong culture of compliance. FinCEN’s plea underscores prior warnings to financial institutions against creating “communication silos” as indicated in a 2014 advisory.
“The financial firm’s compliance department will need to create an automated process whereby the cybersecurity department alerts the AML department to a cyberevent or cyber-enabled crime and provides the required information,” says Debra Geister, a manager with Navigator Consulting Group, a St. Cloud, Minnesota-based regulatory compliance and operations consultancy. “Likewise, the AML department needs permission to ask the cybersecurity department for the necessary information.”
FinCEN defines a cyberevent as an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources or information. By contrast, cyber-enabled crime represents actual illegal activity, such as fraud, money laundering or identity theft, carried out or facilitated by electronic systems and devices such as networks and computers.
As its name suggests, a suspicious activity report (SAR), filed to comply with the requirements of the US Bank Secrecy Act (BSA), is meant to alert the US Treasury that a client of the bank is acting in a “suspicious way” that the financial firm thinks could be illegal. Suspicious activity includes transactions involving money derived from criminal activity, transactions designed to evade the requirements of the BSA, and transactions that appear to serve no purpose. The financial firm files a SAR after investigating whether the client’s transactions with the bank deviate from its profile for no good reason. The majority of alerts generated by transaction monitoring and other systems end up being false alarms.
The subset of financial institutions required to detect and file SARs is quite broad and includes banks, broker-dealers and mutual funds. Typically, the transaction or series of transactions must involve at least US$5,000, but the minimum threshold differs depending on the type of financial institution. Money services businesses, for example, have a US$2,000 transaction threshold. A financial institution can also always file a SAR voluntarily, regardless of the transaction amount or whether it falls within that subset of financial institutions; this is called an affirmative SAR filing.
“The problem with incorporating any old information on a potential cybersecurity breach or potential breach into a report is that the financial firm must tie together the actual suspicious activity with the cybersecurity breach or event,” says Geister. “It can’t always do so, nor can it immediately know the amount of the damage or potential damage.” The US$5,000 threshold for filing the SAR would be the value of customer funds at risk based on the information targeted by the cyberintrusion.
The financial damage or potential damage related to cyberevents is far more difficult to quantify than that of actual cyber-enabled crimes. “Financial firms may have been reporting criminal activity, including cyber-related crimes on their SARs, but they were not previously required to report cyberevents,” explains Kathleen Nandan, co-chair of the AML and trade sanctions team at law firm Reed Smith in Pittsburgh. “It may be impossible to determine whether the cyberevent involved a financial transaction or attempted transactions or even whether a financial loss occurred at all.”
She offers the following scenario as one example: in a cyberevent related to “distributed denial of service,” hacktivists might be flooding a bank’s servers with message traffic to make a political point. Alternatively, they could be doing so to mask a crime, such as committing theft when the bank is most vulnerable. Yet another scenario: a cyber-thief has accessed a bank’s network and stolen personal identification numbers. Those PINs do have a monetary value which the financial firm might not be able to immediately calculate.
Ultimately, financial firms may have to make a judgement call as to whether the suspicious activity in the SAR was the result of a cybersecurity breach or event. To play it safe, they will likely err on the side of saying it was rather than it wasn’t, several legal experts tell FinOps Report.
Potentially, the most difficult part of filling out the SAR will be figuring out the electronic footprint of the actual criminal. The footprint means the actual IP addresses involved with timestamps, virtual wallet information, and device identifiers. FinCEN believes that IP addresses and other cyber information can be helpful in detecting cyberattacks, identifying the source of cyberattacks and identifying cyberactors conducting illicit financial activities, such as theft, identity theft and tax refund fraud. So far, only two percent of SARs filed with FinCEN contain IP address information, by FinCEN’s estimates.
Why so few? “Although some cybersecurity systems and tools might capture this type of information in logs, some do not,” says Ryan. “Even if they do include the IPs in logs, they might not be configured to efficiently pull, aggregate and report relevant information to analysts about the IPs of the actual criminals.”
Why? The answer isn’t as simple as extracting IP addresses and website domains from logs, explains Ryan. First, some context is required to determine whether indicators captured in logs are part of an attacker’s activity. Some malware uses non-malicious infrastructure. “The malware could be embedding command and control information in a public website,” says Ryan. “The public website itself is not malicious and will usually have legitimate traffic flowing to it. Creating rules that include that website will trigger many false positives.” Therefore, further analysis is required to properly identify indicators as part of an attacker’s infrastructure so that signatures are properly tuned to find related activity. Yet another problem, notes Ryan, involves data retention: if a financial firm retains logs for only short periods of time, it will be hard for it to reconstruct what happened.
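To illustrate the aggregation problem Ryan describes, here is an added example (not code from FinOps Report, EY, or any firm quoted) that correlates a flagged transaction with constructed access-log lines and assembles the IP, device identifier and timestamp indicators a SAR asks for. It holds back a constructed shared benign host rather than listing it as an indicator, and reports a gap when the transaction falls outside an assumed 30-day log-retention window; the log format, account numbers and IP addresses are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real data): time, account, IP, device
ACCESS_LOG = [
    "2016-10-20T14:01:10Z acct=1001 ip=198.51.100.7 dev=dev-a1",
    "2016-10-20T14:03:55Z acct=1001 ip=198.51.100.7 dev=dev-a1",
    "2016-10-20T14:05:02Z acct=1001 ip=203.0.113.9 dev=dev-b2",
    "2016-10-20T14:30:00Z acct=1001 ip=192.0.2.44 dev=dev-c3",
    "2016-10-20T16:20:00Z acct=2002 ip=203.0.113.9 dev=dev-b2",
    "2016-10-21T09:00:00Z acct=1001 ip=198.51.100.7 dev=dev-a1",
]
# Constructed: a public, non-malicious host of the kind an attacker might abuse
# to stage command-and-control data. Reporting it as an indicator would only
# generate false positives, so it is set aside for analyst review instead.
SHARED_BENIGN_HOSTS = {"192.0.2.44"}
RETENTION = timedelta(days=30)   # assumed log-retention window
FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse(line):
    """Turn one constructed log line into a dict with a datetime timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, FMT)
    return rec

def sar_indicators(account, tx_time, window_hours=1, now="2016-10-25T00:00:00Z"):
    """Collect IP/device/timestamp indicators tied to `account` around a flagged
    transaction, or report that the relevant logs were not retained."""
    tx = datetime.strptime(tx_time, FMT)
    if datetime.strptime(now, FMT) - tx > RETENTION:
        return {"status": "gap", "reason": "logs older than retention window"}
    window = timedelta(hours=window_hours)
    hits, held = {}, set()
    for rec in map(parse, ACCESS_LOG):
        if rec["acct"] != account or abs(rec["ts"] - tx) > window:
            continue
        if rec["ip"] in SHARED_BENIGN_HOSTS:
            held.add(rec["ip"])          # needs context before it is reportable
            continue
        key = (rec["ip"], rec["dev"])
        first, last, n = hits.get(key, (rec["ts"], rec["ts"], 0))
        hits[key] = (min(first, rec["ts"]), max(last, rec["ts"]), n + 1)
    return {"status": "ok",
            "indicators": [{"ip": ip, "device": dev, "count": n,
                            "first_seen": f.strftime(FMT),
                            "last_seen": l.strftime(FMT)}
                           for (ip, dev), (f, l, n) in sorted(hits.items())],
            "needs_analyst_review": sorted(held)}
```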
What if a financial firm can’t track down the individual IPs that FinCEN wants? Ryan suggests that firms make a best effort to rejigger their cybersecurity systems to do so. “You don’t want to be one of the financial firms not disclosing the IP attributes,” he cautions. The reason, bank compliance managers tell FinOps: advisories, practically speaking, carry a lot of weight and are used to justify probing questions in regulatory exams.
Geister suggests that when in doubt, the financial firm should contact its own examiner for guidance. “The regulatory agency might not say exactly what should be included in a specific SAR report but it could explain what types of information it will scrutinize during its exam,” she says.