In October 2016, the Financial Crimes Enforcement Network (FinCEN) published an advisory document with frequently asked questions concerning cyber-events and cyber-enabled crime to financial institutions.
When filing suspicious activity reports (SAR) it is important for financial institutions to review this FinCEN guidance, in order to receive key information as to what to include on the SAR. Some examples of the information are noted in the excerpt below:1
Source and destination information:
- IP address and port information with respective date timestamps in UTC
- Uniform Resource Locator (URL) addresses
- Known attack vectors
- Command and control nodes
- Filenames of files suspected to be infected with malware
- MD5, SHA-1, or SHA-256 hash information
- Email content
Subject user names:
- Email addresses related to suspicious activities
- Social media accounts/screen names related to suspicious activities
- System registry modifications
- Indicators of system compromise
- Common vulnerabilities and exposures
Involved account information:
- Potentially or actually affected account information
- Potentially or actually involved virtual currency accounts (case sensitive)
As a Bank Secrecy Act/anti-money laundering (BSA/AML) officer, venturing into the cybersecurity realm is often new or unfamiliar territory. Although the industry trend is that it is becoming increasingly necessary for BSA/AML officers to learn and understand more about technology and cyber threats, it is essential, given the guidance from October, to establish regular meetings between the BSA/AML team and the institution’s information security team.
Communication within the financial institution is key. It is also important that the BSA/AML team reviews the bank’s incident response plan addressing cyber-events and cyber-enabled crimes in order to establish the BSA/AML team’s role within the event handling process. Including the BSA/AML team enables all cyber-events to be properly reviewed for possible SAR filing. Tracking and reviewing cyber cases is important to identify common patterns and emerging trends related to suspicious activities. Understanding key similarities in those cases can be facilitated by leveraging case data analytics and aggregation tools. Providing this enhanced analysis and reporting to law enforcement can assist them in developing their cases and put the key pieces of a very complex puzzle together. Throughout the case your FI team would more than likely be working with law enforcement, so it is important to document at what point in the process would the bank file a SAR. Would it occur at the end of the investigation so that you can ensure that all of the information is gathered and organized? Or would it possibly be within 60 days of detecting the cyber-event? Also, what would your FI consider to be a reportable cyber-event? Would it be only if there is a loss to customers or the FI or if the cyber-event had a significant customer impact? Per the FinCEN guidance: “In determining whether a cyber-event should be reported, a financial institution should consider all available information surrounding the cyber-event, including its nature and the information and systems targeted. Similarly, to determine monetary amounts involved in the transactions of attempted transactions, a financial institution should consider in aggregate the funds and assets involved in or put at risk by the cyber-event.”
These are all items that should be discussed within the BSA/AML team and information security team to determine what your institution’s policy will be going forward. In making those decisions it is essential to document what decisions are made and who in the FI is responsible for what part.
When working through a case, try to gather as much information as possible from your information security team and from customers that may have been victims of a cyberattack. It is also advantageous to create a case collection form for collecting information specifically about cyber-events, in order to guide the information security team to capture the specific related information needed to complete the SAR reports. Obtaining as much information as possible enables the bank to effectively assist law enforcement in developing and pursuing their cases and identifying emerging industry trends.
Along with the cyber incident response plan, it is also important to create BSA/AML and fraud incident response plans for the separate business lines within the institution. These plans should complement each other and align upward to an enterprise-risk event and incident response plan that can better align with the institution’s business continuity plans.
The BSA/AML incident response plan should account for the BSA/AML team's role in addressing and documenting cyber and other high-risk events and incidents potentially resulting in regulatory action or monetary penalties.
In conclusion, it is important for all BSA/AML officers to review FinCEN’s advisory and to work with the institution’s information security team to develop effective plans for addressing and reporting on potentially adverse cyber-events. An effective program identifies, gathers and documents as much related information as possible for cyber-events that may occur at your institution. Finally, sharing this information with law enforcement, so that it may be used to more effectively develop their cases and identify industry trends, is partnership at its finest.
For information on how you can identify where your organization is most vulnerable to a cyber-attack, please visit: http://www.acams.org/cyber-enabled-crime-training/.
- “Frequently Asked Questions (FAQs) Regarding the Reporting of Cyber-Events, Cyber-Enabled Crime and Cyber-Related Information through Suspicious Activity Reports (SARs),” FinCEN, October 2016, https://www.fincen.gov/frequently-asked-questions-faqs-regarding-reporting-cyber-events-cyber-enabled-crime-and-cyber