Integrating Cyber Incidents Into Your Anti-Money Laundering (AML) Program

Cybersecurity has traditionally sat outside the standard anti-money laundering (AML) program, and many AML departments lack expertise in the area. Set that against the Financial Crimes Enforcement Network's (FinCEN) October 2016 cybersecurity guidance, and organizations now face the challenge of integrating cyber incidents into their AML programs. While cybersecurity is an extremely complex field, the AML portion can be distilled into a much leaner process. This article lays out a framework to consider when integrating cybersecurity into an AML program.

Seat at the Table

The first step in building a cyber program is to identify all relevant stakeholders within the organization. At minimum, this should include personnel from the AML, fraud, and information technology (IT) or information security (IS) teams. Outside of these core functions, key lines of business may be of assistance as well. For example, the individuals within the financial institution who govern the online banking system can access information such as the Internet Protocol (IP) addresses and geographic locations from which logins occurred. Incorporating such technical information, IP addresses and login geolocation among it, adds value to the investigation and the subsequent suspicious activity report (SAR) filing, and is an important part of the cyber-integration program.

Once key stakeholders have been identified, the next step is to collectively review the organization's current cybersecurity posture and threats. This is accomplished by developing a cyber-risk assessment. Depending on the organization's size, structure and risk appetite, this can be done formally or informally. The goal of the risk assessment is to identify the most common cyberthreats facing the organization, mitigate risks, identify accountable parties and develop action items. In most cases, the internal cybersecurity department will already have the necessary information and plans in place to monitor and track cyberthreats. The cyber-risk assessment helps identify the vulnerabilities within the organization and the integration points for the AML program.

Preventing Turf Wars

Initially, the cyber division may not clearly see the intersection of cybersecurity and threat finance, or the need for integration into the AML program. As part of this integration, it is important to reconcile the differing perspectives and motives of the cyber and AML divisions. This helps prevent turf wars within the organization and keeps key stakeholders focused on the larger goal. To execute this process, it is important to delineate and document clear lines of responsibility. Most financial institutions already have a robust cybersecurity program within the IT department, and it is not the role of the AML team to duplicate these efforts or take responsibility for cybersecurity. Rather, the AML department's role is to draw on the cyber team's expertise, leverage its work output and provide an effective workflow that brings cyber information into AML reporting.

Define the Behavior and the Process

Definitions are the key to setting up your cyber-reporting program. FinCEN provided the following three main definitions in their 2016 guidance:

  • “Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources or information.
  • Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.
  • Cyber-Related Information: Information that describes technical details of electronic activity and behavior, such as IP addresses, timestamps, and Indicators of Compromise (IOCs). Cyber-related information also includes, but is not limited to, data regarding the digital footprint of individuals and their behavior.” [1]

While these definitions provide a high-level overview of the types of cyber incidents, it is the organization's responsibility to operationalize them. For instance, will cyber-events and cyber-enabled crimes be reported by the same units? The organization has likely already established lines of responsibility for the types of fraud activity that AML will investigate and subsequently report. Key stakeholders should consider where cyber-events and cyber-enabled crime intersect with that existing framework and how they integrate into it. Furthermore, the types of cyber incidents that meet the threshold for reporting must be defined. For instance, if an employee's computer is infected by malware but the infection is automatically quarantined by an internal monitoring system, does this qualify as a reportable incident? These potential incidents are what the key stakeholders need to consider and define as part of the cyber program.

FinCEN's guidance states that the $5,000 threshold for SAR filing applies to cyber incidents as well; however, with cyber incidents the amount can be based on the funds that were at risk. There is no clear method for calculating the dollar amount at risk from a cyber incident. For certain cases, such as an email compromise that directs funds to be wired to a third party, the amount is fairly easy to calculate. In many other incidents it is not that simple. These are questions the organization will have to answer while setting up a cyber program. Other factors to consider are which types of supporting documentation will be retained, which individuals are accountable for gathering and transmitting data, and what cyber-investigation standards apply within the AML program. This discussion should occur, and the workflows should be documented and outlined, before an incident happens.

Internal Referral Process

The vast majority of cyber incidents will not be detected directly by an individual within the AML team. An internal referral process to the appropriate personnel within the AML department therefore needs to be established as the conduit for potential cyber-related suspicious activity. If a referral process already exists for other business lines, the recommended approach is to incorporate cyber referrals into that existing workflow rather than building a new process. Depending on the size and complexity of the AML department, it is recommended to centralize the cyber-related referral, investigation, disposition and filing with an individual or team, as a level of specialized knowledge is required to handle cyber-related cases.


As part of integrating cyber into the AML program, it is important to focus on training. Customized training should be conducted for AML personnel who will be reviewing referrals and handling, dispositioning or filing SARs on cyber-related matters. Customized training should also be established for the cyber team and key stakeholders, so that they understand not just the policies and procedures, but the role the cybersecurity program plays in maintaining an effective and compliant AML program and in combating money laundering and other organized crime.

SAR Reporting

FinCEN's guidance indicates that if a financial institution is aware of a cyber-event being used to facilitate suspicious activity, it is considered SAR reportable. The big difference between standard reportable suspicious activity and a cyber-event is that the cyber-event need not have actually succeeded. If it is determined that an attempt was made to conduct illicit activity via a cyber intrusion, consider reporting. Of course, what constitutes an attempt is left to internal definitions.

In addition to reporting on incidents that are traditionally considered cyber, such as malware infections or business email compromises, an important part of a cyber program is including technical information in SAR filings. This is the "cyber-related information" described by FinCEN. For technical incidents, this may include items such as malware filenames, attack vectors or device identifiers. [2] For everyday cases of suspicious activity, cyber information may also be relevant. For example, if one of the subjects has a website, the domain's WHOIS record can be queried to identify the registrant; a number of websites provide WHOIS lookups and can be found with a quick internet search. Other information that could be beneficial to law enforcement includes email addresses or social media screen names located during an investigation. While only a small number of investigators may be specifically tasked with handling cyber incidents, the whole team should be aware of the cyber information that belongs in a SAR filing.
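The reporting decisions described in the two preceding sections (which incidents meet the threshold, how an attempt is treated, and which cyber-related information is captured for the SAR) can be expressed as a small triage model. The following is an added illustration, not code from the article or its authors; the $5,000 threshold and the FinCEN categories come from the text, while the field names, the "log only" rule for auto-quarantined malware with no funds at risk, and the sample incidents are assumptions.

```python
# Added illustration, not code from the article or its authors. It encodes the
# FinCEN definitions quoted above and two assumed internal rules: funds at risk
# (including blocked transfers) are measured against the $5,000 SAR threshold,
# and an auto-quarantined infection with no funds at risk is logged, not filed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAR_THRESHOLD_USD = 5_000  # threshold the article cites from FinCEN guidance


@dataclass
class CyberReferral:
    case_id: str
    attempted: bool                   # an attempt counts even if it failed
    funds_at_risk_usd: float          # includes transfers that were blocked
    crime_type: Optional[str] = None  # e.g. "fraud" -> cyber-enabled crime
    auto_contained: bool = False      # e.g. malware quarantined by IT tooling
    ip_addresses: List[str] = field(default_factory=list)
    timestamps: List[str] = field(default_factory=list)
    iocs: List[str] = field(default_factory=list)  # filenames, hashes, domains


def classify(ref: CyberReferral) -> str:
    """FinCEN category: a crime facilitated electronically vs. an access attempt."""
    return "cyber-enabled crime" if ref.crime_type else "cyber-event"


def triage(ref: CyberReferral) -> str:
    """Route a referral: 'file' a SAR, send to analyst 'review', or 'log' only."""
    if ref.auto_contained and not ref.funds_at_risk_usd and not ref.crime_type:
        return "log"  # assumed rule for the article's quarantined-malware case
    if not ref.attempted:
        return "log"  # no attempt identified, so nothing to report
    if ref.funds_at_risk_usd >= SAR_THRESHOLD_USD:
        return "file"
    return "review"  # attempt below threshold: analyst considers filing


def cyber_related_information(ref: CyberReferral) -> Dict[str, List[str]]:
    """Collect the technical fields FinCEN calls cyber-related information."""
    fields = {"ip_addresses": ref.ip_addresses, "timestamps": ref.timestamps,
              "indicators_of_compromise": ref.iocs}
    return {k: v for k, v in fields.items() if v}  # omit empty sections

# Constructed samples: a blocked BEC wire request, and quarantined malware.
BEC = CyberReferral("CASE-0001", attempted=True, funds_at_risk_usd=48_000,
                    crime_type="fraud", ip_addresses=["203.0.113.7"],
                    timestamps=["2016-11-02T14:05:00Z"], iocs=["invoice.docm"])
QUARANTINED = CyberReferral("CASE-0002", attempted=True, funds_at_risk_usd=0,
                            auto_contained=True, iocs=["update_helper.exe"])
```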


Setting up a system of ongoing communication and coordination is an important final step. It is not enough to write a set of policies and procedures and pull them off the shelf when necessary. Cyberthreats are constantly evolving, and ongoing communication allows all parties to stay current on the complex issues. Communication may be handled formally through a scheduled recurring meeting, or more informally through regular conversations between the involved parties. As a member of the AML team, one should also insist on being included in future cyber exercises and policy discussions. This ensures both teams stay current on organizational changes and are able to influence events where necessary.


Establishing a cyber program within an AML program may initially seem to be a daunting task. However, if the program is broken down into the components described in this article, it becomes a much simpler undertaking. With teamwork and communication between relevant parties, a cyber program can be put into place and effectively managed on an ongoing basis.

Eric Barzydlo, CAMS, regulatory compliance officer, Fulton Financial Corporation, Lancaster, PA, USA

Lauren Kohr, CAMS-FCI, SVP, chief risk officer, Old Dominion National Bank, Tysons Corner, VA, USA

  1. “Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime,” Financial Crimes Enforcement Network, October 25, 2016.
  2. “Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs),” Financial Crimes Enforcement Network, October 2016.
