A Guest Blog by Professor Moyara Ruehsen
Today we are very pleased to welcome guest blogger Moyara Ruehsen, PhD, CAMS, CFCS, who is an Associate Professor and Director of the Financial Crime Management Program at the Middlebury Institute of International Studies in Monterey, California. For more than 20 years, Professor Ruehsen has taught financial crime-related courses on a variety of topics including money laundering, trade-based financial crime, corruption, proliferation financing, terrorist financing and cyber-enabled financial crime. She has published articles and book chapters on a variety of topics related to threat finance and is a Certified Anti-Money Laundering Specialist and a Certified Financial Crime Specialist. Professor Ruehsen also consults for the U.S. government, multilateral organizations and the private sector. She served for several years on the Editorial Advisory Board of Money Laundering Alert, and the Middle East Task Force of the Association of Certified Anti-Money Laundering Specialists, or ACAMS.
For an extremely entertaining and illuminating discussion by Professor Ruehsen of how popular TV and movies get money laundering right (and wrong), see here.
This blog post takes the form of a Q & A session, in which Professor Ruehsen responds to several questions posed by Money Laundering Watch about the critical topic of cyber-enabled financial crime. We hope you enjoy this discussion, which addresses how cyber-enabled financial crime threatens financial institutions and their customers. –Peter Hardy
How would you define cyber-enabled financial crime and how does that differ from the general category of cybercrime?
Cybercrime encompasses any crime committed online, including ransomware attacks, cyber-espionage, child pornography and cyber vandalism. But not all of these crimes have a financial motivation. Cyber-enabled financial crime is a smaller subset of cybercrime and includes crimes with a financial end-goal: ransomware, sextortion schemes, identity theft, money laundering, etc. There are some types of cybercrime, such as the theft of intellectual property, that are trickier to categorize. The goal is to steal IP, not drain bank accounts or cryptocurrency wallets. And yet, that stolen IP has potential financial value for the thieves and represents a real financial loss to the company. Finally, we cannot make generalizations about state-sponsored cybercrime vs cybercrime carried out by criminals. Some state-sponsored cybercrime is financially motivated (for example, North Korea), whereas other types of state-sponsored cybercrime might be motivated by espionage (such as China and Russia).
What are the biggest threats currently faced by financial institutions from cyber-enabled financial crime, and how has the threat landscape changed over time?
Financial institutions have three principal concerns.
First, they need to protect their institution from theft. This kind of attack could come from outside in the form of social engineering (e.g. phishing email) that entices an employee to click on a link and download malware. There is also the problem of insider threats – criminally minded employees, who try to gain access to funds.
Second, they need to protect their customers from fraud. Even if funds were stolen as a result of the customer’s naivete or negligence, the customer may still try to hold the bank accountable.
And finally, they need to be mindful of regulators, who are now holding financial institutions to a higher standard when it comes to cybersecurity. Cybersecurity compliance is now part of every institution’s compliance portfolio.
As for whether the threat landscape is changing, in some ways no, and in other ways, yes. The Covid-19 era certainly has brought with it a tidal wave of fraud, in many forms. This is really stretching law enforcement resources, and that concerns me. What hasn’t changed? Business email compromise, or BEC, is still a huge problem. Ransomware is still a problem and getting more serious. Ransomware as a service is enabling more criminals to get into the ransomware business. The ransom demands are growing ever larger, and in some cases the criminals are threatening to release private, personally identifiable information (PII) if the ransom isn’t paid. A recent look at over 100,000 ransomware attacks in the second quarter of 2020 revealed that over 11% involved data theft. So it’s not just a matter of having file backups and getting systems back online. Once confidential information is out there, it’s out there. It’s truly frightening.
How can the BSA/AML programs of financial institutions help ameliorate these threats? Conversely, what are some typical holes or weaknesses in BSA/AML programs as to such threats?
We need to bring an end to the era of silos. Traditionally, the AML department was separate from the Fraud department and the Sanctions compliance department and the Cybersecurity department. These different groups of investigators need to confer more frequently and should consider coming under one management umbrella. I understand that “cybersecurity” may be too unwieldy and also intersects with IT, but there needs to be a close partnership with the institution’s financial crime investigators.
Second, we need to get better at using AI to pinpoint legitimate red flags and minimize false positive rates (which take up too much valuable time to review). And finally, as an industry, we need to convince regulators to reward actionable intelligence. A poor quality Suspicious Activity Report, or SAR, is an expensive waste of everyone’s time. Better to have not written it at all. But institutions are not being rewarded for the quality of their SAR narratives, so the end result is a satisficing exercise. The quantity and quality of SAR filings is driven solely by what will satisfy the regulators. Rarely is anyone rewarded for going above and beyond.
Let’s suppose a financial institution does not deal in cryptocurrencies. Does that mean that it or its customers don’t have to worry about cyber-enabled financial crime relating to crypto?
Even if financial institutions think they are not directly dealing in cryptocurrencies or onboarding cryptocurrency exchanges as customers, there is nothing to prevent their customers from wiring money to or from a cryptocurrency exchange. And some of these customers may secretly be operating their own cryptocurrency exchange activities, misrepresenting the true nature of their business to the bank. This was the case of Kunal Kalra, who pled guilty last year to operating an unregistered money service business. He had fake business accounts with reputable banks, through which he would manage transactions for his bitcoin exchange business and drug trafficking activities.
FinCEN recently issued an Advisory to financial institutions about “money mules” and scams relating to COVID-19. What are “money mules,” and what can financial institutions do to protect themselves and their customers against such activity, particularly in regards to cybercriminals?
“Money mules” are individuals who wittingly or unwittingly help criminals launder money through their individual and business checking accounts. While this technique has been around for decades, there has been a surge in this typology since the Covid-19 lockdowns began this past Spring. People are spending more time at home on their computers and responding to “work from home” ads and other dubious schemes. It’s a target rich environment for criminals looking for naïve marks online, who can be persuaded to move criminal funds through their accounts. That is how overseas-based criminal gangs are able to defraud the U.S. government out of unemployment checks, tax refunds and other financial outlays. Sometimes they steal identities or purchase synthetic identities to apply for federal and state assistance. And then they use domestic money mules to help them move the money overseas.
The recent FinCEN Advisory (FIN-2020-A003) that was issued recently on Covid-19-related money mule schemes details some of these typologies. Financial institutions can do two things. First, they can tweak their AI algorithms to recognize changes in account activity that resembles money mule behavior (factoring in other variables to eliminate false positives from legitimate changes in account activity). Second, they owe it to their customers to educate them on these schemes and other fraudulent scams (like the imposter schemes detailed in the same FinCEN advisory). Some financial institutions may not see customer education as their responsibility, especially if it’s not a regulatory requirement. But an official letter to customers detailing a few of the typologies mentioned in the advisory could also protect the bank from upset customers who might try to sue the bank for compensation or who might unwittingly engage in money laundering activity that will generate even more work and SAR filings for overstretched in-house investigators.
Where do we go from here?
Several of the larger banks are already collaborating with federal agencies and sharing intelligence on cybercrime threats. The largest banks are considered “critical infrastructure” so this type of public-private collaboration made complete sense. But it’s time to include smaller financial institutions in the conversation. Other countries like the UK, Australia and Singapore have gone so far as to create joint government/private sector investigative units that share actionable intelligence in real time. We are still far from being able to do that in the U.S.
The smaller financial institutions are really at a disadvantage. They are too small to collaborate with federal agencies until a disaster happens, and they cannot afford to invest as much in cybersecurity measures as their larger competitors. They may not feel like they are as attractive a target, but their weaker defenses make them attractive to criminals. And in our hyperconnected world, cybercrime risks are difficult to mitigate when most of our seemingly low-risk business and retail customers are exposed to different varieties of cybercrime (BEC scams, romance scams, ransomware, Covid-19-fraud, work-from-home schemes, cryptocurrency scams, etc.) on a constant basis.
That again speaks to the importance of educating customers (business and retail customers). I’ve always wondered why financial institutions don’t do more of that, and I can only think that they are concerned that it might alarm some customers and make them uneasy. However, I think there is a way to issue such public service announcements in a way that instills customer confidence.