Overlapping Risks, Part 1: Anti-Money Laundering and Cybersecurity
Firm regulatory risks and priorities don't exist in a vacuum. And that is perhaps nowhere clearer than when it comes to a firm's anti-money laundering responsibilities. A firm's AML risks can overlap with any number of other priorities.
On this episode, the first of a two-part series, we're looking at the intersection of a firm's AML and cybersecurity risks. Joining us are Jason Foye, a director with FINRA's Anti-Money Laundering Investigative Unit, and Dave Kelley, a director with FINRA's Cybersecurity Specialist Program, both with FINRA’s National Cause and Financial Crimes Detection Program.
Resources mentioned in this episode:
Episode 60: Introducing Greg Ruppert and the NCFC
Episode 33: Money Laundering in the Securities Industry
Episode 34: AML Priorities and Best Practices
SWIFT: How Cyber Attackers ‘Cash Out’ Following Large-Scale Heists
FinCEN October 2020 Advisory on Ransomware
FinCEN July 2020 Advisory on Cybercrime
FinCEN October 2016 Advisory on Cyber Events
Regulatory Notice 20-32 on Fraudulent Options Trading
Regulatory Notice 20-13 on Fraud During the Coronavirus Pandemic
Listen and subscribe to our podcast on Apple Podcasts, Google Play, Spotify or wherever you listen to your podcasts. Below is a transcript of the episode. Transcripts are generated using a combination of speech recognition software and human editors and may contain errors. Please check the corresponding audio before quoting in print.
00:00 - 00:21
Kaitlyn Kiernan: Firm regulatory risks and priorities don't exist in a vacuum. And that is perhaps nowhere more clear than when it comes to a firm's anti-money laundering responsibilities. A firm's AML risks can overlap with any number of other priorities. On this episode, the first of a two-part series, we're looking at the intersection of a firm's AML and cybersecurity risks.
00:31 - 00:56
Kaitlyn Kiernan: Welcome to FINRA Unscripted, from Hoboken, New Jersey, I'm your host Kaitlyn Kiernan. I'm pleased to welcome back to the show today two returning guests. We have Jason Foye, a director with FINRA's Anti-Money Laundering Investigative Unit, joining us from across two rivers from here in Brooklyn. And we've got Dave Kelley, a director with FINRA's Cybersecurity Specialist Program based out of Missouri. Dave and Jason, welcome back to the show.
00:57 - 00:57
Dave Kelley: Thank you.
00:57 - 00:58
Jason Foye: Thanks for having us.
00:58 - 01:08
Kaitlyn Kiernan: So, David and Jason, you work with two different specialist teams under Member Supervision's National Cause and Financial Crimes Detection Program, is that right?
01:08 - 01:08
Jason Foye: Yeah.
01:09 - 01:09
Dave Kelley: That's correct.
01:09 - 01:35
Kaitlyn Kiernan: And that's the new group headed by Greg Ruppert, which listeners can hear more about on episode 60. But this is going to be the first of a two-part series about anti-money laundering, or AML, and its intersection with key regulatory topics and other areas. So, on this episode we're looking at AML and cybersecurity. They seem like two very different things, but Jason, how much do these two topics overlap?
01:35 - 04:19
Jason Foye: There is significant overlap in these spaces. So, if you think about particularly the areas of AML, fraud and cyber, these are continuing to merge as it relates to cybercrime and cyber-enabled financial crime. And if you're a listener and you're wondering how these overlaps occur in practice, you can break it down in a few ways. The most obvious is that cyber events are reportable under Suspicious Activity Reports, or SARs. And beyond that, the underlying activity that could be related to cybercrime and cyber-enabled crime you can break down into two broad categories that Dave can dig into a little bit further.
One is that bad actors can generate illicit funds through cybercrime that they then launder through the financial system. And that certainly presents a risk to the securities industry within the financial system. In this area, SWIFT, which is a network that financial institutions use to send and receive information about financial transactions, they recently released a report detailing the money laundering techniques that support some of these large-scale cyber heists. It's really an interesting read that we can certainly include in the show notes and encourage the audience to check out. FinCEN also recently released an advisory in October 2020 on the risk of ransomware, in particular, and the use of the financial system to facilitate ransom payments that certainly has some relevance in this space as well.
The other area where I think you see a lot of overlap is bad actors that either take over accounts of unsuspecting customers, or in some cases open new accounts in the name of unsuspecting customers, using stolen or synthetic personal identification documents, and those accounts then get used by these bad actors to engage in some sort of crime. By using these accounts of an unsuspecting customer via a hack or stolen or synthetic identification fraud, bad actors put an additional layer between them and the underlying conduct. A common example in this area involves unauthorized withdrawals of funds from a customer account. But we also see a variety of situations where some of these unsuspecting customer accounts are used in trading schemes, such as pump-and-dumps, or market manipulation.
If you're trying to frame where some of this overlap comes into play, those are areas that we're currently seeing right now. But I think it's really important to keep in mind that as we continue to see new and complex schemes perpetrated by bad actors, we expect that this threat is only going to increase over time particularly as markets, investors and day-to-day life continues to be more and more reliant on the Internet.
04:20 - 06:53
Dave Kelley: Yeah, Jason, I agree with all that. We're constantly seeing new attacks. The fraudsters are looking for ways to move money and to steal information about customers and in the end, they want the money, but they also want to gather that information about customers. And that all can lead to that money movement in the future sometime. Sometimes that doesn't happen right away, but eventually that's their goal.
We're seeing a lot of different types of attacks today and some of those will include email account takeovers, and that can happen both from a firm employee or a registered rep or, in a lot of cases, we're seeing where the customer's accounts are being taken over and then the bad guys are using that information or that account to attempt to move money or conduct transactions. We're also seeing lots of imposter websites out there. An imposter website is a website that looks like a firm's, but maybe it's just one letter different from the actual firm's website name. We're also seeing imposter websites set up in the name of a registered representative, and they're looking to potentially grab new customers to gather information and to get money from that potential customer. A lot of identity theft going on out there, viruses, ransomware attacks. Ransomware attacks are where somebody clicks on something and all your data is encrypted so you can't use it.
But all these attacks usually start with some sort of phishing email. Phishing e-mails are not new, they've been around for quite a while, but boy they're getting a lot better than they used to be. They're trying to get you to do something, usually they want you to click on something right away to check on something or to click on a link. Either that or download a document or something like that. And as soon as you do that, they've got you because they can download a piece of code on your computer or your phone and then grab more information from you as you go along without you really knowing all about it.
We have on our website several documents which we've put out there which talk about a lot of these different issues that we're seeing today, starting in 2015, when we put out a white paper on a lot of the different issues that we were seeing at the time that still really apply today. But since then we're continuing to see lots of issues like that as we go forward. So, go look at that on the FINRA.org website, search for cybersecurity. There's a lot of really great information about what we're seeing out there and what you can be doing to help protect yourself.
06:54 - 07:28
Kaitlyn Kiernan: We'll include those in our show notes as well. And it does sound like this is an area of a lot of concern for everyone, customers in terms of: is this a real website? Is this a real e-mail? And also for firms in terms of KYC: is this actually a real person that's setting up this account? Is it the person they say it is? And I'm sure we'll get into more of that later. Jason, you mentioned SARs before. Why is it important to file SARs on cyber incidents? And is there any kind of general guidance you can provide on when a SAR should be filed on this type of activity?
07:28 - 10:31
Jason Foye: As we discussed on our previous podcast, law enforcement and other agencies such as FinCEN regularly use information reported in SARs to initiate investigations, identify criminals in their networks, conduct intelligence assessments and other critical functions. As the risk of cybercrime and cyber-enabled financial crime continues to grow, financial institutions, including FINRA member broker-dealers, play a really crucial role in helping to protect investors and the markets as we work collectively to combat this threat. This includes putting in place effective cybersecurity controls and ensuring that SARs are filed when appropriate in order to assist law enforcement and other agencies in the important work that they're doing in this space.
In terms of when SARs should be filed and some guidance on that, FinCEN issued an advisory and some frequently asked questions on the reporting of cyber events in October of 2016. I think one of the big challenges that financial institutions face in this space is the sheer volume of potential cyber events that they may be facing on a daily basis, particularly for some of the larger institutions. This makes determining what events may require a SAR to be filed difficult at times, especially if the value of the underlying activity associated with the cyber event is zero or is difficult to quantify.
So some of the guidance issued by FinCEN in the advisory and in these FAQs on these topics includes informing financial institutions that are subject to large volumes of cyber events that they can report those through a single, cumulative SAR when the events are similar in nature or believed to be related, connected or part of a bigger scheme, and informing financial institutions that they should consider the aggregate amount of the assets involved in the cyber event or the total assets that were put at risk by the cyber event. So, for example, if a firm's systems are targeted by an attack and firm or customer assets were at risk as a result of that attack, this may warrant a SAR filing even if no actual transactions occur.
When a financial institution does determine a SAR filing in this area is warranted, FinCEN did ask that the firms include certain information. This includes a general description of the cyber event, any indicators, the times, the relevant IP addresses and timestamps, device identifiers, or known or suspected methodologies used. So there is a lot of other guidance in the FinCEN notice and, as always, firms are expected to establish and implement reasonable AML programs that can be reasonably expected to detect and cause the reporting of suspicious activity, so I encourage the audience and those in the industry to take a look at that guidance, take a look at the procedures that are in place and think about it: based on the policies and the procedures that we have established and are implementing, do we think that we can reasonably detect red flags of suspicious activity and file SARs where appropriate?
10:32 - 10:41
Kaitlyn Kiernan: And Dave, are there any signs a firm should look out for to determine whether a hack is just a hack or if it's the bigger AML concern?
10:42 - 11:33
Dave Kelley: Really any cyber event or hack is a concern from an AML standpoint. Every firm should have some sort of incident response program already in place. So anytime they have a cyber event, or a hack happens, they need to implement their program. And the firm's AML program or team should be included in that incident response process that the firm has already set up. So, you never know what's going to happen. A cyber event could end up being very small, nothing really happens out of it. For instance, maybe you have a ransomware attack, but it's stopped early on, so not much happens out of it. But on the other hand, some of these things could start very small and end up being a bigger deal than you realize upfront. So, I think that any hack or anything that happens in this area, really you should be thinking about it from an AML standpoint also.
11:34 - 12:24
Jason Foye: I would just chime in. Thinking about it in both directions is really important. What I mean by that is if a firm, as Dave mentioned, is investigating a cyber event, make sure that they're considering or looking into what activity was conducted that may be related to that cyber event or, conversely, if a firm is reviewing red flags of suspicious activity, making sure that they're considering whether there was a potential cyber event related to that activity is really important. It's certainly worth noting that, as with any SAR investigation, no single red flag is necessarily going to be indicative of illicit or suspicious activity, and financial institutions should always consider the full fact pattern specific to the individual customer, historical transactions, et cetera, when reviewing potential red flags. But just making sure you're considering and understanding where these risks overlap is really important.
12:24 - 12:50
Kaitlyn Kiernan: And Dave, you mentioned involving the AML team when investigating any cybersecurity event, but I would expect that for many firms, cybersecurity might be overseen by IT or an outside vendor while AML is a different team. They're separate for a reason, because they're both very complex areas. Why is it important for broker-dealers to think about the program holistically and involve both groups?
12:50 - 15:10
Dave Kelley: Like you mentioned, both teams are looking at it from a different standpoint and you've got different backgrounds for those people. The cyber team, if it's internal or even if you're using an outside firm to help you with that, those people are usually IT people who are usually very technical and don't really have that background or that understanding of what AML really is requiring, versus AML, who really understand the AML side and the rules and regulations and what's going on from that standpoint, but don't understand the technical side of what should be in place from a cyber standpoint. So, when you get those two teams together it helps you really understand and really address what you need to be doing from a firm standpoint when an issue does happen.
But you also need to have a lot of other things in place at your firm. You need to have a person that's leading the overall program. A bigger firm, for instance, would have a Chief Information Security Officer, or CISO, that leads up their cyber program and would be leading up any incident response program that you have. You need to make sure that cyber security and this program really comes down from the top of the organization. The leaders of the organization need to be behind it. It's also very important that every person in that organization is trained, so they really understand what their responsibilities are.
Ten years ago, the thought was cyber security was the responsibility of the IT group and they handled everything. Today, everybody in that organization, everybody in any firm, they all have a responsibility for helping to protect not only the firm information but also the customer's information. So, everybody really needs to understand that, and you need to have a good training program to on an ongoing basis remind everybody about what they need to be thinking about. And one last thing, you need to have a good risk assessment program. And a risk assessment program really takes a look at your organization and determines what those key risks are for your firm.
Each firm's different, because every firm has different types of systems or customers or people in different places. So, you need to be taking a look at that overall firm and deciding, "okay, what key risk areas do we need to protect at our firm."
15:11 – 17:24
Jason Foye: Just to put a fine point on some of the things that Dave raised there that are crucial and that I definitely agree with, this is really where effective delegation and communication becomes really critical for firms. In this area, firms want to make sure that, from an AML perspective, they've clearly communicated to whatever person or group is responsible for the cybersecurity front what the expectations are in terms of what types of events need to be escalated to AML for further review. And they want to make sure that they're also reasonably kind of testing to make sure that the events that they expect to be escalated to AML are in fact being escalated as expected.
This is no different than other areas of the firm where you may not see AML as the front-line reviewers; take trade surveillance as an example. This is an area where we commonly see AML programs relying on trading desks to escalate potentially suspicious activity to them for SAR reviews. This is often a reasonable approach given that the trading desk tends to have a level of subject matter expertise over the trading activity that AML may not have. However, where we see problems in this practice is in that delegation or in that communication. That's where AML believes the trade desk is monitoring for red flags or a particular suspicious activity like market manipulation, and the trade desk doesn't fully understand that these expectations are in place, and while they may certainly understand that, "if I see something, I certainly will escalate that to AML," they're not proactively looking for the red flags in the way that AML thinks they are.
And some best practices are just what you would expect in any communication delegation function. Make sure that you're having regular conversations and communications with the other department, that you've clearly communicated what the expectations are and that you're following up. I really think a best practice is making sure you have regular governance of communication whether that be quarterly meetings, semiannual meetings together or annual meetings, whatever seems reasonable for your institution, where it's not just on an ad hoc basis when something is needed but you're having more regular communications to establish that relationship and understand what each team is doing and how the overlap can be best addressed and mitigated at the institution.
17:25 - 17:29
Kaitlyn Kiernan: Are there any best practices particularly when working with an outside vendor?
17:30 - 19:02
Dave Kelley: Yes, there are. Every firm nowadays is using outside vendors for a lot of different things, whether it's leading your cyber program or systems that you use for trading or maybe using some systems for your AML program. So, I think there are several key things that every firm should have in place.
First, you need to have a documented process of how you work with these vendors and that documented process would include things like how do you vet new vendors. What's that process look like and who should be involved when you're vetting new vendors. For instance, if there is customer data involved you should always be including your data security group so they can take a look at the security processes that vendor has.
Of course, you always should have a contract in place with that vendor. We still see today firms, especially smaller firms, that have been working with a vendor for a long time, but they don't have a contract in place that outlines the responsibilities of both the vendor and the firm. There needs to be a process in place to monitor how that vendor is doing on an ongoing basis. So again, if there's customer information involved, how is that vendor protecting that information?
And then one that a lot of times people don't think about is when you end your work with that vendor, how is that vendor off boarded? If they have access to data, how do you make sure that they don't have access to that data anymore? So, every firm should have that documented process including those areas.
19:03 - 19:15
Kaitlyn Kiernan: And Dave, earlier you mentioned some of the cyber risks that exist out there, but are there any emerging threats or trends in the cybersecurity and AML space that are relevant to talk about here?
19:15 - 21:16
Dave Kelley: Yeah, I think so. It's been an odd year. Different things happening. There's a lot more cyber attempts happening out there nowadays. These cyber guys, they seem to have a lot of time on their hands and so they are spending a lot of time trying to gather information or to get money or whatever. So, we're seeing a lot of attempts in all those different areas that I talked about before. We put a notice out on March 26, about the things that firms really need to be thinking about today because everybody is working at home.
There are things that should be common sense, but now instead of using systems that the firm has put in place that potentially have the right controls in place, they may be using computers or systems or networks at their home, which may not have all the security they need to be thinking about. So, they need to be putting together better training programs for all, they need to be making sure that their incident response plans are up to speed and that everybody understands their process. They need to be thinking about all the different phishing attempts that we're getting today. There's lots of new phishing attempts and they're getting better and better. And so, people need to really be able to look at those and not click on something that they are getting today.
Every firm is going to have issues as we go forward through this today and we're seeing a lot more of these, even FINRA had an issue this month. A fraudster sent emails to a lot of our broker-dealers and also to investment adviser firms wanting them to fill out a survey and that wasn't FINRA sending that out, but that fraudster was trying to gather information about those firms and potentially about their customers and more information about them to help potentially gather money or gather information. FINRA sent out a notice to our firms about that, so hopefully none of these firms did that, but you don't know. It's an important thing the firms should always be thinking about.
21:17 - 25:46
Jason Foye: In terms of emerging threats in the cyber security and AML space happening right now, FINRA has been really active, as Dave mentioned, putting out notices, looking for what the bad actors are doing in this space. A couple of things I would highlight, in a targeted Reg Notice that FINRA put out, Regulatory Notice 20-32, this dealt with a specific typology that we're seeing in the options space whereby bad actors are engaging in fraudulent options trading that's being facilitated by account takeover schemes through which the bad actors gain unauthorized entry into a customer's brokerage account and then use that brokerage account to fraudulently engage in options trading.
And I certainly encourage people to read that notice in the details that are present in the typology, but these tend to have some common fact patterns. A bad actor will have an account at one institution, will purchase an out-of-the-money option at a very low price. There will be another account at another institution whereby the bad actor will hack the account or again open up a fake account using stolen or synthetic account information, and then using that account, they will sell the option that they just bought at a very low price for a much higher price, generating profits for themselves in their original account.
But more broadly, FINRA also released Reg Notice 20-13, which reminded firms to be aware of fraud during the pandemic generally, and this notice outlined some of the common scams that relate to the risk of cybercrime and cyber-enabled crime: fraudulent account openings, firm imposter scams, IT help desk scams. Some of the stuff Dave has been talking about earlier is specific to the fraudulent account opening aspect of the Reg Notice 20-32 that I just mentioned. While, again, the specifics and tactics do vary, they typically involve some combination of establishing an account using stolen or synthetic customer identity information, funding the account using stolen bank information such as routing or bank account numbers to transfer money from the customer's bank account to the newly established brokerage account, effecting smaller dollar transfers via ACH or other online payments from the customer's bank account, or diverting customer funds directly to the fraudster's account.
FinCEN also issued a related advisory in July 2020, which highlighted the risk of cybercrime and cyber-enabled crime during the coronavirus pandemic. And this advisory points to an increase in cyber-enabled crime through malware, phishing schemes, extortion, business e-mail compromise, customer account takeovers, etc. Like FINRA's notice, FinCEN highlighted in one particular section how bad actors are exploiting the remote access platforms and processes that a lot of us are utilizing more as we all work from home and are doing more of our day-to-day activities at home using the Internet and cyberspace. Cyber criminals and state actors are looking for ways to exploit weaknesses in these remote applications and virtual environments. This includes attempts to undermine online identity verification tools via fake or altered identity documents, attempts to undermine authentication processes, and account takeover schemes. Some other red flags that I think the industry and audience may want to just be aware of that are laid out in this notice include misspellings of names and account information, photo identifications that appear blurry or are low resolution or have other visual irregularities, IP addresses associated with customer logins that don't match the stated address or what's known about the customer's location, or customer logins that are occurring via a single IP address across multiple seemingly unrelated accounts over a short period of time.
These are just some of the things that I think are common red flags that firms in the audience can be aware of if this is a risk that is material to their institution. FINRA's notice also does include some practices that firms can use to address some of these risks. This includes using both documentary and non-documentary verification methods as part of your CIP process, especially for accounts that are opened via electronic means, reviewing account applications for red flags such as the ones we just noted, confirming customer identities with banks and, where appropriate, considering whether to restrict funds transfers in certain situations based on any unusual or suspicious red flags that the firm may have identified.
25:47 - 26:27
Dave Kelley: Yeah, Jason, I think that with more and more of our firms doing business exclusively with their customers online, that's becoming more and more important that these firms have some sort of monitoring process behind the scenes just to be watching what's going on out there with these accounts. You mentioned a couple of good things. If all of a sudden you start seeing a lot of new accounts open from the same IP address, that should be a red flag that this should be looked into, or a bank account being used by multiple accounts or different things like that that if firms are aware of and are monitoring for that that can really help them quite a bit to put a stop to some of these issues.
26:27 - 26:37
Kaitlyn Kiernan: And just to wrap up, how do you two and FINRA's broader cyber and AML specialist teams within the NCFC work together?
26:38 - 27:38
Jason Foye: From my perspective there's been a significant uptick in communication and collaboration throughout NCFC and throughout FINRA more broadly. This includes working together on exams where the risks identified by our respective specialty programs may overlap, sharing intelligence and information with each other and making sure that we're working together to educate the industry and investing public where possible through, you know, podcasts such as this. But, ultimately, it's not that different than some of the best practices we talked about in some of the earlier questions.
Dave and Dave's group and the AML group, other specialist groups and other groups inside FINRA, we're just trying to make sure that we're having regular communications with each other, having joint trainings with each other where cyber can meet with the AML team, for example, and walk us through their process, try to share some of their subject matter expertise with us, and we can do the same. So, we're just trying to make sure that we're practicing good communication and not siloing ourselves in our little specialist groups, the same way that we encourage the industry to think about those things.
27:38 - 28:08
Dave Kelley: Yeah, I agree completely. I think everything you said are things that firms could be putting in place also, having their IT group, their cyber group and their AML groups and compliance groups, the more they can work together on all these issues the better, and that will really help them and they'll be sharing information about what they're seeing, and that will help firms out to protect their customers, and in the end, that's the goal.
28:03 - 28:26
Kaitlyn Kiernan: Well, that's it for this first part of the two-part AML deep dive series. Thanks, Jason and Dave, for joining us today. Jason, we'll have you back again soon with Brooke Heckman, a director with FINRA's Vulnerable Adults and Seniors Team. Listeners, if you have any questions for our next episode, you can e-mail us at [email protected]. Until next time.
28:31 – 28:59
Disclaimer: Please note FINRA podcasts are the sole property of FINRA and the information provided is for informational and educational purposes only. The content of the podcast does not constitute any rule amendment or interpretation to such rules. Compliance with any recommended conduct presented does not mean that a firm or person has complied with the full extent of their obligations under FINRA rules, the rules of any other SRO or securities laws. This podcast is provided as is. FINRA and its affiliates are not responsible for any human or mechanical errors or omissions. Parties may not reproduce these podcasts in any form without the express written consent of FINRA.