Written by Shereefat Balogun, Regulatory Compliance Counsel
Woah, we’re ending cyber security month with a bang! Just last week, we blogged on the two massive cyberattacks that hit Netflix, Amazon, PayPal, Twitter, and others. In the wake of the increasing attacks, FinCEN recently issued an advisory outlining credit unions’ SAR obligations as they relate to cyber-events and cyber-enabled crime.
As many may know, especially those who just earned the NAFCU Certified Bank Secrecy Officer designation (woo hoo!), any illegal or suspicious activity can form the grounds of a SAR (Suspicious Activity Report, or as was used throughout our BSA Seminar, “Something Ain’t Right”) filing. In certain cases, credit unions are required to file a SAR. In particular, when criminal or suspicious activity from someone outside of the credit union totals $5K or more and you have a suspect, you must file a SAR. For criminal or suspicious activity from an outsider totaling $25K or more, even if the credit union can’t identify a potential suspect, the credit union is required to file a SAR. See 12 C.F.R. 1020.320.
Since cyber events targeting financial institutions often constitute criminal activity, FinCEN is requiring credit unions and other financial institutions to report cyber-events and cyber-enabled crimes. The advisory is careful to say that this “does not change existing BSA requirements or other regulatory obligations” and credit unions “should continue to follow federal and state requirements and guidance on cyber-related reporting and compliance obligations.” But as applied to cyber-events and cyber-enabled crimes, the advisory clarifies that credit unions are required to report a cyber-event that involves $5,000 or more. The advisory generally defines a “cyber-event” as an attempt to compromise or gain unauthorized electronic access to electronic systems and information. The advisory further defines a “cyber-enabled crime” as illegal activities, such as fraud, money laundering, or identity theft, carried out by electronic systems and devices.
Unlike money laundering and terrorist financing or other financial crimes, the dollar amount at stake in a cyber-event or cyber-enabled crime may not be readily apparent. But based on the guidance and examples used, it appears that just about any unauthorized access that exposes or compromises member accounts could qualify as activity that would trigger the SAR obligation where the credit union “reasonably suspects” the amount at stake meets an applicable SAR threshold. The FinCEN advisory states that in determining the dollar amount involved in the cyber-event, the credit union should consider the funds and assets involved in or put at risk by the cyber-event. The advisory provides non-exhaustive examples of situations in which SAR reporting of cyber-events is mandatory:
Example 1: Through a malware intrusion (a type of cyber-event), cybercriminals gain access to a bank’s systems and information. Following its detection, the bank determines the cyber-event put $500,000 of customer funds at risk, based on the systems and/or information targeted by the cyber-event. Accordingly, the bank reasonably suspects the intrusion was in part intended to enable the perpetrators to conduct unauthorized transactions using customers’ funds.
The bank must file a SAR because it has reason to suspect the cybercriminals, through the malware-intrusion, intended to conduct or could have conducted unauthorized transactions aggregating or involving at least $5,000 in funds or assets. As explained in the next section, the bank should include all available information in the SAR relevant to the suspicious activity, including cyber-related information such as a description and signatures of the cyber-event, attack vectors, command-and-control nodes, etc.
Example 2: Through a cyber-event, cybercriminals gain access to a financial institution’s systems/networks. The cyber-event exposes sensitive customer information such as account numbers, credit card numbers, balances, limits, scores, histories, online-banking credentials, passwords/PINs, challenge questions and answers, or other similar information useful or necessary to conduct, affect, or facilitate transactions.
By evaluating the cyber-event and the type of information sought by its perpetrators, the financial institution reasonably suspects the cyber-event may have targeted information for the purpose of conducting, facilitating, or affecting transactions aggregating to at least $5,000. For instance, the financial institution could reasonably suspect the cybercriminals intended to steal and sell the exposed sensitive customer information to other criminals for financial exploitation to include unauthorized transactions at the institution. As further described below, the targeted financial institution should file a SAR to report all relevant information, including cyber-related information and information pertaining to any related unauthorized transactions.
The advisory also notes that credit unions should, in addition to the requirements set forth in the advisory, be familiar with existing guidance and NCUA’s cyber-related SAR-filing obligations. For example, in December 1997, NCUA issued Regulatory Alert, No. 97-RA12, providing guidance for reporting computer-related crimes.
As I mentioned during my presentation last week, BSA is sometimes said to be one of the most burdensome sets of rules. And this new advisory seems to add more to our reporting obligations. But, as we emphasized during each session of the BSA seminar, BSA compliance officers are the gatekeepers who can help reduce the risk of a credit union being used to accomplish these financial crimes, and help law enforcement detect and stop them.
We will publish another blog detailing the information that needs to be included in a cyber-related SAR filing.
Trivia Question: What are the timing requirements for a SAR filing? When does the clock start? Books/Manuals closed!