Thursday, October 30, 2003 ( 11:14 AM ) Mary Beth
Update on the New $20
Less than a month after the debut of the new $20 design, counterfeits have already surfaced. In Elkhart, Indiana, a 14 year old girl used two in a restaurant. In Brockton, MA, phony bills showed up at a Radio Shack and a convenience store. In Utah, two men tried to pay for a motel room with bogus copies of new $20s. Those are just a few of the latest reports. (Search Google News using the search string "counterfeit $20" without the quotes to find them all.) In each case, the color looked good, but the security features were missing. Make sure your tellers -- and your commercial customers who are in retail businesses -- are checking for the watermark image, the security thread, and the color shifting ink to confirm the bill is genuine.
While some vending machine companies have retrofitted their equipment to accept the new bills, there are still plenty of machines out there -- including some of the slot machines I played in Las Vegas last week -- that just spit them back out, and an article published yesterday indicates that automated payment machines, like those found in self-service checkout counters, haven't been updated.
It was a gaggle of gurus at my house Wednesday night. Carin Eisenhauer, Sam Ott and I extended some Oklahoma hospitality to out-of-towners Lucy Griffin, David Dickinson, and new BOL staffer Andy "King of Threads" Zavoina. As usual, we were drawn to the message board, where there's never a shortage of interesting posts.
Who's Phishing?
Over the last week, the National Infrastructure Protection Center's daily bulletin has reported spoof email scams that have targeted customers of Citibank, NatWest and Halifax. Other sources have also added Barclays and Lloyds TSB to the list. The newest version of the email scam offers big bucks in exchange for assistance with transferring funds out of a foreign country. (Sound familiar?) Some experts think these new emails are coming from Russian criminals. Ask yourself what you've done/should do to raise awareness of your customers to this problem so that they will not fall victim to such a scam. Halifax temporarily closed its online service as a protective measure. Read more.
#
Thursday, October 23, 2003 ( 8:19 AM ) Andy
Remember those pesky pop-under ads we all grew to hate? Well X10's business model may have lacked a bit as they are in bankruptcy. I know we discussed these on the BOL Threads a number of times.
#
Tuesday, October 21, 2003 ( 4:45 PM ) Mary Beth
Abagnale Addresses Bankers at ACB Annual Meeting
In a thought-provoking and at times emotionally moving speech, Frank Abagnale recounted his teenage escapades that made him the subject of director Steven Spielberg's blockbuster movie, "Catch Me If You Can". Having sold the movie rights to his book more than 25 years ago, Abagnale never envisioned a film being made chronicling his law breaking youth. While the movie highlighted the crimes he committed, Abagnale told the packed room of bankers how the emotional shock from the sudden divorce of his parents forced him to run away from home at the age of 16. From the time he left home at 16 until his eventual capture at the age of 22, he committed a series of financial crimes involving check fraud. Following years of incarceration he eventually went to work for the FBI Financial Crimes division.
The message he left this group of bankers with was not how to fight fraud nor how to prevent Identity Theft, America's fastest growing crime, but rather the importance of family. Kids need both a mommy and a daddy while growing up, Abagnale said. He lamented the loss of his family through divorce that led him on his youthful misadventures. Later, Abagnale spent an hour in the ACB Expo and Marketplace signing his book for hundreds of bankers.
#
( 4:26 AM ) Ken - Pegasus ABA/ABA AMLES Updates USA PATRIOT Issues for Bankers
By Ken Golliher
“Every once in awhile, close your eyes and pretend it’s September 12 again.” Similar remarks were made by two presenters on the first full day of the American Bankers Association/American Bar Association’s Money Laundering Enforcement Seminar in Washington, D.C. Both were encouraging attendees to avoid complacency while at the same time acknowledging that U.S. banks have made enormous efforts to implement the requirements of the USA PATRIOT Act (PATRIOT) in the last several months. The nation’s and the industry’s fight against money laundering and terrorist financing has generated record attendance at this annual event, now in its 15th year. With nearly 600 registrants and more than 30 vendors, the program began on Sunday and ends today.
For the first time, the conference expanded to include formal sessions on Sunday afternoon. One of Sunday’s presentations dealt with using the Internet to perform due diligence. The second was presented by a consortium of vendors and entitled “The Different Pieces of the Technology Puzzle for AML/BSA.” It was intended to assist attendees in identifying areas where AML programs could be enhanced by existing technology.
Monday morning’s session, “Anti-Money Laundering/Terrorist Financing: An Update of the USA PATRIOT Act and Beyond” was presented by a panel of well known experts from banking and the regulatory agencies. It reflected the varying perspectives of a group of people, all working toward the same broad goals.
William Langford from the Department of the Treasury (Treasury) has focused on implementation of the anti-money laundering and terrorist financing efforts since September 11, 2001. He indicated that regulations implementing PATRIOT’s section 312, the last major piece of the regulations specifically affecting banks, “…are very near completion. All policy issues are resolved and only technical issues remain.” He noted that issuing anti-money laundering rules for insurance companies was one of Treasury’s near term priorities. He also referenced Treasury’s recent “Notice of Inquiry” regarding copying identification and the possible disallowance of certain kinds of identification for Customer Identification Programs (CIPs). He said the 34,000 comment letters confirmed Treasury’s original understanding – a requirement to copy identification was not necessary and that banks should be allowed to decide what type of identification they would accept on an individual basis.
As far as the “List of Known or Suspected Terrorists” referenced in PATRIOT’s section 326, he again confirmed that it was not a reference to the OFAC list, but a completely separate list yet to be established. He indicated that no decision had been made on when such a list would be made available, but assured that banks would be notified in no uncertain terms at that time. “It may come through the 314 process, it may come otherwise,” he said.
Deputy Chief Counsel Dan Stipano from the Office of the Comptroller of Currency (OCC) indicated the agency was publishing new examination procedures (identical to those adopted by the Federal Reserve) on its web site. The procedures cover certain aspects of changes made by PATRIOT to the Bank Secrecy Act (BSA), but those for Section 326 (CIP) are still under development. (The FDIC published new BSA examination procedures last week. See BOL’s Top Stories 10/20/03.)
In keeping with his prior public comments, Stipano indicated, “There was never any intention to make the Section 326 regulations “hypertechnical” with a “right” or a “wrong” answer for everything.” He encouraged bankers to resist the urge to overanalyze the regulation saying, “This isn’t Regulation Z.” However, he also said that there is still no established date by which bankers can expect the regulatory Q & A which is to provide them with CIP guidance. Banks were required to have CIP programs in place by October 1, 2003.
Carmina Hughes, Special Counsel to the Federal Reserve’s Enforcement and Special Investigation Sections, encouraged attendees to review recent enforcement actions posted on regulatory agencies’ web sites to capture the current regulatory tenor regarding BSA compliance. She pointed out that banks would do well to avoid certain errors common to some recent enforcement actions:
• lack of serious management commitment to BSA compliance,
• a failure to heed prior regulatory criticisms and
• a failure to file Suspicious Activity Reports (SAR’s).
On the latter point, she noted that the Federal Reserve generally does not criticize a bank for failing to file a single SAR based on a legitimate difference of opinion. However, she also noted that the recent enforcement actions regarding SAR filing dealt with systemic failures not based on differing interpretations of filing requirements. Hughes indicated that, “SAR filing has never been more important than now.” She encouraged banks to develop a formal SAR filing process and reminded them that the requirement to file is not contingent on having “court ready” evidence of wrongdoing. Hughes also reported FinCEN oftentimes has difficulty understanding exactly why a SAR has been filed and that banks should take particular care to make certain the narrative portion of the SAR was well written.
Panelist Richard Small, Citigroup’s Global Anti-Money Laundering Director, acknowledged that banks may be overanalyzing the CIP regulations, but in a smiling reference to Stipano’s early comment said, “We may be overanalyzing it, but if we are overanalyzing it we are doing it to cover our backside.” He encouraged regulators to take a consistent approach in analyzing CIP requirements, particularly in the circumstance where one bank may deal with multiple regulatory agencies and each agency is looking to see policies adopted at its particular level rather than allowing the institution to take a comprehensive approach.
To cater to the audience’s diversity, there were several break-out sessions during the day:
• How to Set Up an Effective AML Training program,
• Money Service Businesses – A Look at Expanded Regulatory Requirements
• Foreign/Correspondent Banking/Private Banking
• International Money Laundering Trends: The Challenge of Compliance
• USA PATRIOT Act Compliance: New Applications to Non-Bank and Non Financial Businesses
• Labor Law and SARs – Reporting on Suspicious Employees
The last session of the day was “Fine Tuning Your Identification Program.” More than most banking regulations, those requiring a CIP have generated a list of questions for which there are no clear answers in the regulation. Some are trivial. Others are not. Pamela J. Johnson, the Fed’s Senior Anti-Money Laundering Coordinator and Stipano gamely reviewed those questions and their individual interpretations of the issues involved as they have done in prior public appearances.
The conference ends today. All sessions are being recorded and can be ordered from www.intelliquestmedia.com
#
Monday, October 20, 2003 ( 2:03 PM ) Mary Beth
Where in the world is BOL?
George Milner, Lucy Griffin and Barb Hurst are in Washington DC at the ABA/ABA AML conference, along with BOL Gurus John Burnett and Ken Golliher, and Alisa Barchie from Penley FastWatch.
John and Ken serve as co-moderators of the Operations forum on BOL, but this is the first time they've gotten to meet in person, and they're enjoying getting a chance to visit outside of cyberspace for a change.
Michele Petry, Carin Eisenhauer and I are at the America's Community Bankers conference in Las Vegas. We're joined by Cleve Shultz of Penley. Lots of folks here haven't heard of BOL. Can you imagine? We're doing our best to spread the word.
Carin and Michele just left to go hear Frank Abagnale's presentation, while I'll be heading out in a few minutes to go to North Dakota where I'll present a full day workshop tomorrow, then on to South Dakota for a full day on Wednesday. Never been to either place before, so I'm looking forward to meeting everyone.
Barbara Hurst, editor of Bankers' Hotline, and Lucy Griffin, editor of Compliance Action, are two of my favorite people, so I wish I could have been at the ABA conference this week to visit with them and catch up on the latest AML developments. Ken will be briefing us on the highlights.
I got to visit with another of my favorite people at ACB, Roger Guerrin from Sanford Savings in Maine. He's a long-time BOL fan, but I actually got to know Roger through the Graduate School of Banking at Colorado where we both serve on the faculty. Roger has been on the faculty for many, many years and is one of the nicest people you will ever meet, as well as knowledgeable.
#
Thursday, October 16, 2003 ( 1:12 PM ) Mary Beth
Slave to Microsoft
I'm having one of those days when I feel like all I've done this week is apply software patches. Did you see our Tech Advisory? FIVE new patches released by Microsoft. FIVE! I appreciate the fact they're trying to patch problems, but wouldn't it be nice if they'd do that in the process of creating the operating systems and software in the first place?
#
( 5:33 AM ) Andy
IRS Mileage for 2004 is Up
Mileage rates go from 36 cents in 2003 to 37.5 cents in 2004. The IRS is also relaxing the rules so that small businesses can more easily take advantage of these rules and save time.
#
Tuesday, October 14, 2003 ( 10:02 AM ) Mary Beth
Regarding Andy's post from earlier this morning, it looks to me that with the document in the Federal Register they are adding additional aliases to names already on the OFAC SDN list. For example, Basque Fatherland and Liberty is on the SDN list, and the new document in the Federal Register indicates they are adding additional names as aliases, including some which are Internet domain names. So, in addition to doing an OFAC search for Basque Fatherland and Liberty (which has been on the list since October 31, 2001), an institution will now need to do a search for any accounts held in the name of kahane.org, kahane.net, kahanetzadak.com, etc. Interestingly, the Federal Register publication was from the State Department. There's been nothing official on this from OFAC yet.
#
( 8:09 AM ) Andy
OFAC has you looking in more directions: An update based on aliases and including Web sites has been released from the State Dept. This may mean new risks for monitoring and that you have to look in yet another direction to see what is coming at you. The Federal Register has a list of entities, including four Web sites, that fall under the "blocked" designation, according to Executive Order 13224.
I looked at one Web site which indicates the name was purchased just a short time ago and differs in purpose from that which is to be blocked. Assets of the site, and others listed, would have to be blocked by financial institutions, based on my read.
#
Monday, October 13, 2003 ( 12:40 PM ) Mary Beth
Is E-banking safer than traditional?
Andy Z here: Javelin Strategy & Research reports that 14% of ID theft starts with the victim's mailbox. Analog mail (checks, statements, bills, etc.) is easier to steal than e-mail in the digital world. They report it is safer for your customer to get e-statements and e-bill presentment than the traditional printed versions.
#
Friday, October 10, 2003 ( 6:42 AM ) Mary Beth
The New $20s
Day 2 of circulation for the new $20 and I still haven't been able to get a hold of one yet! I've called several banks in town, as well as the Federal Reserve branch. Just ran across an interesting factoid from the Bureau of Engraving and Printing: "It will take a while for the new twenties to show up in significant numbers. As a point of reference, when the last redesign of the $20 note went into circulation in 1998, it took six months before the new design made up 20 percent of the twenties in circulation."
#
( 6:15 AM ) Mary Beth
Change of Address Precautions
This week, I got a call from a friend who said, "They got me!" Before I could speculate about whether she meant aliens or bogeymen, she explained that she had called her bank after realizing she hadn't received a statement in a while and learned from the bank that someone a few months previously had evidently managed to masquerade as her and change her address on the bank records. This morning, the NIPC daily report has a story about scammers who assumed the identities of credit card holders, submitted change of address requests, then added authorized signers to the accounts (in fake names the scammers had ID for).
They then proceeded to visit riverboat casinos where they obtained cash advances on the credit card accounts, using the new cards issued to the authorized signers. So, how vulnerable is your institution to this type of fraud? What is your procedure for confirming the legitimacy of any change of address request? How do you verify the request is really from the customer? What precautionary measures do you employ? This is an important facet of information security. If you haven't adequately addressed the internal controls for this type of account modification, it's time to do so.
#
Thursday, October 09, 2003 ( 8:33 AM ) Mary Beth
Financial Transactions Result in New Al Qaeda-related Indictment
Ever wonder whether your SARs or 314(a) searches really matter? You bet they do. Follow the money, find the crime. While we don't know for certain that a SAR or 314(a) search response was responsible, we do know that somehow the federal government was able to uncover information that Uzair Paracha had conspired with others to receive funds for the benefit of al Qaeda and had conducted financial transactions involving an al Qaeda associate's bank account and accepted up to $200,000 of al Qaeda funds to be held as an investment. Go get 'em! Read the indictment.
BOL Learning Connect Webinar on Check 21
BOL Gurus John Burnett, Ken Golliher and I will be presenting a Webinar November 7th that will be an introduction to the Check 21 Act. Hope to see you there! Learn more.
Fun in Philly
Sure had a good time in Philadelphia at the Bankers' Hotline Security Officers Workshop, then the following week in Texas at the Texas Bankers Association Security and Risk Management Conference. I heard some awesome war stories from Don Temple, a money laundering expert who had a long career with IRS and is now with Mantas. It was fun to get to meet JacFSB in person, and I brought back a few pics.
JacFSB is in the photo above. Can you spot him?
You don't want to mess with these guys! Brooke Blake is a former FBI agent. Branch Walton was Secret Service. Both are bank security experts who do consulting and training. It's always great to hear them.
I got to meet BOL Guru Peter Djinis in person! That was a treat. He is a walking-talking BSA encyclopedia!
#
Tuesday, October 07, 2003 ( 6:28 PM ) Mary Beth
InfoSec Problems from Attempted Customer Stealing
Lots of interesting things going on these days. Remember back several months ago when two loan employees of a Colorado bank emailed imaged customer files to themselves in anticipation of working elsewhere and the OCC put the whomp on them, banning the two from banking for life and making several very no-nonsense comments about the information security/privacy implications of their actions? Well, Bank One is now alleging that five former employees took information about wealthy customers with them when they left to join Smith Barney, emailing it from their bank computers to outside email addresses. (Sounds familiar, doesn't it?) This time, however, it's not a regulatory enforcement action that's making the news -- it's a lawsuit by Bank One against the former workers. We found it interesting that the news report on the lawsuit talked all about the harm that had occurred to the bank -- and didn't even address the privacy issue. News report.
Major Changes in Check Processing
The Check 21 Act is about to become a reality, now that a compromise bill has been worked out. How big of a deal is this new piece of federal legislation on check truncation? BOL Guru Ken Golliher says it's the biggest thing to occur in banking since he began his career. "Theoretically", Ken said, "checks could be truncated at the teller line. Customer makes a deposit, the item is imaged, a substitute check is created. What happens to your backroom?" This law will potentially prompt major changes in the industry. It will present opportunities -- and will require decisions and preparations. Keep watching BOL for details.
ID Theft Victim Sues Microsoft Over Security Vulnerabilities
Did you hear about the lawsuit filed against Microsoft by an identity theft victim that may turn into a class action? Here's the claim: Microsoft's software has security vulnerabilities due to "shoddy work"; the security vulnerabilities led to the plaintiff's financial information being compromised; Microsoft should be liable. Hmmm. Sounds interesting, but there's a twist. The plaintiff's attorney was quoted as saying "[The plaintiff's] financial information was compromised and bank accounts were compromised or seized to the extent that law enforcement became involved." Oops. What's up with the seizure part? I think there's more to the story than we've heard thus far, but it will be an interesting case from the standpoint of how the court will rule on whether Microsoft can be held liable for the criminal acts of a third party. Expect to hear a lot about "foreseeability".
Attack Web site Exploits Unpatched Machines
Speaking of Microsoft -- how up-to-date are your Microsoft patches right now? Hackers apparently have a new way to exploit an unpatched hole in Internet Explorer. They use a specially designed "attack Web site" (Did you know there was such a thing?? Did you think the only real threat was from email? Oops. Think again.) to install a Trojan horse program on unpatched machines. The Trojan carries with it a program called Qhosts and it changes the DNS config on the computer so that when the user tries to go to popular search engines, it instead takes them to a site controlled by the hackers. The patch for this vulnerability was released in AUGUST, but there are reports of a variation on the vulnerability that could make even patched machines at risk. Oh, great. Learn more.
Money Laundering: Good News, Bad News
Good news on the money laundering front. According to a blurb in today's National Infrastructure Protection Center daily report, terrorist financiers appear to be turning away from laundering money through financial institutions. The report says terrorists are transporting their cash in suitcases and containers and shipping the money out of the country or having a courier deliver it, rather than placing it in the banking system where a paper trail is created. The bad news, however, is that in terms of raising money, they're using credit card fraud and check forgery, among other means. And a high-tech crime fighting task force in the UK is exploring possible ties between computer viruses and terrorists.
Muslim Employees and Others Discriminated Against, According to EEOC
The EEOC has filed suit against The Plaza Hotel and the Fairmount Hotels on behalf of Muslim, South Asian, and/or Arab employees who were allegedly discriminated against and harassed due to their national origin, ethnicity, or religion in the wake of 9-11. The complaint filed in federal court has some shocking details about the employers' alleged conduct and provides a good reminder about lines that can't be crossed.
Bank Robbery Deterrent
Have you implemented a "customer dress code" yet as a deterrent to bank robbery? Look at month after month of photos of bank robbery suspects we've compiled, including the latest set. It doesn't take a rocket scientist to realize these bad boys (yes, they're mostly guys) want anonymity and hats, hoods, and sunglasses are the way they ensure they get it. They hide as much of their faces as they can. Then we wonder why more of them aren't caught.
A simple request -- strictly voluntary -- made via a sign on your doors, requesting that customers kindly remove headgear and sunglasses will likely do one of three things: 1) help make these schmucks decide to go elsewhere, or 2) make them the target of increased scrutiny (and greater likelihood of identification) if they don't comply with the request; or 3) make them easier to identify if they choose to do the robbery anyway. What's not to like about that?
The Crown Royal Bank Robber
Meanwhile, there's a bank robber down in Georgia who's been dubbed "Crown Royal" by the authorities, for his tendency to use a cloth Crown Royal bag in his robberies. (Isn't that kind of small?!?) He's robbed 26 banks thus far with his stinky alcohol breath and appears to be getting more aggressive. What a career choice. And more of them than ever before appear to be serial robbers. It's the "Bet you can't rob just one" syndrome. That's why it's so important to catch them early on, so they don't keep terrorizing others.
Latest Twist in Do Not Call
On October 7, the 10th Circuit Court of Appeals lifted a federal district court's order that had barred enforcement of the FTC's Do Not Call List, pending appeal. See our updated article for details.
#