Tips on Suspicious Activity
by Mary Beth Guard
The SAR Activity Report released by FinCEN on October 22, 2001 covers the period January-April, 2001. It provides an interesting look at the number of reports of suspicious activity filed under the Bank Secrecy Act, as well as a breakdown of the types of activity reported and the geographic distribution of the reporting institutions.
In addition to being interesting, however, the Report is helpful in two ways. First, it describes trends in suspicious activity. By reading about the notable trends, your institution can take steps to guard against those types of vulnerabilities. Second, it answers questions about the reporting process and SAR compliance that can aid you in your Bank Secrecy Act compliance efforts.
The most striking fact is that apparently institutions are either not reading the instructions closely, when it comes to reporting computer intrusions, or are simply misinterpreting those instructions. Close to half (64 out of 147) of the SARs dealing with computer intrusions should not have been filed! Only 83 of the reports that dealt with computer intrusions actually described activities that were considered "computer intrusions" as the term is defined in the SAR instructions.
As viruses and worms continue to proliferate and hacker activity increases, the number of reportable computer intrusions will undoubtedly rise.
Internal Control Breakdowns
Of the 83 SARs that properly reported computer intrusions, more than 60% described activity in which the computer intrusion involved a bank employee. In these instances, the bank employee utilized his/her position and breakdowns in internal controls to embezzle or defraud the bank.
Suggestion: Review your internal control procedures that relate to computer usage, file access, and monitoring of transactions to guard against this type of abuse.
Four banks reported being targeted by an individual from Russia who attempted to hack into those banks, and possibly others, during the period of late April/early May 2001. The hacker contacted the banks and informed them he was successful in his attempt to intrude into their systems. After identifying several vulnerabilities that allowed access to all logs, files, and passwords, he then attempted to extort bank officials by claiming that he would assist them with correcting their computer system vulnerabilities.
Suggestion: Employ effective intrusion detection software. Have a procedure in place to deal with any communications relating to extortion attempts. Require your employees to take detailed notes, if the hacker communicates via phone. If the hacker communicates via written letter, place it in a sealed plastic envelope to preserve fingerprint and/or DNA evidence. Carefully preserve any electronic evidence in order to aid law enforcement in tracking down those responsible. Pull up the Secret Service Web page that deals with preserving electronic evidence and make sure your tech people get a copy of it.
Bill Payment Fraud
Four Suspicious Activity Reports described a bill paying service whose customer information appeared to be compromised by someone within the organization. It's a little difficult to tell, but it sounds like it was perhaps a third-party bill paying service utilized by the customer or a third-party service which the financial institution had formed an alliance with. In each of the four instances, the intruder obtained valid ID and PIN numbers of customers and then initiated unauthorized automated clearinghouse debits from various accounts.
Suggestion: If you are partnering with an outside vendor in the bill payment area, make sure your due diligence is thorough. Remind your customers, through messages on your online site and statement stuffers, to periodically review all transactions that have taken place on their accounts and promptly report errors or fraudulent activity.
Other Reportable Schemes
Some of the other notable reported computer intrusion trends were as follows:
- attempted intrusions through a worm or virus;
- unsuccessful attempts to intrude into the system and then send bulk email/spam in order to overwhelm and disable the system;
- failed attempts to intrude into the bank's critical information systems. (These attempts were foiled by intrusion detection systems running on the banks' servers.);
- an unknown entity registered a new domain name and created a Web site that was similar to one being utilized by a credit union. The phony Web site successfully deceived credit union members in believing it was the credit union's site, which led to the victims entering their home banking security information. The perpetrator could then gain unauthorized access to the members' accounts via the Internet.
- suspect overrode web protocols and created a near-duplicate but sham bank Web site. Customers of the legitimate bank were unaware that information entered on the sham Web page never made it to the bank. The bank that detected the scam and reported it on a SAR did not know if any financial information was actually captured by the sham bank's Web site and used to conduct illicit activity.
Suggestion: If your bank has a Web site (and particularly if you offer online banking), employees of your institution should be checking your site throughout the day, and even on weekends, to ensure it has not been altered or hijacked. In addition you should follow the regulatory guidance issued in 2000 for protecting your domain name against copycats. The FTC recently brought an action against an individual who had registered a whopping 5500 copycat domain names! Make sure your customers are quite familiar with your true Web site address by including it on statements, ads, deposit slips, correspondence, signage, and other communications with them.
When Computer Intrusion Warrants a SAR
Under Block 35 f. - Computer Intrusion on the report form, a SAR should be completed if an incident of computer intrusion has occurred. To avoid filing a SAR unnecessarily, it pays to understand the parameters FinCEN has established for this type of suspicious activity.
Computer intrusion is defined as gaining access to a computer system of a financial institution to:
a. remove, steal, procure or otherwise affect funds of the financial institution or the institution's customers;
b. remove, steal, procure or otherwise affect critical information of the financial institution including customer account information; or
c. damage, disable, disrupt, impair or otherwise affect critical systems of the financial institution.
If your situation doesn't fit this criteria, don't report it on a SAR.
These examples, given by FinCEN, help illustrate scenarios that would trigger the reporting requirement:
- The perpetrator may be an insider (e.g., an employee of the financial institution) who has misused or overridden his/her authority to access and manipulate computer-based customer information.
- The perpetrator may be an outsider who has somehow hacked his/her way into the financial institution's critical computer system that contains customer data.
What NOT to Report
- Do not report attempted intrusions of Web sites or other non-critical information systems of the institution.
- Do not report intrusions into systems that provide no access to financial institution information, customer financial information or other critical information.
- Do not report an employee bringing in a diskette containing a computer virus.
- Do not report and instance where a hacker accesses your institution's Web site and defaces it by posting pornographic or other obscene materials.
DO report the following as computer intrusions:
- An employee of a financial institution using his computer access (or that of a co-worker or supervisor) to steal funds from a customer's account. (You would delineate several violations on block 35 of the SAR form, including misuse of position/self dealing, defalcation/embezzlement and computer intrusion.)
- A former disgruntled employee of a financial institution using his personal computer to access the institution's critical information system to steal customer account information. (Note "computer intrusion" on the form, as well as any other violations that had affected the customer's financial information, such as credit card fraud, identity theft.)
- A deliberate infection of your institution's computer server with something like the Code Red Worm which denied access to online banking customers. (In addition, the NIPC squad of your local FBI office should be contacted or you may contact the IFCC, at (304) 363-4312 or www.ifccfbi.gov.)
- An employee of a financial institution using his computer to alter a customer's check (or deposit slip) which would affect the deposited funds of the institution's customer. (The SAR should note several violations selected on block 35 of the SAR form, including misuse of position/self dealing, defalcation/embezzlement, check fraud and computer intrusion.)
- A hacker accessing one of your institution's critical information systems to steal customer information and then destroying the data in that institution's information system. (You should also note on the SAR any other violations which had affected the customer's financial information (e.g., credit card fraud, identity theft).)
How to Report
If you have a reportable instance of computer intrusion:
- Complete Part V of the SAR (the narrative) by giving a detailed explanation of the suspicious activity concerning the computer intrusion. Almost 12% of those who filed computer intrusion SARs during the January-April time period failed to do so.
- Do not include supporting documentation. Spreadsheets, photocopies of canceled checks or other documents, photos, and other related information should never be attached to (or submitted with) a SAR. Such documentation must instead be retained and made available for inspection upon request.
- Ensure that the appropriate violation code of "f" is selected in Part III, block 35 of the SAR form.
- If other types of fraud occur in conjunction with the computer intrusion, indicate these on the same SAR form in Part III, block 35.
In the following instances, instead of filing an SAR, you should contact the National Infrastructure Protection Center squad of your local FBI office or the Internet Fraud Complaint Center (IFCC), at (304) 363-4312 or www.ifccfbi.gov.
- If you notice from your firewall software that your institution's Web site is continually being "pinged" by hackers; or
- You discover an instance of computer intrusion that only affects your internal email system, FinCEN says such activity does not warrant the filing of a SAR.
Three Noteworthy Trends
Three particularly noteworthy trends in suspicious activity were mentioned by FinCEN:
Use of Money Transmitters as Money Laundering Vehicle. This would include, for example, money order and traveler's checks issuers, check cashing businesses and currency exchange. This does not directly affect insured depository institutions.
Use of Traveler's Checks to Disguise Identities. Whether your institution sells traveler's checks or simply encounters them when deposited or exchanged, be on the lookout for suspicious activity that involves using these instruments to disguise identities. Here's what to look for:
- Suspicious practices that involve the use of large dollar amounts in traveler's checks per instance, often in sequentially numbered ;
- Traveler's checks that list as the payee a numbered account in a foreign bank;
- The name and/or address on the purchase agreement being:
- left blank;
- illegible; or
- not matching the signature name on the corresponding traveler's checks.
FinCEN says that Mexico, Nigeria, Israel, and a number of East Asian countries have been cited in multiple SARs as the point of origin or negotiation for instruments involved in this type of activity.
Solicitation Letters (Advanced Fee Fraud or 4-1-9 Scams). This is often referred to as the Nigerian Letter fraud, so named because the content of the letter refers to a scheme for getting money out of Nigeria. FinCEN says the number of SARs referencing bank account solicitation letters coming from suspect individuals in Nigeria, South Africa, or Ghana representing themselves to be former or current high-level government officials, soldiers or influential professionals (or their spouses) is increasing.
Typically, the letters are directed at bank officials and/or specific customers (individuals or businesses) of banks, and request direct access to bank account and other identification information to arrange for a supposed large transfer of funds from Nigeria, South Africa, or Ghana into the subject account. This type of advanced fee fraud is called a "419 scam", but is often reported in SARs in the BSA/Structuring/Money Laundering category, since the letters usually seem to be soliciting assistance for clandestine currency flight.
Surprisingly, FinCEN does not appear to discourage the use of a SAR for reporting this type of activity. The agency does, however, offer the following additional guidance for recipients of these 419 scam letters or emails:
Individuals receiving a suspicious business proposal from Nigerian or other African sources should contact the U.S. Secret Service, Financial Crimes Division, 950 H Street, N.W., Suite 5300, Washington, D.C. 20233. The phone number is (202) 406-5572, fax number is (202) 406-6930. Nigerian Advance Fee Fraud letters can be emailed to the Secret Service at email@example.com."
Suggestion: If you are like me and you have actually personally received one or more of these ridiculous solicitations, you may find it difficult to believe that anyone ever falls for them, but stupidity and greed are powerful forces and victims have lost money. Educate your customers to help protect them against this fraud. The Secret Service has an excellent Public Awareness Advisory on Nigerian Fraud (419 Scams) available on its Web site.
Reporting on Identity Theft and Pretext Calling
Identity theft has been called the nation's fastest-growing crime. From January to the end of April 2001, FinCEN received 332 SARs reporting identity theft, compared with 637 cases over the whole of 2000 and 267 cases in 1999. This is a 50 percent increase from the same period a year ago.
If you are filing a SAR on activity such as credit or debit card fraud, loan or mortgage fraud, or false statements to the institution, and the fraud also involved identity theft or pretext calling as the underlying cause of the known or suspected criminal activity, you should complete the SAR in the following manner:
- In Part III, Box 35, check all appropriate boxes that indicate the type of known or suspected violation being reported and, in addition, in the "Other" category, write in "Identity Theft" or "Pretext Calling" as appropriate.
- In Part V, explain what is being reported, including the grounds for suspecting identity theft or pretext calling in addition to the other violations being reported. ? In the event the only known or suspected criminal violation detected is identity theft or pretext calling, write in "Identity Theft" or "Pretext Calling" as appropriate, in the "Other" Category in Part III, Box 35.
- Provide a description of the activity in Part V of the SAR.
The SAR Activity Review also delved into an area many financial institutions have been struggling with: how do you ensure you are safeguarding customer privacy when you are answering inquiries from customers or third parties about account information or funds verification, or when you are using skip-tracers or investigators? The latest report cites the following as recommended practices:
- When communicating with customers seeking information on their account, or a third party (such as a merchant or other financial institution) seeking to verify the authenticity of an individual presenting a monetary instrument, or that the presenter has sufficient funds to purchase a product, a financial institution should consider security measures that:
- require the use of a PIN, Password, or some other proper authorization code;
- mandate the use of caller-id or a call-back to the merchant;
- institute some additional mechanism for authentication;
- provide only information that the account exists; or
- prohibit the use of such communication in some instances.
- require all contacts with those third parties be done via agreement, and require that the third party stipulates that all information received is derived from legal methods and sources, and that the company does not, in any way, engage in pretext calling or any other unfair and deceptive practice; and
- require that any third party has security measures designed to protect any consumer information provided to it by the institution, and that the third party stipulates that it will not "reuse or redisclose" any financial information provided by the institution.
Suggestion: I have long recommended that financial institutions create a simple form that sets forth the text of Subtitle B of Title V of the Gramm-Leach-Bliley Act. (That is the portion of the law that makes it a crime to obtain, attempt to obtain, or solicit someone to obtain, customer information through false, fraudulent or fictitious means.) The form should set forth the text of the statute, then include a paragraph which says something to the effect: "I have read the above statutory language and I understand and agree that in performing services on behalf of ____your bank's name I will not engage in conduct, directly or indirectly, that in any way violates these statutory prohibitions." Then you have an authorized representative of the third-party company (collection agency, law firm, whatever) sign and date the form before a notary.
- Monitor call centers and other customer service representatives to ensure compliance with the institution?s security procedures.
- Consider "footprintsl"or similar authentication measures on the institution's computers to ensure compliance with the privacy and security policies.
- Instruct employees not to deviate from customer information security procedures. Once a comprehensive plan has been developed or updated to maintain customer information security -- it must be adhered to uniformly. Supervisors should demonstrate to frontline personnel that they take the procedures seriously by both following the procedures themselves and enforcing them uniformly within the institution.
- Test your customer information security procedures on a regular basis.
Where to File and Questions
Have questions about how to properly complete a SAR? Not quite sure where something should go, or how it should be designated? FinCEN maintains a Regulatory Help Line for such questions. Call 800-949-2732.
SARs are properly filed with the Internal Revenue Service's Detroit Computing Center. Paper SARs should be addressed to: IRS Detroit Computing Center, FinCEN, P.O. Box 33980, Detroit, MI 48232-0980. Magnetic Media Diskettes should be mailed to: IRS Detroit Computing Center, FinCEN, 985 Michigan Avenue, Detroit, MI 48226.
Originally appeared in the October 2001 edition of the Oklahoma Bankers Association Compliance Informer.
First published on BankersOnline.com 2/25/02
First published on 02/25/2002