Cyber event?

Posted By: Anonymous

Cyber event? - 10/14/21 11:36 PM

Customer allows a hacker into their online banking (under false pretenses) and the hacker moves funds from the customer's SAV to the customer's DDA and tells them the funds were deposited into the DDA by mistake and they need to send the money back. Elderly customer did not check the SAV so doesn't know it's their own funds they are sending out. Is this a cyber event? The customer let them in is where I'm hung up. I think it is, by the way. Just want to confirm.

Thank you
Posted By: Anonymous

Re: Cyber event? - 10/15/21 01:10 PM

"Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information."

It's a very broad definition for a Cyber-Event. I would say that you have a Cyber Event against your customer.

I'd also call this account takeover.
Posted By: Adam Witmer

Re: Cyber event? - 10/15/21 01:26 PM

Great question as the guidance I recall doesn't address this specific situation. You might get differing opinions on this, but it seems to me you need to file a SAR for at least a cyber-event.

Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic
systems, services, resources, or information.

Also, I'm not an attorney (or FinCEN), but I'm wondering if you had a crime occur with the transfer, which could push this into the "cyber-enabled crime" category:

Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.
Posted By: Anonymous

Re: Cyber event? - 10/15/21 04:43 PM

Thank you for the responses. I feel better about the fact I'm not the only one having doubts about the wording in the guidance. I will l definitely file a SAR and include account takeover and cyber event. I just wish more of these criminals were caught and punished. This customer is elderly and has lost her life savings. The front line did an excellent job of asking her questions but the hacker had instructed her on how to respond in a believable way. Sad.
Posted By: praBSA

Re: Cyber event? - 10/21/21 11:55 AM

I'd be curious for further opinions on this topic as a whole.

FIN-2011-A016 states that account takeover activity should be reported.
FIN-2016-A005 is an advisory that really just talks about cyber-events and cyber-related crime targeting a financial institution.

Does FinCEN define "targeting a financial institution" as a customer providing their account information to a scammer and the scammer transferring funds out of the account? That seems too broad to me. I feel like the guidance's intent was for financial institutions to report crimes and attempts against the financial institution itself, and not individual customers.
Posted By: ColoradoAML

Re: Cyber event? - 10/21/21 02:10 PM

If a customer is deceived into providing remote access to their PC which leads to a criminal initiating or attempting fraudulent transactions, we report that as a cyber event against the customer.

I make a distinction between that and when a customer gives their credentials to a criminal in the course of an employment scam or something so that the criminal can make a fraudulent deposit.

The customer may have been deceived in both cases (or may claim to be deceived in the second case to hide their complicity as a money mule), but in the second case the customer is willfully allowing the criminal to transact through their account, while in the first the customer didn't intentionally provide access.

This is probably more clear in my head than it is on paper or in practice, but we've been able to be consistent with this. I also admit that it may be difficult to determine exactly what was divulged and how.
Posted By: RockChucker, CAMS

Re: Cyber event? - 10/21/21 06:52 PM

I agree with both praBSA and ColoradoAML.
It is important to distinguish if the attack/compromise is against the banks systems or a customer provides their online credentials and a fraudster uses them to defraud the customer.
Posted By: Anonymous

Re: Cyber event? - 10/21/21 09:50 PM

So did they send the funds out?