Cyber event?

Customer allows a hacker into their online banking (under false pretenses) and the hacker moves funds from the customer's SAV to the customer's DDA and tells them the funds were deposited into the DDA by mistake and they need to send the money back. Elderly customer did not check the SAV so doesn't know it's their own funds they are sending out. Is this a cyber event? The customer let them in is where I'm hung up. I think it is, by the way. Just want to confirm.

Thank you

https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a005

"Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information."

It's a very broad definition for a Cyber-Event. I would say that you have a Cyber Event against your customer.

I'd also call this account takeover.

Great question as the guidance I recall doesn't address this specific situation. You might get differing opinions on this, but it seems to me you need to file a SAR for at least a cyber-event.

Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic
systems, services, resources, or information.

Also, I'm not an attorney (or FinCEN), but I'm wondering if you had a crime occur with the transfer, which could push this into the "cyber-enabled crime" category:

Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.

Thank you for the responses. I feel better about the fact I'm not the only one having doubts about the wording in the guidance. I will l definitely file a SAR and include account takeover and cyber event. I just wish more of these criminals were caught and punished. This customer is elderly and has lost her life savings. The front line did an excellent job of asking her questions but the hacker had instructed her on how to respond in a believable way. Sad.

I'd be curious for further opinions on this topic as a whole.

FIN-2011-A016 states that account takeover activity should be reported.
FIN-2016-A005 is an advisory that really just talks about cyber-events and cyber-related crime targeting a financial institution.

Does FinCEN define "targeting a financial institution" as a customer providing their account information to a scammer and the scammer transferring funds out of the account? That seems too broad to me. I feel like the guidance's intent was for financial institutions to report crimes and attempts against the financial institution itself, and not individual customers.

If a customer is deceived into providing remote access to their PC which leads to a criminal initiating or attempting fraudulent transactions, we report that as a cyber event against the customer.

I make a distinction between that and when a customer gives their credentials to a criminal in the course of an employment scam or something so that the criminal can make a fraudulent deposit.

The customer may have been deceived in both cases (or may claim to be deceived in the second case to hide their complicity as a money mule), but in the second case the customer is willfully allowing the criminal to transact through their account, while in the first the customer didn't intentionally provide access.

This is probably more clear in my head than it is on paper or in practice, but we've been able to be consistent with this. I also admit that it may be difficult to determine exactly what was divulged and how.

I agree with both praBSA and ColoradoAML.
It is important to distinguish if the attack/compromise is against the banks systems or a customer provides their online credentials and a fraudster uses them to defraud the customer.

So did they send the funds out?

This older thread brings up a question I have about filing out the SAR. When you click on the Cyber Event in Field 44, what do you choose from the drop down menu for the elder scam descibed above? I usually pick Other and describe it as online banking account takeover. But then what in the world is an event value??? No help from the help boxes on the SAR!

You might take a look at the SAR efiling instructions: https://www.fincen.gov/resources/filing-information

Number 13 beginning on page 144 discusses this and provides some examples.

Thank you ColoradoAML. I went straight to the instructions for that particular field and bypassed this part of the document. I think I came up with something that will fit for that filed. BTW, I asked FInCEN and their answer was "to enter a value that coincides with the indicate you have described". Hope that helps others!