O’Melveny Worldwide

FinCEN Issues New Anti-Money Laundering Red Flags to Stem Increased Threat of COVID Cybercrime

August 3, 2020

While the global pandemic has wreaked economic havoc, one area of financial activity has thrived: COVID-related cybercrime. Cybercriminals are creating risk for financial institutions by targeting industries and customers at a time when they are most vulnerable. To help stem this tide, late last week FinCEN issued an advisory to help financial institutions detect, prevent, and report cybercriminals exploiting the COVID-19 pandemic. Financial institutions must pay close attention to these new red flags that serve as warning signs that cybercriminals are at work.

The reason for the surging volume of COVID-related cybercrime is plain: it is rooted in the reality of the pandemic that financial institutions must rely almost exclusively on remote digital transactions. This reliance on remote-access technologies increases the vulnerability of customers and systems to attack from cybercriminals. FinCEN’s advisory identifies certain red flags for suspicious activity involving false digital identification and other cyber indicators of compromise. FinCEN’s incorporation of specific security-related software flaws identified by the National Institute of Standards and Technology (NIST) reinforces the overlap between cybersecurity and Bank Secrecy Act compliance. While NIST standards are non-binding, financial institutions should pay attention to these standards as regulators incorporate them into industry-specific guidance.

FinCEN and other regulators will expect financial institutions to incorporate these red flags into their anti-fraud and anti-money laundering compliance programs. They will also expect financial institutions to practice heightened vigilance. Accordingly, financial institutions must carefully review these red flags, evaluate existing protections, and target compliance resources on the areas of greatest risk. Any doors left open will attract cybercriminals, with the regulators not far behind.

Pandemic Shifts in Doing Business Are Creating Vulnerabilities

During the COVID-19 pandemic, financial institutions are interacting with customers almost entirely through remote access. While the industry was already moving in this direction, the acceleration of this trend presents challenges for certain traditional products and services and technology-averse customers. This rapid move to exclusive remote access creates greater opportunities for cybercriminals to steal sensitive customer and business information and compromise financial activity.

FinCEN has monitored this shift and has now moved to warn financial institutions about the risks of digital manipulation of identity documents and leveraging compromised log-in credentials. FinCEN has also highlighted the increase in phishing and malware scams that take advantage of COVID-19 relief programs. In addition to previously identified phishing scams, FinCEN noted that cybercriminals are targeting industries, like healthcare, that are focused on COVID-19 response and hence especially vulnerable to illicit actors.

Indicators of Potential Illicit Cyber Activity

FinCEN’s advisory provides an extensive list of red flags to assist financial institutions in detecting these attempts at cybercrime. The identified red flags include:

  • Low resolution or blurry pictures from digitally scanned identification documents;
  • Misspelled names or blurry text in digitally scanned identification documents;
  • Customer does not match physical description on identification;
  • Customer displays increased login attempts or password resets; and
  • Malicious cyber indicators (as published by various government agencies) evident in system log files, network traffic, or file information.

Unlike previous FinCEN advisories that focus on red flags apparent in financial transaction details, these red flags focus largely on information contained in source documents, including embedded fraudulent websites, spoofed email addresses, system and customer log files, and digital identity manipulation.

Incorporating FinCEN’s Guidance

Financial institutions should view FinCEN’s advisory as both clarifying regulatory obligations for filing SARs related to COVID-19 and providing explicit information aimed at assisting financial institutions in protecting themselves from cyber threats. While this advisory and FinCEN’s previous advisory on filing SARs on cyber events may appear to expand financial institutions’ filing obligations beyond purely financial activity, FinCEN’s regulations have explicit dollar thresholds for when SAR filing is mandatory (e.g. $5,000 for banks and $2,000 for money services businesses). These advisories reinforce the importance of financial institutions developing policies that encourage information sharing of malicious cyber-events between information technology teams and anti-fraud and anti-money laundering compliance staff. While already a best practice, such coordination will be considered mandatory for cyber threats that attempted to infiltrate financial products or services above corresponding thresholds requiring the filing of a SAR.

Beyond updating systems to catch the cybercriminals that FinCEN’s advisory highlights, financial institutions should utilize a risk-based approach towards compliance. When monitoring customers, financial institutions should, of course, start with alerts generated from information that is readily available in transaction records and customer files, including changes in customer behavior. Once the alert is generated from readily identifiable red flag activity, financial institutions can then apply the additional red flags on digital identity manipulation and embedded malicious activity indicators for further investigation related to determining whether to file a SAR.

By taking and documenting these steps, financial institutions satisfy regulators’ expectations that they will bolster their compliance efforts to meet the novel and multiplying challenges arising from financial fraud in the pandemic.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Laurel Loomis Rimon, an O'Melveny partner licensed to practice law in the District of Columbia and California, and Braddock Stevenson, an O'Melveny counsel licensed to practice law in New York and New Jersey, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
