On May 18, the Financial Crimes Enforcement Network (“FinCEN”) issued an Advisory “to alert financial institutions to rising medical scams related to the COVID-19 pandemic. This [A]dvisory contains red flags, descriptions of COVID-19 related medical scams, and information on reporting suspicious activity.” According to FinCEN, “[t]his is the first of several advisories FinCEN intends to issue concerning financial crimes related to the COVID-19 pandemic.” FinCEN also issued a companion Notice to the Advisory that “provides detailed filing instructions for financial institutions, which will serve as a reference for future COVID-19 advisories.”

Although FinCEN has made clear that future advisories will follow, the May 18 Advisory and Notice are themselves the latest in a string of prior pronouncements by FinCEN relating to the global pandemic. As we have blogged, FinCEN updated its March 16, 2020 COVID-19 Notice for the stated reason of assisting “financial institutions in complying with their Bank Secrecy Act (“BSA”) obligations during the COVID-19 pandemic, and announc[ing] a direct contact mechanism for urgent COVID-19-related issues.” FinCEN, of course, is not the only regulatory body addressing Anti-Money Laundering (“AML”) issues implicated by COVID-19. As we also have blogged, the Financial Action Task Force (“FATF”) recently issued a paper entitled “Covid-19-Related Money Laundering and Terrorist Financing – Risk and Policy Responses” This FATF Paper follows up on the April 1, 2020 statement issued by FATF’s President on COVID-19 and measures to combat illicit financing.

The Advisory is surprisingly specific when describing the possible scams and potential red flags that FinCEN believes that financial institutions should be monitoring for in order to detect, prevent, and report such suspicious activity. In addition to providing a list of red flags, the Advisory provides specific case studies demonstrating the real-world concerns surrounding these scams. Although this level of detail is helpful to financial institutions when integrating the Advisory into their own programs, it also seems to impose heightened due diligence requirements on financial institutions when dealing with companies engaged in providing medical services and supplies.

The Broad Scope of the Advisory: Corporate Buy-In Required

The scope of employees to which FinCEN expects that its Advisory be shared is broad:

• Chief Executive Officers
• Chief Operating Officers
• Chief Compliance Officers
• Chief Risk Officers
• AML/BSA Departments
• Legal Departments
• Cyber and Security Departments
• Customer Service Agents
• Bank Tellers

This list is significant because of both its breadth and specificity. FinCEN appears to expect front-line employees to be keyed into issues regarding potential COVID-19 scams in the same way as AML/BSA and Anti-Fraud/Risk Departments are. Moreover the inclusion of top executives makes it clear that FinCEN expects there to be full corporate “buy in” when protecting and preventing such fraud.

The Advisory names three types of fraud creating concerns: (1) fraudulent cures, tests, vaccines, and services; (2) non-delivery scams; and (3) price gouging and hoarding of medical related items, such as face masks and hand sanitizer. In the context of each of these scams, FinCEN urges financial institutions to evaluate the surrounding facts and circumstances such as the customer’s historical financial activity, whether the transactions are in line with prevailing business practices, and whether the customer exhibits multiple indicators. Where appropriate and in line with the financial institution’s risk-based approach, FinCEN urges additional inquiries and investigation.

The specificity of the Alert might be used downstream by regulators and perhaps private litigants to point to obligations that financial institutions should have been integrating into their regular AML/BSA practices during the pandemic in order to detect and prevent fraud.

The specificity of the Alert might be used downstream by regulators and perhaps private litigants to point to obligations that financial institutions should have been integrating into their regular AML/BSA practices during the pandemic in order to detect and prevent fraud.

Medical-Related Frauds, including Fraudulent Cures, Tests, Vaccines and Services

FinCEN expects to see the emergence of companies touting fraudulent cures, tests, vaccines, and services. These offerings may be made to the public (as opposed to the medical community) and may be perpetrated by actors who recently have formed unregistered or unlicensed medical supply companies. Among the red flags that FinCEN expects to see are:

• A company has been identified as selling fraudulent products – FinCEN urges financial institutions to check current lists of COVID-19 warning letters from FDA, FTC, and DOJ’s websites;
• A web-based search indicates that the customer is selling at-home COVID-19 tests, vaccines, treatments, or cures (other than those authorized by the FDA);
• Transactions for such products are occurring through customers’ personal accounts;
• Web-based searches that show a name or web address similar to well-known companies, limited intern presence, location outside the U.S. and the purported ability to purchase pharmaceuticals without a prescription when one is generally required;
• Branding images appear to be slightly different from legitimate product offerings, indicating counterfeit products;
• Advertising the sale of highly sought-after goods at a deep discount or highly inflated prices;
• The merchant requests unusual forms of payment for the type of transaction, i.e., the use of a pre-paid card, money services business, virtual currency, or electronic funds transfer to a high-risk jurisdiction; and
• Patterns of high chargebacks and return rates.

Non-Delivery of Medical-Related Goods Scams

Given the intense demand for goods and services due to COVID-19 related supply chain issues, FinCEN expects to see criminals take advantage of companies, hospitals, governments and consumers in need of medical goods. FinCEN expects to see the involvement of shell companies and unidentified third party brokers to facilitate transactions via websites, robocalls or the Darknet.

The potential red flags include:

• Merchants without corporate history, lack a physical presence, or lack an EIN;
• Corporate database searches reveal vague or inappropriate company names, unrelated names, or a suspicious number of multiple “doing business as” (DBA) names, or does not align with its business model;
• Merchant is reluctant to provide customer or financial institution processing the transaction with invoices or other documentation supporting the stated purpose of trade-related payments;
• Difficulty determining nature of company or operations or business model;
• No ability to provide shipment-tracking numbers to customers or financial institutions for the purpose of processing transactions;
• Claims of delays or receipt of goods by merchant;
• Merchant cannot explain the source of goods or how the merchant acquired bulk supplies of highly sought after goods;
• Merchant or its owners/incorporators are identified as being associated with fraud either domestically or internationally; and
• Newly opened account receives large and unexpected wire transfers that accountholder fails to mention at account opening.

Price Gouging and Hoarding of Medical-Related Items

Price gouging and hoarding of medical-related items also has emerged as a leading focus of enforcement. To combat price-gouging and hoarding and COVID-19-related market manipulation, the Department of Justice (“DOJ”) has established the Hoarding and Price Gouging Task Force. FinCEN explains that it and the DOJ already have uncovered numerous cases of individuals and companies accumulating significant quantities of medical-related items for resale above market prices, and that it expects similar schemes to continue. Medical-related items include masks, disposable gloves, isopropyl alcohol, disinfectants, hand sanitizer, toilet paper and other health and safety products. According to FinCEN, payment methods for the medical-related items “vary by scheme” and can include use of pre-paid cards, money services businesses, credit card transactions, wire transactions, or electronic fund transfers. It identifies the following financial indicators of these scams:

• Use of personal accounts for business-related transactions;
• Establishment of medical supply companies or recent engagement in the sale of sought-after COVID-19-related supplies;
• A customer’s novel use of their money services or bank account including involvement in new or different types of transactions;
• Customer’s account sends or receives electronic transfers to/from newly established companies with no known physical or internet presence;
• Use of customer’s account in transactions for COVID-19-related goods; and
• Unusually large deposits into customer accounts related to COVID-19-related goods.

Implicit in this list of red flags is the need for financial institution to follow up and request additional information when and if their suspicions are raised. For example, an institution that is servicing a medical supply company may need to assess its KYC processes, risk ratings and/or transaction monitoring in order to try to account for the potential red flags listed above.

Specific SAR Reporting Guidance and The Companion Notice

The Advisory contains specific instructions for a filing of a Suspicious Activity Report (“SAR”) when financial institutions are faced potentially with such scams, and is accompanied by a “Companion Notice,” discussed below, which contains information regarding reporting COVID-19 related crime and reminds financial institutions of certain key BSA obligations.

• SARs filed should include the key term “COVID 19 FIN-2020-A002” in SAR field 2 and in the narrative
• Financial institutions should select SAR field 34(z) (Fraud-other) when reporting such fraud and specifically denote whether the same is a “Product – non delivery scam” or a “Price-Gouging and Hoarding scam”

The Companion Notice

In addition, FinCEN released the companion Notice to provide information on BSA reporting regarding criminal schemes and suspicious activity relating to COVID-19, and to “remind” financial institutions of their BSA obligations – i.e., financial institutions still must comply with the BSA, despite the systemic stresses being imposed by the pandemic. Future advisories from FinCEN relating to COVID-19 will refer back to the Notice, which makes seven primary points:

• FinCEN has a webpage devoted to COVID-19 and related updates
• BSA reporting must soldier on, although certain delays in reporting may be tolerated, and as FinCEN previously has stated, financial institutions should adopt a “risk based” approach to their BSA duties. Specifically, the Notice states:

Compliance with the BSA remains crucial to protecting our national security by combating money laundering and related crimes, including terrorism and its financing. FinCEN expects financial institutions to continue following a risk-based approach and to diligently adhere to their BSA obligations. FinCEN also appreciates that financial institutions are taking actions to protect employees, their families, and others in response to the COVID-19 pandemic. FinCEN recognizes that current circumstances may create challenges with respect to certain BSA obligations, including the timing requirements for certain BSA report filings. FinCEN will continue outreach to regulatory partners and financial institutions to ensure risk-based compliance with the BSA, and FinCEN will issue additional information as appropriate.

Financial institutions that wish to communicate their organizational COVID-19-related concerns, such as issues with the timely filing of BSA reports, should go to www.fincen.gov, click on “Need Assistance,” and select “COVID19” in the subject drop-down list.

• Narratives in SARs should include information regarding COVID-19 only when the virus is tied to the suspicious activities being reported. FinCEN does not want institutions to describe the challenges that COVID-19 is creating for them in SAR narratives.
• As always, financial institutions should retain the documents underlying SARs and be prepared to provide them to law enforcement when requested. FinCEN specifically noted that the BSA regulations provide a “safe harbor” from civil liability for providing information relating to SARs to law enforcement – according to FinCEN, this safe harbor applies to both mandated and voluntary SAR filings.
• FinCEN encourages information sharing amongst financial institutions regarding COVID-19 related schemes under Section 314(b) of the Patriot Act.
• The Notice sets forth the contact information for numerous law enforcement agencies for reporting criminal activity relating to COVID-19
• Finally, the Notice stresses FinCEN’s Rapid Response Program for recovering funds:

To better assist the public during the COVID-19 pandemic, FinCEN has temporarily expanded its Rapid Response Program to support law enforcement and financial institutions in the recovery of funds stolen via fraud, theft, and other financial crimes related to COVID-19. FinCEN has already been involved in multiple Rapid Response matters involving allegations of COVID-19 fraud, to include assisting in the recovery of $300 million in one case. To request immediate assistance in recovering cybercrime – and COVID-19-related stolen funds, financial institutions should file a complaint with the FBI’s [Crime Complaint Center], contact their local FBI field office, or contact the nearest [U.S. Secret Service] field office. Contacting law enforcement for fund recovery assistance does not relieve a financial institution from its SAR filing obligations.