According to the latest semi-annual risk report issued by the U.S. Office of the Comptroller of the Currency (OCC), new methods of money laundering and growth in both the volume and sophistication of electronic banking fraud have significantly increased the Bank Secrecy Act (BSA) and anti–money laundering (AML) risks faced by U.S. banks. Of particular concern is the potential for cybercriminals to shift from current disruptive attacks to those intended to cause destruction and corruption.
The report finds that rapidly evolving technology and business processes, together with a limited ability to increase revenue and operating profit, are making it difficult for banks to keep up with threats. Sluggish economic growth has led many banks to diversify their business models, often accepting additional risks by venturing into new, unfamiliar or high-risk products and services. Banks that fail to evolve or incorporate appropriate controls into these new endeavors further compound risks. Others have lowered their overhead expenses, resulting in inadequate resources and expertise devoted to BSA/AML risk management. Furthermore, an expansion in the amount, nature and complexity of third-party relationships has resulted in increased interconnectedness, further heightening vulnerabilities to cyberattacks, especially where banks fail to carry out appropriate due diligence measures.
Noting that banks remain attractive targets for cyberattacks, the OCC advises banks to increase awareness of these risks and deploy the appropriate resources to properly identify and mitigate the associated risks. In the current environment, such proactive measures are crucial for avoiding the financial and reputational losses and/or liability that can result from data breaches, money laundering and other financial fraud.
Banks can protect themselves and their customers by carrying out thorough risk assessments, implementing effective internal controls, due diligence and data security measures, and retaining staff qualified to carry out these functions. Employee training is also crucial for effective compliance programs and data security frameworks.