October is cyber-security awareness month, so it’s only appropriate that FINRA started it with another Regulatory Notice warning member firms to beware of a false-survey phishing scheme. The Notice warns of “a widespread, ongoing phishing campaign” soliciting survey responses in an email using the fake domain “@regulation-finra.org.” See Reg. Notice 20-35 (Oct. 6, 2020), here.
That’s more of the same for FINRA. It warned in August that fraudsters were using a fake FINRA domain (www.finnra.org – with an extra “n”) in Regulatory Notice 20-27, here. Later that month, FINRA warned that fraudsters were ginning up a fake registered representative website. See Regulatory Notice 20-30, here.
It shouldn’t be any surprise that fraudsters are targeting FINRA: it’s a potentially rich source to mine, given the combination of “other people’s money” and a regulator that can summarily suspend a license for failure to respond to its inquiries. See FINRA Rules 8210, 9552.
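As an added illustration for the defender side of the notices above (this is not code from the post or from FINRA), a small Python check that flags sender domains imitating finra.org. It catches both patterns the notices describe: a brand embedded in an unrelated registrable domain (regulation-finra.org) and a one-character typo of the real domain (finnra.org). The sample addresses are constructed, and the code assumes a two-label public suffix such as .org.

```python
# Added example, not part of the original post. Flags sender domains that
# imitate finra.org, the pattern described in Reg. Notices 20-27 and 20-35.
# Sample addresses below are constructed for the demo.

LEGIT_DOMAIN = "finra.org"
BRAND = "finra"


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance with adjacent transpositions (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender(address: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for an address or host."""
    full = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    # Assumption: two-label public suffix (.org); .co.uk-style suffixes would
    # need a public-suffix list. mail.finra.org -> finra.org.
    registrable = ".".join(full.split(".")[-2:])
    if registrable == LEGIT_DOMAIN:
        return "legitimate"
    if BRAND in full:                       # e.g. regulation-finra.org
        return "lookalike"
    if damerau_levenshtein(registrable, LEGIT_DOMAIN) <= 1:  # e.g. finnra.org
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for addr in ["surveys@regulation-finra.org", "www.finnra.org",
                 "alerts@mail.finra.org", "news@example.org"]:
        print(f"{addr:32} -> {classify_sender(addr)}")
```

Any “lookalike” hit is a cue to route the message to the security team rather than act on it; the check is a filter, not a verdict.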
FinCEN & OFAC Ransomware Warnings
FinCEN and OFAC opened cyber-security awareness month with Advisories on financial-institution involvement in the processing of ransomware payments.
Ransomware payments typically involve multiple financial institutions. For example, a depository institution wires funds to a convertible-virtual-currency (“CVC”) exchange, which is a money-service business (“MSB”), and the exchange then sends the funds on to the perpetrator’s wallet, where the laundering process begins.
FinCEN’s Advisory lists 10 ransomware red-flags to watch for and reminds covered institutions of their SAR-reporting obligations:
Financial institutions should determine if filing a SAR is required or appropriate when dealing with an incident of ransomware conducted by, at, or through the financial institution, including ransom payments made by financial institutions that are victims of ransomware. As a reminder, a financial institution is required to file a SAR if it knows, suspects, or has reason to suspect a transaction conducted or attempted by, at, or through the financial institution involves or aggregates to $5,000 (or, with one exception, $2,000 for MSBs)[16] or more in funds or other assets and involves funds derived from illegal activity, or attempts to disguise funds derived from illegal activity; is designed to evade regulations promulgated under the BSA; lacks a business or apparent lawful purpose; or involves the use of the financial institution to facilitate criminal activity. Reportable activity can involve transactions, including payments made by financial institutions, related to criminal activity like extortion and unauthorized electronic intrusions that damage, disable, or otherwise affect critical systems. SAR obligations apply to both attempted and successful transactions, including both attempted and successful initiated extortion transactions.
[16] See 31 C.F.R. §§ 1020.320, 1021.320, 1022.320, 1023.320, 1024.320, 1025.320, 1026.320, 1029.320, and 1030.20. The monetary threshold for filing money services businesses SARs is, with one exception, set at or above $2,000. See also 31 C.F.R. § 1022.320(a)(2).
The Advisory requires that ransomware SARs use the reference “CYBER-FIN-2020-A006” in Field 2.
At the same time, OFAC warned that facilitating ransomware payments on behalf of a victim may subject the facilitating financial institution to sanctions under OFAC regulations.
The FinCEN Advisory is here.
The OFAC Advisory is here.