On July 30, 2020, the Financial Crimes Enforcement Network (FinCEN) released an advisory that signals its focus on cybercrime arising from vulnerabilities potentially created by the COVID-19 pandemic. The “Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic” (the Advisory) explains how cybercriminals are using the COVID-19 pandemic to their advantage, capitalizing on remote access and exploiting financial institutions, businesses, and their customers to commit fraud and identity theft and to generally disrupt business. [1]
The Advisory, which is geared to CEOs, risk and compliance officers, legal departments, anti-money laundering/Bank Secrecy Act (AML/BSA) departments, and cyber security departments, alerts financial institutions that FinCEN has observed an increase in cybercriminals (i) targeting and exploiting the use of remote platforms and processes, (ii) engaging in phishing, malware, and extortion, and (iii) using business email compromise (BEC) schemes to commit fraud and interrupt business and supply chains. The Advisory describes “red flags” under each category—twenty potential indicators of cybercrime—used most often by criminals to exploit vulnerabilities created or exacerbated by the COVID-19 pandemic. These red flags include indicators related to proof of identity (e.g., alteration of government-issued identifications), email and text scams to carry out business extortion (e.g., unsolicited emails regarding COVID-19 from untrusted sources), and fraudulent transaction instructions (e.g., transaction instructions originating from a similar, but not identical, customer email address).
The Advisory is likely a preview of future enforcement trends and is in line with recent advisories published by other government agencies (e.g., the Department of Justice and the New York State Department of Financial Services). Indeed, the Advisory indicates FinCEN’s focus on combating cybercrimes related to COVID-19 by instructing financial institutions to flag cybercrime and COVID-19-related activity and provide information in the narrative of Suspicious Activity Reports (SARs) that identifies “a connection between the suspicious activity being reported and the activities highlighted in this advisory.” In light of this guidance, financial institutions and their compliance, legal, cybersecurity, and AML/BSA departments should assess their systems and affirmatively determine if their current framework adequately addresses cybercrime risks that put them and their customers in harm’s way.
Specifically, financial institutions can protect themselves by:
(i) documenting acknowledgement of the Advisory;
(ii) conducting an assessment vis-à-vis the issues raised in the Advisory to identify possible gaps in their systems; and
(iii) taking action to mitigate the risks and documenting that remediation, or, if no remediation is necessary, detailing in writing why the existing systems are adequate.
It is clear that FinCEN is focused on whether financial institutions have systems in place to effectively mitigate the risks that cybercriminals pose to financial institutions and their customers. Financial institutions should carefully review the Advisory and determine what action, if any, is necessary to mitigate cybercrime risk now to ultimately avoid a future enforcement action, or at least to serve as evidence that the financial institution made good faith attempts to protect itself and its customers from cybercriminals.
[1] FinCEN Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic, Financial Crimes Enforcement Network (July 30, 2020), https://www.fincen.gov/sites/default/files/advisory/2020-07-30/FinCEN%20Advisory%20Covid%20Cybercrime%20508%20FINAL.pdf.