Remarks Focus on Account Takeovers, BEC Schemes, Beneficial Ownership, Technological Innovation and SARs
FinCEN Director Kenneth A. Blanco delivered prepared remarks on September 24 at the 2019 Federal Identity (FedID) Forum and Exposition in Tampa, Florida.
Director Blanco summarized the topics of his remarks by stating the following:
First, I would like to tell you a little about FinCEN. Who we are, what we do, and why I am here to speak with you today.
Second, I will speak to how illicit actors are leveraging identity. Specifically, I will highlight some of the trends FinCEN is seeing in how criminals exploit and compromise identities.
Third, I will discuss how we use identity to protect our national security and keep our communities and families safe from harm.
As to the “who” and “what” of FinCEN, Director Blanco emphasized the agency’s role as “Administrator of the Bank Secrecy Act” and “THE Financial Intelligence Unit” of the U.S. Director Blanco went on to describe current developments in how “identity” – described by Director Blanco as “who we are legally” – is employed in the financial sector and government. Such developments are “critically important,” in part because “the features that make identity information valuable to companies also make these data stores high value targets for criminals and other bad actors, including terrorists and rogue states.”
Director Blanco next addressed the abuse of personally identifiable information by means of “account takeover,” which involves the targeting of customer accounts to gain unauthorized access to funds. He noted that FinCEN receives approximately 5,000 account takeover reports each month (totaling about $350 million), but that this figure amount merely reflects “attempts” and not actual losses. Director Blanco further noted that, “Criminals often acquire these leaked credentials through hacks, social engineering, or by purchasing them on darknet fora to facilitate the account takeover. Depository institutions, such as banks, are the most common targets given their high numbers of customer accounts, but institutions like insurance companies, money services businesses, and casinos, and of course their customers, are also affected.” Director Blanco then called for improving “cyber hygiene” by, among other things, implementing strong authentication solutions (such as multi-factor authorization and authentication procedures for processing payments or allowing access to sensitive information). He reminded the audience that FinCEN held in July 2019 a FinCEN Exchange on business email compromise (BEC) fraud schemes targeting U.S. financial institutions and their customers, and that FinCEN had issued a July 16, 2019 Advisory on BEC fraud.
Separately, Director Blanco warned of bad actors who exploit weaknesses posed by the ubiquity of Social Security numbers (“SSN”). A FinCEN analysis of Suspicious Activity Reports (“SARs”) filed since January 2003 found more than 600,000 SSNs affiliated with identity theft reported from financial institutions, many of which were associated with more than one name. “That is mind-boggling, and it points to something wrong with how identity is being verified and authenticated across much of the financial system.”
Director Blanco then discussed the use of identity as a means to counter illicit activity. In doing so, he emphasized that beneficial ownership information is a critical issue whose “importance to our national security cannot be understated.” Notably, Director Blanco criticized the lack of an ability to collect identity information as a “dangerous and widening gap in our national security apparatus.” Although he praised the agency’s promulgation of the customer due diligence rule (a topic on which we have written extensively, see, e.g., here, here and here), he called for a separate rule to collect beneficial ownership information at the corporate formation stage. “To be sure, it is not that shell companies should not exist—it is just that the authorities should be able to know who owns and controls them when there is a legitimate law enforcement need, subject to appropriate information access safeguards. But currently, there is no federal standard requiring those who establish shell companies in the [U.S.] to provide basic, but critical information at company formation.”
Finally, Direct Blanco stated that FinCEN has strongly supported “responsible innovation” in the financial sector in regards to using technological advances to comply with BSA regulations. “Innovative indicators that reveal customers’ digital footprints and activities are extremely helpful to financial institutions in the conduct of their day-to-day business, including helping them understand customer activity and monitoring for suspicious activity.” He observed that FinCEN changed the SAR form in 2018 in order to allow for the reporting of up to 99 technical indicators, such as IP addresses, MD5 hashes, PGP keys, and device identifiers.