Bates Research | 08-20-20
New FinCen Guidance on the CDD Rule, Cyber Fraud and Virtual Currency Scams Exploiting Twitter
Over the past several weeks, the Financial Crimes Enforcement Network (FinCEN) has issued new guidance on customer due diligence requirements, an advisory on cyber-enabled financial crime and an alert concerning scams involving fraudulent payments denominated in convertible virtual currency. These are significant compliance communications for financial institutions and come on the heels of FinCEN’s recent alerts on imposter fraud and money mule schemes (see previous Bates coverage). Here’s what you need to know.
New FAQs on Customer Due Diligence
The CDD Rule, which went into effect in 2018, requires covered financial institutions to develop procedures to identify and verify a customer’s beneficial owners when an account is opened, and to establish risk-based procedures for conducting ongoing due diligence. (FinCEN provides an active topic page on the subject which includes links to exemptive relief rulings and the latest regulatory FAQs.) On August 3, 2020, FinCEN issued new responses to FAQs concerning obligations “related to obtaining customer information, establishing a customer risk profile, and performing ongoing monitoring of the customer relationship.” The core message in this guidance is a reaffirmation that financial institutions must tailor their CDD program around customer risk.
On questions about the collection of customer information, FinCEN responded that the CDD Rule “does not categorically require” the collection of any particular information other than developing a customer risk profile, monitoring, and collecting beneficial ownership information. FinCEN emphasized that the collection of information is directly related to the level of risk, (i.e., where the customer’s risk profile is low, the collection of any specific information may not be necessary in order to understand the customer relationship.)
FinCEN reiterated that the CDD rule requires covered financial institutions to “establish policies, procedures, and processes for determining whether and when, on the basis of risk, to update customer information to ensure that customer information is current and accurate.” Consequently, while the rule does not require specific due diligence, media searches, or the collection of information concerning certain underlying transactions (e.g., identifying information on a “customer’s customer”), the level of risk determines the appropriate level of information that needs to be collected, which, ultimately, would help to alert a financial institution as to suspicious transactions.
Similarly, FinCEN noted that the CDD rule “does not prescribe risk profile categories, and [that] the number and detail of these categories can vary.” FinCEN’s broader guidance is that financial institutions should understand the types of financial crime risks that are consistent with the customer risk profile and that “any program for determining customer risk profiles should be sufficiently detailed to distinguish between significant variations in the risks of its customers.”
Concerning specific schedules for ongoing customer relationship monitoring, FinCEN relayed that there is “no categorical requirement that financial institutions update customer information on a continuous or periodic schedule.” While the specifics of a monitoring program are also based on risk, FinCEN said that a covered financial institution must update customer information as is relevant to assessing that risk and in order to “reassess the customer risk profile/rating.”
New Advisory on Cyber-Enabled Crime
Only a few weeks after FinCEN cautioned institutions about a rise in money mule schemes and imposter frauds that attempt to con investors and other consumers into deceptive transactions, FinCEN issued a new warning alerting financial institutions to indicators of COVID-19-related cyber scams. The advisory reviews “the means by which cybercriminals and malicious state actors” exploit the pandemic through malware, phishing schemes, extortion, business email compromise fraud, and exploitation of remote applications, especially against financial and healthcare systems. The advisory is based on data analysis of suspicious activity reports and law enforcement and other public reports. It describes risks and red flags for financial institutions to protect customers and legitimate COVID-19 relief efforts.
In the advisory, FinCEN identifies numerous red flag indicators and warns financial institutions to guard against:
- potential vulnerabilities of remote applications and in virtual environments (including potential manipulation of online verification processes and compromised login credentials across customer accounts) that can jeopardize private information, compromise financial activity and disrupt business operations;
- schemes targeting health care and pharmaceutical providers that seek the collection of personal and financial data (through malware, ransomware, phishing schemes and extortion);
- schemes targeting municipalities and the health care industry supply chain that attempt to modify or redirect payments to new accounts (“business email compromise” (BEC) fraud schemes).
FinCEN relayed that financial institutions should consider these indicators in context given “the surrounding facts and circumstances, such as a customer’s historical financial activity, whether the transactions are in line with prevailing business practices, and whether the customer exhibits multiple indicators, before determining if a transaction is suspicious or otherwise indicative of potential fraudulent COVID-19-related activities.”
FinCEN advised financial institutions to use specific language on SARs reports and to reference (in specific fields) these COVID-19 related schemes where the circumstances or subject matter matches.
New Alert on Convertible Virtual Currency Scams
In an alert issued in late July, FinCEN addressed concerns raised by a highly public incident exploiting Twitter accounts. The scheme involved the compromise of the Twitter accounts of public figures and organizations in order to solicit fraudulent payments denominated in convertible virtual currency (CVC). The fraudsters claimed that any CVC “sent to a wallet address would be doubled and returned to the sender.”
The Twitter advisory references a prior FinCEN alert on illicit activity involving CVCs and adds to the broader concern about identifying bad actors seeking to exploit CVCs “for money laundering, sanctions evasion, and other illicit financing purposes” (e.g., those involving darknet marketplaces, peer-to peer exchangers, foreign-located Money Service Businesses, and CVC kiosks.) Together, these warnings paint a daunting picture of the finance vulnerabilities posed by virtual currencies.
In the Twitter alert, FinCEN identifies several indicators to help detect, prevent, and report potential suspicious activity related to social media posts. Among others, these include solicitations from individuals or organizations where there is no prior existing business relationship (like from celebrities or public figures) and solicitations requesting donations where the solicitor is not affiliated with a reputable organization.
FinCEN has had a busy summer. The agency has now warned financial institutions to be on alert for a host of threats, from simple to highly sophisticated fraud and malicious activity. The advisory on increased vulnerabilities resulting from operating during the pandemic reminds us how quickly circumstances can turn into opportunities for bad actors and how alert compliance teams must be to keep up. The advisory on virtual currency risk is an indication that there is much more work needed to protect clients in the virtual markets. Finally, FinCEN’s additional CDD Rule guidance highlights how risk-based frameworks require constant tuning in order for compliance professionals to be able to execute the practical details of their programs.
In the meantime, expect FinCEN to keep issuing these advisories. Bates Group will keep you apprised.
To discuss this article and/or learn more how Bates can help you navigate AML, please contact:
Edward Longridge, Managing Director and Pratice Leader, Bates AML and Financial Crimes at email@example.com.
Dennis Greenberg, Managing Director, Bates AML and Financial Crimes at firstname.lastname@example.org
For additional information, please follow the links below to Bates Group’s Practice Area pages:
Bates AML and Financial Crimes
Regulatory and Internal Investigations
Retail Litigation and Consulting
Institutional and Complex Litigation
Consulting and Expert Testimony