Bates Research | 07-16-20
New OCIE, FinCEN Alerts Emphasize Vigilance Against Ransomware, Imposter Scams, Money Mule Schemes
In the past week, the SEC Office of Compliance Inspections and Examinations (OCIE) and the Financial Crimes Enforcement Network (FinCEN) warned financial institutions to guard against specific and increasingly prevalent types of fraud against consumers. These activities have been uncovered through examinations, suspicious activity reports (SARs), law enforcement information and public reporting. OCIE and FinCEN’s alerts follow other federal and state reports (see Bates coverage here and here) urging firms to increase vigilance against similar crisis-related misconduct.
Specifically, OCIE staff cautioned SEC registrants, including broker-dealers, investment advisers and investment companies, as well as registrant service providers, about an increase in the number and nature of ransomware attacks. FinCEN cautioned institutions about a rise in money mule schemes and imposter frauds that attempt to con investors and other consumers into deceptive transactions. Here are the highlights:
OCIE Warns Firms to Monitor for Ransomware
OCIE staff describes “ransomware” as “a type of malware designed to provide an unauthorized actor access to institutions’ systems and to deny the institutions use of those systems until a ransom is paid.” The systems in question usually affect the “integrity and/or the confidentiality” of customer data.
OCIE is concerned about recent reports that the latest attacks directed at both SEC-registered institutions and their service providers are becoming increasingly sophisticated. The purpose of the alert was not to offer a one-size-fits-all approach to protect against ransomware (such a solution does not exist), but rather to highlight recent observations on the subject so that firms can strengthen their “cybersecurity preparedness and operational resiliency.”
OCIE staff recommends that firms review and update incident response and resiliency policies, procedures and plans. Such a review should include (i) contingency and recovery plans for various denial of service scenarios; (ii) procedures for notification of an event, incident escalation, and stakeholder communications; (iii) processes for material event and suspicious activity reports (SARs); (iv) notification procedures for law enforcement and customers; (v) restoration of service processes; and (vi) backup applications to ensure the operation of critical services.
OCIE also wants firms to heighten their awareness of cyber-risk and boost their cybersecurity training and test responses through, for example, phishing email exercises. Further, OCIE wants firms to review and tighten their access management systems with the “least privileged access” in mind. This requires firms to configure controls “so users operate with only those privileges necessary to accomplish their tasks.” Finally, the staff recommends that firms review and strengthen their “perimeter security capabilities” including firewalls, detection systems, email security and web proxy systems in order to manage their network and “prevent unauthorized harmful traffic.”
The OCIE staff referenced other SEC cybersecurity guidance and offered additional links from the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (see here for an alert describing a particular ransomware threat) and the FBI (see here for a 2019 ransomware alert). Staff reminded firms that cybersecurity compliance was an examination priority.
FinCEN Warns Firms to Look for Imposter Fraud and Money Mule Schemes
FinCEN’s advisory focusing on money mule schemes and imposter scams is a kind of primer on reporting suspicious consumer fraud activity. In the advisory, FinCEN discussed the nature of these particular frauds, relevant indicators that should raise institutional red flags and additional information to be included in SARs.
FinCEN defines imposter scams as involving an actor “contacting a target under the false pretense of representing an official organization, and coercing or convincing the target to provide funds or valuable information, engage in behavior that causes the target’s computer to be infected with malware, or spread disinformation.”
COVID-19-related imposter scams include bad actors posing as IRS officials, the CDC, the World Health Organization, and non-profit health and academic institutions. FinCEN noted the many tools used by these actors to defraud the vulnerable, the elderly and the unemployed including the use of social media, telephone and robocalls, text messages, websites, and emails, as well as off-line activities such as “door-to-door collections” and flyers.
FinCEN emphasized that the objective of these scammers is primarily to target customers directly. As a result, FinCEN wants financial institutions to be aware of indicators on customer accounts that should trigger firms to be alert. COVID-19 red flags include bad actors offering to “verify, process or expedite” stimulus payments or other benefits under the Economic Impact Payments program, or prepaid debit cards under the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Other attacks seek to obtain confidential financial information for some health-related purpose like contact tracing. FinCEN warns that institutions should be on guard against phishing emails ostensibly coming from government or non-profits, but that use commercial domains (e.g., “dot-com”). Other red flags include solicitations which are publicly unverifiable and often contain errors like misspellings. FinCEN said that these indicators, in context, may be considered suspicious for reporting purposes.
Money Mule Schemes
FinCEN defines a “money mule” as any “person who transfers illegally acquired money on behalf of or at the direction of another.” FinCEN highlighted COVID-19 money mule schemes in three categories: good-Samaritan, romance, and work-from-home. The last of these presents as an offer of a work-from-home job in which the target agrees to “move funds through accounts or to set up a new account” on behalf of the “business.”
The agency describes distinctions among an “unwitting or unknowing money mule,” a “witting money mule” and a “complicit money mule,” all defined by the person’s awareness, motivation and level of participation in the larger scheme. FinCEN says that all three types of money mules are deployed in COVID-19 schemes.
Red flags pertaining to COVID-19 that should trigger firms to be alert for money mule schemes include, among others: (i) receipt of transactions that do not fit a customer’s profile (e.g., overseas transactions, purchase of convertible virtual currency); (ii) unsatisfactory answers to “know your customer” inquiries; (iii) the opening of new bank accounts in the name of a business (possibly at multiple banks) and someone other than the customer transferring funds out of the accounts; (iv) receipt of multiple unemployment insurance payments within the same time period or from numerous employees (with ACH payment names that don’t match the account holder); (v) deposits that get diverted quickly “via wire transfer to foreign accounts;” (vi) documents related to the “employer” showing the use of a free email server rather than a company-specific email; and (vii) out-of-the-ordinary requests from the customer’s new employer to send and receive funds through the customer’s personal account (especially for individuals claiming to be U.S. citizens or servicemen currently abroad).
FinCEN also provided very specific instructions for filling out SARs on COVID-19-related scams. FinCEN advised financial institutions to use specific language and to reference (in specific fields) this imposter scam/money mule scheme advisory on SARs where the circumstances or subject matter matches. Proper reporting on this activity, FinCEN states, will improve “law enforcement’s abilities to identify actionable SARs…and pull information to support COVID-19-related investigations.”
These issues are not new, but they have been taking on additional urgency since the advent of the pandemic. “The two alerts reinforce the risk-based approach to firm compliance obligations and highlight the necessity to consider context and a customer’s historical financial activity, among other facts and circumstances, when making determinations on reporting potential suspicious activity,” said Edward Longridge, Managing Director and Head of Practice, Bates AML & Financial Crimes.