Compliance Blog

Jul 06, 2018
Categories: BSA

OCC Says Cybersecurity and BSA Compliance Risks Remain But Justice Says Sometimes The Bad Guys Get Caught

Written by Shari R. Pogach, NAFCU Regulatory Paralegal

Cyber threats and Bank Secrecy Act/anti-money laundering (BSA/AML)/Office of Foreign Assets Control (OFAC) compliance remain key issues that credit unions and the financial industry face. In fact, the Office of the Comptroller of the Currency (OCC) issued a report, Semiannual Risk Perspective for Spring 2018, indicating that operational risks remain high for the banking institutions it regulates because of cyber threats and BSA/AML/OFAC compliance risk. The report is based on institution data as of March 31, 2018. While OCC guidance doesn't apply to credit unions, I thought it might help to illustrate examination trends in the financial sector and how other financial institutions are required to manage BSA risk.

Cyber Security Threat Risk

According to the OCC, the severity of cyber threats is continually evolving and increasing, which requires steady vigilance by banks and consumers. Social engineering phishing emails carrying malware and malicious links have been the source of many cyber incidents. Criminals have used this method to gain initial access and then initiate other activity, such as loading ransomware onto computers, accessing confidential information, transacting unauthorized payments, or conducting espionage. Poor authentication controls can lead to unauthorized access to customer data and theft of funds. Another common vulnerability is the use of unpatched or unsupported software and hardware by banks and their service providers. In addition, third-party service providers are increasingly being targeted for cybercrime and espionage.

To guard against these issues, the OCC recommends:

  • Implementing strong authentication and management of privileged and high-value user access (e.g., system administrators, staff capable of moving funds, and directors and executives with access to sensitive corporate information).
  • Performing regular maintenance and system updates.
  • Understanding the connections, system interfaces, and access entitlements that exist with third parties.

It is also important to have a well-established and tested response plan for any cyber incident, with appropriate personnel clearly designated for the key response procedures.

BSA/AML/OFAC Compliance Risk

Money-laundering and terrorism-financing methods are constantly changing and becoming more complex, which makes it harder for banks to comply with BSA requirements. While new technology provides more convenience to bank customers, it also opens up potential vulnerabilities that criminals can use to launder money.

The OCC report indicates that some banks have not adapted their compliance risk management systems to keep pace with evolving risks, resource constraints, changes in business models, and regulatory changes. BSA/AML/OFAC risk assessments are not adjusted or realigned to reflect changes in risk profiles resulting from an institution's growth, new products or services, new higher-risk customers or growth among existing ones, and significant increases in transaction volume.

The report states that a sound risk assessment is the foundation of an effective BSA/AML program and can be the basis to identify coverage gaps within AML systems. And many risk assessment concerns can be traced to "weaknesses in change management processes, such as excluding the bank’s compliance function from decisions involving changes in product or service offerings."

The OCC expects banks to keep abreast of and comply with regulatory changes, including FinCEN’s Beneficial Ownership/Customer Due Diligence regulation. In addition, new U.S. economic and trade sanctions, along with additional requirements in existing sanctions programs driven by changing foreign policy and national security goals, may increase compliance and operational risk.

***

Targeting Business Email Compromise Conspiracies. The U.S. Department of Justice (Justice Department) announced the arrests of 82 persons from around the world in conjunction with two major business email compromise (BEC) schemes designed to intercept and hijack wire transfers from businesses and individuals. Operation Wire Wire, a coordinated law enforcement effort conducted over a six-month period, resulted in 42 arrests in the United States, 29 in Nigeria, and three in Canada, Mauritius, and Poland. It also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers. Operation Keyboard Warrior was a joint effort by U.S. and international law enforcement to stop online frauds originating in Africa. Eight people were arrested for their participation in a widespread, Africa-based cyber conspiracy that allegedly defrauded U.S. companies and citizens of approximately $15 million since at least 2012.

About the Author

Shari Pogach, NCCO, NCBSO, Regulatory Paralegal, NAFCU

Shari R. Pogach, NCCO, NCBSO, has served as Regulatory Paralegal for NAFCU's Regulatory Compliance and Regulatory Affairs divisions since 2007.