The Financial Crimes Enforcement Network (“FinCEN”) just issued yet another Advisory regarding fraud threats faced by financial institutions, as exacerbated by the COVID-19 pandemic. This Advisory pertains to “Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease (COVID-19) Pandemic.” We consistently have blogged on FinCEN’s pronouncements on the enhanced fraud risks created by COVID-19. And, our most recent post – a guest post by Professor Moyara Ruehsen – specifically addressed cyber-enabled financial crime. This post therefore will be high level, and we direct you to FinCEN’s recent Advisory for further details, as well as the commentary in our prior blog posts on such advisories.
FinCEN states that it issued this recent Advisory to “alert financial institutions to potential indicators of cybercrime and cyber-enabled crime observed during the COVID-19 pandemic. Many illicit actors are engaged in fraudulent schemes that exploit vulnerabilities created by the pandemic. This advisory contains descriptions of COVID-19-related malicious cyber activity and scams, associated financial red flag indicators, and information on reporting suspicious activity.” Further, “[t]his advisory is intended to aid financial institutions in detecting, preventing, and reporting potential COVID-19-related criminal activity. This advisory is based on FinCEN’s analysis of COVID-19-related information obtained from Bank Secrecy Act (BSA) data, open source reporting, and law enforcement partners.”
The Advisory focuses on two main areas, and sets forth a list of related red flags:
- Phishing, malware and extortion; and
- Business email compromise schemes.
The Advisory further states that, “[a]s no single financial red flag indicator is necessarily indicative of illicit or suspicious activity, financial institutions should consider additional contextual information and the surrounding facts and circumstances, such as a customer’s historical financial activity, whether the transactions are in line with prevailing business practices, and whether the customer exhibits multiple indicators, before determining if a transaction is suspicious or otherwise indicative of potential fraudulent COVID-19-related activities. In line with their risk-based approach to compliance with the BSA, financial institutions are also encouraged to perform additional inquiries and investigations where appropriate.” All of this is perfectly logical, but it is also perhaps easier said than done, particularly in the chaotic compliance environment created by COVID-19. The Advisory also concedes that most scammers are directly targeting the customers of financial institutions (vs. the institutions themselves), which complicates the task of financial institutions pursuing their BSA/AML obligations.
It is now trite to observe that COVID-19 has created a fertile breeding ground for rampant fraud. The real question facing financial institutions is how regulators in practice will regard potential BSA/AML compliance failures relating to COVID-19 in future examinations. Will regulators remember and acknowledge the pressures and confusion endemic to 2020, or will they regard today’s BSA/AML violations with skewed 20/20 hindsight and an unsympathetic eye, once the pandemic (hopefully) has faded? If the latter, these advisories will serve primarily as warnings, not helpful guides.