Financial services companies are not the only ones who need to pay attention to the intersection of cyber and fraud.
In 2016, Financial Crimes Enforcement Network (FinCEN) issued an advisory on cyber-events and cyber-enabled crime that shared guidance for financial institutions on what events should be reported through Suspicious Activity Reports (SARs).
The implications of the advisory have been two-fold. Financial institutions further understand the importance of having the cyber and fraud departments work together and share information with each other, and FinCEN now has access to additional data, which enables it to connect the dots and identify specific patterns it may not have been able to see before.
FEI Daily spoke with Nick Nichols, vice president of risk and compliance at DST, a leading provider of strategic advisory, transformative technologies, and operations outsourcing to the financial and healthcare industries, about the importance of collaboration between cyber and fraud departments and what organizations can learn from financial institutions about protecting themselves against cybercrimes.
FEI Daily: In 2016 FinCEN issued an advisory on cyber-events and cyber-enabled crime. Can you tell us more about that advisory?
Nick Nichols: When we talk about cyber-enabled crime, it’s not really about “hacktivism” where the hacker is trying to get in to put up pictures or to stop you from doing business; it’s about the cyber criminal conducting an attack to get confidential information on customers. Social security numbers, account information, date of birth, etc. That information can be used to conduct financial crime.
The Bank Secrecy Act says if you have a crime where that you believe the purpose was to get confidential information on customers, you must file Suspicious Activity Reports back with FinCEN. They then use that information to help and try to identify illegal activities.
If FinCEN is able to see information coming from institutions related to cyber-enabled crimes, it helps them with investigations that might point them back to a suspicious company or entity of some sort that might be transacting or transmitting money. Or to, hopefully, see a pattern related to some of those accounts before that problem becomes huge from the perspective of impact to both individuals and companies.
FEI Daily: How are the cyber and fraud departments of financial institutions working together today?
Nichols: What we’re seeing more of, which is great, is cyber and enterprise security groups being part of the anti-money laundering, or AML, and fraud programs. Training is done to recognize cyber crime so that you can ideally get ahead of it. I like to show two circles: your cyber unit and your AML and fraud team. And now there is overlap where those two teams are corresponding and part of centralized workgroups to ensure data is shared amongst them.
FEI Daily: What can non-financial organizations learn from how financial institutions are protecting themselves against cyber crimes?
Nichols: A recent report from the Identity Theft Resource Center said that, as of July 18, there have been 791 data breaches in the U.S. which represents a 29 percent increase from the same time period last year. The financial services industry represents 5.6 percent of the total breaches. So, it’s not just financial services companies but anyone with confidential data that needs to look at ensuring cyber groups are involved with fraud areas.
I think about other companies in, for instance, the gaming industry, they have AML requirements because people have lines of credit at those institutions. And so their confidential information is there.
I think about retailers. If you return something, some take your driver’s license number. Now they have my driver’s license number, my date of birth, my address. How much more does a criminal need to go approach a bank or a mutual fund?
Whether it’s a company like a casino that’s going to have my social security number and my bank information because of bank transfers, or a retailer that has my date of birth and address and credit card info, even though they’re not a financial institution, the potential impact is similar. My hope is that they are looking and understanding how their cyber areas need to interact with their fraud department.
FEI Daily: How can companies educate themselves better on the various reasons for attacks?
Nichols: It takes training to recognize cybercrimes, fraud and the relationship between the two. The early identification of crimes that might be happening is critical to reducing the impact. The more training that’s there to look for the signs, the better you can ensure that you can shut down the leak breach or fraudulent activity before the magnitude of it grows.
You may not be subject to AML regulations, based on your type of company, but everybody has a fraud risk. It’s very important to ensure that IT is having conversations with and involved with your fraud unit so that information is shared, regardless of the line of business you’re in.•