Jim Vilker, NCCO, CAMS - PowerPoint PPT Presentation

1
Cybersecurity, AML, and Identity Theft (Tying it
all together... finally)
  • Jim Vilker, NCCO, CAMS
  • VP of Professional Services
  • CUAnswers

2
Scenario One
  • Bill Big Business's account is compromised and
    money derived from criminal activities is moved
    through it
  • Who is to blame?
  • Who caught it?
  • Who loses?
  • What risks need to be managed?
  • How many departments were involved?

3
Scenario two
  • Joe Member believes he now owns a castle in
    England and gives the credentials to his home
    banking account to a criminal in order to pay the
    taxes. Money derived from illegal activity is
    layered through his account
  • Who is to blame?
  • Who caught it?
  • Who loses?
  • What risks need to be managed?
  • How many departments were involved?

4
Scenario Three
  • Mary Member opens an e-mail infected with
    malware. Mary's credentials are captured through
    a key logger. Mary's account begins to receive
    numerous ACH deposits from Western Union, the
    proceeds of which were derived from ransomware
    schemes. The money is subsequently removed via
    bill pay.
  • Who is to blame?
  • Who caught it?
  • Who loses?
  • What risks need to be managed?
  • How many departments were involved?

5
Agenda
  • Introduction and background
  • Classical Definitions
  • The Nexus Resolved
  • Dilemma on Guidance
  • FFIEC - Cybersecurity and Cybersecurity on Vendor
    Management
  • FinCEN
  • Supervisory Priorities for 2016
  • Antiquated Business Structure
  • Solving the Problem

6
Background
  • A bit about CUAnswers and Cybersecurity
  • Why NASCUS chose me to present the topic
  • Little if any research could be found linking
    these three topics together
  • Surprised by the lack of regulatory guidance, as
    these areas are interrelated (the nexus is shown
    in later slides)
  • Reality is it is happening every day

7
Cybersecurity: designed to interconnect, BUT
AML/BSA
Identity Theft
Cybersecurity Fundamentals
8
Cybersecurity loosely Defined
  • Cybersecurity revolves around developing systems
    to protect and monitor vital information such as:
    • PII
    • Privileged Information
    • Trade Secrets

9
AML Classically Defined (ACAMS)
  • Taking criminal proceeds (defined by predicate
    offenses) and disguising their illegal source in
    anticipation of using them to perform legal and
    illegal activities. Remember the stages in which
    money laundering occurs (important for the later
    discussion):
    • Placement
    • Layering
    • Integration

10
Identity theft or Account Take-Over defined by
FinCEN
11
Account Takeover: What it is and what it is not
  • Account takeover activity differs from other
    forms of computer intrusion, as the customer,
    rather than the financial institution maintaining
    the account, is the primary target. Computer
    intrusion may be defined as gaining access to a
    computer system of a financial institution to a)
    remove, steal, procure or otherwise affect funds
    of the financial institution or the institution's
    customers b) remove, steal, procure or otherwise
    affect critical information of the financial
    institution including customer account
    information or c) damage, disable, disrupt,
    impair or otherwise affect critical systems of
    the financial institution. In an account
    takeover, at least one of the targets is a
    customer holding an account at the financial
    institution and the ultimate goal is to remove,
    steal, procure or otherwise affect funds of the
    targeted customer.

https://www.fincen.gov/statutes_regs/guidance/html/FIN-2011-A016.html
12
Account Takeover: At Odds and The Nexus
  • At Odds: An account takeover is a predicate
    offense in the eyes of cybersecurity doctrine
  • An account takeover is not a predicate offense in
    the eyes of FinCEN until an illegal transaction
    occurs
  • The Nexus: Once an illegal transaction occurs
    after an account takeover, cybersecurity and AML
    become interrelated and must be orchestrated with
    a coordinated and well-understood process

13
Theory on why the nexus has not come into play
  • Lack of Guidance
  • Lack of Regulation
  • Siloed Areas of Operation

14
Interesting Facts about the cybersecurity
Guidance
  • November 3, 2015 - Press Release: The Federal
    Financial Institutions Examination Council
    (FFIEC) today issued a statement alerting
    financial institutions to the increasing
    frequency and severity of cyber attacks involving
    extortion.
  • June 30, 2015 - Press Release: The FFIEC today
    released a Cybersecurity Assessment Tool to help
    institutions identify their risks and assess
    their cybersecurity preparedness.
  • March 30, 2015 - Press Release: The FFIEC
    released information regarding the release of two
    statements about ways that financial institutions
    can identify and mitigate cyber attacks that
    compromise user credentials or use destructive
    software, known as malware.
  • March 17, 2015 - Press Release: The Federal
    Financial Institutions Examination Council
    (FFIEC) today provided an overview of its
    cybersecurity priorities for the remainder of
    2015.
  • November 3, 2014 - Press Release: FFIEC Releases
    Cybersecurity Assessment Observations, Recommends
    Participation in Financial Services Information
    Sharing and Analysis Center
  • September 26, 2014 - Press Release: State and
    Federal Regulators: Financial Institutions Should
    Move Quickly to Address Shellshock Vulnerability
  • June 24, 2014 - Press Release: FFIEC Launches
    Cybersecurity Web Page and Commences
    Cybersecurity Assessment
  • May 7, 2014 - Press Release: FFIEC Promotes
    Cybersecurity Preparedness for Community
    Financial Institutions

15
Even the latest and greatest
16
The only mention of AML
17
From a Regulatory Perspective: NCUA Focus for 2016
18
Supervisory Priorities CyberSecurity
  • Encourages credit unions to become familiar with
    and use the cyber assessment tool
  • https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf
  • Examiners will be incorporating it into the exam
    process
  • NCUA now has an entire site on cybersecurity
  • But... the entire financial institution
    industry is pushing back hard because the tool is
    seriously flawed
  • http://www.bankinfosecurity.com/banks-demand-ffiec-overhaul-cyber-assessment-tool-a-8823/op-1
  • More in just a bit

19
Supervisory Priorities Response programs
  • Time to dust off your Information Security
    Program
  • Appendix B to Part 748 Guidance:
    http://www.ecfr.gov/cgi-bin/text-idx?SID=69705844f47aa687e3dcfb1a4e457585&mc=true&node=pt12.7.748&rgn=div5#ap12.7.748_12.
  • NCUA guidance lists are just the minimum
  • Many states have laws that are much more
    stringent
  • Examiners will be reviewing your response program
    related to unauthorized access to, or use of,
    member information
  • Document your response programs and report to the
    Board of Directors

20
Supervisory Priorities Bank Secrecy Act
Compliance
  • Primarily related to MSBs
  • Increase in MSBs in our own network
  • Usually not detected at the time of account
    opening
  • Have we all heard of MSB.Gov?
  • NCUA does have a resource page including the
    examiner's guide and the AIRES checklist

https://www.ncua.gov/regulation-supervision/Pages/bank-secrecy-act.aspx
21
FACT Act Regulation V
22
Siloed Areas of Operation: Classical Departmental
Structure
23
Cybersecurity: interconnecting in a new way
AML/BSA
Identity Theft
Cybersecurity Fundamentals
24
Solving the Problem
Cyber Security
BSA AML
Identity Theft
25
Putting it all together
  • Risk Assessments
  • Segregation of Duty
  • Security Policy
  • Intrusion detection and fraud management
  • Communication protocols
  • Training
  • Response programs

26
Risk Assessments
  • Including BSA/AML in the assessment tool?
  • Placement - where in the cyber world does it
    exist? Micro-structuring
  • Layering - where in the cyber world does it
    exist? Electronic movement of money
  • Integration - where in the cyber world does it
    exist? Purchasing of legitimate assets
  • Including Cybersecurity in the BSA risk
    assessment
  • Including both in the IT risk assessment,
    including the assessment of self-service products
    such as home banking

27
Segregation of Duty and Security Policy
  • Include the BSA/Cyber component into the manner
    in which employees are given access to different
    areas of the operation
  • Inject the BSA/Cyber component into the internal
    information security policy and program
  • Understand the whys and hows when performing
    internal audits of employee activity related to
    BSA/Cyber... think like a cyber criminal with
    lots of money to launder
  • All of the above should be completed with the
    protection of PII as the vital component

28
Intrusion detection and fraud management
  • Procedures for intrusion detection should take
    into account what can be done with the
    information once it is obtained
  • What types of transactional activity should be
    flagged once an account is taken over?
  • What systems are in place to uncover the types of
    activity that would indicate an account takeover
    with potentially criminal/AML types of activity?
  • Refrain from focusing only on the losses and
    create a sense of curiosity about what else could
    be going on

29
Communication protocols
  • Coordinate the fraud management team and include
    the BSA/AML officer when communicating a
    potential account take over
  • Develop procedures for performing forensics with
    more than loss mitigation in mind
  • Determine when a compliance risk exists and at
    what point you must escalate the issue

30
Response programs
  • Include in the response program the scenario
    where a taken over account was used to launder
    money (after determining severity)
  • For the public... if it gets out
  • For the regulator
  • For the authorities
  • The reputation risk can be high. Remember North
    Dade?

31
Does it really happen?
32
Cybersecurity Resources
  • FBI InfraGard
  • Financial Services Information Sharing and
    Analysis Center
  • National Credit Union Administration's Cyber
    Security Resources Page
  • U.S. Computer Emergency Readiness Team
  • U.S. Secret Service Electronic Crimes Task Force
    (ECTF)

http://www.cuanswers.com/resources/cybersecurity/
33
Questions??