FINRA Sees Overlapping Risks in AML, Cybersecurity

Firm regulatory risks and priorities don’t exist in a vacuum, especially when it comes to a firm’s anti-money laundering (AML) responsibilities, according to FINRA.

In its latest podcast, “Encore | Overlapping Risks: Anti-Money Laundering and Cybersecurity”, the first of a two-part series, FINRA was looking at the intersection of a firm’s AML and cybersecurity risks.

Jason Foye

Jason Foye, Director with FINRA’s Anti-Money Laundering Investigative Unit, said there is significant overlap in AML and cybersecurity.

He said that cyber events are reportable under Suspicious Activity Reports, or SARs and beyond that, the underlying activity that could be related to cybercrime and cyber enabled crime can be divided into two broad categories.

One area is that bad actors can generate illicit funds through cybercrime that they then launder through the financial system, he said.

“And that certainly presents a risk to the securities industry within the financial system,” he added.

The other area that Foye mentioned includes bad actors that either take over accounts of unsuspecting customers, or in some cases they open new accounts in the name of unsuspecting customers, using stolen or synthetic personal identification documents, and those accounts then get used by these bad actors to engage in some sort of crime. 

“By using these accounts of an unsuspecting customer via a hack or stolen or synthetic identification fraud bad actors put an additional layer between them and the underlying conduct,” said Foye.

An example in this area involves unauthorized withdrawals of funds from a customer account. 

“But we also see a variety of situations where some of these unsuspecting customer accounts are used in trading schemes, such as pump-and-dumps, or market manipulation,” he added.

Foye expects that this threat is only going to increase over time particularly as markets, investors and day-to-day life continues to be more and more reliant on the Internet.

Dave Kelley, Director with FINRA’s Cybersecurity Specialist Program, agreed, saying:  “We’re constantly seeing new attacks.”

According to Kelley, some of those attacks include email account takeovers  as well as impostor websites.

“A lot of identity theft going on out there, viruses, ransomware attacks,” he stressed.

He added that all these attacks usually start with some sort of phishing email. 

Foye said that law enforcement and other agencies such as FinCEN, regularly use information reported in SARs to initiate investigations, identify criminals in their networks, conduct intelligence assessments and other critical functions.

As the risk of cybercrime and cyber-enabled financial crime continues to grow, financial institutions including FINRA member broker-dealers play a really crucial role in helping to protect investors and the markets as we work collectively to combat this threat, Foye added.

This includes putting in place effective cybersecurity controls and ensuring that SARs and file when appropriate in order to assist law enforcement and other agencies and the important work that they’re doing in this space.

He thinks one of the big challenges that financial institutions face in this space is the sheer volume of potential cyber events that they may be facing on a daily basis, particularly for some of the larger institutions. 

“This makes determining what events may require a SAR to be filed difficult at times, especially if the value of the underlying activity associated cyber event is zero or is difficult to quantify,” he said.

Kelley added that any cyber event or hack is a concern from an AML standpoint. 

“Every firm should have some sort of incident response program already in place. So anytime they have a cyber event, or a hack happen, they need to implement their program,” he said.

“Ten years ago, the thought was cyber security was the responsibility of the IT group and they handled everything. Today, everybody in that organization, everybody in any firm, they all have a responsibility for helping to protect not only the firm information but also the customer’s information,” he added.

Kelley added that firms also need to have a good risk assessment program which determines those key risks.

This is really where effective delegation and communication becomes really critical for firms, said Foye.

“In this area, firms want to make sure that from an AML of prospective that they clearly communicated to whatever person or group is responsible for the cyber security front. What the expectations are in terms of what types of events need to be escalated to AML for further review. And they want to make sure that they’re also reasonably kind of testing to make sure that the events that they expect to be escalated to AML are in fact being escalated as expected,” he added.