Updated October 22, 2020
In response to COVID-19, the Financial Crimes Enforcement Network (FinCEN) has issued several notices and an advisory related to Bank Secrecy Act (BSA) compliance during the pandemic. In remarks at the Consensus Blockchain Conference on May 13, 2020, FinCEN Director Kenneth A. Blanco announced that FinCEN would be monitoring for criminal activity related to the COVID-19 pandemic. He stressed the importance of identifying cybercrime during the COVID-19 pandemic and advised that financial institutions be on the lookout for the following:
- Criminals who use COVID-19 as a "lure" targeting vulnerable individuals and companies that seek healthcare information and products or are contributing to relief efforts,
- Cybercriminals who target vulnerabilities in remote applications that are especially in use during the COVID-19 pandemic,
- Scams involving virtual currency payments, and
- Attempts by criminals to undermine financial institutions' due diligence and "know your customer" processes in the remote environment.
Director Blanco also advised that FinCEN would be releasing multiple advisories highlighting common typologies used in fraud, theft, and money laundering activities related to the pandemic. The first of these was released on May 18, 2020. To track the issuances, below are summaries of the advisories, notices, and Frequently Asked Questions (FAQs) issued to date by FinCEN during the course of the COVID-19 pandemic. We will be updating this collection as new issuances are released. Please contact the authors with any questions you might have.
One of the biggest challenges for financial institutions and their customers during the COVID-19 pandemic has been managing the significant increase in online and digital transactions. These efforts have included increases in online shopping and the shift to remote work and school, as well as digital efforts to distribute pandemic relief to consumers and small businesses. While the economy has done a remarkable job of adjusting to the ecommerce environment, there has been a corresponding increase in cyberattacks, ransomware scams, and related fraud. The Department of Treasury, through the Financial Crimes Enforcement Network (FinCEN), has issued a number of advisories related to fraud, theft, and money laundering associated with the pandemic, which we have summarized in a series of client alerts.
Earlier this month, FinCEN and the Office of Foreign Assets Control (OFAC), also part of the Treasury, issued complementary advisories warning financial institutions (and businesses generally) on the risks of ransomware attacks, including the need for financial institutions to avoid knowingly or inadvertently facilitating payments to bad actors in connection with these scams. Together, the FinCEN and OFAC advisories fit squarely within Treasury’s efforts to educate the public on fraud and money laundering risks associated with the pandemic, and build upon existing guidance that encourages financial institutions to monitor for and report on cyberattacks and related fraud. In this alert, we provide an overview of the FinCEN and OFAC guidance on ransomware attacks and explain how that guidance complements existing guidance for financial institutions relating to sanctions screening and monitoring for and reporting on suspicious activity involving cyberattacks and related fraud.
The Advisory highlights the ways in which FinCEN is seeing the COVID-19 pandemic being exploited through unemployment insurance fraud. The Advisory highlights five (5) representative types of unemployment insurance fraud FinCEN is seeing through its analysis of COVID-19-related information from Bank Secrecy Act (BSA) data, open source reporting, and law enforcement. It includes a list of 10 associated financial red flag indicators. The Advisory also provides SAR filing instructions related to the reporting of COVID-19-related unemployment insurance fraud.
Unemployment Insurance Fraud Typologies:
- Fictitious employer-employee fraud – “Employee” falsely claims employment with a legitimate company or creates a fictitious company and submits fictitious records to apply for unemployment insurance benefits.
- Employer-employee collusion fraud – Employee receives unemployment insurance payments while continuing to be paid reduced, underreported wages.
- Misrepresentation of income fraud – Employee returns to work and does not report income to continue receiving unemployment insurance or claims a higher wage than earned to receive higher unemployment insurance payments.
- Insider fraud – Use of credentials by state employees to inappropriately access or change unemployment insurance claims.
- Identity-related fraud – Use of stolen or fake identity on unemployment insurance applications to perpetrate an account takeover.
Unemployment Insurance Fraud SARs:
- Insert “COVID-19 UNEMPLOYMENT INSURANCE FRAUD FIN-2020-A007” in SAR field 2 and the narrative.
- Select SAR field 34(z) (Fraud – other) as the suspicious activity type and include “unemployment fraud” in the field.
- Include the following in addition to standard transaction data:
  - Relevant email addresses
  - IP addresses with their respective time stamps
  - Login information with location and time stamps
  - Cyber-related information and technical indicators
  - Virtual currency wallet addresses
  - Mobile device information (e.g., device IMEI)
  - Phone numbers
  - Description and timing of suspicious electronic communications
- Follow FinCEN’s May 18, 2020 Notice Related to the Coronavirus Disease 2019 (COVID-19) for guidance on COVID-19-related SARs more generally.
The Advisory highlights the ways in which FinCEN is seeing the COVID-19 pandemic being exploited in cyber-related crime through the targeting and exploitation of remote platforms and processes, phishing, malware, and extortion and business email compromise (BEC) schemes, particularly against financial and healthcare systems. The Advisory warns financial institutions to be alert to suspicious activity involving their customers because scammers are directly targeting customers. The Advisory also provides SAR filing instructions related to the reporting of COVID-19-related cyber and cyber-enabled crime.
Targeting and Exploiting Remote Platforms and Processes:
- Alerts that this has increased with the increase in remote access as criminals exploit vulnerabilities to steal sensitive information, compromise financial activity, and disrupt business operations.
- Warns that remote identity processes, including customer onboarding and identity verification and authentication of existing customers for account access purposes, are also at risk through digital manipulation of identity documentation and the leveraging of compromised credentials across accounts.
- Lists nine "red flag" indicators that may suggest an imposter scam is taking place.
Phishing, Malware and Extortion:
- Advises that there has been a significant increase in phishing scams, particularly targeting healthcare and pharmaceutical providers, offering COVID-19 information and supplies. While these mostly come by email, phone calls and texts are also being used.
- Warns the schemes often reference COVID-19 themes or advertise ways to make money, such as investments in convertible virtual currencies (CVCs) or via domain names that mimic legitimate organizations, including those that provide or enable teleworking capabilities.
- Further warns that malware, including ransomware, is being distributed through phishing emails, malicious websites and downloads, domain name system hijacking or spoofing attacks, and fraudulent mobile apps.
- Advises that financial institutions dealing in CVCs should be particularly alert to the potential use of their institution to launder cybercrime proceeds and to take steps to mitigate those risks consistent with Bank Secrecy Act obligations.
- Provides that, in most cases, criminals are requiring ransomware-related extortion payments to be in CVC.
- Lists seven "red flag" indicators that could suggest phishing, malware, or extortion schemes.
Business Email Compromise Schemes:
- Advises cybercriminals are increasingly using BEC schemes to exploit the pandemic.
- Warns that through spoofed or compromised email accounts, criminals are convincing companies to redirect payments to new accounts, claiming changes are necessitated by pandemic-related changes to business operations. Criminals do this by impersonating a critical player in a business relationship or transaction, such as a healthcare supply provider, to intercept or fraudulently induce payment for critically needed supplies.
- Lists four "red flag" indicators that could indicate a BEC scheme.
Warns financial institutions of imposter scams and money mule schemes, which are two kinds of consumer fraud that U.S. authorities have observed during the COVID-19 pandemic, and provides specific instructions on how to file Suspicious Activity Reports (SARs) related to the COVID-19 pandemic.
- Outlines the basics of imposter scams in which criminals impersonate organizations such as government agencies, nonprofit groups, universities, or charities to offer fraudulent services or otherwise defraud victims.
- Sets forth the following basic methodology of most imposter scams:
  - An actor contacts a target under the false pretense of representing an official organization; and
  - The actor coerces or convinces the target to provide funds or valuable information, engage in behavior that causes the target’s computer to be infected with malware, or spread disinformation.
- Provides alerts that possible COVID-19 schemes could involve imposters posing as officials or representatives of the Internal Revenue Service (IRS), the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), or other healthcare or nonprofit groups, and academic institutions.
- Notes that imposters may try to defraud and deceive vulnerable populations, such as the elderly and unemployed, by telling individuals that they need to provide personal information or send payments in order to receive relief or benefits, such as Economic Impact Payments (EIP) under the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
- Also notes that imposters may impersonate contact tracers and imply that their targets must supply personal information as part of contact tracing efforts.
- Lists seven “red flag” indicators that may suggest an imposter scam is taking place.
Money Mule Schemes:
- Defines a money mule as “a person who transfers illegally acquired money on behalf of or at the direction of another.”
- Provides that there are three types of money mules:
  - Witting – meaning an individual who “chooses to ignore obvious red flags or acts willfully blind to his/her money movement activity”;
  - Unwitting or unknowing – meaning an individual who is “unaware that he or she is part of a larger criminal scheme”; and
  - Complicit – meaning an individual is “aware of his/her role as a money mule and is complicit in the larger criminal scheme.”
- Advises that during the COVID-19 pandemic, U.S. authorities have detected recruiters engaging in money mule schemes following common typologies, such as good Samaritan, romance, and work-from-home schemes.
- Lists eleven “red flag” indicators that could suggest a money mule scheme is taking place.
- Warns financial institutions that Bank Secrecy Act data, as well as information from other federal agencies, foreign governments, and public sources, suggests that there has been COVID-19-related criminal activity, including:
  - Fraudulent cures, tests, vaccines, and services,
  - Non-delivery scams, and
  - Price gouging and hoarding of medically related items, such as face masks and hand sanitizer.
- Lists 22 financial “red flag” indicators that could suggest that the above illicit activity is taking place.
- Provides three case studies as examples of COVID-19-related illicit activity that has taken place.
- Provides financial institutions with Suspicious Activity Report (SAR) filing instructions, directing financial institutions to do the following for COVID-19-related cases:
  - Reference this advisory on the SAR form by including the key term “COVID19 FIN-2020-A002” in SAR field 2 and write the narrative so that it indicates a connection between the suspicious activity being reported and the activities highlighted in this advisory,
  - Select SAR field 34(z) (Fraud – other) as the associated suspicious activity type to indicate a connection between the suspicious activity being reported and COVID-19,
  - Include the type of fraud and/or name of the scam or product (e.g., Product Fraud – non-delivery scam) in SAR field 34(z), and
  - Refer to FinCEN’s May 18, 2020 Notice Related to the Coronavirus Disease 2019 (COVID-19), which contains information regarding reporting COVID-19-related crime and reminds financial institutions of certain BSA obligations.
March 16, 2020 – The Financial Crimes Enforcement Network (FinCEN) Encourages Financial Institutions to Communicate Concerns Related to the Coronavirus Disease 2019 (COVID-19) and to Remain Alert to Related Illicit Financial Activity
- Encourages financial institutions affected by the COVID-19 pandemic to contact FinCEN and their functional regulator as soon as practicable if the COVID-19 pandemic might delay the institution’s required BSA reports.
- Provides a phone number for FinCEN’s Regulatory Support Section (RSS) at 1-800-949-2732 (select option 6) for financial institutions wishing to contact FinCEN during the COVID-19 pandemic.
- Lists the following trends that typically arise in the wake of natural disasters and warns that the same trends could materialize during the COVID-19 pandemic:
  - Imposter Scams,
  - Investment Scams,
  - Product Scams, and
  - Insider Trading
- Instructs financial institutions to be aware of the above trends, take necessary precautions, and contact FinCEN if they suspect illicit activity related to COVID-19 that follows the above trends or takes any other form.
- Emphasizes that compliance with the BSA is vital to national security and that FinCEN expects financial institutions to continue following a risk-based approach and adhere to BSA obligations.
- States that for eligible federally insured depository institutions and federally insured credit unions, PPP loans for existing customers will not require re-verification of beneficial ownership information under applicable BSA requirements, unless otherwise indicated by the institution’s risk-based approach.
- States that FinCEN recognizes that some financial institutions may be experiencing COVID-19-related delays with BSA filings and suspends the implementation of a February 6, 2020 ruling regarding currency transaction report (CTR) obligations when reporting transactions involving sole proprietorships operating under a “doing business as” (DBA) name until further notice.
- Instructs financial institutions that want to contact FinCEN with COVID-19-related concerns to go to www.FinCEN.gov, click on “Need Assistance,” and select “COVID19” in the subject drop-down list.
- Encourages financial institutions to be innovative in their attempts to meet their BSA/anti-money laundering compliance obligations during the COVID-19 pandemic.
May 18, 2020 – Notice Related to the Coronavirus Disease 2019 (COVID-19)
- Accompanies FinCEN’s May 18, 2020 advisory (summarized above).
- Directs financial institutions to monitor the FinCEN website for COVID-19-related updates, as well as the Department of Treasury website on the Coronavirus Aid, Relief, and Economic Security (CARES) Act for up-to-date information concerning compliance with BSA obligations.
- Instructs financial institutions not to include in the SAR narrative their challenges during the pandemic and only include COVID-19 in the SAR narrative when it is tied to suspicious activity.
- If SAR filers have already included references to COVID-19 in matters not related to the pandemic, there is no need to file corrected reports.
- States that financial institutions are required to provide full details related to SAR filings, including supporting documentation, as quickly as possible.
- Directs financial institutions to maintain a copy of any SARs they file and to maintain the original or business record equivalent of any supporting documentation for a period of five years following the date of the SAR filing.
- Requires that financial institutions provide FinCEN or an appropriate law enforcement or supervisory agency with any requested SAR supporting documentation upon request, but only after verifying that the requestor is a legitimate representative of FinCEN or an appropriate law enforcement or supervisory agency.
- Encourages information sharing via Section 314(b) of the USA PATRIOT Act when financial institutions suspect that a transaction may involve terrorist financing or money laundering.
- Urges the public and financial institutions to report COVID-19-related criminal activity to relevant government agencies.
- States that FinCEN has expanded its Rapid Response Program to assist the public during the COVID-19 pandemic and encourages those who need immediate assistance in recovering cybercrime- and COVID-19-related stolen funds to file a complaint with the FBI’s Crime Complaint Center (IC3), contact their local FBI field office, or contact the nearest United States Secret Service field office.
- Reminds financial institutions that contacting law enforcement for fund recovery does not relieve financial institutions of SAR filing obligations.
- States that FinCEN has greater success recovering funds when victims or financial institutions report business email compromise (BEC)-unauthorized and fraudulently induced wire transfers to law enforcement within 24 hours.
April 13, 2020 – Paycheck Protection Program Frequently Asked Questions (FAQs)
- States that if a PPP loan is being made to an existing customer, lenders do not have to re-verify beneficial ownership information that has already been verified.
- Clarifies that if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.
- States that lenders with new customers should collect the following information from all natural persons with a 20% or greater ownership stake in the applicant business to satisfy applicable BSA and FinCEN regulations governing the collection of beneficial ownership information:
  - Owner name,
  - Ownership %,
  - Address, and
  - Date of birth.
- States that, for new customers, if an ownership interest of 20% or greater in the applicant business belongs to a business or other legal entity, lenders will need to collect beneficial ownership information for that entity (more on those requirements can be found here).