
Thursday, February 1, 2024

Identity-Related Suspicious Activity

QUESTION 

We are a large mortgage lender in the West. A hedge fund owns us. Recently, the hedge fund came down hard on our compliance department for allowing the originating of loans that our AML process should have screened out. They were up in arms because our state regulator issued an administrative action against us. 

We didn't file some SARs that were identity-related, but we did document why the SARs were not filed. That didn't satisfy the regulator because they said we did not follow our own AML program guidelines. We may now lose our Safe Harbor because we didn't file the SARs by following our own policy. 

There are other issues, but the biggest one involves not screening for identity-related suspicious activity. That's the regulator's term: "identity-related suspicious activity." 

The auditor we hired to do our annual AML test was fired. Now, to comply with the regulator, we have to find an auditor who will work with us to review the last 36 months to determine if we should have filed more identity-related SARs. This is a massive undertaking. I am one of several operations persons drafted into the compliance department to assist. I want to know more, and I hope you will give us some feedback. 

What is identity-related suspicious activity? 

ANSWER 

We provide Anti-Money Laundering (AML) testing and training. We were the first compliance firm in the country to offer testing, training, and a written AML Program. Also, we handle large AML due diligence projects such as the one you've described. If you want information about our AML compliance support, contact us here. 

For years, the Financial Crimes Enforcement Network (FinCEN) has issued trend analyses showing that identity-related suspicious activity is a huge percentage of filings. For instance, in 2021, approximately 1.6 million SARs (42% of the SARs filed that year) related to identity, representing $212 billion in suspicious activity. 

Just a few weeks ago, FinCEN published its findings as part of its ongoing Identity Project ("Report").[i] The Report outlines how bad actors exploit identity-related processes in processing transactions as well as opening and accessing accounts. 

I will provide a cursory overview of the Report and then move on to an answer to your question. 

TYPOLOGIES 

The Report discusses the existence of significant identity-related exploitations through various schemes. FinCEN identified over fourteen "typologies" commonly indicated in identity-related SARs. 

The most frequently reported were 

(1) fraud,

(2) false records,

(3) identity theft,

(4) third-party money laundering, and

(5) circumvention of verification standards. 

These top five typologies accounted for 88% of identity-related SARs and 74% of the total suspicious activity reported in 2021. 

TRENDS 

Trends found in the BSA reporting include: 

· Although identity-related suspicious activity impacted all types of financial institutions, depository institutions filed the most identity-related BSA reports, about 54% of all identity-related filings. 

· The impact of identity-related exploitations, measured by BSA report volumes and cited U.S. dollar values, is significant. Attackers most frequently use impersonation tactics, followed by compromise during authentication, and then circumvention of verification to evade detection. 

· The Report found that compromised credentials have a disproportionately large financial impact compared to other types of identity exploitation, namely impersonation and circumvention. 

SAFE HARBOR 

I will not comment on your company's exposure to losing the Safe Harbor except to point out that the Safe Harbor provision of the Bank Secrecy Act (BSA)[ii], among other things, shields financial institutions, their officers, and employees from civil liability for reporting known or suspected criminal offenses or suspicious activity by filing a SAR. From your question, I can't tell who told you that your company may lose the Safe Harbor. 

The Safe Harbor provides immunity to any "financial institution that makes a voluntary disclosure of any possible violation of law or regulation to a government agency." This protection precludes liability under any federal, state, or local law, or regulation, or under any contract. Nevertheless, courts have disagreed about the scope of the protection it affords. You should be working with competent counsel in responding to the regulatory agency. 

SCREENING PROCEDURES 

It seems to me that your screening procedures failed to identify identity-related suspicious activity. You state that the regulator alleges you did not follow your own AML program procedures. That implies that you have procedures in a ratified AML Program that were not implemented. 

There are three stages to a systemic framework that mitigates identity-related suspicious activity.[iii] These stages are: (1) Validation; (2) Verification; and (3) Authentication. I do not think this framework is failsafe, but it is quite comprehensive. Nonetheless, in the age of Artificial Intelligence, we can expect updates to these stages. 

The following is a brief outline of each stage. 

Validation 

The validation stage begins when a customer presents identity attributes and supporting evidence (e.g., birth certificate, passport, driver's license, and so forth) – in person or remotely – for review by a financial institution. The financial institution then attempts to determine:

a) Whether the presented identity exists (i.e., whether it is tied to a real-life identity);

b) Whether the presented identity is unique (i.e., whether it is claimed by only one entity);

c) Whether the presented information and evidence are authentic and accurate. 

Generally, the financial institution makes these determinations by comparing the presented information and evidence against authoritative government data, such as public records and Social Security Administration data, or third-party data sources, such as credit reporting agency, utility, and employer data (i.e., independent and reliable data sources). 

Verification 

In the verification stage, the financial institution confirms that the previously validated identity evidence belongs to the customer. The financial institution may, for instance, match the customer's appearance in person (or virtually) via photo or video to a photo on the customer's driver's license, passport, or other photo identification. 

Verification tools and techniques can rely on humans or be entirely automated. These tools may also use biometrics like facial recognition and "liveness" detection or verify documents and attributes to determine a match. This process may also use various other technical and risk data from third parties. 

Authentication 

In the authentication stage, a financial institution assesses whether the customer is who they purport to be based on the customer's possession and control of valid "authenticators." Financial institutions may also engage in other activities involving transactions, such as verifying counterparties and other transaction monitoring. 

Authentication is supposed to provide "risk-based" assurance that the customer is the same customer whose identity was validated and verified during previous steps of the identity process. 

The authentication process can occur in person or remotely, be manual or digital, and rely on humans or machines. It is considered more robust when it depends on multiple authentication factors (i.e., multifactor authentication). 

Common authentication factors include: 

a) Ownership, or something the customer has (e.g., a badge, phone, or cryptographic key);

b) Knowledge, or something the customer knows (e.g., a password, passphrase, or PIN);

c) Inherence, or something the customer is (e.g., a fingerprint or other biometric data).

IDENTITY-RELATED EXPLOITATIONS 

Based on identity-related BSA reports, attackers (1) impersonate others to evade validation; (2) circumvent or exploit insufficient verification processes; and (3) use compromised credentials to gain unauthorized access during authentication. Here is a brief synopsis of FinCEN findings. 

Impersonation 

Attackers impersonate others by providing false identifying information, claiming to be other entities, and otherwise misrepresenting identity information to evade validation. Financial institutions and other victims appeared to have more difficulty identifying impersonation when they lacked an authoritative source to compare identity documentation and evidence. 

Examples of authoritative sources include records and credentials issued by government sources. 

Successful impersonation starts in the validation stage and continues throughout the identity process. 

Circumvention or Exploitation 

Attackers circumvent verification to obfuscate the sources and movement of funds. They use third-party "transactors" to mask the true transactors, or they refuse to cooperate or to provide photo identification or supporting identity documentation. 

These suspicious activities limit financial institutions' ability to fully identify their customers, their customers' transactions, and their customers' counterparties. 

Compromised Credentials 

Attackers compromise victims' credentials to gain unauthorized access to data, funds, information, locations, services, and systems. They target victims, their credentials, and their funds directly through account takeovers, business email compromises, brute-force login attacks, data breaches, identity theft, and other cyber events such as phishing, ransomware, and other endpoint compromises. 

The attackers then generate illicit proceeds from the sale of stolen credentials or use stolen credentials to open accounts, apply for lines of credit, and conduct transactions. 

They also use the compromised credentials to access accounts, information, and systems for their own financial gain. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] Financial Trend Analysis, Financial Crimes Enforcement Network, FinCEN Issues Analysis of Identity-Related Suspicious Activity, January 9, 2024. I will draw on some highlights of this new issuance for guidance in providing an answer.

[ii] 31 USC § 5318(g)(3)(A)

[iii] FinCEN outlines identity processes drawn generally from definitions detailed in the National Institute of Standards and Technology's (NIST's) Digital Identity Guidelines when relevant to financial institutions' BSA activities.