Financial Institutions and Banking

Bank Wire

Crypto-assets: Handle with care

In January 2023, the federal banking agencies published “Joint Statement on Crypto-Asset Risks to Banking Organizations.” The statement cautions banks to be aware of — and, if applicable, mitigate — the risks associated with crypto-assets. According to the statement, these risks include:

  • Fraud and scams,
  • Legal uncertainties regarding custody practices, redemptions and ownership rights,
  • Inaccurate or misleading representations or disclosures, including misrepresentations regarding FDIC coverage,
  • Significant volatility, including potential impacts on deposit flows,
  • Stablecoins’ susceptibility to run risk,
  • Contagion risk resulting from interconnections among crypto-asset participants,
  • Lack of mature, robust risk management and governance practices in the crypto-asset sector, and
  • Heightened risks associated with open, public or decentralized networks (for example, lack of governance mechanisms, absence of contracts, or standards to clearly establish roles, responsibilities and liabilities).

The statement instructs banks to “ensure that crypto-asset-related activities can be performed in a safe and sound manner, are legally permissible, and comply with applicable laws and regulations,” including consumer protection laws. Notably, the statement opines that “issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe and sound banking practices.”

Be prepared to report computer security incidents

As concerns over cybersecurity intensify, banks should be prepared to report computer security incidents to federal regulators quickly. Under a rule that took effect last spring, banks must report computer security incidents that rise to the level of a “notification incident” within 36 hours. The rule defines “computer security incident” as an “occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” These incidents aren’t limited to cyberattacks — they also can result from hardware or software failures, human error or other nonmalicious causes.

A computer security incident is deemed to be a notification incident if it’s reasonably likely to materially disrupt or degrade a bank’s 1) ability to carry out banking operations, activities or processes, or deliver products and services to customers, 2) business lines whose failure would result in a material loss of revenue, profit or franchise value, or 3) operations whose failure would pose a threat to U.S. financial stability. All banks should have procedures in place for identifying notification incidents and reporting them to their primary regulators on a timely basis.

© 2023

Strengthen Your Defenses: Preparing for ransomware attacks

In October 2021, a California community bank was victimized by a ransomware attack. The hackers obtained sensitive information from the bank’s systems, including loan application forms, tax returns, W-2 information, payroll records, names, addresses and Social Security numbers. They threatened to release this information if the bank failed to negotiate.

The bank incurred significant financial costs and reputational damage associated with the attack. It also offered free credit monitoring and identity theft protection services to affected customers. This is just one of many examples of community banks that have been targeted by ransomware attacks in recent years.

Double trouble

There was a time when smaller banks reasonably believed that cybercriminals would leave them alone, because larger institutions offered a bigger payoff. Recently, however, the trend has reversed. Cybercriminals are now targeting small banks, which they believe lack the wherewithal to protect against these attacks and have less robust internal controls than larger institutions.

A newer ransomware scheme involves so-called “double extortion” attacks. In a traditional ransomware attack, the cybercriminal sends a phishing email to a bank employee or other user of the bank’s systems. If the recipient clicks the link in the email, malware is introduced that infects the bank’s systems and encrypts its data. The cybercriminal then demands a ransom payment in exchange for the decryption key.

In some cases, however, victims were able to quickly restore their systems from unaffected backups and thus refused to pay the ransom. To avoid this result, a double extortion attack involves stealing sensitive data and threatening to release it if the ransom isn’t paid.

Protective measures

To minimize the risks associated with ransomware attacks, community banks should follow industry practices recommended by the Federal Financial Institutions Examination Council (FFIEC) and other federal banking agencies. These include:

  • Regularly assessing the bank’s exposure to ransomware risks and patching any vulnerabilities,
  • Educating employees about the risks of ransomware and training them on identifying and reporting potential attacks,
  • Inventorying hardware, software, connections and data, with programs in place that identify vulnerabilities,
  • Implementing backup systems designed to protect data from cybercriminals,
  • Segmenting networks to limit a cybercriminal’s access within the system if a breach occurs,
  • Managing third-party risks that expose the bank to ransomware attacks,
  • Implementing email filtering processes that identify malicious messages and prevent them from reaching end users, and
  • Restricting the use of employees’ personal devices on the bank’s network.

Be aware that paying a ransom may result in sanctions if the cybercriminal is listed by the Office of Foreign Assets Control (OFAC) as a known or suspected terrorist or terrorist organization. Reporting ransomware demands promptly to the federal authorities can help mitigate these sanctions. Banks also may need to file Suspicious Activity Reports (SARs) in connection with ransomware payments.

Another critical tool for defending your bank against cyberattacks is a program of regular system vulnerability assessments and penetration tests. Vulnerability assessments involve scanning all internal and external networks to identify security flaws or weaknesses. Penetration testing — a form of “ethical hacking” — involves the intentional launching of simulated cyberattacks to identify any vulnerabilities that can be exploited to compromise the bank’s systems or data. It can also be used to test the bank’s security policies, employees’ security awareness, and the bank’s ability to flag and respond to security issues as they happen.

Typically, vulnerability assessments should be conducted twice a year and penetration testing should be done annually. But the appropriate frequency of testing depends on your bank’s circumstances and resources.

Have a plan

As cyber risks continue to mount, your bank needs a comprehensive cybersecurity plan that reduces risks and minimizes damages should they occur. It should include an incident response protocol for containing an incident, coordinating with law enforcement and third parties, restoring systems, preserving data and evidence, providing customer assistance, and reporting the incident to the relevant federal banking regulator within 36 hours.

How To Assess and Deal With BSA/AML Risks

Over the past few years, many people have turned to electronic banking (e-banking), whether for individual or business purposes. While e-banking may be convenient, it also may increase the possibility of hidden criminal behavior. In addition, compliance with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) laws and regulations is increasingly scrutinized by banking regulators. This puts banks in the middle of a potentially difficult — even dangerous — situation, unless they develop strategies to both assess and handle any related risks.

Get with the program

To help combat money laundering and terrorist financing, banks must develop and implement comprehensive BSA/AML programs. These programs ensure banks know their customers, monitor transactions, identify suspicious activity, and share information with the government and other financial institutions.

Federal regulators emphasize a risk-based approach to BSA/AML compliance. In other words, a bank is expected to conduct a thorough risk assessment and develop policies, procedures and processes that are adequate for its size, location, customer base, products and services.

Determine the impact

E-banking — including online account opening, ATM transactions, Internet banking transactions, remote deposit capture (RDC), telephone banking and mobile banking apps — can increase a bank’s BSA/AML risks. The lack of face-to-face contact in e-banking transactions introduces a heightened level of risk to institutions by making them vulnerable to unauthorized users accessing customer accounts. As your bank introduces new e-banking products and services, it’s imperative to evaluate their impact on your BSA/AML program.

For example, online account opening without face-to-face contact may heighten your risk because:

  • Verifying the customer’s identity is more difficult,
  • The customer may be outside the bank’s targeted geographic area,
  • The customer may perceive these transactions as less transparent, and
  • A front company or unknown third party may use the account.

To mitigate these risks, banks should ensure that their BSA/AML monitoring, identification and reporting systems are properly equipped to flag unusual and suspicious activities conducted electronically. Useful tools include ATM activity reports, funds-transfer reports, new-account-activity reports and change-of-Internet-address reports. Reports that identify related or linked accounts are particularly effective in an e-banking context. These reports reveal accounts with common addresses, phone numbers, email addresses and taxpayer identification numbers.
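The linked-account report described above, as an added example that is not from the original article or any vendor’s monitoring product: it clusters constructed sample accounts that share a normalized address, phone number, email address or taxpayer identification number, using a union-find pass so that indirect links (A shares an address with B, B shares an email with C) land in a single review group. Account records, field names and the normalization rules are assumptions for illustration.

```python
# Added example (not from the original article): a linked-account report of the
# kind used in e-banking BSA/AML monitoring. Accounts that share a normalized
# identifier are grouped so an analyst can review the cluster as a whole.
import re
from collections import defaultdict

# Constructed sample accounts; the overlaps between them are deliberate.
ACCOUNTS = [
    {"id": "A1", "name": "Acme Imports LLC", "address": "12 Main St, Apt 4, Springfield",
     "phone": "(555) 010-2000", "email": "ops@acme-imports.example", "tin": "12-3456789"},
    {"id": "A2", "name": "J. Doe", "address": "12 MAIN ST APT 4 SPRINGFIELD",
     "phone": "555-010-2000", "email": "jdoe@mail.example", "tin": "987-65-4321"},
    {"id": "A3", "name": "Zenith Trading", "address": "77 Harbor Rd, Bayview",
     "phone": "555-010-3000", "email": "OPS@ACME-IMPORTS.EXAMPLE", "tin": "55-5555555"},
    {"id": "A4", "name": "R. Roe", "address": "9 Elm Ave, Bayview",
     "phone": "555-010-4000", "email": "rroe@mail.example", "tin": "111-22-3333"},
]


def normalize(field, value):
    """Canonicalize an identifier so cosmetic differences do not hide a link."""
    if field == "address":
        return re.sub(r"[^a-z0-9]", "", value.lower())   # drop case and punctuation
    if field in ("phone", "tin"):
        return re.sub(r"\D", "", value)                   # digits only
    if field == "email":
        return value.strip().lower()
    return value


def linked_account_clusters(accounts, fields=("address", "phone", "email", "tin")):
    """Group accounts that share any normalized identifier (union-find).

    Returns {frozenset(account ids): [(field, normalized value), ...]} listing
    the identifiers that tie each group together. Singletons are omitted.
    """
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index every (field, normalized value) to the accounts carrying it.
    index = defaultdict(list)
    for acct in accounts:
        for f in fields:
            index[(f, normalize(f, acct[f]))].append(acct["id"])
    # Any identifier present on two or more accounts links them.
    shared = {key: ids for key, ids in index.items() if len(ids) > 1}
    for ids in shared.values():
        for other in ids[1:]:
            union(ids[0], other)

    clusters = defaultdict(list)
    for acct_id in parent:
        clusters[find(acct_id)].append(acct_id)
    report = {}
    for members in clusters.values():
        if len(members) < 2:
            continue
        key = frozenset(members)
        report[key] = sorted(k for k, ids in shared.items() if set(ids) <= key)
    return report


if __name__ == "__main__":
    for members, links in linked_account_clusters(ACCOUNTS).items():
        print(sorted(members), "linked by", links)
```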

Additional risk-mitigating controls may include 1) limiting the types and sizes of transactions that can be conducted through e-banking platforms, 2) limiting the volume and frequency of online-initiated transactions, if allowed, and 3) offering online accounts only to established customers. Banks also need to develop effective and reliable methods for authenticating customers’ identities when they open accounts online (such as “out of wallet” questions that only that person can answer).

Reduce RDC risks

While RDC provides obvious benefits to customers, it exposes banks to money laundering, fraud and information security risks. For example, fraudulent, sequentially numbered or physically altered checks may be harder to detect when they’re submitted via RDC. Plus, it’s difficult for banks to control or locate RDC equipment, particularly when foreign correspondents and foreign money service businesses increasingly rely on RDC.

Inadequate controls can result in altered deposit data, duplicate deposits and other problems. Also, customers or service providers typically retain original checks or other deposit items, which may create recordkeeping, data safety and integrity issues.

Potential risk mitigation steps include:

  • Performing a comprehensive RDC risk assessment before implementation,
  • Conducting appropriate customer due diligence and enhanced due diligence,
  • Establishing risk-based parameters for RDC customer suitability, such as lists of acceptable industries and standardized underwriting criteria,
  • Comparing an RDC customer’s expected account activity to actual activity,
  • Establishing RDC transaction limits, and
  • Ensuring that RDC customers receive adequate training.

Contracts should clearly set out the relative roles, responsibilities and liabilities of the bank and its customers with respect to RDC transactions. This includes procedures for handling and disposing of original documents.

Being vigilant

Make sure your bank remains watchful for ongoing BSA/AML issues and other potential risks resulting from e-banking. There’s no going back — e-banking is here to stay. The best strategy is to ensure your bank remains fully compliant, with all appropriate processes and procedures in place.

Should You Outsource The Internal Audit Function?

A solid internal audit program is one of the most effective tools a bank has to inspire confidence — among directors, investors, regulators, and other stakeholders — in its financial processes and reporting practices. Many banks outsource the internal audit function, in whole or in part, to take advantage of external auditors’ special skills and independence, address internal staffing shortages, and control costs. Here are some factors to consider when deciding whether to outsource this function.

Advantages of outsourcing

First and foremost, by outsourcing the internal audit, a community bank can tap a level of skill and expertise — critical in the highly regulated banking industry — that may be difficult to find or too expensive to maintain in-house. Access to this expertise is particularly beneficial for banks in smaller communities and those that want to expand their product or service offerings or enter new markets. External auditors may also have access to more sophisticated software or other audit tools that would otherwise be cost-prohibitive for a community bank.

Second, in the wake of the COVID-19 pandemic, many businesses, including banks, are facing severe labor shortages. Outsourcing the internal audit function allows them to focus on filling core positions.

Third, outsourcing can help a bank control costs. It allows the bank to set an internal audit budget that meets its needs and design a program that has more flexibility. The bank avoids the fixed labor and overhead costs associated with an internal audit staff, and it can adjust the use of outside consultants as its internal audit needs fluctuate or special projects arise.

Finally, outsourcing can help enhance auditor independence. In-house auditors who develop relationships with other bank staff may lose some objectivity — or at least the appearance of objectivity. Outsourcing also facilitates the rotation of internal auditors, something that’s difficult to do in-house.

Disadvantages of outsourcing

One potential downside is that outside consultants generally lack an insider’s in-depth knowledge about the bank’s operations, particularly when outsourced auditors are rotated frequently. The resulting learning curve may reduce the cost-effectiveness of an outsourced audit. To overcome this obstacle, some community banks outsource the internal audit function to their external auditors. Although doing so is permissible under specific circumstances, a bank should consider the potential impact on the external auditor’s independence before taking this approach.

Also, outsourcing arrangements require meticulous planning and monitoring, including a comprehensive engagement letter and regular communication. It’s critical to ensure that the parties are on the same page regarding the auditing firm’s activities, the scope of the audit and the advice provided by the auditor.

Outsourcing vs. co-sourcing

Co-sourcing can be an attractive alternative to fully outsourcing the internal audit function. As the name suggests, it involves splitting internal audit activities between internal and external auditors. This approach can take many forms, depending on the bank’s needs. A short-staffed bank might use outside auditors to supplement its staff and share various auditing tasks and responsibilities.

Co-sourcing also can be a good strategy if a bank’s internal audit staff lacks certain specialized skills. For example, if in-house staff isn’t equipped to perform specialized audits — such as information technology or Bank Secrecy Act/Anti-Money Laundering (BSA/AML) audits — the bank might engage an outside auditor to conduct those audits while its internal staff focuses on areas within its skill set.

A powerful tool

A well-designed internal audit program can be a powerful tool for evaluating a bank’s internal controls, processes, and procedures. Internal auditors also can recommend improvements and share their findings with the bank’s board of directors and other stakeholders. Whether conducted in-house, outsourced or co-sourced, an internal audit provides an opportunity for a fresh look at a bank’s operations by auditors who are independent from management.

Sidebar: Managing third-party risk

For banks that outsource or co-source the internal audit function, it’s important to recognize that doing so doesn’t absolve the bank’s board or management from responsibility for the internal audit. This function also doesn’t relieve the bank from liability for compliance or consumer protection issues associated with outsourced activities.

Before you enter an outsourcing relationship, review the federal banking regulators’ guidance on managing third-party risk, including the Office of the Comptroller of the Currency’s “Interagency Policy Statement on the Internal Audit Function and its Outsourcing.” Failure to properly manage this risk can result in financial loss and regulatory action. It can also jeopardize your bank’s reputation.

Among other things, a bank should:

  • Conduct a risk assessment to weigh the benefits and risks, including service provider risk, of outsourcing the internal audit.
  • Exercise due diligence in vetting the provider — including an examination of its background, reputation, financial condition, internal controls, disaster recovery plans, and business continuity plans.
  • Be sure that the contract or engagement letter clearly spells out each party’s rights and responsibilities. (For example, it should provide details on performance benchmarks, information sharing, audit rights, compliance, confidentiality, and indemnification.)
  • Monitor the provider’s performance and compliance with contract terms throughout the life of the arrangement.
  • Have a contingency plan in place in the event there are any disruptions in service.

FinCEN’s National AML/CFT Priorities Set the Tone

In June 2021, the Financial Crimes Enforcement Network (FinCEN) issued its first set of government-wide priorities (the Priorities) for anti-money laundering and countering the financing of terrorism (AML/CFT). As required by the Anti-Money Laundering Act of 2020 (AML Act), the Priorities identify and describe the most significant AML/CFT threats currently facing the United States.

FinCEN will soon issue regulations that instruct banks and other financial institutions on how to incorporate the Priorities into their risk-based AML/CFT programs. In addition, though not required by the AML Act, federal banking agencies plan to revise their Bank Secrecy Act (BSA) regulations to explain how the Priorities will be incorporated into banks’ BSA requirements.

What are the Priorities?

FinCEN developed the Priorities after consulting with various Treasury Department offices, federal and state regulators, law enforcement, and national security agencies. Pursuant to the AML Act, FinCEN will update the Priorities at least once every four years in consultation with the same government agencies. These updates will reflect new and emerging threats.

The Priorities are:

Corruption. According to FinCEN, corrupt actors often exploit vulnerabilities in the U.S. financial system to launder assets and obscure crime proceeds. Past advisories on human rights abuses enabled by corrupt foreign political figures describe typologies and red flags that can help banks identify these actors and activities.

Cybercrime. Treasury is particularly concerned about cyber-enabled financial crime, ransomware attacks and misuse of virtual assets to launder illicit proceeds. Referencing past FinCEN and Treasury advisories regarding ransomware and COVID-19-related cybercrime, the Priorities note that banks are uniquely positioned to observe suspicious activity related to cyber-enabled financial crime and other cybercrime.

Terrorist financing. International and domestic terrorists require financing to support members, fund logistics and conduct operations. So, preventing such financing is essential to U.S. counterterrorism efforts. The Priorities remind banks of existing obligations to file suspicious activity reports (SARs) on potential terrorist financing transactions, follow requirements for reporting violations that require immediate attention and comply with required sanctions programs.

Fraud. The Priorities emphasize that fraud — including bank, consumer, health care, securities and tax scams — is believed to generate the largest share of illicit proceeds in the United States. These proceeds may be laundered through a variety of methods, including transfers through accounts of offshore legal entities, accounts controlled by cyberactors and money mules. Of particular concern are business email compromise and, most recently, COVID-19-related schemes.

Transnational criminal organization activity. These organizations — which may be involved in cybercrime; drug, wildlife, human, and weapons smuggling or trafficking; intellectual property theft; and corruption — are priority threats due to the “crime-terror nexus” of their illicit activities. According to the Priorities, these organizations are increasingly relying on professional money laundering networks.

Drug trafficking organization activity. Drug trafficking organizations tend to rely on Asian professional money laundering networks that facilitate exchanges of Chinese and U.S. currency or serve as money brokers in trade-based money laundering schemes. The Priorities note a substantial increase in complex schemes involving Mexican drug trafficking organizations that launder narcotics sale proceeds through Chinese citizens residing in the United States, including the use of front companies or couriers that deposit these proceeds in the banking system.

Human trafficking and smuggling. Human trafficking and smuggling networks use various mechanisms to move illicit proceeds, including cash smuggling by individual victims and sophisticated operations involving professional money laundering networks and criminal organizations. They may establish shell companies to hide the true nature of their business. They also may receive payments through such methods as funnel accounts and trade-based money laundering schemes.

Weapons proliferation financing. The principal threat here comes from proliferation support networks. These networks include individuals and entities, such as trade brokers and front companies, that exploit the U.S. financial system to move funds used to acquire nuclear, chemical or biological weapons or to further state-sponsored weapons programs. The principal driver of proliferation financing risk in the United States is global correspondent banking, due to its central role in processing U.S. dollar transactions.

What’s next?

Banks aren’t required to take any action with respect to the Priorities until final regulations are issued. When that happens, banks will need to review and incorporate, if appropriate, these Priorities based on their broader risk-based AML/CFT programs. Although it’s not certain when regulations will be finalized, it’s a good idea for banks to begin evaluating the potential risks associated with the products and services they offer, the customers they serve and the geographic areas in which they operate.

To begin evaluating potential risks and plan for final regulations, contact Jack Matthis at