Your BSA Obligations During the COVID-19 Pandemic
Stop Fraud banner on computer screen
© WrightStudio / Adobe Stock
Fraud and cybercrime thrive in times of national crises. While dealing with chaos and disruption, your role in protecting your company and reporting suspicious activities is more important than ever.
FinCEN’s news release of 3/16/2020 calls on financial institutions to be vigilant for fraud and cybercrime. FinCEN also requests that you contact them as soon as practicable if your company is concerned about any Coronavirus-related delays in filing required Bank Secrecy Act (BSA) reports. The 30-day timeframe for filing Suspicious Activity Reports (SARs) and the 15-day limit for filing Form 8300 (for cash transactions exceeding $10,000) are still in effect. FBAR filings have been extended to October 15. If COVID-19 circumstances cause you to push the deadlines, call FinCEN’s Regulatory Support Section (RSS) at 800-949-2732 or email FRC@fincen.gov.
Fraud
Even before the Coronavirus outbreak, our clients were seeing upticks in fraudulent and malicious transactions. Many of these targeted senior citizens or otherwise vulnerable clients for account takeovers. A client also reported receiving a 314(b) information request purportedly from credit union which was laced with malware. We can expect bad actors to be creative in hiding behind the current disruption, when policyholders might be more likely to withdraw funds.
While company IT Departments are reminding employees and agents, especially as so many more of us are working from our homes, to beware of phishing attempts, resist clicking on embedded links and attachments from unknown sources, and scrutinize email addresses (especially the part following “@”). In addition to those general reminders, it also is important to point out the possibility of fraudulent emails that appear to be from the CDC, IRS, company payroll department, etc. While we know you are really busy with all the coronavirus work, plus the regular workload, but it is a good time to refresh cyber awareness training for all employees and agents.
Cybercrime
The AML Compliance Officer is a key pillar in cybersecurity, incident response planning, and business continuity planning/implementation. While many of the roles involved with those efforts are not within the Compliance area, the AML Compliance Officer must be involved in coordinating these cross-enterprise activities and bears responsibility for reporting suspicious activities. With employees working from home, protecting the integrity of your company’s data and communications and customers’ privacy is an even larger task.
You can expect an increase in hacker activity. It’s critical that systems are current, with security patches applied, and that anti-malware and anti-virus controls are active on all operating systems, regardless of where they reside.
Remember: All financial institutions are expected to file SARs on cyber intrusions – even attempts – and regulators have fined companies for failure to do so! Of course, state insurance departments also have cybersecurity reporting mandates as well.
Incident Response and Business Continuity Planning
Given the vulnerabilities related to COVID-19’s disruption, CCS strongly recommends that you are fully prepared to respond to cyber incidents and business disruption. Your Cyber Incident Response Plan and Business Continuity Plan should be available remotely in the event your systems are unavailable. Your the response teams should be alert and ready to execute them. You can also ensure that the call roster for key response team members include all needed contact information.
Coordinating with your response team, you can also ensure that your regulatory notification obligations in the event of a breach are fully understood.
Going Forward
We believe it is likely that “reasonableness” standards will prevail – as long as you are prompt in alerting FinCEN and your primary regulator if you experience delays in filing due to the COVID-19 crisis.
Your periodic, Independent AML Audit is important in assessing your AML Program’s adequacy in reporting suspicious activities, including fraud, exploitation of vulnerable adults, and cybercrimes.
CCS suggests scheduling your independent review after May 1 and before the likely resurgence of COVID-19 cases in the fall of 2020.
For questions about the impact of COVID-19 on your AML operations, please email info@currincompliance.com.