The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued a report entitled Identity-Related Suspicious Activity: 2021 Threats and Trends highlighting threat patterns and trend information derived from financial institutions’ Bank Secrecy Act (BSA) filings for the calendar year 2021. Financial institutions are required to file suspicious activity reports no later than 30 calendar days after the initial detection of facts that could constitute suspicious activity.
In the press release accompanying the report, FinCEN Director Andrea Gacki stated the report “reveals the existence of significant identity-related exploitations through a large variety of schemes” and advised financial institutions “to work across their internal departments to address these schemes.”
The report was issued pursuant to § 6206 of the Anti-Money Laundering Act of 2020, which requires FinCEN to periodically publish BSA-derived threat pattern information. FinCEN’s report draws from a dataset of approximately 1.6 million identity-related BSA reports, totaling $212 billion in suspicious activity. Identity-related BSA reports represented 42% of the 3.8 million reports filed in 2021.
As most identity-related BSA reports indicated that the bad actors impersonated others to defraud victims, the report analyzed how these bad actors exploit identity-related processes involved in transaction processing as well as opening and accessing accounts. The report described three such “identity-related exploitations” used to gain access to customers’ account information, including:
- Impersonating others to evade ID validation;
- Bad actors exploit the validation step by altering, counterfeiting, or forging documentation, records, or forms of payment.
- Others use a combination of real and fake personally identifiable information (PII), known as a synthetic identity, to fabricate a person to pass validation processes.
- Exploiting insufficient verification processes;
- Bad actors attempt to circumvent verification by using the legitimate credentials of third parties in “Third Party Money Laundering” schemes, using third parties with weak or insufficient verification standards in “Circumventing Standards” schemes, or refusing to provide requested information in “Refuse to Cooperate” schemes.
- Using compromised credentials to gain unauthorized access during authentication.
- Bad actors engage in an “Account Takeover” using stolen authenticators and credentials to gain full access to customers’ financial accounts.
- Bad actors also target victims through business email compromises, brute-force login attacks, data breaches, identity theft, and other cyber events such as phishing, ransomware, and other endpoint compromises.
These three “identity-related exploitations” allow bad actors to obtain the full PII details of their victims. Once these bad actors have the full PII details, they create new accounts and/or take out loans in their names.
FinCEN’s report also noted that the most frequently reported typologies (specific reporting categories) in identity-related BSA reports in 2021 were fraud, false records, identity theft, third-party money laundering, and circumventing standards. These five typologies accounted for a large majority of the identity-related BSA reports and suspicious activity dollar amount in 2021, with depository institutions filing the greatest number of identity-related BSA reports.
To thwart these bad actors in the future, FinCEN reports that it has leveraged its interagency and public-private partnerships to share information and explore best practices for mitigating the threats financial institutions face from fraud and cybercrime. For example, emerging technologies such as digital identity, artificial intelligence, and privacy-enhancing technologies may help combat a wide variety of fraud.
Banks and other depository institutions filed the majority of all identity-related BSA reports. However, all financial institutions subject to FinCEN’s Customer Identification Program (CIP) and Customer Due Diligence (CDD) requirements should take notice. FinCEN states that this report “does not intend to, nor does it impose, any additional regulatory obligations or supervisory expectations.” However, rest assured that supervisory examiners like the OCC, SEC, Federal Reserve, and others will take this report into account when examining financial institutions’ compliance with CIP and CDD obligations.
Moreover, on the identity front, FinCEN describes efforts to “explore the utility of available and developing identity solutions to enable stronger identity processes and counter the underlying drivers of identity-related crime.” But this may be hindered by the Consumer Financial Protection Bureau’s pending proposals to limit the availability of certain data to identity verification providers — as discussed here under proposed rules. Financial institutions need to evaluate what solutions are currently available to combat identity theft, as well as what solutions may no longer be available soon and explore what alternative approaches may make sense in the long term for AML/BSA compliance.