FinCEN issued an advisory to remind financial institutions of previously published information concerning tax refund fraud and the subsequent reporting of such activity through the filing of Suspicious Activity Reports. Identity theft can be a precursor to tax refund fraud because individual income tax returns filed in the United States are tracked and processed by Taxpayer Identification Numbers (TINs) and the individual taxpayer names associated with these numbers. Criminals can obtain TINs through various methods of identity theft, including phishing schemes and the establishment of fraudulent tax preparation businesses. In response to this problem, the Internal Revenue Service (IRS) has developed a comprehensive strategy focused on preventing, detecting, and resolving instances of tax-related identity theft crimes. FinCEN worked closely with the IRS to identify indicators of tax refund fraud.
The advisory is available on FinCEN’s Web site at: http://www.fincen.gov/statutes_regs/guidance/html/FIN-2013-A001.html.
Financial institutions are also reminded that they must begin using the new FinCEN reports, which are available only electronically through the BSA E-Filing System, by April 1, 2013. FinCEN's new SAR, CTR, RMSB, and DOEP reports have been available for use through the E-Filing System since March 29, 2012, and industry's adoption of the new reports continues to increase. The BSA E-Filing System will continue to accept submissions of the legacy versions of the SAR, CTR, DOEP, and RMSB only until March 31, 2013. The FinCEN BSA E-Filing User Test System website has been updated to allow for testing of all the reports now available for E-Filing.
Distributed denial of service (DDoS) attacks that hit 22 banks as well as two credit unions in California and Texas have prompted advice from CUNA Mutual Group on how to prepare for cyber attacks.
Ken Otsuka, risk management senior consultant for CUNA Mutual Group, noted that the scale and speed of the recent attacks were unprecedented. He defines DDoS attacks as attempts to disrupt or suspend online service by saturating the target's network with external communication requests to overload its server.
Although some hacktivists have called off the attacks, other groups use DDoS attacks as smokescreens for diverting funds from consumers' accounts.
Otsuka advised credit unions to take six steps:
Don't underestimate the threat of cyber attacks. "It's true that most credit unions don't face the same risk as national banks from attacks by high profile cybercriminal groups. But the first thing to understand about cyber attacks is that we can't predict the next type of attack to come along," he said. "Don't bet on behalf of your members that your credit union isn't big enough to be a target."
Mitigate the risk of service interruptions caused by DDoS. Although credit unions can't prevent such attacks, they can establish a process to identify them. Monitor bandwidth usage, use firewall logs to determine what is under attack, and employ an intrusion detection system to identify the type of traffic.
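The detection step above (watch bandwidth, read the firewall logs to see what is being hit, classify the traffic) can be scripted against the logs a credit union already has. The following Python is an added example written for this article; it is not a CUNA Mutual tool or anything the advice itself ships. The iptables-style log format, the per-minute thresholds and every sample line are constructed assumptions so that it runs offline.

```python
"""Firewall-log triage for DDoS indicators (added example).

Illustrative code written for this article, not a CUNA Mutual tool. The log
format, the thresholds and every sample line are assumptions constructed
here so the script runs offline.
"""
import re
from collections import defaultdict

# Assumed iptables-style line: "<ISO ts> <action> SRC=<ip> DST=<ip> DPT=<port> LEN=<bytes>"
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} (?P<action>\w+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dport>\d+) LEN=(?P<len>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "minute": m["minute"],  # timestamp truncated to the minute
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "bytes": int(m["len"]),
    }


def summarize(lines):
    """Aggregate per (minute, destination, port): bytes, packets, distinct sources."""
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed or unrelated lines
            continue
        b = buckets[(rec["minute"], rec["dst"], rec["dport"])]
        b["bytes"] += rec["bytes"]
        b["packets"] += 1
        b["sources"].add(rec["src"])
    return buckets


def detect_floods(lines, max_bytes_per_min=1_000_000, max_sources_per_min=50):
    """Flag any minute/target whose bandwidth or source spread exceeds the thresholds.

    The default thresholds are placeholders; in practice derive them from the
    institution's own measured baseline for each service.
    """
    alerts = []
    for (minute, dst, dport), b in sorted(summarize(lines).items()):
        reasons = []
        if b["bytes"] > max_bytes_per_min:
            reasons.append(f"{b['bytes']} bytes in one minute exceeds {max_bytes_per_min}")
        if len(b["sources"]) > max_sources_per_min:
            reasons.append(f"{len(b['sources'])} distinct sources exceeds {max_sources_per_min}")
        if reasons:
            alerts.append({"minute": minute, "target": f"{dst}:{dport}",
                           "packets": b["packets"], "sources": len(b["sources"]),
                           "reasons": reasons})
    return alerts


# Constructed baseline: a quiet minute of ordinary HTTPS traffic to the web server.
BASELINE_LINES = [
    "2013-01-15T10:00:01 ACCEPT SRC=192.0.2.10 DST=198.51.100.10 DPT=443 LEN=1200",
    "2013-01-15T10:00:07 ACCEPT SRC=192.0.2.11 DST=198.51.100.10 DPT=443 LEN=900",
    "2013-01-15T10:00:42 ACCEPT SRC=192.0.2.10 DST=198.51.100.10 DPT=443 LEN=1500",
    "this line is not a firewall record and is ignored",
]


def constructed_flood(minute="2013-01-15T10:05", n_sources=80, packets_each=20, size=1400):
    """Synthesise a volumetric flood from many distinct sources against the web server."""
    lines = []
    for i in range(1, n_sources + 1):
        for p in range(packets_each):
            lines.append(f"{minute}:{(i + p) % 60:02d} ACCEPT SRC=203.0.113.{i} "
                         f"DST=198.51.100.10 DPT=443 LEN={size}")
    return lines


SAMPLE_LINES = BASELINE_LINES + constructed_flood()

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LINES):
        print(alert["minute"], alert["target"], "; ".join(alert["reasons"]))
```

Running it prints one alert for the 10:05 minute against 198.51.100.10:443 with both reasons (bandwidth and source spread) while the quiet 10:00 minute stays silent; the target key tells staff which service is under attack, which is the question the firewall logs are meant to answer.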
Perform due diligence on third-party service providers. Ensure that third parties such as Internet service providers and Web hosts address website problems caused by the attacks, and that they have a contingency plan for them.
Be prepared to provide timely and accurate information to members. Have a plan to get the word out. The faster you do so, the better you can control the message and counter any rumors or misconceptions about what is happening. Monitor social media to find out what is said in cyberspace about any interruption to online services. You may need extra staff or third-party help to work the phones and contact local media to make sure members get correct information.
Check transfers initiated via online banking when an attack occurs. If staff are busy answering calls from members who can't access the website or initiating damage control, they may not notice fraudulent transactions initiated through online banking. When a DDoS occurs, review online banking transactions. If necessary, delay executing the transfers until their legitimacy is verified.
Have a strong multi-factor authentication method in place for online banking systems. The authentication process should comply with the Federal Financial Institutions Examination Council's updated authentication guidance issued in 2011. It expects financial institutions to have a fraud monitoring system that detects anomalies both at initial login and authentication of members requesting access to online banking, and in funds transfers initiated to other parties.
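The two previous steps, reviewing online-banking transfers while a DDoS is under way and monitoring logins and transfers for anomalies, fit together as one risk-based check. The Python below is an added example written for this article, not a CUNA Mutual or FFIEC tool. The member profile, the transfers, the incident window, the incident cap and the anomaly rules are all constructed assumptions for illustration; a real system would draw them from the core banking platform and the institution's own baseline.

```python
"""Risk-based review of online-banking transfers during a DDoS incident (added example).

Illustrative code written for this article, not a CUNA Mutual or FFIEC tool.
The member profiles, the transfers, the incident window and the thresholds are
constructed assumptions so the script runs offline.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class MemberProfile:
    member_id: str
    known_devices: frozenset        # device fingerprints seen at previous verified logins
    known_beneficiaries: frozenset  # accounts this member has paid before
    usual_max_amount: float         # largest amount this member normally sends


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    member_id: str
    amount: float
    beneficiary: str
    device_id: str                  # device fingerprint of the session that initiated it
    initiated_at: datetime


def review_transfer(tx, profile, incident_window=None, incident_cap=1000.0):
    """Return ("hold", reasons) or ("release", []) for one transfer.

    Login anomalies (unknown device) and transfer anomalies (new beneficiary,
    unusual amount) are checked at all times; while a DDoS incident window is
    open, anything above the assumed incident cap is also held for verification.
    """
    reasons = []
    if tx.device_id not in profile.known_devices:
        reasons.append("session device not seen at a previous verified login")
    if tx.beneficiary not in profile.known_beneficiaries:
        reasons.append("first transfer to this beneficiary")
    if tx.amount > profile.usual_max_amount:
        reasons.append(f"amount {tx.amount:.2f} exceeds member's usual maximum "
                       f"{profile.usual_max_amount:.2f}")
    if incident_window is not None:
        start, end = incident_window
        if start <= tx.initiated_at <= end and tx.amount > incident_cap:
            reasons.append(f"initiated during DDoS incident and above incident cap "
                           f"{incident_cap:.2f}")
    return ("hold" if reasons else "release"), reasons


def triage(transfers, profiles, incident_window):
    """Map every transfer id to its decision so staff can work the held ones."""
    return {tx.tx_id: review_transfer(tx, profiles[tx.member_id], incident_window)
            for tx in transfers}


# Constructed data: one member, one incident window, four transfers.
PROFILES = {
    "M1": MemberProfile("M1", frozenset({"dev-a"}), frozenset({"ACME Utilities"}), 2000.0),
}
INCIDENT_WINDOW = (datetime(2013, 1, 15, 10, 5), datetime(2013, 1, 15, 11, 0))
TRANSFERS = [
    Transfer("tx1", "M1", 120.0, "ACME Utilities", "dev-a", datetime(2013, 1, 15, 10, 10)),
    Transfer("tx2", "M1", 4800.0, "acct-9931-new", "dev-z", datetime(2013, 1, 15, 10, 20)),
    Transfer("tx3", "M1", 1500.0, "ACME Utilities", "dev-a", datetime(2013, 1, 15, 9, 30)),
    Transfer("tx4", "M1", 1500.0, "ACME Utilities", "dev-a", datetime(2013, 1, 15, 10, 40)),
]

if __name__ == "__main__":
    for tx_id, (decision, reasons) in triage(TRANSFERS, PROFILES, INCIDENT_WINDOW).items():
        print(tx_id, decision, "; ".join(reasons))
```

In the constructed run, tx1 (small, known device and payee) is released, tx2 is held on all four rules, tx3 is released because it was initiated before the incident window opened, and tx4 is held purely because the same amount falls inside the window and above the incident cap. That last case is the point of step five: the tighter rule only applies while the attack could be masking fraud, and it delays rather than rejects, so legitimate transfers are released once verified.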