Pub. 3 2022 Issue 1

cbak.com 10 In Touch • A customer receives funds from a counterparty, and shortly after receipt of funds, sends equivalent amounts to a CVC exchange. • A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware. • A customer with no – or a limited – history of CVC transactions sends a large CVC transaction, particularly when outside a company’s standard business practices. • A customer that has not identified itself to the CVC exchanger or registered with FinCEN as a money transmitter appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB. • A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking or known to have inadequate AML/CFT regulations for CVC entities. • A customer receives CVC from an external wallet and immediately initiates multiple, rapid trades among multiple CVCs, especially AECs, followed by a transaction off the platform with no apparent related purpose. This activity may indicate attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction. • A customer initiates a transfer of funds involving a mixing service. • A customer uses an encrypted network (e.g., the onion router) or an unidentified web portal to communicate with the recipient of the CVC transaction. How to File a SAR for Ransomware These criminals must be held accountable for their crimes and prevent the laundering of ransomware proceeds. Financial institutions can use the 314(B) information sharing statute to assist law enforcement. This often-underutilized method of information exchange with safe harbor is critical to following the criminal activity in these complex schemes. In addition to using 314(B) authority, FinCEN has asked that specific language be used when filing a suspicious activity report (SAR) for cyber events: • In SAR field 2 (Filing institution Note to FinCEN) and the narrative indicate that the activity could be indicative of a ransomware-related activity. • Select SAR field 42 (Cyber Event) as the suspicious activity type. • Also, select SAR field 42z (Cyber Event-Other) as an additional suspicious activity type while using the keyword “ransomware” in this field. • Include relevant technical cyber indicators related to the activity or transactions in SAR fields 44(a)-(j), (z). • Include the critical term “CYBER FIN2021-A004” in the SAR narrative. As a FinCrime professional, it is incumbent upon you to stay in touch with the spectrum of criminal activity in your surrounding areas. Staying current with these FinCEN Priorities is a good foundation but should not be the only knowledge gathering you do. Thankfully, the AML and fraud industries have extensive opportunities for professionals to learn about these schemes. It is highly recommended that your financial institution takes advantage of those occasions.  These criminals must be held accountable for their crimes and prevent the laundering of ransomware proceeds. Financial institutions can use the 314(B) information sharing statute to assist law enforcement. Continued from page 9 Terri Lutrell is a compliance and engagement director at Abrigo. She provides insights that contribute and support long-term banking strategies based on analysis of market and industry trends, competitor developments, and financial and regulatory technology changes. She is an audit-certified anti-money laundering specialist and a board member of the Central Texas chapter of the Association of Certified Anti-Money Laundering Specialists (ACAMS).

RkJQdWJsaXNoZXIy MTIyNDg2OA==