Prepared Remarks of FinCEN Director Kenneth A. Blanco, delivered at the Federal Identity (FedID) Forum and Exposition

Identity: Attack Surface and a Key to Countering Illicit Finance
Tampa, Florida

 

 

Introduction

Good morning, everyone—it is great to be back in my home state of Florida.  Carole, thank you for that wonderful introduction.

I am delighted to be here with you today to address the 2019 Federal Identity (FedID) Forum and Exposition, and I would like to thank the FedID Planning Committee for inviting FinCEN to take part in this year’s event. 

Managing and using identities and identity information cuts across agencies and sectors, so it is wonderful to see such a broad representation from government and industry here this morning.

It is important to bring public and private sector minds together to collaborate on the future of identity and related innovation—what you are doing here is critical to our national security, and to keeping our people safe from harm.

As you all know, identity affects us every day in just about everything we do.  It is fundamental to how we interact with each other on social media and how we send payments to each other on mobile applications.  It is part of how we manage our everyday lives, our businesses, and how we interact with customers and vendors in-person and online. 

From the days of wax seals that provided integrity for communications in the Middle Ages to today’s use of machine learning-supported heuristics and facial recognition technology, the concept of identity and how to manage it continues to evolve.  So with this in mind, I hope my comments will set the stage for a particular kind of discussion this week:  identity as a National Security issue.

I would like to cover three things with you today: 

  • First, I would like to tell you a little about FinCEN.  Who we are, what we do, and why I am here to speak with you today.
     
  • Second, I will speak to how illicit actors are leveraging identity.  Specifically, I will highlight some of the trends FinCEN is seeing in how criminals exploit and compromise identities.
     
  • Third, I will discuss how we use identity to protect our national security and keep our communities and families safe from harm.

I know that the FedID Planning Committee and all the agencies here hope that this entire week will be a dialogue among all participants.  I encourage everyone here to bring as much candor and creativity as you can to these conversations.  I want you to think about to whom does this matter.  As I mentioned to you before my prepared remarks—it matters to them.  So let us begin.

 

FinCEN’s Role

FinCEN plays two primary roles:

One:  FinCEN is a regulator of all financial institutions and the Administrator of the Bank Secrecy Act, the primary laws in the area of money laundering and countering the financing of terrorism (AML/CFT).

Two:  FinCEN is THE Financial Intelligence Unit, or FIU, of the United States—the largest and most powerful financial system and economy in the world.

These are two critical components for our financial system, economy, and national security apparatus—what keeps us all safe.

As the U.S. regulator and administrator of the Bank Secrecy Act, or the BSA, which is the comprehensive AML/CFT legislative framework for the United States, FinCEN has authority to mandate certain controls, reporting, and recordkeeping obligations for U.S. financial institutions.  We have supervisory and enforcement authority over U.S. financial institutions to ensure effectiveness of the AML/CFT regime.

As the FIU of the United States, FinCEN acts both domestically with law enforcement and other regulators, and internationally with over 164 foreign countries to use the financial intelligence we collect to protect our country.  We have approximately 300 million sensitive financial records collected, stored, and protected.  FinCEN uses, analyzes, and shares this information, when appropriate and in accordance with law, with other regulators, law enforcement entities, financial institutions, and foreign counterparts through secure channels of communication.

Within the framework of FinCEN’s collection, protection, and analysis of financial intelligence, developments in how identity is used in the financial sector and government are critically important.  As you all know, there are many components of “identity,” each of which presents a unique element to how we identify ourselves and interact with others.  Identity is who we are legally and how we are recognized by the government and the financial sector.  It is what we are authorized to get access to, whether government-managed veterans benefits, bank accounts, databases, or matches on a dating app.  Identity is how we authenticate or prove who we are, when we use fingerprints on our iPhone or PIV cards to access Federal networks.  Identity is also how we carry associated permissions and authentication mechanisms across a federated enterprise.

The role of identity is critically important to us at FinCEN.  That leads me to the key reason why I am here in Tampa with all of you today.

It is pretty simple.  We need you to collaborate with each other and with us.  We need your minds and expertise, your experience and creativity, your technologies, your insights, your thoughts, your innovations to develop identity solutions, to help people live better, to help inform our regulations, to help us work better and faster to securely share critical information, to help us identify threats to people and protect our national security, and very importantly, to help us ensure that innovative approaches to identity and payment systems adhere to the principles of transparency underlying a U.S. financial system that helps fight crime, rather than foster it.

The digital age and information revolution continue to expand the data points and sources of information that contribute to someone’s identity.  Data brokers and other companies house billions of data points on user preferences, biometrics, emotions, reputations, and habits that can provide invaluable insights to companies and other organizations to understand you as an individual consumer and the broader consumer base.  Some of this information is also valuable to financial institutions and to law enforcement to understand someone’s risk profile for being involved in illicit activity or other threats.

All of you bring an extensive understanding of the challenges with current identity systems, such as concerns over trustworthiness, global interoperability, and data privacy—these are all issues that U.S. financial institutions constantly grapple with as they manage lines of business across multiple jurisdictions and sets of legal and regulatory expectations.

Of course, the features that make identity information valuable to companies also make these data stores high value targets for criminals and other bad actors, including terrorists and rogue states.

Bottom line:  Criminals can leverage vulnerabilities in identity technologies and governance to commit crimes, further their criminal activity, and hide from authorities.

 

Criminal Exploitation of Identity in Fraud and Cybercrime

The abuse of personally identifiable information, and other building blocks of identity, is a key enabler behind much of the fraud and cybercrime affecting our nation today.

Account takeover, which involves the targeting of financial institution customer accounts to gain unauthorized access to funds, is an extremely common cybercrime affecting U.S. financial institutions.  FinCEN is seeing around 5,000 account takeover reports each month involving approximately $350 million.  These are attempts, and, often because of diligent work by bank compliance officers, do not represent actual losses.  With billions of compromised credentials exposed online, there is a high likelihood that most users of the U.S. financial system have had some information about themselves, whether PII or login information, compromised at some point.

Criminals often acquire these leaked credentials through hacks, social engineering, or by purchasing them on darknet fora to facilitate the account takeover.  Depository institutions, such as banks, are the most common targets given their high numbers of customer accounts, but institutions like insurance companies, money services businesses, and casinos, and of course their customers, are also affected.

FinCEN has also seen a high amount of fraud, including automated clearing house (ACH) fraud, credit card fraud, and wire fraud, enabled through the use of synthetic identities and through account takeovers via fintech platforms.  In some cases, cybercriminals appear to be using fintech data aggregators and integrators to facilitate account takeovers and fraudulent wires.  By using stolen data to create fraudulent accounts on fintech platforms, cybercriminals are able to exploit the platforms’ integration with various financial services to initiate seemingly legitimate financial activity while creating a degree of separation from traditional fraud detection efforts.  Some criminals are also monetizing stolen credit card information through fraudulent merchant accounts to charge victims’ cards, or are simply creating fraudulent user accounts on fintech platforms as part of identity theft or synthetic identity fraud.

Earlier this year in July, we held a FinCEN Exchange on business email compromise (BEC) fraud schemes that are targeting U.S. financial institutions and their customers.

The FinCEN Exchange program is a public-private partnership that enables information sharing on priority AML/CFT threats and risks between FinCEN, industry, and law enforcement.  In the BEC FinCEN Exchange, FinCEN shared typologies on BEC fraudsters’ targeting of specific U.S. industry sectors, such as the manufacturing, commercial services, and real estate sectors.[1]

FinCEN further highlighted how criminals use BEC schemes to exploit vulnerable business processes in our July 16, 2019 Advisory on BEC fraud.[2]  BEC criminals exploit and compromise trusted relationships between two counterparties—such as between executives and employees, between a real estate agent and a homebuyer, or between vendors and organizations using their services—to generate fraudulent payment instructions to intercept funds meant for the trusted party.

These schemes often involve compromising vulnerable business processes, such as a common lack of strong authentication processes used in payment communications or ready availability of public information online on transaction counterparties, to hone their methodology and increase their likelihood of success.

BEC fraudsters are becoming increasingly sophisticated, often backed by complex networks of witting and unwitting money mules that assist in laundering their proceeds through the U.S. and international financial systems.

Financial criminals are also exploiting weaknesses posed by a key piece of the identity discussion in the United States—the Social Security number (SSN).  FinCEN analysis of SARs filed since January 2003 found more than 600,000 SSNs affiliated with identity theft reported from financial institutions, many of which were associated with more than one name.  That is mind-boggling, and it points to something wrong with how identity is being verified and authenticated across much of the financial system.

Account takeover schemes rely upon compromised credentials and reused passwords and usernames across different accounts.  Many fraud schemes and other financial crimes also rely upon weaknesses in identity verification and authentication systems, whether by betting that human judgement or software solutions at a financial institution will not be able to spot fraudulent documents, or through exploiting lack of multi-step or multi-factor authorization and authentication procedures for processing payments or allowing access to sensitive information. Simply improving cyber hygiene and implementing strong authentication solutions can go a long way in combating many of these crimes.

Criminals are also leaning pretty far forward in targeting advanced tech to facilitate fraud and other crimes in this area.  Data that is stored digitally, whether a password or a digital voice print, is still information that could be compromised.  Developments in digital identity solutions and biometrics offer many potential benefits, but industry and government have to account for the attack surface, and what resiliency and recovery look like in the context of a breach.

You may have heard before that “nothing is unhackable.”  The question that we have to think about is what is available to be hacked and how can it be used?  These days social media has combined with DNA to discover family members—a remarkable achievement.  But if the past is any indication of the future, we have to consider how this data could be compromised and used for inheritance fraud, to steal intellectual property, or fraudulently plant genetic evidence at the scene of crimes.

Even now, criminals are circumventing processes designed to curb identity fraud and using them to perpetrate novel cybercriminal schemes.  For example, in some account takeover scenarios that FinCEN has observed, criminals obtain access to financial accounts by taking over the victims’ mobile phones to defeat the two-factor authentication process used by many financial institutions.  This is an attack known as a SIM Swap.  In another example, we have observed darknet marketplaces where cybercriminals are able to purchase legitimate device identifier information along with the owners’ stolen credit card information to defeat fraud detection mechanisms and fully impersonate victims.

A financial institution, or any other entity targeted with similar types of fraud, should consider its entire attack surface and risk exposure to such illicit activity and misuse.  Unfortunately, the threat portion of the risk equation is too often overlooked.  Aside from just examining their processes and system vulnerabilities that could be exploited, it can be extremely valuable for financial institutions to evaluate the threat posture already affecting them or that has the potential to affect them, such as the availability of customer credential information available for sale on places like darknet marketplaces.

 

Identity as a Key in Countering Illicit Activity

Now let me talk about how we are using identity and innovation in this area to keep us safe.

Identity is a critical part of how FinCEN keeps Americans and the U.S. financial sector safe, whether through establishing AML/CFT requirements as a regulator, enforcing compliance as a supervisor, or conducting analysis as an FIU.  In our regulations, which I will elaborate on in a moment, FinCEN requires financial institutions to understand whom they are doing business with and to continue to monitor their risk throughout the business relationship.  Identity is at the core of our reporting and recordkeeping obligations because it is vital for FinCEN and law enforcement to understand whom the counterparties are in illicit transactions and the laundering of criminal proceeds.

Identity information can also help FinCEN and the financial sector understand that certain activity is illicit in the first place.  For example, if we see transactions associated with OFAC-designated persons.  If we see common identity information reported across multiple individuals, such as an SSN associated with multiple names, it can alert law enforcement and FinCEN to potential synthetic identity fraud.

FinCEN leverages our unique data and innovative tools in trend and relationship analysis to identify illicit networks of activity and actors abusing the U.S. financial system.  This information also helps us go after thieves who steal identities, the markets that sell them, and the criminal networks that launder related proceeds.

The strength of the U.S. AML/CFT framework is a vital component of U.S. national security, deterring illicit actors looking for permissive financial sectors to launder their proceeds, enabling visibility into the fraudulent activity affecting Americans that I described earlier.

 

AML/CFT Regulations and Identity

Let me take a moment to describe this framework.  As I mentioned earlier, the BSA gives FinCEN the authority to establish requirements under our regulations.  Those regulations require financial institutions to, among other things, maintain certain records and file certain reports with FinCEN.

Identity plays a big role in these recordkeeping and reporting obligations, as the information we collect is only as good as the integrity of the reports we receive from financial institutions.  So what information do we collect?

The vast majority of the reports we collect include cash transactions exceeding $10,000 and reports of suspicious transactions identified by financial institutions.  But we also collect information on cash crossing the U.S. border when you arrive or leave the country, when a retail store receives a large payment in cash over $10,000, and from individuals with foreign bank accounts.

Obviously the accuracy of these reports, which are made available to approximately 12,000 authorized law enforcement and regulatory users all over the country, is critical.  In order for financial institutions to provide us with reliable reporting, they must know their customers.

This brings me to a very important national security issue—beneficial ownership information.  Its importance to our national security cannot be understated; the lack of an ability to collect this information is a dangerous and widening gap in our national security apparatus.

In order to begin addressing this gap, on May 11, 2016, FinCEN issued a final rule titled the “Customer Due Diligence Requirements for Financial Institutions,” or the CDD Rule, which strengthened customer due diligence obligations for certain financial institutions to know the people who own, control, and profit from companies, and to verify their identities at account opening.  An open and transparent system in which we can identify the trail of transactions and actual account owners is essential to disrupting illicit activities and dismantling criminal and terrorist networks.  This rulemaking helped address this key vulnerability in the U.S. financial system.

The CDD Rule has four core requirements.  It requires covered financial institutions to establish and maintain written policies and procedures that are reasonably designed to:

  1. Identify and verify the identity of customers;
  2. Identify and verify the identity of the beneficial owners of companies opening accounts; requiring them to disclose the true identity of the person opening the account, any individual with 25 percent or more ownership of the legal entity, and the individual who controls the legal entity;
  3. Understand the nature and purpose of customer relationships to develop customer risk profiles; and
  4. Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

The United States has developed, and rigorously enforces, one of the most effective AML and CFT regimes in the world.  But, as strong as our AML/CFT framework is, malicious actors will continue to attempt to exploit any vulnerability to move their illicit proceeds undetected through legitimate financial channels, in order to hide, foster, or expand the reach of their criminal or terrorist activity.  We must therefore be vigilant in our mission to protect the U.S. financial system by closing any regulatory gaps that expose our financial system to money laundering, other criminal activity, and terrorist financing risks that threaten our financial system and put our nation, communities, and families in harm’s way.

While the CDD rulemaking was a critical step, there is more work to be done.  The second critical step in closing this national security gap is collecting beneficial ownership information at the corporate formation stage.

Sophisticated criminals of all kinds, including terrorists, thrive when they have somewhere to hide.  They establish domestic shell companies to mask and further their criminal activity, to invest and buy assets with illicit proceeds, and to prevent law enforcement and others from efficiently and effectively investigating tips or leads, thus allowing them to hide from justice and continue their bad acts.

Beneficial ownership information also would help level the playing field for hard-working and honest small businesses that often find themselves at a disadvantage competing against criminals who use shell companies to evade tax authorities, hide their illicit wealth, and rip off their employees and customers.

For many of the companies here today—those that are developing or dealing with sensitive technologies—understanding who may want to invest in your ventures, or who is competing with you in the marketplace, would allow for better, safer decisions to protect intellectual property.

To be sure, it is not that shell companies should not exist—it is just that the authorities should be able to know who owns and controls them when there is a legitimate law enforcement need, subject to appropriate information access safeguards.  But currently, there is no federal standard requiring those who establish shell companies in the United States to provide basic, but critical information at company formation.

For law enforcement to determine the true owner of a shell company today requires a time-consuming and resource-intensive process that can impede the detection and prosecution of criminal activity, including terrorism-related offenses.  Illicit shell companies established in the United States, for example, often have no office, few if any employees, a false registration, and a P.O. Box as an address.  This hampers investigations and takes up precious time that law enforcement may not have when trying to stop crime.

If beneficial ownership information were required at company formation, it would be harder and more costly for criminals and kleptocrats to hide their criminality and for foreign states to avoid detection and scrutiny.  In turn, this would help deter bad actors from trying to access our financial system in the first place.

We are committed to working with key stakeholders to find effective, sensible solutions to address this serious gap, including with respect to the legislative proposals that are currently pending in Congress.  Now is the time to take bipartisan action and address this serious and growing gap in our national security.

 

Emerging Technologies and Data Sets to Identify Illicit Financiers

We are also committed to working with industry on ways in which technological advances with respect to identity can fit within our current regulatory framework or may lead to changes in our regulations.

While not all methods of identification can serve all purposes, certain new methods still can strengthen our regime.  However, that is not the end of the story for identity under AML/CFT or in a financial institution’s due diligence obligations.  Innovative indicators that reveal customers’ digital footprints and activities are extremely helpful to financial institutions in the conduct of their day-to-day business, including helping them understand customer activity and monitoring for suspicious transactions.  They are also incredibly helpful to FinCEN and law enforcement when they investigate illicit activity.  That is why we changed our Suspicious Activity Report (SAR) form last year to allow for reporting of up to 99 technical indicators, such as IP addresses, MD5 hashes, PGP keys, and device identifiers.

FinCEN engages with key stakeholders in the financial and regulatory technology space, to improve U.S. government and industry engagement, and promote the responsible development of financial innovations, to include digital identity solutions.

FinCEN has been very vocal in its strong support for innovation—responsible innovation—in the financial sector.  We understand that emerging solutions for issues like digital identity hold great promise for improving inclusion, privacy, security, and cost effectiveness for individuals and organizations to manage and use funds, goods, and information.

In December, FinCEN, along with the federal banking agencies, issued a policy statement encouraging innovation in the banking sector.[3]  The statement notes that innovative pilot programs in and of themselves should not subject banks to supervisory criticism, even if the pilot programs ultimately prove unsuccessful.  Likewise, pilot programs that expose gaps in anti-money laundering compliance programs will not necessarily result in supervisory action with respect to that program.  FinCEN’s Innovation Hours program, initiated earlier this summer, already has provided us with important opportunities to learn from those on the cutting edge of financial services innovation, including in the area of digital identity.

 

Conclusion

As I conclude today, I want to assure you that at FinCEN, we will continue to take definitive steps to strengthen partnerships to enhance the ability of all responsible actors in the financial ecosystem—whether government or industry, fintech vendor or bank—to better identify criminal actors who are exploiting our institutions.  Many of those efforts are now, and will continue to be, driven by the identity solutions and policies that will be discussed here this week.  I know that the FedID Planning Committee and all the agencies here hope that this entire week will be a dialogue among all participants.  I encourage everyone here to bring as much candor and creativity as you can to these conversations, and to keep in mind how much this matters to protecting each and every one of us.  Thank you.

[1] See https://www.fincen.gov/sites/default/files/shared/FinCEN_Financial_Trend_Analysis_FINAL_508.pdf

[2] See https://www.fincen.gov/sites/default/files/2019-07/Updated%20BEC%20Advisory%20FINAL%20508.pdf

[3] See https://www.fincen.gov/sites/default/files/2018-12/Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-18%29_508.pdf