Cryptocurrency, Transnational Criminal Organizations and Social Engineering Fraud: “Pig Butchering”

With the current volatility in the financial market, many people are looking to diversify their investment and retirement portfolios with unconventional investment opportunities. Many of these opportunities involve small business and real estate investment, while others involve riskier ventures. A common theme among these risky ventures is cryptocurrency; whether it’s day trading, swing trading or mining, it is important to understand the risks involved with cryptocurrency and other crypto-related assets. Much of the risk might seem like common sense, and much of it is. To quote the adage, “If something seems too good to be true, it probably is.”

For more on a basic understanding of cryptocurrency risks, try starting with the UN Toolkit on Synthetic Drugs’ primer on Cryptocurrency Investigations. Within this site, there are several key principles explained, and additional resources for more robust training. Additional resources can be found by seeking out your accrediting agency of choice, such as the Basel Institute on Governance, the Association of Certified Fraud Examiners (ACFE), and the Association of Certified Anti-Money Laundering Specialists (ACAMS) to name a few.

While many cryptocurrency-related fraud schemes may seem technologically advanced, they are usually a combination of several much simpler schemes that exploit normal aspects of human behavior. In one such example, known as “pig butchering,” scammers use various forms of social engineering to make contact and gain trust. To avoid detection, the deception usually preys on those who are less technologically savvy, such as retirees, but it can also be aimed at do-it-yourself investors looking for the next big thing. The goal is to take as much money as possible from the victims by building the relationship and functioning much like a legitimate business, with the result often resembling a Ponzi scheme or boiler room money laundering scenario.

To offer more detail, the following may occur. A person is interested in the mining of cryptocurrency. Realizing the expense and technical knowledge needed to farm cryptocurrency, the person then looks for alternative options. Somehow, whether through online discussion, message boards, or social media, the person divulges their interests and publicly seeks more information. The scammer, seeing this activity, reaches out through private message. Once the initial contact is made and a victim is hooked, a relationship is developed with the inherent goal of building trust and confidence. The goal is to get the person to invest in crypto mining, without ever having any control or physical contact with the operation. The seeds of the social engineering fraud have now been planted.

Next, the person can be directed to a cloned website of a real, legitimate business; however, contact information and other details are changed or masked to point to the bad actors. This form of social engineering, known as “clone phishing,” is used to build credibility with the victim. Additionally, official-looking email communications can be redirected to the scammers, resulting in a variation of “spear phishing” using a fake-forward technique.

For more on spoofing and phishing variations, along with their practical applications, the FBI provides a decent resource within their Common Frauds and Scams educational site.

The fraudsters then continue to build trust by providing some sort of dividend in the form of cryptocurrency to show that the process is working. After being provided with small, proportionate returns on investment, the victim is then asked if more investment is wanted, or if friends and family might be interested. The pattern repeats itself, resulting in a fatter and fatter payday. This is where the term “pig butchering” comes from: the victims keep fattening the pot with the promise of a larger payday, but in the end, the pot disappears, and the victims are left with little recourse to recoup their losses.

Pig butchering scams are not isolated to cryptocurrency; variants of the scam are also seen throughout the investment, asset management and banking world. For more on “pig butchering,” please reference FinCEN Alerts, FIN-2023-Alert005. If you or someone you know has been involved in or victimized by this type of scam, refer to the FBI’s Public Service Announcement I-100322-PSA and file a report with the FBI’s Internet Crime Complaint Center at www.ic3.gov.

What do you do about the new Russian Sanctions?

Given the current situation in Eastern Europe, specifically Ukraine, many are questioning what more they should be doing involving OFAC and the various sanctions programs involving the Russian Federation and Belarus. I will take a few minutes and go over the due diligence that is being requested by FinCEN. In my opinion, it is more than sanctions and a direct connection to Russia or Belarus and the various sanctioned entities involved in the situation.

Recently, FinCEN published a new FinCEN Alert (FIN-2022-Alert001) entitled, “FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts.” Some key elements of this publication involve the following:

  • Select Red Flag Indicators of Sanctions Evasion through the U.S. Financial System
  • Select Red Flag Indicators of Sanctions Evasion Using CVC
  • Select Red Flag Indicators of Possible Ransomware Attacks and Other Cybercrime
  • New SAR Key Term “FIN-2022-RUSSIASANCTIONS”

Additionally, the bulletin provides distinct ‘Relevant BSA Obligations and Tools for U.S. Financial Institutions,’ specifically calling out the following:

  • Suspicious Activity Reporting involving OFAC Sanctions
  • Placement of key term “FIN-2022-RUSSIASANCTIONS” in SAR field 2
  • Currency Transaction Reporting and other Relevant BSA Reporting Requirements
  • Due Diligence (CDD/EDD)
  • Information Sharing (USA PATRIOT Act 314(b))
  • Executive Order 14024 (This is the specific Sanctions Program regarding the Russian Federation)

This seems like quite a bit to go over, but in my opinion, much of this is a reiteration of what a Compliance Department should already be doing. If you have questions or need more confidence, it is always a good move to read through the FinCEN Alert and apply it to your current practices. From there, determine for yourself whether your organization is meeting the ‘spirit of the law.’ Without regurgitating what is already written in the bulletin, I will briefly discuss each topic above and attempt to explain how I might go about establishing confidence in meeting each relative key element.

Select Red Flag Indicators of Sanctions Evasion through the U.S. Financial System

On this topic, there are seven (7) Select Red Flag Indicators that FinCEN is asking Financial Institutions to keep an eye on. In reading through these, I get the overall feeling that FinCEN is asking that Financial Institutions know their customers. More specifically, corporate vehicles and third parties need to be scrutinized to ensure that they are not being used to obscure ownership, or the origination or destination of funds in a transaction. Regarding EO 14024, scrutinize high-risk areas normally associated with transactional flows to and from the Russian Federation, such as neighboring countries, or high-risk countries known for being tax havens and safe harbors. Pay attention to new account relationships, and always get to the bottom of an entity’s Beneficial Ownership. For established clientele, take exception to unusual foreign exchange activities. If you see something, it’s better to say something than ignore it.

Select Red Flag Indicators of Sanctions Evasion Using CVC

“CVC” stands for convertible virtual currency, better known by the more popular term, cryptocurrency. There are three (3) Red Flag Indicators mentioned, but unless you own, operate, or host a cryptocurrency exchange or wallet provider, or host any of these products within your institution, the third one is where most financial institutions need to focus. The overall meaning of the red flag is to know where funds are coming from or going to, specific to cryptocurrency exchanges. For most conventional financial institutions, this means scrutinizing transactions specific to crypto exchanges or foreign Money Services Businesses (MSBs) operating in high-risk countries or regions. Also, pay special attention here to the volume and frequency of these types of transactions as an additional indicator of risk, as not all CVC transactions are necessarily bad. As previously mentioned in another blog post, more information on the risks and pitfalls of CVC transactions can be found on the FATF website, in a publication labeled “Virtual Assets Red Flag Indicators of Money Laundering and Terrorist Financing,” which can be downloaded and distributed.

Possible Ransomware Attacks and Other Cybercrime

Within this key element are three (3) more Red Flag Indicators. The first involves knowing where customer transactions are initiated or received by means of knowing the geolocation of IP addresses. This may prove to be more difficult for most small financial institutions, as tools that do this sort of work can be expensive. Check in on your BSA Risk Assessment to determine the right risk-based approach for your organization. Another topic here is customers that use cryptocurrency mixers or tumblers. Using these services is an indicator of the user’s desire for anonymity.

Relevant BSA Obligations and Tools for U.S. Financial Institutions

The last section goes over much of what a compliance department already does. If you are to file a SAR on activity you believe to be related to the sanction program, enter the key term “FIN-2022-RUSSIASANCTIONS” in SAR field 2, which is on the first page. You can also contact FinCEN and advise them of the SAR by calling the FinCEN Financial Institutions Toll-Free Hotline at (866) 556-3974.

In my opinion, for smaller institutions, the last piece of the bulletin is the most important. This is the Customer Due Diligence reminder, and it is just as strong a tool as OFAC scanning or transaction monitoring. Refine your process if necessary to get to the beneficial owner of each entity in your portfolio. Ensure that back-shop operations involving foreign transactions get special one-on-one guidance on what they might look for as they process foreign transactions involving IAT and SWIFT, or any other foreign transaction vehicle your institution uses.

Lastly, one thing I do want to cover briefly is Charitable Organizations. As things progress in Ukraine, many are going to be looking for ways to help. Unfortunately, we also know that many scams out there will be taking advantage of customer interest in assisting those in need. Vigilance here is important as well, and as you field calls of charity fraud, make note of these transactions, and attempt to template them and find others who may not even know they were deceived. Look for common recipients or other patterns of activity to build your case.
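One way to template reported charity-fraud transfers and find other customers who paid the same recipients, as an added example that is not part of the original post. The transfer records, field names and suffix list are constructed assumptions, not an export format from any particular core or monitoring system.

```python
import re
from collections import defaultdict

# Constructed sample of outgoing transfers; field names and values are assumptions.
TRANSFERS = [
    {"id": "T1", "customer": "C100", "beneficiary": "Ukraine Relief Fund LLC", "account": "ACCT-0001", "amount": 500},
    {"id": "T2", "customer": "C200", "beneficiary": "UKRAINE RELIEF FUND, L.L.C.", "account": "ACCT-0002", "amount": 250},
    {"id": "T3", "customer": "C300", "beneficiary": "Kyiv Aid Intl", "account": "ACCT-0001", "amount": 1000},
    {"id": "T4", "customer": "C400", "beneficiary": "Hope For Children Inc.", "account": "ACCT-0077", "amount": 100},
    {"id": "T5", "customer": "C100", "beneficiary": "City Power & Light", "account": "ACCT-0500", "amount": 80},
    {"id": "T6", "customer": "C500", "beneficiary": "hope for children", "account": "ACCT-0077", "amount": 300},
    {"id": "T7", "customer": "C400", "beneficiary": "Hope for Children Inc", "account": "ACCT-0077", "amount": 50},
]
REPORTED_IDS = {"T1", "T4"}  # transfers that customers called in as charity fraud

LEGAL_SUFFIXES = {"llc", "inc", "ltd", "co", "corp"}

def norm_name(name):
    """Lower-case, strip punctuation and legal suffixes so spelling variants match."""
    words = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)

def build_cases(transfers, reported_ids):
    """Group every transfer that shares an account or name with a reported one."""
    reported = [t for t in transfers if t["id"] in reported_ids]
    reporters = {t["customer"] for t in reported}
    names = {norm_name(t["beneficiary"]) for t in reported}
    # A reported account keeps its case even when a different name is used on it.
    acct_to_case = {t["account"]: norm_name(t["beneficiary"]) for t in reported}

    cases = defaultdict(lambda: {"transfers": [], "total": 0, "customers": set(), "unreported": set()})
    for t in transfers:
        name = norm_name(t["beneficiary"])
        key = acct_to_case.get(t["account"]) or (name if name in names else None)
        if key is None:
            continue  # no link to any reported recipient
        case = cases[key]
        case["transfers"].append(t["id"])
        case["total"] += t["amount"]
        case["customers"].add(t["customer"])
        if t["customer"] not in reporters:
            case["unreported"].add(t["customer"])
    return dict(cases)

def outreach_list(cases):
    """Customers who paid a flagged recipient but have not reported fraud."""
    return sorted(set().union(*(c["unreported"] for c in cases.values())))

if __name__ == "__main__":
    found = build_cases(TRANSFERS, REPORTED_IDS)
    for recipient, case in found.items():
        print(recipient, case["transfers"], case["total"], sorted(case["unreported"]))
    print("contact:", outreach_list(found))
```

Matching on both account and normalized name catches a recipient that reuses one account under several names as well as one name spread across several accounts; the matches are leads for review, not confirmed fraud.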

In closing, often our premonitions are enough to shed light on something strange that may be occurring. As with most things OFAC, it’s better to be cautious than to let something slip through. Best of luck to everyone out there!

BSA/AML Program Fundamentals: An Introduction to the Five Requirements of a BSA/AML Program

Well-built structures have many things in common, and most structures start with a good foundation. The foundation is critical as it supports the building of the rest of the structure. Quality materials, well-trained construction professionals, prudent leadership, sound construction practices, and routine inspections all contribute to the optimal performance of a structure’s foundation. Understanding the geography of the building site often determines the methods, expertise and materials needed to establish the foundation, which ultimately influences the rest of the building’s structure.

Similarly, a BSA/AML Risk Assessment provides the details, or blueprint, specific to the financial institution’s understanding of its risk and provides a basis for how and where to mitigate said risk. Consequently, the foundation of a financial institution’s BSA/AML Risk Management Program is dependent on the health of its pillars. While not called out specifically as pillars, the BSA/AML Manual located within the FFIEC BSA/AML InfoBase calls out the following requirements for an adequate BSA/AML compliance program directly:

    • A system of internal controls to assure ongoing compliance.
    • Independent testing for compliance to be conducted by bank personnel or by an outside party.
    • Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance (BSA compliance officer).
    • Training for appropriate personnel.
    • …(A) customer identification program (CIP) with risk-based procedures that enable the bank to form a reasonable belief that it knows the true identity of its customers.

It is these five requirements that constitute the often-cited “Five Pillars of a BSA/AML Program.” Considering these as requirements, it is a fair assessment of your program to consider each of these when determining the health and strength of your institution’s BSA/AML program. From a holistic standpoint, any weakness in one area affects the health of the entire foundation. For example, having a good training program without a good system of internal controls makes the training program less effective. Similarly, having an inadequate internal audit function only sets up the compliance officer and financial institution for failure down the road. Having stagnant policies without periodic review may point to further compliance gaps that are unanticipated by the institution.

On the other hand, maintaining a strong independent audit program only makes the internal controls and CIP program stronger, which in turn can lead to a well-versed BSA compliance officer with adequately trained staff that confidently affect the entire financial institution’s culture of compliance. A healthy culture of compliance reflects well on the safety and soundness of a financial institution, which in turn provides opportunities for growth and results in a positive reputation.

Over the next few months, we will begin discussing in the blog the various details of each of these five requirements. It is our hope that the reader takes away from this effort the overall goal of BSA/AML Compliance so that strategizing how best to use BSA/AML software systems, such as our own SimpliRisk application, lines up with their own institution’s needs and aspirations, while giving all readers an equal understanding of how PayLynxs interprets and views the “five pillars” of a sound BSA/AML Risk Management Program.

High Risk Transactions: Understanding Virtual Currencies & Associated Proposed Legislative Action

In recent months, virtual currency has seen an influx in interest from various directions. While in some circles, these currencies have always maintained their status, recent events have given rise to mainstream popularity, especially from those who may not fully understand how crypto and other means of virtual currencies work. Most prices have seen volatility, with wild swings in the exchange rate for many, and progressive record-breaking climbs for mainstays such as Bitcoin and to a lesser extent, Ethereum. Noting the growing popularity of virtual currencies, financial institutions need to continually adjust their own knowledge and understanding of virtual currencies and their respective markets to maintain a handle on the risks associated with their corresponding transactions.

So, the BSA layperson might ask, “What exactly are virtual currencies, and how do I determine and manage the risks associated with them?” While a bit dated, a good frame of reference for virtual currencies begins with The Financial Action Task Force (FATF). Back in June of 2014, FATF published a report, Virtual Currencies: Key Definitions and Potential AML/CFT Risks. It provides a great overview of virtual currency in its various forms, such as convertible versus non-convertible, centralized versus decentralized, altcoins, cryptocurrency, and others. The report also explains the various mechanisms involved with creating and exchanging said currencies using wallets, exchanges, mining, and torrents.

Groups such as FATF provide a common basis behind much of the regulatory workspace. This is seen when looking at recent FinCEN actions, such as the request for comment recently extended by the Biden Administration. The Pending Notice of Proposed Rulemaking involving convertible virtual currencies proposes BSA requirements on certain Money Services Businesses (MSBs), exchanges and wallet administrators that are in line with Currency Transaction Reporting requirements in place today.

It is imperative that the AML and Risk professional have a basic understanding of the underlying gaps that these proposals are trying to fill and how they may or may not affect their institutions and their members and customers. Gaining a broader perspective on virtual currency provides a better understanding for the risk professional and allows for a more succinct risk-based approach.