Financial crime in times of Covid-19 – AML and cyber resilience measures: summary notes


Contents

 

Highlights

1. Introduction

2. Financial crime during the pandemic crisis 

a)        An increase in ML and TF risks stemming from Covid-19-related crime 

b)        The need to devote additional resources to ensuring the effective operation of business continuity arrangements may mean that financial institutions are less able to monitor suspicious transactions. Authorities are in a similar situation. 

3. Cyber resilience measures

a)        The joint statement by the UK and US cyber security agencies 

b)        the Singapore Computer Emergency Response Team (SingCERT) points out

c)        the Cybersecurity and Infrastructure Security Agency 

d)        complementary measures

(3)        Information-sharing on Covid-19-related threats 

4.        AML Measures 

a)        Financial institutions everywhere should remain vigilant, while also

b)        Issuing public statements drawing attention to Covid-19 ML and TF threats 

c)        Emphasising the flexibility built into the AML/CFT risk-based framework and providing guidance on its application 

d)        Providing guidance on digital customer on-boarding and simplified due diligence 

e)        Working closely with the financial sector 

5.        Concluding remarks 

a)        Authorities

b)        Guidance issued 

c)        AML frameworks 



Highlights

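  • Cyber attacks, money laundering (ML) and terrorist financing (TF) have been increasing during the pandemic.
  • Authorities worldwide are working to prevent ML and TF by alerting financial institutions and providing ways to improve digital security.
  • Particular attention should be paid to IT networks and non-public data and to cyber security incident response plans, with an emphasis on building staff security awareness.
  • Financial institutions also need to be alert to new ML and TF risks and continue to meet AML (anti-money laundering) and CFT (combating the financing of terrorism) requirements, by using the flexibility built into the AML/CFT risk-based framework, digital customer on-boarding and simplified due diligence processes.
  • Authorities should stress the balance between expecting financial institutions to enhance or adjust their cyber resilience and AML frameworks and avoiding imposing an excessive burden that could hinder financial institutions in delivering key financial services.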

1. Introduction

- not just a convenience but a necessity. 

- Work-from-home arrangements with remote access to corporate networks have significantly expanded the attack surface for cyber criminals.

- financial crime seen so far during the current crisis. 

 

2. Financial crime during the pandemic crisis 

 

a)        An increase in ML and TF risks stemming from Covid-19-related crime 

(i) increased misuse of online financial services and virtual assets to move and conceal illicit funds

(ii) possible corruption connected with governmental stimulus funds or international financial assistance

 

b)        The need to devote additional resources to ensuring the effective operation of business continuity arrangements may mean that financial institutions are less able to monitor suspicious transactions. Authorities are in a similar situation. 

 

3. Cyber resilience measures

a)        The joint statement by the UK and US cyber security agencies 

-        lists practical indicators that systems have been compromised

-        encourages individuals and organisations to review their guidance on home working

-        mitigating malware and ransomware attacks

-        enterprise virtual private network (VPN) security and risk management, among other topics, to ensure that Covid-19-related challenges are addressed.

 

b)        the Singapore Computer Emergency Response Team (SingCERT) points out

(i) ensuring that remote access systems are updated with the latest patches, security configurations and anti-virus signatures

(ii) performing regular audits of privileged domains

(iii) providing regular reminders to employees about cyber threats and preventative tips so that their awareness is heightened;

(iv) putting in place cyber incident response and recovery plans that can be effectively implemented in view of the telecommuting circumstances.

 

c)        the Cybersecurity and Infrastructure Security Agency 

In the United States, the Cybersecurity and Infrastructure Security Agency – the country’s cyber security agency – has identified as essential workers, among others, third-party staff supporting banks and other financial institutions responding to cyber incidents, and the Office of the Comptroller of the Currency (OCC (2020a)) has asked its supervised institutions to reflect this consideration in their business continuity approaches.

 

d)        complementary measures

In addition, a number of authorities are taking complementary measures specifically targeted at the increasing levels of cyber criminality in the financial sector during the pandemic crisis.

(1)        Raising awareness through public statements about increasing levels of cyber crime 

The April 2020 public joint statement by the Bank of Italy and the Institute for the Supervision of Insurance (IVASS) – the Italian insurance supervisor – focuses mainly on the following points:

(i) the vulnerabilities resulting from the more intensive use of teleworking;

(ii) conducting reviews to gain insights on the characteristics of cyber threats in the context of Covid-19

(iii) relying on information exchange mechanisms.

 

(2)        Providing guidance on the most relevant cyber resilience areas 

i)provided guidance on the heightened risks to IT networks and non-public information. 

    (a) New York State Department of Financial Services (DFS) (2020) emphasises

        (i) the importance of relying on secure VPN connections that will encrypt all data in transit

        (ii) using multifactor authentication protocols and updating them for key actions (eg security exceptions, wire transfers);

        (iii) applying robust security protocols to company-issued devices and strong controls to personal or home devices used to access corporate technological infrastructures;

        (iv) configuring corporate video and audioconferencing facilities in a way that limits unauthorised access

        (v) taking measures that prevent the loss of non-public data.

    As part of its Covid-19 cyber guidance, the DFS has also asked their regulated entities to address third-party risks connected with the current exceptional circumstances.

    It expects regulated entities to coordinate with critical vendors to ascertain that they are adequately addressing the new risks and challenges posed by the pandemic crisis.

 

ii) The adjustment of cyber security incident response plans to the pandemic environment. 

    (a)the Abu Dhabi Global Market’s (ADGM) Financial Services Regulatory Authority (FSRA) (2020) 

        - communicated to their financial institutions the importance of instituting incident response plans that are commensurate with the nature, scale and complexity of their business in the current context.

        - to increase preparedness for identifying and mitigating operational and cyber risks, thus enhancing the financial sector’s resilience so as to diminish the impact of possible cyber attacks.

 

iii)several authorities are emphasising staff training and awareness at financial institutions. 

    (a)the Financial Industry Regulatory Authority (FINRA (2020)), as part of its Covid-19 guidance to members, recommends that firms train their staff on 

        (i) how to connect securely to the office environment or office applications from a remote location

        (ii) potential scams, fraudulent communications and other criminal activities.

    In addition, it emphasises the need for IT support staff or others involved in managing or supporting staff using the firm’s systems to be alert and adequately trained to deal with fraudsters and social engineering schemes, such as bogus calls requesting password resets or fake reports of lost phones or equipment.

(3)        Information-sharing on Covid-19-related threats 

i)        Organisations such as the Bank of Italy and IVASS:

        - disseminate security bulletins

        - organise webinars on attack techniques and possible countermeasures

        - facilitate training on the correct use of company devices and the strengthening of controls connected to remote work.

 

ii)        At the international level, the Euro Cyber Resilience Board (ECRB) for pan-European Financial Infrastructures and the BIS’s Cyber Resilience Coordination Centre (CRCC) are expected to play an important role in facilitating the exchange of information on Covid-19-related threats. 

        (a)        ECRB:

The ECRB serves as a forum on systemic resilience against cyber risks. In recent weeks its members have agreed to share more cyber information and intelligence, with the aim of identifying cyber threats and exchanging best practice to prevent attacks.

        (b)        CRCC:

CRCC seeks to provide a structured and careful approach to knowledge-sharing and collaboration between central banks in the area of cyber resilience. A core service is to provide a secure collaboration platform for information-sharing on multilateral cyber threats.

 

4.        AML Measures 

 

a)        Financial institutions everywhere should remain vigilant, while also

(i) using the flexibility built into the FATF’s risk-based approach to address the challenges posed by the crisis;

(ii) implementing responsible digital customer onboarding for the delivery of digital financial services to the fullest extent possible in the light of the lockdown and social distancing measures;

(iii) working closely together, including by sharing relevant information

(iv) offering effective mechanisms through which the industry can report Covid-19-related financial crime to authorities.

 

b)        Issuing public statements drawing attention to Covid-19 ML and TF threats 

(1)        FATF statement 

 

c)        Emphasising the flexibility built into the AML/CFT risk-based framework and providing guidance on its application 

(1)        A number of authorities worldwide have provided guidance on the way the AML/CFT risk-based framework will be applied flexibly in the Covid-19 context 

i)        the Financial Crimes Enforcement Network (FINCEN) 

In the United States, the Financial Crimes Enforcement Network (FINCEN) has provided for certain regulatory relief under the risk-based approach to the AML/CFT requirements, including exempting firms from requirements to (re)verify beneficial ownership for new loans extended to existing customers under the Coronavirus Aid, Relief, and Economic Security (CARES) Act Paycheck Protection Program.

The OCC (2020b) has publicly expressed support for the FINCEN’s approach and stated that, when evaluating banks’ AML/CFT compliance programmes, it will consider the actions taken by banks to protect and assist employees, customers and others in response to the Covid-19 pandemic, including accepting reasonable delays in reporting filings and other risk management processes.

 

(2)        Authorities have also emphasised that financial institutions should continue to provide essential financial services, while at the same time seeking to mitigate ML risks by using the various tools at their disposal. 

i)        machine learning -->  improved ML detection

But the Covid-19 crisis has changed the behaviour of retail and corporate clients, which could drastically reduce the effectiveness of machine learning techniques, particularly those trained on past patterns of behaviour. Other tools may face similar challenges.

 

d)        Providing guidance on digital customer on-boarding and simplified due diligence 

(1)        digital ID systems with technology, processes, governance and other safeguards 

digital ID systems with technology, processes, governance and other safeguards that assure an appropriate level of trustworthiness in line with relevant FATF Guidance (eg on digital identity).

i)        the CSSF considers that live video-chats could provide appropriate safeguards to verify a customer’s identity. 

 

(2)        simplified due diligence approaches 

i)        “grant a facilitation” in the application of due diligence requirements for new business relationships entered into before 1 July 2020. 

It has extended the 30-day period for confirming the authenticity of identification documents to 90 days.

During this period, a new business relationship can be entered into with sufficient information regarding the contracting parties and a simple copy of the identification document provided that, on the basis of a risk-based assessment, the application of this flexibility is deemed appropriate.

e)        Working closely with the financial sector 

(1)        Supervisors, FIUs and law enforcement agencies are using their existing channels to share ML/TF risks linked to Covid-19 with financial institutions and other private sector entities 

(2)        In addition, authorities have started to set up mechanisms by which victims, financial institutions and other businesses can report Covid-19-related fraud. 

 

5.        Concluding remarks 

a)        Authorities

In both areas, authorities have highlighted the need for

(i) drawing attention to these crimes so that financial institutions and the general public are better informed; 

(ii) extra vigilance with respect to increasing and evolving risks

(iii) active sharing of information between the public and private sectors, and within and between jurisdictions

 

b)        Guidance issued 

The guidance issued underscores the trade-offs between expecting financial institutions to enhance or adjust their cyber resilience

 

c)        AML frameworks 

AML frameworks and, on the other hand, avoiding imposing an excessive burden that could hinder financial institutions in delivering key financial services.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 
