Financial Crime in Times of COVID-19 – AML and Cyber Resilience Measures

After completing this reading, you should be able to:

• Explain the increase of cyber threats faced by financial institutions because of the Covid-19 crisis.
• Explain the cyber resilience measures taken by international and national financial authorities in response to the increased cyber threats since the outbreak of Covid-19.
• Explain the AML and ATF measures taken by international and national financial authorities in response to the increased ML and TF risks since the outbreak of Covid-19.

Cyber risk refers to the potential exposure to loss resulting from the failure or breach of an organization’s IT systems. According to Cyber Lexicon – a specialized offshoot of the Financial Stability Board that has been set up to address cyber resilience in the financial sector – a cyber incident is defined as:

“Any observable occurrence in an information system that: (i) jeopardizes the cybersecurity of an information system or the system processes, stores or transmits; or (ii) violates the security policies, security procedures or acceptable policies, whether resulting from malicious activity or not.”

Cyber attacks take several forms:

• Malicious software designed to infiltrate systems and steal data;
• Man-in-the-middle attacks where attackers sandwich themselves between two parties in a transaction with an intent to manipulate figures and steal critical data;
• Phishing, where malware-infested emails are sent with the goal of gaining access to critical systems and stealing entry credentials;
• Cross-site scripting, where malicious scripts are injected into otherwise benign and trusted websites; or
• Password cracking where malicious codes are used to breach passwords to gain entry into a critical system.

Cyber Threats Faced By Financial Institutions Following the COVID-19 Crisis

1. Mass migration to working from home (WFH) has made institutions more vulnerable to attacks

Financial institutions have been forced to adopt a working from home (WFH) policy in an attempt to limit the spread of the virus. But the move has only served to increase the threat of cyber-attacks because of several reasons.

First, households and home networks do not enjoy the same level of protection and sophistication as office networks. For instance, research shows that WFH has increased the use of virtual private networks (VPNs) and remote desktop protocol (RDP) by 33% and 41%, respectively. This has given attackers a new window to launch their attacks and penetrate systems.

Second, WFH comes with new risks. WFH means staff has to share networks with other family members and devices. This has provided new attack points for malware that could ultimately penetrate a firm’s enterprise environment.

For example, video conferencing has been the preferred way to hold meetings. But some video conferencing devices and services have been found to have suboptimal anti-threat mechanisms, making them an easy target for hackers.

2. Reliance on third-party vendors has resulted in an increase in cyber attacks

In an attempt to improve enterprise systems and better manage IT infrastructure, most financial institutions have resorted to outsourcing more and more IT services from third-party vendors. But it’s an open secret that an institution’s control over a vendor’s cyber resilience measures is limited.

Even though the institution may take steps to ensure that the vendor embraces the latest cybersecurity tools, the vendor is ultimately in charge of its own systems and may not put in place the same level of protection as the institution. This means that attackers may still be able to penetrate the institution’s platform by compromising the vendor’s systems.

In Dec 2020 for instance, hackers managed to infiltrate and insert malware into SolarWinds Orion, an infrastructure monitoring system used by more than 33,000 institutions around the world. Although the financial sector was not the main target, the attackers were able to remain undetected for months.

3. Compared to other sectors, the financial sector has faced more cyber attacks since the COVID-19 pandemic started

Data gathered by Advisen – a for-profit data provider – shows that the number of cyber-attacks increased between February 2020 and June 2020. This coincides with the increase in the uptake of WFH arrangements. The finance and insurance sector was the hardest hit, taking about 25.3% of the total number of attacks.

Within this sector, insurers and credit unions bore the brunt of the attacks. These attacks were mainly in form of phishing, suspicious scanning, and cross-site scripting.

4. Evidence suggests that COVID-19presented new opportunities for attacks, but the same threat actors, methods, and tools have been in use.

The threat actors and attack methods used during the COVID-19 crisis are the same as those used before the crisis. Only the volume and scale of attacks went up. The most-reported attack method involved phishing. In other cases, attackers imitated well-known sources of COVID-19 information (such as the WHO) to get users to open links and files infected with malware.

Cyber Resilience Measures Taken By International And National Financial Authorities

In response to the cyber threats brought about by COVID-19, Interpol has released some guidelines aimed at making organizations more cyber resilient. National agencies have also issued some guidance. For instance, a joint communication issued by U.K. and U.S. cybersecurity agencies lists practical indicators that have been compromised. Both individuals and organizations have been encouraged to review their cybersecurity tools and make sure that they adopt the latest tools in order to protect themselves from evolving cyber threats.

The following specific measures have been taken:

1. Making public statements about the increasing levels of cybercrime

Cybersecurity authorities have released statements asking people to remain vigilant in light of the increasing level of cyber risk. A few agencies have even gone further to specify the type of threats institutions face as well as measures that should be taken in the context of COVID-19.

In April 2020, for example, the bank of Italy and the Institute for the Supervision of Insurance jointly made a public statement describing how they are addressing cyber risk during the COVID-19 crisis. As per the statement, the two institutions were focused on:

• The vulnerabilities arising from teleworking;
• Conducting reviews to identify the characteristics of cyber threats in the context of COVID-19; and
• Capitalizing on information exchange channels.

2. Providing guidance on the most critical cyber resilience areas

Some authorities have singled out areas where institutions have to build more resilience. The New York State Department of financial services has, for example, released the following guidelines:

• Institutions should use secure VPN connections that encrypt all data during transit to ensure that the data cannot be seized and used by unwanted parties.
• Institutions should use multifactor authentication to secure critical systems. If used, this means two or more pieces of evidence will be needed before access to systems (such as wire transfer) can be granted.
• There’s a need to configure video- and audio-conferencing devices in a way that keeps intruders at bay. Institutions should do all it takes to ensure that nonpublic data remains just that: nonpublic.

A different authority – the Abu Dhabi Global Market’s (ADGM) Financial Services Regulatory Authority (FSRA) (2020) – has emphasized the need for institutions to come up with incident response plans that are commensurate with the nature, scale, and complexity of their business. The goal here is to boost readiness and ensure that any attacks that materialize are neutralized quickly to minimize damage.

3. Information sharing

To enhance preparedness and incident response mechanisms, authorities have scaled up the exchange of information on COVID-related cyber threats with financial institutions and other trusted parties. Some authorities have gone as far as releasing security bulletins and organizing webinars where participants have been brought up to speed with regard to the attack techniques they are likely to see and how to rebuff them.

Anti-Money Laundering and Terrorist Financing (AML/ATF) Measures Taken in Response To The Increased Risks

The COVID-19 pandemic has heightened the risks of money laundering, cybercrime, and terrorist financing. International and National authorities have put forward a number of measures in an attempt to increase resilience and protect the global financial system from any planned attacks. One of the organizations that has been on the frontline in encouraging institutions to remain vigilant to current money laundering (ML) and terrorist financing (TF) risks is the Financial Action Task Force (FATF).

FATF is an independent inter-governmental body tasked with developing and promoting policies that protect the global financial system against money laundering and financing of terrorism or the proliferation of weapons of mass destruction.

FAFT issued a statement urging institutions to do the following:

• To take advantage of the flexibility built into the FATF’s risk-based approach to address the challenges posed by the crisis, particularly when it comes to reporting requirements. For example, the Hong Kong Monetary Authority (HKMA) has indicated that it is using its supervisory tools flexibly in this period even while reiterating that its risk-based approach to AML/AFT supervision does not require or expect a “zero failure” outcome.
• To implement responsible digital customer onboarding when delivering digital financial services to the fullest extent possible. FATF is of the view that non-face-to-face transactions are not necessarily high-risk and that they can actually be lower risk.
• To work closely with other institutions and other trusted parties. This includes sharing relevant information.
• To come up with mechanisms that will be effective in the reporting of Covid19-related financial crime to authorities.

In addition, central banks and banking supervisory agencies have issued public statements related to Covid-19 ML and TF threats. Most of them have been keen to highlight the fact that AML/AFT risks are quickly evolving, and countermeasures have to keep up if these threats are to be neutralized.

Authorities have also reiterated that there’s a need for financial institutions to continue providing essential financial services while at the same time seeking to mitigate ML risks by using the various tools at their disposal. Top on the list of such tools is machine learning, which has proved to be quite useful in detecting money laundering schemes.

What’s more, law enforcement agencies have been using the existing channels to share AML/ATF risks related to COVID-19 with financial institutions and other trusted parties. For example, the Hong Kong Monetary Authority (HKMA) is pushing for the creation of a public-private partnership through which ML/TF information linked to COVID-19 can be shared.

Practice Question

The US government acknowledges the need to alert its citizens on emerging threats resulting from the ongoing COVID-19 pandemic and incorporate measures in different sectors. Which of the following identifies cyber resilience measures that the US government is likely to apply?

   A. Creating public awareness about the increasing levels of cybercrimes

   B. Guiding on the most important cyber resilience areas

   C. Promoting information sharing on COVID-19 related threats

   D. All of the above

Solution

The correct answer is D.

The US authorities have responded to the increasing cyber-crime levels in the COVID-19 crisis through creating public awareness about cybercrime, providing guidance on the most important cyber resilience areas, and promoting information-sharing on Covid-19-related threats.