National Association for Bank Security - BSA and security seminars, videos, manuals

National Association
for Bank

Security

Security Through Education

Home
Products
Seminars
THE ADVISOR
About Us
Resources
What's Hot
Current News
Computer Based Training
Broad Based Compliance Consulting
BSA Consulting
Independent Review Services
On Site Training
Site Licenses For Many Of Our Publications
Contact Us

Top Ten Products

- Special offer in effect!

CurrentNews

The 2010 Bank Secrecy Act/Anti-Money Laundering Examination Manual -- by T_Duxbury on Friday, August 13 2010

An effective Bank Secrecy Act/ Anti-Money Laundering (BSA/AML) compliance program requires sound risk management – the capability to identify and control risks associated with money laundering and terrorist financing. The revised BSA/AML examination manual reflects the ongoing commitment of the federal and state banking agencies to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The 2010 version further clarifies supervisory expectations since the August 24, 2007, update. The revisions again draw upon feedback from the banking industry and examination staff.

Revisions were made throughout the manual by many agencies, including FinCEN, OFAC, and the State Liaison Committee (Agencies). The sections with more significant updates are again noted in the table of contents with the marker "2010." Significant updates include:

Bulk Currency Shipments — Added one new section, on bulk currency shipments.
BSA/AML Compliance Program Structures — Substantially reworked the section on Enterprise-Wide BSA/AML Compliance programs to discuss the variety of BSA/AML compliance programs that exist, reflect current supervisory expectations, and enhance the specific discussion of consolidated compliance programs. The section is now titled "BSA/AML Compliance Program Structures."
Core Examination Procedures for Assessing the BSA/AML Compliance Program — Streamlined and reorganized the core examination procedures for assessing the BSA/AML compliance program to make them more logical.
Developing Conclusions and Finalizing the Examination — Revised the section to include guidance to examiners on how to determine whether a violation is systemic or recurring, as opposed to a technical or isolated violation.
Currency Transaction Reporting Exemptions — Updated the section to reflect the changes in the regulation and FinCEN guidance in this area.
Funds Transfers — Updated the section to reflect introduction of the SWIFT MT 202 COV message format.
Suspicious Activity Reporting — Enhanced the discussion of methods to identify, research, and report suspicious activity. Reorganized the section to reflect current supervisory expectations and made the discussion easier to follow and more user-friendly. Added a new Appendix S to illustrate the interaction between the different components of a suspicious activity monitoring program.
Automated Clearing House Transactions — Updated the section to reflect the recent changes to international Automated Clearing House transactions. Made corresponding changes to the OFAC section.
Electronic Cash — Revised the section to include a more in-depth discussion of Prepaid Cards.
Trade Finance Activities — Updated the definitions in the section to more closely reflect actual usage in the industry and added a reference to recent Wolfsberg Group guidance.
Electronic Banking — Updated the section (specifically, the Remote Deposit Capture discussion) to reflect the FFIEC guidance, Risk Management of Remote Deposit Capture (January 14, 2009).
Third-Party Payment Processors — Updated the section to reflect recent agency guidance, Guidance on Payment Processor Relationships, FDIC FIL-127-2008 (November 7, 2008), and Risk Management Guidance: Payment Processors, OCC Bulletin 2008-12 (April 24, 2008).

The 2010 version of the manual is located on the FFIEC BSA/AML InfoBase at: http://www.ffiec.gov/bsa_aml_infobase/default.htm.

The New Brand of Radicalization -- by T_Duxbury on Friday, August 13 2010

Recently the Director of National Intelligence (DNI) addressed Congress and stated what the 16-Agency US intelligence community expects in the way of terrorism and terrorist financing “in coming years.” His remarks included the following expectations:

• Terrorist attempts will be made by small and disparate groups of terrorists and individuals;
• Many of the terrorists will have been radicalized by militants on the Internet;
• Training and propaganda material will increasingly be hidden in disguise in other, innocuous material on the Internet;
• Stopping smaller, piecemeal attacks will be more difficult;
• Terrorist plots will be small and quickly designed, but will cause disruption and sensation nonetheless;
• Increasing numbers of terrorist candidates will be radicalized in the United States, chiefly through the Internet;
• Future attacks, which will be smaller, involve fewer people, and call for less planning and coordination, will demand less financing, yet one must keep in mind that the Times Square Bomber (Faisil Shahzad) is believed to have made 12 round trips to Pakistan, allegedly for “training,” before attempting his operation. It is very fortunate for us that he was not as well-schooled as our own homegrown Timothy McVeigh (Oklahoma City bombing). Counterterrorism experts predict that as al Qaeda’s Pakistan-based members (thought to have trained the Times Square Bomber) struggle to gain membership and finance that membership, smaller offshoots in countries like Somalia and Yemen will increasingly gain support, followers, and financing. Entities from places like these will reportedly be more likely to plot and wage smaller, less sophisticated attacks that will be more difficult to detect and prevent.

Osama El-Atari Steals $53 Million from US Banks -- by T_Duxbury on Friday, August 13 2010

Sleight-of-Hand Collateral Tricks Banks

Recently a 31-year-old resident of Ashburn, Virginia, named Osama El-Atari pled guilty to running a fraud scheme that was responsible for more than $53 million in losses from banks throughout the United States. When he is sentenced in late July, he could potentially receive a 100-year sentence for bank fraud and money laundering charges.

In committing his crimes against financial institutions in Virginia, Ohio, Tennessee, and Maryland, the defendant presented the banks with fraudulent life insurance policies as collateral to obtain loans. The cash value of the insurance policies was passed off as in the millions of dollars. In addition, he set up fake domain names and used fraudulent federal express mailings and emails in order to convince banks his collateral was authentic. While the stated purpose of the loans was for various business ventures, he used the money to buy an exotic-car collection that included Lamborghinis and Ferraris and a multi-million-dollar home. What the remainder of the money was intended to finance is a matter of speculation.

El-Atari fled the United States in 2009 for an unstated location and purpose, but returned in 2010, possibly to continue to acquire funds. He was captured in Texas. Reminding all of the importance of taking an individual like this out of circulation, IRS Criminal Investigation spokesman C. Andre Martin stated, “Money Laundering constitutes a serious threat to our communities and to the integrity of our financial system,” not to mention the seriousness of the loss of more than $50 million by the several banks, and the question of the ultimate destination of much of the money.

Bill Highly Favored by Counterfeiters Gets Makeover -- by T_Duxbury on Friday, August 13 2010

The Treasury Department has announced that a newly-designed $100 bill will be placed into circulation on February 10, 2011, in an effort to protect the hundred from a range of threats – from the most slap-dash digital schemes up to, and including, the most sophisticated counterfeiting operations. The old bills, whose security designs instituted in 1996 included the portrait watermark, an embedded vertical security strip, and color-shifting numeral, will continue to be accepted until they wear out, as will even older bills.

Changes that will be made to the bill sound so advanced they will probably render it an acceptable intergalactic medium of exchange. They include the following:

• An historical reference to the quill pen used by the founding fathers appears superimposed over portions of the Declaration of Independence; however, Ben Franklin’s portrait remains where it was.
• As if acknowledging the rebirth in the popularity of 3-D films, a 3-D security ribbon will appear on the face of the bill. Images on the ribbon move as the bill is tilted. This will be somewhat complex. The images will be of bells that transform into numeral 100s and back into bells as the bill is moved. Moreover, and this is where the bill begins to cross over into the slightly bizzarre, when it is tilted back and forth and not just “moved around,” some images on the ribbon appear to move from side to side. If the note is shifted in a regular motion from side to side, the images slide up and down. This is a new technology simply called “Motion.”
• Also on the front – evidently there’s still room – is the graphic of a bell in an inkwell. When a note is laid flat on a table, only a solid copper inkwell is visible. When the note is moved, the inkwell changes color from copper to green. The same motion will also make a liberty bell appear. This all raises a crucial question. If a new hundred is dropped on the ground, will it be mistaken for a UFO and shot or stomped on?
• Much more mundanely, the reverse of the $100 note will now show the back instead of the front of Independence Hall, and the color-shifting feature that now changes from black to green will change from copper to green.

This new bill may make it easier for people to quickly verify its authenticity. There may be many who do not and would not bother to hold a bill up to a light source to view a watermarked portrait and an embedded security strip, even though this was and remains an excellent method of verifying authenticity.

Let’s hope all the pyrotechnics cataloged above help justify the price – 11.8 cents per note, up from 8 cents per note for the current version, which was pricey to begin with. Perhaps they will justify the price if they give high quality counterfeiters, such as those working overtime at the trade in places like Colombia and North Korea, enough headaches.

For further information about the new hundred, visit www.newmoney.gov.

Setting the Record Straight -- by T_Duxbury on Tuesday, August 10 2010

A note about the presumed ascendance of bank robberies: Some think bank robberies have increased every year for a long time and that we’re going to Hades in a handbasket. Bank Robberies have tended to spike through the years in certain cities and regions. New York City, New Jersey, Phoenix, Denver, San Francisco, Los Angeles (!!!), Houston, Jackson (Miss.), and Milwaukee come to mind. There has been no shortage of speculation about the causes for the unanticipated increases, speculation including such factors as drugs, the shape of the economy, and unemployment figures. Most security professionals conclude that it’s usually a combination of factors that drive up bank robbery statistics. What some people apparently allow themselves to believe, however, is that robberies from a nationwide perspective have increased over the decades and are continuing to do so year in and year out. Not true. A look at the data shows that the number of robberies in the last six years has declined fairly steadily.

A look further back in time shows the same general trends, with certain periods of increase. Overall, however, in the past three decades the robbery rate has drifted up and drifted back down, fluctuating to some degree along the way. Robberies in the 1990s significantly outpaced those in the 1980s. However, robberies in this past decade drifted downward, approaching the rate of the 1980s. The most recent five years are especially encouraging. All five rates were under 7,000 per year. The five years prior to these were all above 7,000, with one (2001) above 8,000. The prosperous decade of the 1990s saw seven rates over 7,000 per year (with two of them over 8,000 per year and two over 9,000 per year!); 2007-2009 witnessed the first time in the past 30 years where there were three rates in a row below 6,000 robberies per year. There were no robbery rates below 6,000 in the 1990s decade. So we are not going to Hades in a handbasket after all, as some fear. Part of this decline may be attributable to something no one seems to have thought about: improved security!

Most Common Security Dangers -- by T_Duxbury on Thursday, July 29 2010

According to the noted Forrester Research Corporation, the most common security dangers in cyber space are mundane, not sophisticated or arcane. Their analysts say that a successful computer attack usually depends on a combination of two or more of four factors: 1) Social engineering, i.e., schmoozing in among networks, fooling users. An example would be persuading a user to install marketing or some other kind of material that would purportedly be helpful to one’s business operation. Once unquestioningly installed, a targeted Trojan that collects confidential information is also installed. 2) Breakdown in, or absence of, process. This is simply inadequate procedure. A prime example is the ChoicePoint fiasco of some years ago. Criminals were able to open fraudulent accounts with ChoicePoint because the process for opening an account did not involve checking to determine if the client was a real company. 3) Technical vulnerabilities. What happens here is that computer security personnel (CIOs and CSOs, if the organization is large enough) do an inadequate job of complexity management. Networks are unavoidably complex. They call for careful management. One configuration problem, for example, could leave an entire network vulnerable. 4) Insider abuse. The FBI has found in recent years that almost half of all security breaches originate on the inside of networks. Policies are needed to stop the malevolent incidents and minimize the accidents. Also needed is a change in attitude from subconscious denial to realization and acceptance that colleagues, friends, and even family members are capable of insider abuse.

Should Banks Pay Victims of Ponzi Schemes? -- by T_Duxbury on Monday, July 19 2010

Dozens of Ponzi schemes have come to light around the country in recent years. One attorney, who formerly served as a federal prosecutor and also as an attorney with the US Securities and Exchange Commission, thinks banks should be held liable for their part in the schemes. The former prosecutor, who now is in private practice in the Minneapolis-St. Paul area, is seeking civil judgments against Bank of America in three cases and JP Morgan Chase in a fourth.

The attorney contends that the banks aided the scams that bilked people out of millions of dollars because they knew - or should have known - what was really going on. He maintains they at least should have known because they "handled the big inflows and outflows of cash." There are reportedly other attorneys looking at this as a way to obtain recompense for their clients.

Expert Recommends Security Standard for Bank Account Data -- by T_Duxbury on Monday, July 19 2010

"By enforcing PCI [payment card industry] security requirements, the credit card brands have done a good job at driving security awareness and system improvements by companies that process payment cards," says Avivah Litan, senior vice president and distinguished research analyst at Gartner Inc. "I've often wondered why a similar bank consortium has not exercised the same muscle around the protection of bank account numbers and related data. If you ask the banks where the threats are, ACH and wire fraud are top of mind and both of those rely on bank account data."

The FDIC has issued alerts about an increase in ACH and wire fraud against the bank accounts of small businesses, municipalities and nonprofits. While business bank accounts are under increasing attack, however, the losses from fraud typically accrue to the bank business customer. This, in the opinion of Litan, gives banks less incentive to enforce protection.

"PCI was implemented to protect the credit card companies, not consumers," says Litan. "When it comes to banks protecting themselves against losses, they do a good job, but when the losses are shifted to the customer, they’re not as good at enforcing protection."

Litan leaves us with one last remark – in the form of a question: "Isn't it time for a security standard for bank account data?"

Frightening MO -- by T_Duxbury on Thursday, July 15 2010

A bank robbery MO that was seen occasionally in the 1980s and 1990s has reared its ugly head in Minnesota. We haven’t heard of any other cases in the past five years or so. No, it’s not done with an explosive device, or with a handgun or rifle. Hideously, according to FBI agents, the individual in Minnesota announced that he had AIDS and nothing to live for, and then held a hypodermic needle filled with what appeared to be blood high in the air with his right hand. This got everyone’s immediate attention, especially the three tellers he directly threatened. Seconds later he was seen getting into a taxi cab outside the branch with a bag containing an undisclosed amount of cash.

The Card-Not-Present Scam -- by T_Duxbury on Thursday, July 15 2010

This now-persistent scam works thusly: Someone who claims to represent the security and fraud department of a major credit card issuer calls a customer, providing a phony badge number to help create credibility. The caller knows the person on the other end of the line is a customer of a particular company or institution because he has already obtained the person’s credit card number illegally from another source. The caller claims the customer’s card was flagged for an “unusual purchase pattern,” and the customer remembers having heard that, in an attempt to control fraud, card issuers look for unusual purchase patterns and purchase locations. The caller reassures the customer that he will receive a credit to his account, and provides him with a phony confirmation number.

The caller is now at the crucial part of the scam. He says in order to do this he must have the customer’s three-digit code on the reverse side of his credit card. He says he needs to do this in order to prove that the customer has the card in his possession and not just the account number. The card holder thinks that since the caller already has his account number (he has read it off to him to confirm it), it must be OK to give him the CVV (card value verification) number.

With this information in their possession, the hucksters will quickly make a purchase over the telephone for the amount they told the card holder was flagged. When the customer learns of the purchase, he won’t consider it a problem, having been told about it already, and he won’t be suspicious…until he (ultimately the issuer) has lost considerably more money.

Security professionals advise hanging up the phone on any callers like this and telephoning the card issuer to verify the legitimacy or illegitimacy of the call. Their toll-free number is usually listed on the back of the card. If it turns out to be a fraudulent situation, customers are advised to file a fraud report with the card issuer and the local police, close the affected account, monitor credit reports (for irregularities such as unauthorized account openings), and closely monitor billing statements.