FinCEN Issues Updated Advisory on Email Compromise Fraud Schemes

The guidance distinguishes between Business Email Compromise and Email Account Compromise.

Hooded man hacking into a computer.7/23/2019 

The Financial Crimes Enforcement Network (FinCEN) issued FinCEN Advisory FIN-2019-A005which provides updated guidance on email compromise fraud schemes. The updated guidance builds on the 2016 alert. It includes: 

  • Updated operational definitions for email compromise fraud;
  • Information on the targeting of non-business entities and data by BEC schemes;
  • General trends in BEC schemes targeting sectors and jurisdictions; and
  • Alerts financial institutions to risks associated with targeting of vulnerable business processes by BEC criminals. 

The guidance distinguishes between Business Email Compromise (BEC), which targets accounts of financial institutions or customers of financial institutions that are operational entities, and Email Account Compromise (EAC), which targets email accounts belonging to an individual. 

FinCEN recently observed that targets of BEC fraud now include entities that fall outside the definition of traditional business customers, such as government entities, and non-profit organizations or even financial institutions themselves. The guidance discusses schemes that are targeting these groups. 

When analyzing the trends, FinCEN highlighted that the BEC fraud has grown from 500 reports a month (averaging $110 million monthly in total attempted BEC thefts) in 2016 to over 1,100 reports a month (averaging over $300 million monthly in total attempted in BEC thefts) in 2018. The analysis revealed several prominent trends in BEC schemes affecting U.S. financial institutions and their customers. 

The guidance also provides information for U.S. financial institutions that credit unions should take into consideration. These include: 

  • Risk management considerations 
  • Response and recovery of funds 
  • Information sharing 
  • Suspicious activity reporting 

Question of the Week 

Q. If an employee is a notary and performs these duties on behalf of the credit union, should the notary keep the notary journal and stamp when employment ends?

A. There is no statutory requirement in Washington or Idaho for a Notary to keep a journal, so the employee may retain the journal when the employee leaves the employment.
 
In Oregon, the notary journal should be retained by the notary, unless the notary and employer have entered into a journal agreement. If a journal agreement has been signed, the notary shall hand the journal over to the employer and the notary shall retain a copy of the journal agreement, which may be examined by the Secretary of State upon request. If a journal agreement has been signed, many notaries choose to have two journals: an office journal for notarizations performed during employment and a second journal for notarizations performed outside of the employment. If the credit union keeps the journal, then it must follow the same rules for retention and disclosure as the notary would. The notary/employer shall keep the journal for 10 years after the last act noted in the journal. Keeping it longer is encouraged by the Secretary of State. 
 
In Washington, the stamp should not be surrendered upon termination of employment regardless of whether the employer paid for the seal/stamp, certificate, or bond. In Idaho, the stamp may be kept by the employer, if the employer purchased it; however, the employee should request that it be destroyed. In Oregon, the stamp is the employee’s property and should be retained by the employee. 

Related Links

WA Notary FAQs 

ID Notary Public FAQs 

OR Notary Public Guide 

Legal Briefs 

National Credit Union Administration (NCUA) 

NCUA approves final rule amendments for appraisals. 

NCUA issues a proposed rule change for the exceptions to employment restrictions. 

NCUA issues a final rule amending the fidelity bond requirements. 

Consumer Financial Protection Bureau (CFPB) 

CFPB issued an updated advisory recommending financial institutions report suspected financial exploitation of vulnerable adults. 

CFPB issues report on third-party debt collections. 

Financial Crimes Enforcement Network (FinCEN) 

FinCEN announced new efforts to curtail and impede Business Email Compromise (BEC) scammers. 

FinCEN released an updated advisory on Email Compromise fraud schemes targeting vulnerable business processes. 

Financial Accounting Standards Board (FASB) 

FASB announced issuing additional CECL Q&As, as well as plans for a series of CECL educational workshops to be held around the country. 

FASB delayed the effective date for CECL until January 2023. 

Federal Trade Commission (FTC) 

FTC, CFPB, and AG offices announce Equifax data breach settlement. 

Office of Foreign Assets Control (OFAC) 

OFAC has updated the SDN list as of July 19, 2019. The last update prior to this was July 11, 2019. 

Questions? Contact the Compliance Hotline: 1.800.546.4465; [email protected].