Bank Secrecy Act (BSA) compliance is now an integral part of a financial institution’s cybersecurity strategy, Jim Vilker, vice president of CU Answers, said Tuesday at the CUNA/National Association of State Credit Union Supervisors BSA Conference. Vilker explained that this changed with an October 2016 advisory from the Financial Crimes Enforcement Network (FinCEN), which stated that information about cyber events and BSA matters should be shared among cybersecurity, compliance, and BSA/anti-money laundering teams, among others.
“Cybersecurity is intersecting in a new way with BSA/AML compliance, and it’s becoming increasingly important that BSA/AML officers are aware of the kinds of cyberthreats out there,” Vilker said. “There used to be a lot of silos out there, where compliance, risk management, network security, all of those were separate parts, but today’s cybersecurity environment means all those departments need to be interconnected in a new way.”
It is recommended that BSA professionals be familiar with other regulatory requirements as well. A “cyber event” is defined as an attempt to compromise or gain unauthorized electronic access to electronic systems, resources, services, or information.
The timeline of a cyber event is:
The FinCEN advisory outlines what information should be included if a financial institution files a suspicious activity report (SAR) on a cyber event, including IP addresses, websites, email addresses, and attack vectors (e.g. malware, hacking, identity theft).
“This is definitely not your mom’s SAR. There’s a lot of specific information you want to have in this area that is very specific to IT,” said Marsha Sapino, an AuditLink assistant manager at CU Answers. “So you definitely need to contact that department and get as much information as possible because this is what FinCEN is asking for, they need this information.”
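The practical problem the IT department faces when the BSA officer asks for this information is pulling the indicators out of incident notes and logs into the shape a SAR narrative needs. The script below is an added example (not from the FinCEN advisory, CU Answers, or the conference) that takes constructed incident notes and collects the indicator types named above: IP addresses, websites, email addresses, and an attack-vector label, plus a first-seen/last-seen window. The sample log lines, the keyword-to-vector mapping, and the field names in the returned report are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed incident notes for the example; not from any real case or from the article.
SAMPLE_NOTES = """\
2016-11-02 09:14:03 IDS alert: repeated POST /login from 198.51.100.23 (credential stuffing, 4,200 attempts)
2016-11-02 09:20:41 Helpdesk ticket: member reports phishing mail from accounts@cu-secure-login.example claiming card lock
2016-11-02 09:22:10 Proxy log: member clicked hxxp://cu-secure-login.example/verify then redirected to 203.0.113.77
2016-11-02 10:05:55 EDR: Trojan.GenericKD detected on WS-0412, C2 beacon to 203.0.113.77:8443
2016-11-02 10:06:30 Note: 198.51.100.23 also seen in 999.1.1.1 typo, ignore
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s\"'<>]+", re.IGNORECASE)

# Assumed keyword-to-label mapping; the labels follow the e.g. list quoted from the advisory,
# the keywords are just what these constructed notes happen to contain.
VECTOR_KEYWORDS = {
    "malware": ("trojan", "c2 beacon", "ransom", "malware"),
    "hacking": ("credential stuffing", "brute force", "ids alert", "unauthorized access"),
    "identity theft": ("phishing", "account takeover", "stolen credentials"),
}


def valid_ipv4(octets):
    """Reject dotted quads with an octet above 255 (e.g. the '999.1.1.1' typo in the notes)."""
    return all(0 <= int(o) <= 255 for o in octets)


def refang_url(url):
    """Analysts write hxxp:// so links are not clickable; restore the real scheme for the report."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def extract_sar_indicators(notes):
    """Collect deduplicated indicators from free-text incident notes into a flat report dict."""
    found = {
        "ip_addresses": set(),
        "email_addresses": set(),
        "urls": set(),
        "domains": set(),
        "attack_vectors": set(),
    }
    timestamps = []
    for line in notes.splitlines():
        m = TS_RE.match(line)
        if m:
            timestamps.append(m.group(1))
        for octets in IPV4_RE.findall(line):
            if valid_ipv4(octets):
                found["ip_addresses"].add(".".join(octets))
        found["email_addresses"].update(EMAIL_RE.findall(line))
        for raw in URL_RE.findall(line):
            url = refang_url(raw)
            found["urls"].add(url)
            host = urlparse(url).hostname
            if host:
                found["domains"].add(host)
        lowered = line.lower()
        for label, keywords in VECTOR_KEYWORDS.items():
            if any(k in lowered for k in keywords):
                found["attack_vectors"].add(label)
    report = {key: sorted(values) for key, values in found.items()}
    report["first_seen"] = min(timestamps) if timestamps else None
    report["last_seen"] = max(timestamps) if timestamps else None
    return report


def sar_narrative(report):
    """Render the report as a short block of text a BSA officer can paste into the SAR narrative."""
    lines = [f"Cyber event window: {report['first_seen']} to {report['last_seen']}"]
    for key in ("attack_vectors", "ip_addresses", "domains", "urls", "email_addresses"):
        if report[key]:
            lines.append(f"{key.replace('_', ' ').title()}: {', '.join(report[key])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(sar_narrative(extract_sar_indicators(SAMPLE_NOTES)))
```

Two details matter more than the regexes themselves: octet validation keeps a mistyped address out of a regulatory filing, and the refang step means the SAR carries the real URL rather than the defanged form analysts use internally. Anything the keyword table does not recognize simply gets no attack-vector label, which is the right failure mode; the BSA officer should fill that in from the IT write-up rather than have a script guess.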
Credit unions should have cyber incident plans in place in the event such a thing happens, plans that include: