November 1999
"Suspicious Internet Banking Activity, Part I"
(Editor’s Note: This article
is the first in a series on detecting and reporting suspicious activity
related to Internet banking. It examines types of Internet banking
activity that could be considered suspicious. For around-the-clock
access to content like this, subscribe to Moneylaundering.com
Premium.)
Mr. Hamilton submits a new customer
account application to your bank via an e-mail message that appears
to have originated in South Africa. However, the application identifies
Mr. Hamilton’s address as a P.O. box in the U.S. city where
your bank is located. You attempt to call him, but find that the
number provided in the application, which is a local number, has
been disconnected. You then request a working phone number via e-mail.
He does not respond. What should you do?
The suspicious activity reporting
regulations issued by the Treasury Department’s Financial
Crimes Enforcement Network and U.S. federal financial institution
supervisory agencies require that "every bank" file with
Treasury "a report of any suspicious transaction" that
is "conducted or attempted by, at, or through the bank"
and that is "relevant to a possible violation of law or regulation."
This far-reaching definition includes transactions conducted through
your institution’s on-line or Internet bank. Therefore, if
you determine that Mr. Hamilton’s account application and
his failure to respond to your e-mail are suspicious, you should
report the activity through the channels developed by your institution.
Internet banking
In general, Internet banking is the
process of opening and accessing financial accounts and conducting
financial transactions via the Internet. Because of the anonymous,
international and often untraceable nature of communications via
the Internet, U.S. supervisory agencies view Internet banking as
vulnerable to money laundering, fraud and other criminal activity.
Still, a growing number of U.S. and foreign financial institutions
now accept on-line account applications and provide wholesale and
retail customers with Internet access to a wide range of products
and services including balance inquiry, cash management, wire transfers,
automated clearinghouse (ACH) transactions, loan applications and
investment activity.
In its Handbook for Internet Banking,
which was issued in October 1999, the U.S. Office of the Comptroller
of the Currency says it is "critical" that banks apply
the requirements of the Bank Secrecy Act, including suspicious activity
detection and reporting, to their Internet banking products and
services. The Handbook recommends that banks "set up a control
system to identify unusual or suspicious activities" related
to Internet banking that includes monitoring procedures for on-line
transactions. It provides the following general types of suspicious
Internet activity, each of which should elicit closer scrutiny by
the bank:
- unusual requests
- unusual timing of transactions
- unusual electronic message formats
- anomalies in transaction types
- anomalies in transaction volumes
- anomalies in transaction values
- anomalies in "time-of-day
presentment"
- "log-on violations."
Other examples of suspicious Internet
banking activity include:
- a customer who submits an incomplete
on-line account application and then refuses to respond to a
request for more information
- a customer who submits an on-line
account application with conflicting information, such as a
physical address that does not match the location of the given
e-mail address
- a customer who applies on-line
for multiple accounts with no apparent legitimate reason for
such accounts
- a customer who uses your bank’s
on-line service to send repeated interbank wire transfers between
several accounts with no apparent legitimate reason.
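As an added illustration (not taken from the OCC Handbook or from this article), the sketch below shows how a monitoring procedure might turn four of the listed indicators, "log-on violations," "time-of-day presentment," transaction volume and transaction value, into rules run over an on-line banking event log. The event format, customer IDs and every threshold are assumptions made for the example, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample events, not real data: (ISO timestamp, customer, kind, amount)
EVENTS = [
    ("1999-11-01T10:05", "C1", "wire", 200),
    ("1999-11-02T11:30", "C1", "wire", 250),
    ("1999-11-03T09:45", "C1", "wire", 220),
    ("1999-11-04T03:10", "C1", "wire", 9000),
    ("1999-11-04T08:00", "C2", "logon_fail", 0),
    ("1999-11-04T08:01", "C2", "logon_fail", 0),
    ("1999-11-04T08:02", "C2", "logon_fail", 0),
    ("1999-11-05T13:00", "C3", "wire", 500),
    ("1999-11-05T13:20", "C3", "wire", 500),
    ("1999-11-05T13:40", "C3", "wire", 500),
    ("1999-11-05T10:02", "C4", "wire", 100),
]

# Assumed thresholds; a real bank would tune these to its own customers.
MAX_FAILED_LOGONS = 3       # consecutive failed log-ons before review
USUAL_HOURS = range(6, 23)  # 06:00-22:59 counts as normal presentment time
WIRES_PER_DAY = 3           # same-day wires before review
VALUE_MULTIPLE = 5          # multiple of the customer's prior average amount
MIN_HISTORY = 3             # prior wires needed before judging value

def review(events):
    """Return {customer: sorted indicator names} for customers needing scrutiny."""
    flags = defaultdict(set)
    failed, per_day, history = Counter(), Counter(), defaultdict(list)
    for ts, cust, kind, amount in events:
        when = datetime.fromisoformat(ts)
        if kind == "logon_fail":
            failed[cust] += 1
            if failed[cust] >= MAX_FAILED_LOGONS:
                flags[cust].add("log-on violations")
        elif kind == "logon_ok":
            failed[cust] = 0  # a successful log-on resets the streak
        elif kind == "wire":
            if when.hour not in USUAL_HOURS:
                flags[cust].add("time-of-day presentment")
            per_day[cust, when.date()] += 1
            if per_day[cust, when.date()] >= WIRES_PER_DAY:
                flags[cust].add("transaction volume")
            prior = history[cust]
            if len(prior) >= MIN_HISTORY and amount > VALUE_MULTIPLE * mean(prior):
                flags[cust].add("transaction value")
            history[cust].append(amount)
    return {c: sorted(f) for c, f in flags.items()}
```

A flag here only marks a customer for closer scrutiny; whether the activity is reported remains a determination made through the institution's own channels.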
Computer intrusions
In September 1999, FinCEN and the
five federal financial institution supervisory agencies announced
plans to revise the Suspicious Activity Report form that is used
by banks and other "depository institutions." One of the
key proposed revisions to the form is the addition of "computer
intrusion" to the 17 types of suspicious activity that the
SAR now lists.
The OCC Handbook warns banks and
bank service providers to guard against various types of computer
intrusions or "on-line attacks," including:
- using "sniffer" or
"network monitor" software to capture keystrokes from
a particular PC, including log-on IDs and passwords
- using software to gain entry
to a network by testing all possible password combinations
- capturing and decoding encrypted
messages that contain user IDs and passwords (known as "brute
force")
- dialing every number on a bank
telephone exchange to find a modem connected to the bank’s
network (known as "random dialing")
- accessing information about
the bank’s computer system or changing access passwords
by calling the bank’s computer help desk and impersonating
an authorized user (known as "social engineering")
- accessing the system or network
through a hidden, embedded code unknown to the bank (known as
"Trojan Horse")
- intercepting transmissions and
attempting to deduce information such as user IDs and passwords
from them (known as "hijacking").
Banks should also have systems in
place to identify unauthorized access to computer systems or networks
by employees. The OCC warns that computer systems are often more
vulnerable to internal attacks than external because internal system
users have knowledge of and access to the system. Under the SAR
rules, banks are required to report "insider abuse involving
any amount." If a bank suspects that an employee is accessing
internal computer systems or networks without authorization, it
should consider reporting the activity as suspicious.
Until next month, be alert.