Ransomware. Fraudulent account activity. Data breaches. Cybercrime’s intensifying presence poses grave threats to the banking sector, but by cultivating close partnerships with law enforcement and governmental agencies, community banks can centralize resources and mitigate risks.
By William Atkinson
It is important—imperative, even—that community banks work with local, state and federal law enforcement agencies on fraud, cybersecurity and other public safety issues to share information, and coordinating resources and responses to such crime. By establishing positive working relationships, banks and law enforcement agencies can pool information and better respond to issues that place customers and banks at potential risk.
“Both fraud and cybersecurity are the topics that bankers say keep them up at night,” says Joel Williquette, senior vice president, operational risk policy for ICBA. “While banks, and the financial sector as a whole, are recognized as being one of the best-prepared critical infrastructures, there are still concerns around zero-day attacks—[those] that are novel or new enough not to be detectable.”
For example, says Williquette, nations such as China and Russia have advanced cyber capabilities, allowing them to increase their attacks on U.S. businesses. And according to a recent Financial Trend Analysis, the Financial Crimes Enforcement Network (FinCEN) indicated that, “If current trends continue, SARs [Suspicious Activity Reports] filed in 2021 are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined.”
Lean on law enforcement
What are some of the reasons for these increases? “The pandemic created additional opportunities with work-from-home environments, which, in some cases, are more relaxed in both security focus and technology safeguards,” says Williquette. He adds that the ranks of cybercriminals continue to grow, and digital crime is looked upon as an attractive and profitable career.
“It is difficult to catch digital fraudsters and hackers, and it is also very profitable to engage in digital crime,” he says. “Digital crime is really a growth industry.”
While comprehensive and constantly updated internal procedures are critical for community banks to stay ahead of these problems as much as possible, it is also critical that they establish strong working relationships with law enforcement agencies, and then coordinate with these agencies when problems occur.
Williquette recommends that community banks contact or visit their local Federal Bureau of Investigation (FBI), United States Secret Service (USSS), and/or Cybersecurity and Infrastructure Security Agency (CISA) field offices before an incident occurs.
“When we have a suspected cyber-related fraud, we notify the Internet Cyber Complaint Center [IC3]. … When the volume of [activity] reaches greater thresholds, the FBI will get involved.”
—Jeff Wyatt, Texas Bank and Trust Company
“This will give you familiarity with their offices and how to contact them when needed,” he says. “Once you have identified a real and significant cyber incident at your bank, initiate your incident response plan and teams, and then reach out to your incident response vendors, insurance company, legal counsel, law enforcement, CISA and regulators.”
One ICBA member that has partnered successfully with law enforcement agencies is $3.8 billion-asset Texas Bank and Trust Company in Longview, Texas, which operates 20 full-service banking centers through the east and north Texas regions, including five locations in the Dallas-Fort Worth area.
“When we have a suspected cyber-related fraud, we notify the Internet Crime Complaint Center [IC3],” says Jeff Wyatt, senior vice president and chief systems architect in the community bank’s technology division. “Individual account fraud may not be enough to warrant an FBI investigation, but when the volume of similar reported activity reaches greater thresholds, the FBI will get involved.”
According to Scottie Luke, senior vice president and chief risk officer in Texas Bank and Trust’s risk management department, the bank has developed a fraud group that is made up of several banks in its market areas, along with local law enforcement agencies, local FBI and Secret Service agents.
“Within our fraud group, we share information through meetings and via an email group as needed,” Luke says. “Pre-COVID, we held monthly meetings to share the latest fraud schemes and information on any cases we were dealing with, and that has now evolved to email only.” He adds that, as the pandemic continues to subside, the community bank will go back to its in-person monthly meetings as permitted.
Wyatt shares some of the details of how such cooperation can work successfully—in essence, discreetly stopping a potential cybercrime without alerting or alarming fraudsters to their actions.
“We have close relationships with the Secret Service, the FBI, state and federal regulators, TBA [Texas Bankers Association], ICBA and the Bankers Electronic Crimes Task Force,” Wyatt says. “On a few occasions, we have received possible business email compromises requesting account changes. Working with the Secret Service, we were able to pretend to make the requested changes and responded with indications that there were problems with the account.”
The community bank did this after it learned that attackers will often provide additional account information that allows the bank to identify multiple mule accounts at other associated institutions. Wyatt adds, “We then worked with the Secret Service and other banks to get these accounts closed.”
Go-to partners during a cyber incident
During a cyber incident, according to Joel Williquette, senior vice president, operational risk policy for ICBA, community banks should consider contacting either a regional office of the Federal Bureau of Investigation (FBI) or the United States Secret Service (USSS), as well as the Cybersecurity and Infrastructure Security Agency (CISA).
“Law enforcement’s primary role is in catching the ‘bad people,’ while CISA’s role is more geared toward protection, defense and recovery,” he says. “Both groups should be contacted, since they work together and fulfill different roles. They also have different resources that they can bring to mitigate a cyber incident.”
William Atkinson is a writer in Illinois.