THE ADVISOR - Bank Security · The Advisor Newsletter January 2016 1 E-Newsletter Tools...



The Advisor Newsletter January 2016 1


THE ADVISOR

Published monthly for financial institution security and risk management professionals by the National Association for Bank Security and Profit Protection, LLC

January 2016 — Volume 35 Number 10

In This Issue

Welcome to the January 2016 Advisor. Starting with the July 2015 issue, we introduced a new feature that will offer subscribers a new link to a new look in addition to the familiar electronic Advisor.


FEATURED STORIES
Welcome to 2016!
Three 2015 Kidnappings
Rising Expectations for BSA/AML and OFAC Compliance
Concentrated Power
Bank Robbery Attempt Leads to Shocking End
A Violent Day: One Never Knows…

PRESIDENT’S CORNER
It’s About Time…

NEWS AND NOTES
Treasury Targets Mexican Drug Lord Chapo Guzman’s Criminal Network
Getting a Real “Kick” Out of Prosecuting Racketeering and Corruption
Can’t Be Too Careful: Security Flaw Exposes Bank Information
And in a Patriotic Context…
An Idea Whose Time Has Come: Please Add to Your ‘Good Ideas’ List
Identity Theft “Protection” Company Oversteps Itself…Again

TIP OF THE MONTH
From the FBI…

QUESTIONS OF THE MONTH
The NAICS Code and CTRs/SARs
Medically-used Marijuana
Distraction Scams One Might Expect to Encounter
Clarifying the 314(a) Obligation to Document the Search

OTHER FEATURED ARTICLES
Not So Good
The Bank Heist Connection
Dumb Crook
What Next?
Hacker Leaks Data after United Arab Emirates Bank Refuses to Pay Ransom

Welcome to 2016!

"Those who don't know history are doomed to repeat it." – Edmund Burke

What have we learned from this past year’s banking experiences? What made the news in 2015? Every issue of The Advisor contained stories of financial crime, security, and recovery, many with analyses and helpful tips – an object lesson to the advisory service. As we close out 2015 and look back at the news of the day, which are the stories that capture the essence of security and compliance? Which ones send a message, a regret, a lesson learned, or a chill? Which will provide the “take-away” needed to educate and strengthen your institution’s program, policies, and practices? The take-away should be to spot trends and direction of security risk and the means with which to prepare and mitigate that risk. Here are just a few highlights -- a recap of what we saw in 2015, looking at what to expect in the year ahead:

There were plenty of stories about bank and credit union robberies. The bandits ranged from resourceful to ridiculous, but were always to be considered armed and dangerous. The

(Continued WELCOME on page 2)

Three 2015 Kidnappings

During 2015 we profiled several early morning robberies in which employees were taken hostage after having been accosted while unlocking their banking facility or after their entry into the building by a gunman or gunmen inside. The gunmen broke in during the night and hid in ambush. These are two fairly common methods of committing the notorious morning glory robbery, and their danger is that they are premised on the presence of weapons and the taking of hostages. A third form of the three most common morning glory robberies (there are generally considered to be seven) involves the gunpoint hostage-taking of one employee and a family member or members away from the financial institution, often at home.

An unusual example presented itself during last year – actually three examples: the first in Oak Ridge, Tennessee, on April 28th; the second in West Knoxville, Tennessee, on July 7th; and the third in Ontario, Ohio, on November 5th. The three financial facilities, all of different financial institutions, were not too far apart, and indeed all three crimes were being investigated as of mid-December by the FBI as very likely having been committed by the same two-man team: an armed kidnapper/thief and an armed driver. For those interested, two men were arrested December 16th in North Carolina on suspicion of being behind the above robbery/extortion schemes.

(Continued KIDNAPPINGS on page 2)


FBI finally published some financial crime statistics, but not as extensive and detailed as in the past. The overall trend for 2014 when compared to 2011 was a decrease in bank robberies, increase in burglaries, and little change in larcenies. One of the most noticeable trends was a drop in bank, thrift and credit union robberies, partly offset by a significant uptick in those involving armored carriers. Another disturbing trend was the increase in takeover robberies. But The Advisor did carry a comprehensive piece on surviving a bank robbery, along with cases of violence during and after a robbery.

The FBI also published warnings on ATM skimming. We saw and reported many cases involving crimes committed at ATMs, including ID theft through skimming, burglaries, hold-ups (including tellers while servicing the ATM), and even one case of yanking an ATM out of the wall.

There were cases of armored car heists, at least one of which resulted in death. There was some good news relating to advances in technology and successes attributed to enhancements in security equipment.

There were stories of insider crimes, including one in New York dubbed Operation Pen and Teller, targeting dishonest tellers who stole and sold customer identity and banking information. On the flip side, there were cases of bankers as victims, including hostage-taking and injury.

The Advisor reported on and analyzed incidents of active shootings and violence in the banking workplace. And whether it happened in a bank or credit union lobby versus a developmentally disabled training center in California or to a news reporter and cameraman in Roanoke or at any school or college campus in Anywhere USA, the message was to plan and prepare for any eventuality.

The importance of contingency planning cannot be overemphasized. There were stories of emergencies, disaster preparedness and recovery. FFIEC published its new Appendix G to the IT Examination Handbook – covering a self-test of readiness and preparedness.

There were new “SAR Stats” from FinCEN, SAR enforcement for inadequate or non-timely reporting, and even SARs involving corrupt public officials. Other reports of BSA/AML enforcement against banks and bankers made the news, along with regulatory guidance and expectations of a culture of compliance and the need for compliance accountability at the highest levels. As if to reinforce this, the UK adopted final rules for AML compliance lapses and New York State even proposed that AML compliance officers be required to certify the adequacy of their programs and transaction testing and monitoring. FinCEN finally published updated National Risk Assessments on Money Laundering and Terrorist Financing.

The Advisor routinely discussed cases of financial data heists and cybercrime, along with a report from the Government Accountability Office (GAO) on enhanced cyber security exams. Also considered was an OCC report on potential problems with 21st Century (mobile) banking.

And of course there were many sightings of innovative banking fraud – from elder fraud to check and card fraud to identity, loan and even tax refund fraud. The mandatory chip-and-PIN rules occupied a good deal of that discussion.

Seven General Security Tips for the New Year

Given what we’ve just been through, and knowing the trends and likely direction of security risk, what can we do to be ready in the coming year?

1. Review, rethink, reinvent and remind ourselves about security policies, internal controls, preparedness and our respective codes of ethics and/or codes of conduct.

2. Know your enemy – bad actors, bad risks, and bad corporate cultures can lead to bad, often deadly results. Make frequently reviewed and updated preparedness an integral part of your corporate culture.

3. Do not disregard or set aside the red flags and exceptions from transaction activity management reports without a firm “reasonable explanation” of why.

4. Check and recheck that everything is working according to plan – no surprises in an industry full of surprises on a regular basis – inspecting, refining, and testing, testing, and more testing!

5. Keep moving forward. Learn from our mistakes and the experience of others.

6. Share the knowledge and experience – training, training, and more training. Security through education!

7. Security really is everybody’s business. It’s not easy. It’s not always comfortable. It’s not always predictable. But it is critical.

The Bottom Line: Nothing is ever certain – best laid plans, etc. But that does not absolve anyone from being as thoroughly prepared as possible. Success may be measured by avoidance of problems as well as their resolutions. The predictable future may not be perfect, but it may provide some focus moving forward. Let’s apply this as we enter into a new year. Regardless of the outcome, we wish to all our friends and loyal readership a Happy New Year and best wishes for the future, whatever it will bring.

(Continued WELCOME from page 1)

CASE I

The first hostage-robbery took place at Y-12 Federal Credit Union in Oak Ridge, TN. The CEO and his family were kidnapped from their home in the morning and held hostage away from the home at gunpoint. While the CEO’s family was held at gunpoint, he was coerced into removing money from the credit union. When this was accomplished, the other family members were released unharmed in the Gettysburg Country Club parking lot in Knoxville.

CASE II

In the second robbery, like the first, a banker and his family were held hostage by two masked men at gunpoint inside their home before being driven to the bank to steal the money. The banker was forced to remove money from his branch (West Knoxville) and hand it over to the two robbers while his wife and child remained in the car with the

(Continued KIDNAPPINGS from page 1)

(Continued KIDNAPPINGS on page 3)


hostage takers. The robber waited outside while the banker went inside and secured cash. The banker was left at the branch, and the gunmen drove off in the family vehicle with the wife and child still in the car. The car and hostages were abandoned on a dirt road unharmed where the banker's wife was able to get help. No one was harmed during the kidnapping and robbery.

CASE III

In the third case, an unknown suspect entered a KeyBank employee’s home while no one was present. The suspect ultimately held the bank employee and his young family hostage at gunpoint overnight until the morning. The next morning the banker traveled to his place of employment as demanded by the armed suspect and removed an undisclosed amount of money prior to the bank opening. The bank employee returned home and provided the money to the suspect, and the suspect then released the bank employee’s family and fled the area. No physical injuries were reported by the bank employee or his family.

COMMENTS:

The takeaway here is that security professionals tend to believe that what allows these hostage-taking criminals to so successfully pull off these hardly-simplistic and usually very lucrative morning glory bank robberies is pre-crime casing, which they believe these criminals engage in most, if not virtually all, of the time. Timing is important in all of the versions of the crime, and the best way to ensure that timing is “done right” is for the criminal to observe and become somewhat familiar with bank procedure. Conversely, it is important for bankers to not only follow all fundamental policies and procedures that relate to opening a bank in a secure manner in the early hours (such as proper dual-person opening of each banking site and proper key control), but also to make the procedures conspicuous for their deterrent value so that any given morning glory bank robber, who will probably be a veteran of this style of robbery, will be deterred from confronting tight, effective security and will back away and go elsewhere.

Some Notes on Assessing Risk

The following additional information will be of assistance in assessing your risk of a morning glory robbery:

The robber’s objective is to hold all bankers who are present hostage, with the hope of gaining access to the vault, or at least the night depository or ATM, thereby obtaining a much larger sum of money than a conventional bank robbery would afford in the privacy created by the facility’s locked doors while there are no customers present.

Facilities with one to four employees have the greatest likelihood of being victimized. The majority of morning glory robberies in which employee injuries or deaths have occurred have been at offices where six or fewer employees arrive at the facility before it is open to the public.

Most commonly targeted are offices or branches which are located in suburban areas or relatively small communities. The victimized facility is most frequently a freestanding building that houses only the banking office. It is commonly set back off the street, has its own parking lot, is not too far from a highway, and the inside of the office is not readily visible to those who walk or drive by.

Performing annual morning glory robbery risk assessments (as well as general overall robbery risk assessments at each banking site within your organization) allows you to determine if the level of security measures in place are adequate protection for each location based on their level of risk or vulnerability to a morning glory robbery, widely considered the most dangerous of all bank robbery risks. A consistent methodology should be utilized in the measurement of risk vulnerability. Four general components utilized to determine vulnerability are numbered below.

1. Current physical security devices and measures in place – are they adequate?

2. Total amount of monetary assets stored at the facility;

3. Geographical location of the facility – consider in relation to banking office type: stand alone, strip mall, multi-story building, business district, rural, urban, industrial, accessibility to major interstate, distance to law enforcement or government facility;

4. Crime risk factors within a defined radius of the facility: number of robberies at the facility within the past 12-36 months; number of robberies at neighboring facilities within the past 12 to 36 months; average loss from reported robberies; types and volumes of other crimes reported at the facility or neighboring facilities within the past 12-36 months; other crimes reported; gang activity; illegal drug trafficking activity;

Depending upon the data collected, additional security measures may need to be implemented at the site to include: complete premise protection of all doors, windows, and access portals; comprehensive interior and exterior surveillance; dye packs; tracking devices; bullet resistant glass; secured vestibules; remote teller processing; posting of armed uniformed guards, perhaps even overnight guards.

(Continued KIDNAPPINGS from page 2)


Remember SOX (Sarbanes-Oxley)? Remember how, in the aftermath of the scandals surrounding Enron and other publicly held companies, executives would be held personally accountable for misrepresenting the financial position of their companies? Remember how Congress raised the bar for full and accurate disclosures? Remember when the concept was first introduced for banking executives to be required to certify as to the accuracy of financial records?

Well, that concept seems to have now been borrowed and applied by New York State banking officials to compliance officers. Under a new proposal announced December 1st by New York Governor Andrew Cuomo, a bank’s chief compliance officer must certify as to the strength of the bank’s AML and OFAC compliance programs, putting the compliance officer in danger of criminal charges for giving incorrect, exaggerated, or false certifications.

In response to charges of industry noncompliance and to “shortcomings in the transaction monitoring and filtering programs of these institutions,” along with a perceived “lack of robust governance, oversight, and accountability at senior levels of these institutions,” this will put the onus on compliance officers to ensure the accuracy of AML compliance program information, including transaction monitoring reports and filters. This proposal will require banks to maintain “stringent filters” to help identify red flags and suspicious transactions that violate money laundering rules and a “Watch List Filtering Program” to interdict transactions that are prohibited by applicable sanctions, including OFAC and other sanctions lists, politically exposed persons lists, and internal watch lists. It will undoubtedly increase operations and technology costs and could also make it difficult to hire and retain qualified compliance staff.

Although only a proposal, this may not bode well for the industry. Could this be a sign of things to come beyond New York? The ripple effect could drive up compliance expectations (and associated costs). If so, would your institution be prepared? Would your compliance officer attest, under penalty of perjury and/or facing possible civil and criminal charges, to: 1.) the accuracy of reports, 2.) the adequacy of internal controls, and 3.) the measurable effectiveness (or “results”) of your BSA/AML and OFAC programs? If not, what would it take for him or her to do so?

Concentrated Power

Someone once said, "Power tends to corrupt, and absolute power corrupts absolutely."

In recent months, several 21st Century big-name cases have come to light that reinforce this sentiment. First, the former New Mexico Secretary of State Dianna Duran pleaded guilty to charges of embezzlement and money laundering in connection with a fraud investigation alleging that she skimmed thousands from her election bank account. According to reports, she withdrew these funds from area casinos.

In another high-profile case, former U.S. Speaker of the House Dennis Hastert pleaded guilty to charges of structuring transactions, stemming from his role in attempting large currency withdrawals from various banks while evading the required CTRs. As reported in the plea deal, he admitted to agreeing to pay an individual $3.5 million in so-called “hush money” in return for staying quiet about presumed indiscretions from his younger days.

Add the case of Sheldon Silver, former speaker of the New York Assembly. He recently was found guilty on seven counts of corruption, extortion, and money laundering, all stemming from schemes that produced nearly $4 million in exchange for using his position to help benefit a cancer researcher and real estate developers.

For financial institution security, risk management, and BSA/AML professionals, this takes on new meaning, given the emphasis from the Financial Action Task Force (FATF) when expanding the concept of “PEPs” to include not just foreign senior political figures, but domestic PEPs as well. http://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-PEP-Rec12-22.pdf

While the guidelines, which speak to domestic as much as foreign-entrusted authorities, are directed at more egregious crimes involving “unjust enrichment” such as looting the national treasury while fleeing the fiefdom, FATF does speak to the need to assess customer risk in light of the potential for corruption. FATF Recommendation 12 discusses risks associated with those individuals in a “prominent public function” as entrusted by a foreign or domestic government. In other words, those in a position of political, judicial, legislative or military power should be viewed in the cold light of day, removed from the shadows, and with an eye toward their transactions, sources of funds/wealth, and other financial activity. It’s all about risk assessment and, according to FATF, as reinforced by these types of headlines, risky business deserves a closer look, including expanded customer due diligence, monitoring and awareness of certain indicators and red flags. That sends a clear message to all financial institutions.

Bank Robbery Attempt Leads to Shocking End

A grisly scene unfolded recently on a busy street in Miami Beach, Florida. Police wound up shooting and killing a man at point-blank range immediately after Tazing him in a brief but confusing episode that seemed to be exacerbated by miscommunication. It began with a bank robbery that went awry for the robber, and might have come close to going awry for bankers and customers had the robber been armed as he claimed.

According to a report from the FBI, which is investigating the bank robbery portion of the crimes committed, the man shot dead by police first walked into a Bank of America

(Continued ATTEMPT on page 5)

Rising Expectations for BSA/AML and OFAC Compliance


PRESIDENT’S CORNER

branch at approximately 10:30 am. He showed a note to a teller demanding money, and, curiously, it was rather politely written. It stated, “Give me all of your 50s, 100s & 20s [next line] Please [next line] I have a bomb, so please.” However, reportedly the suspect also told the banker to whom he gave the note that “he would shoot a customer.”

In spite of the alleged oral threat when the note was passed, “bank employees never gave him any money, and he left the bank,” as stated by the FBI report. No shots were fired, no object was left behind, and no one was injured, said a local investigating police detective.

There were no reports of any form of verbal exchange at the time the suspect was not given any money, or what shape any verbalized refusal might have taken. While it was reported that no shots were fired moments before the police confrontation while the suspect was inside a nearby barber shop (which is where he was reported to have gone immediately after the attempted robbery), he was reported to have grabbed a straight razor and “waived it around” in the shop in a threatening manner. What happened next suggests that bankers in the branch that morning may now have a new risk-assessed vision of how an event like a presumed unarmed and seemingly typical bank robbery might quickly unravel and go south right inside a bank.

Police found the man shortly after he entered the barber shop and urged him to come out. When he finally did so, they saw that he was shirtless and was holding the straight razor, a very dangerous instrument. What happened next has become familiar to the public because videos of it have been played over and over again, ad infinitum. The suspect was immediately challenged by officers in the street and told to put the “knife” down. Seconds later, while standing by the hood of a police car, he raised his hand with the razor in it, at which point he was Tazed in the chest and then immediately shot twice in the chest by law enforcement, dying at the scene. Fortunately, no bankers, customers, or others were hurt in this incident.

(Continued ATTEMPT from page 4)

A Violent Day: One Never Knows…

A case of kidnapping followed by a shooting unfolded at 12:30 on a recent Monday when a gunman approached two strangers on Main St. in Richmond, Virginia, and asked them for money. When they told him they did not have money to give him, he pulled a gun on them and forced them back into their vehicle. Directing them from the back seat, the gunman ordered them to go to a nearby bank where one of them did his banking. There he ordered the bank customer to go inside and withdraw cash. Once inside, however, the victim alerted police to the situation. Starting to panic because of the time that had elapsed, the gunman ordered the second hostage, a colleague of the first hostage at the same law firm, to drive away. When later asked about this at the scene, Richmond’s police chief said the first hostage did the right thing.

Richmond Police wasted no time in starting to pursue the older, grey-colored SUV through the city at a moderate speed, with a police airplane tracking the vehicle. Finally, after spike strips had been deployed and the SUV had failed to elude them, the SUV, pursuing police vehicles, and the police plane wound up back downtown. The pursuit had lasted about 30 minutes.

Unfortunately, the gunman was not ready to give up. Desperate, and seeing no way out but by heightened violence, he shot the second hostage in the head. With this, police officers opened fire. The result? Both the suspect and hostage were seriously wounded, but it was thought at the scene that they were in reasonably stable condition. One of the police officers was wounded, but not seriously.

It’s About Time…

Over the years, loyal readers of The Advisor have heard many stories and experiences about bad actors. These are the folks who readily prey upon the elderly, the not-so-financially-astute, and many other financial institution customers, clients and members. Regular updates on the latest schemes and scams have included a growing number and variety of cases with unhappy endings. Finally, here is a story with a positive outcome: a cautionary tale with a redeeming lesson learned.

At a recent NABS seminar, one of the speakers told how his 93-year-old mother recently experienced the “granny-scam.” A nice young man (call him “Freddie the fraudster”) called and convinced her that he was her long-lost nephew and was in desperate need of money for some financial emergency. He had all the facts right – name, background, family details, etc. It was later learned that Freddie got a lot of it from the published obituary of the victim’s deceased sister. The victim-to-be went to her bank, withdrew money, took it to Western Union, and wired it to that nice young man.

Unbeknownst to Freddie, and due to his bad luck and bad planning, his victim’s son turned out to be the senior financial intelligence analyst for the local U.S. Attorney’s Office. Using the investigative skills acquired over a long career in law enforcement, and in cooperation with colleagues in state and federal law enforcement and elder fraud protection, the subject was identified, tracked to his home, and busted, along with his co-conspirator girlfriend. The good news -- he was sentenced to 8 years. The better news is that our victim just received a check from the court for partial restitution.

1. First lesson learned: from the perspective of the financial institution customer/client/member, don’t be duped by a convincing phone call from a persuasive con-man. If there is one incontrovertible truth, it’s that folks like Freddie have friends, some with even less of a moral compass.

2. Lesson two: as a customer and as a banker, be alert! Watch for the telltale signs of duplicity. And if victimized, don’t be afraid (or embarrassed) to come forward. Swear out a complaint, pursue the truth and persevere.

3. Lesson three: from the perspective of the fraudster, the lesson to be learned is think twice (or thrice) before you go after someone whose son works for the good guys, all of whom are well-trained and experienced in tracking down and prosecuting the bad guys. Someone who pursues terrorists, money launderers, human traffickers, and other hardened criminals for a living is not a person you bad guys want to mess with.


NEWS AND NOTES

Treasury Targets Mexican Drug Lord Chapo Guzman’s Criminal Network

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) has designated two Mexican nationals, Guadalupe Fernandez Valencia and Jorge Mario Valenzuela Verdugo, pursuant to the Foreign Narcotics Kingpin Designation Act (Kingpin Act). These individuals were designated for their criminal activities in support or on behalf of the Sinaloa Cartel or certain of its high-ranking members, such as the notorious Chapo Guzman and his son. This action follows the January 2015 unsealing of an indictment by the U.S. Attorney’s Office for the Northern District of Illinois against Fernandez Valencia, Valenzuela Verdugo, and other Sinaloa Cartel co-defendants including Joaquin “Chapo” Guzman Loera and his son, Jesus Alfredo Guzman Salazar. As a result of the Treasury action, any assets these two individuals may have under U.S. jurisdiction are frozen, and U.S. persons are generally prohibited from engaging in transactions with them.

“As Sinaloa Cartel lieutenants for Jesus Alfredo Guzman Salazar, Fernandez Valencia and Valenzuela Verdugo ultimately bolster the power and influence of Chapo Guzman’s nefarious criminal activities,” said OFAC Acting Director John E. Smith. “Treasury will continue to aggressively constrain the financial resources of those who support Mexican drug lord Chapo Guzman and his illicit drug and money laundering operations.”

Getting a Real “Kick” Out of Prosecuting Racketeering and Corruption

It’s not often we find a story that links organized sports and organized criminal conspiracy with bank secrecy and security. But the simmering story surrounding FIFA (The Fédération Internationale de Football Association), the international governing body of football (or soccer), is really heating up at year end. Amongst all the resignations, allegations of bribery, and/or investigations of corruption on the world stage, the U.S. Department of Justice unsealed a 92-count indictment in Brooklyn on December 3rd, charging another 16 defendants with conspiracies of racketeering, wire fraud and money laundering. Guilty pleas of eight of the defendants were also announced. Bank records were undoubtedly a significant part of the investigations and following of the money.

In connection with the announcement, two defendants were arrested in Switzerland at the request of the U.S., and a search warrant was executed at a sports marketing company in Miami. As a reminder, a New Jersey-based sports marketing company pleaded guilty last May to wire fraud and tax evasion. Overall, this case, involving fraud, bribery and corruption at the highest levels, has ties to defendants in many countries, and was investigated and prosecuted by many law enforcement agencies in multiple jurisdictions. Once again, it demonstrates the power of laws against money laundering and corruption, along with the extra-territorial reach of these laws.

Can’t Be Too Careful: Security Flaw Exposes Bank Information

Recently the giant computer firm Dell released a statement to the press in which it admitted that it inadvertently placed a security hole in its computers that could allow hackers access to users’ bank and other personal data. Giving some insight into the seriousness of the development, some so-labelled computer security experts allegedly termed the security hole a “profound security flaw.” And it added fuel to a fire already set: another company was previously criticized for pre-installing adware (added-on software) that would potentially compromise security.

Customers were provided with guidelines on how to permanently remove the malicious software. Those aforementioned security experts said the software installed by Dell had two flaws: 1) the software would allow traffic to be intercepted, potentially exposing sensitive information; and 2) the key could be used to make a user’s computer misidentify unsafe connections as safe (for example, you could think you were looking at your bank’s website, whereas you would actually be looking at a spoofed site). Traffic on each site visited by users could be intercepted. Said one of the security experts, “In this way, supposedly secure communications could be eavesdropped upon, and passwords, usernames, session cookies, and other sensitive information could fall into the hands of malicious hackers.”

And in a Patriotic Context…

This is a note for American financial institutions that consider themselves patriotic. Here’s what the European Union may do in response to the Paris attacks that occurred last year, headlined by the following quote: “EU Calls for European Intelligence Agency.” The European Commission recently called for the establishment of an EU-wide intelligence organization in the wake of the Paris attacks. The call occurred during what was termed emergency talks among Interior Ministers discussing ways to boost security. No mention was made of the San Bernardino massacre, but it may have helped fuel the intensity of the interest in forward movement in the talks.

The intelligence-meshing proposal comes amid concerns about how the gunmen who killed 129 people were able to remain under the radar despite some of them having shown some signs of radicalism and moving through several European countries. “This meeting is of great importance,” stated European Union Migration Commissioner Dimitris Avramopoulos to reporters in Brussels, Belgium. “After ‘Charlie Hebdo’, I had proposed the creation of a counter-terrorism centre at Europol… and finally it was done…I believe it is now a moment to take one more step forward and put forth the basis for the creation of a European intelligence agency.”

It appears that the European Union is poised to take a significant step in the war on terrorism. This move may encourage us, particularly in the context provided by tragedies suffered in this country, to bolster our intelligence community rather than tear it down as we have done in recent years.

In a related story, the U.S. and Russia led the charge in a coalition of 13 nations to approve a UN plan to go after the financial assets of ISIS by putting the squeeze on funding sources. In the march to creating their caliphate, ISIS is reported to be funding their activities from the sale of commodities, such as gas, oil, cotton and even smuggled antiquities seized from its excursions into Syria and Iraq. In a statement, U.S. Ambassador to the UN Samantha Power said, “Denying [ISIS] access to the international financial system is a key element of any comprehensive strategy to degrade and ultimately destroy it.” And, according to U.S. Acting Undersecretary of Terrorism and Financial Intelligence Adam Szubin, the key is to follow the money and shut down access to the worldwide financial system. While this may not immediately resonate with every U.S. bank, the prospects are daunting for enhanced scrutiny and due diligence.

An Idea Whose Time Has Come: Please Add to Your ‘Good Ideas’ List

Congratulations to Farmers Bank and Ohio Valley Bank in Ohio for recognizing the importance of attempting to mount a meaningful offensive against cyber-crime. During the holiday season, they are partnering to bring what they call a “Cyber Security Summit” to their community. The objective is to “bring consumers and local businesses up to speed on current cyber threats and leave them with effective tactics so that they can protect themselves, free of charge, with the bonus for the two banks that current and potential customers will become what bankers desire: educated customers.

Paul Reed, president and CEO of Farmers Bank, seems to have a good sense of proportion about the significance of the idea: “Our customers are our greatest assets,” he firmly stated. “Protecting them is our most important responsibility, and we take that very seriously. The threat of cyber theft is real, but it is possible to prevent. The opportunity to bring businesses together is not only timely but very valuable for our community.” (According to the editors of Forbes magazine, cyber attacks are costing American businesses $400 billion to $500 billion a year, and that does not include the many attacks that go unreported annually.) Teachers will include the president and CEO of Ohio Valley Bank and several information security specialists. Adding to the enjoyment of the time will be light Christmas-style refreshments.

Identity Theft “Protection” Company Oversteps Itself…Again

We think that the moral of this very short story should be: “Beware of any advertising that sounds anything like this, ‘We can prevent identity theft’.” Five years ago we profiled a case in which LifeLock, the exceptionally popular, so-called identity theft protection company, claimed a little too much capability to suit the Federal Trade Commission and was penalized financially. Here the company has gone and crossed swords with the FTC again. LifeLock has been charged with – and this is profoundly ironic -- failing to properly secure its customers’ information and for misrepresenting the strength of its security. As a consequence, the company has recently agreed to pay $100 million to the FTC for its less-than-careful claims, etc., $68 million of which will be used to pay back consumers who sued the company in a class-action lawsuit.

In 2010, LifeLock settled with the FTC and 35 state attorneys general for $12 million. The claims were that the company had not secured customer information adequately and had made false claims about what it offered to consumers. It subsequently signed an agreement with the FTC saying that it would change its behavior accordingly. However, in the summer of 2015, the FTC came to believe that the firm violated the 2010 agreement/order, and it is costing the company dearly. Edith Ramirez, Chairwoman of the FTC, stated the regulator’s position on enforcement of its orders: “This settlement demonstrates the Commission’s commitment to enforcing the orders it has in place against companies, including orders requiring reasonable security for consumer data.”


TIP OF THE MONTH

From the FBI…

The FBI warns us of the following scams, which seem to be growing in popularity (suggested use: in-house newsletter; statement stuffers [customer service gestures!]; website):

Online Shopping Scams—If a deal looks too good to be true, it probably is. Steer clear of unfamiliar sites offering items at unrealistic discounts or gift cards as an incentive to purchase a product. You may end up paying for an item, giving away personal information, and then receive nothing in return except a compromised identity. In addition, do not open any unsolicited e-mails or click on the links provided.

Social Media Scams—Beware of posts on social media sites that appear to offer vouchers or gift cards. Some may pose as promotions or contests. Often, these are scams that lead you to participate in an online survey that is actually designed to steal personal information. In addition, do not post photos of event tickets on social media sites. Fraudsters can use the barcode to recreate tickets for resale.

Smartphone App Scams—Before downloading an app from an unknown source, look for third-party reviews. Some apps, often disguised as games and offered for free, may be designed to steal personal information from your device.

Work-from-Home Scams—Beware of unfamiliar sites and postings offering work you can do from the comfort of your own home. These opportunities may have unscrupulous motivations behind them. You should carefully research individuals or companies offering employment before providing them with your personal information.

Consumers who suspect they’ve been victimized should immediately contact their financial institution, then law enforcement. They are also encouraged to file a complaint with the FBI’s Internet Crime Complaint Center, regardless of dollar amount lost (www.IC3.gov).


QUESTIONS OF THE MONTH

The NAICS Code and CTRs/SARs

Our bank is filing a CTR in connection with a well-known customer, but we are stumped by how to report her occupation. I have sounded everything but the right thing for a NAICS Code for a person who, in the good ole days, would be a housewife, stay-at-home mom, who is not employed.... what would the code be? I had always put in the field Domestic Engineer, but when I look up the code, to me it reads that it pertains more to a “nanny,” “gardener,” maid, etc.

What should we put in as far as a code goes?

The answer is, “whatever makes it clear and descriptive to law enforcement” and not necessarily what is politically correct. This sounds like you are trying to apply a NAICS code to an individual who is conducting the large cash transaction. Our position with respect to the occupation or type of business is consistent with that of FinCEN and remains pretty clear: “If the specific occupation is not found in the authorized FinCEN listing of NAICS codes, leave the field blank.” Rely instead on the text field in Item 9 (occupation or type of business) to describe “housewife,” “unemployed,” or whatever would be sufficiently descriptive. That, in turn, may beg the question of what does the domestic engineer do to generate over $10,000 in currency?

To help support your decision, here are some related excerpts from FinCEN rulings and FAQs that may be useful:

“FAQ 19. How do I determine whether or not to indicate a North American Industry Classification System (NAICS) Code? FinCEN previously issued guidance in March 2012 that addressed the selection of the NAICS Code on the FinCEN CTR and FinCEN SAR. FinCEN emphasized that financial institutions will continue to be expected to provide only that information for which they have direct knowledge. As noted in that guidance, the issuance of the FinCEN CTR does not create any new obligation or otherwise change existing statutory and regulatory requirements for the filing institution. In addition, use of a NAICS code is not mandatory, and a financial institution may still provide a text response with respect to this information within the “Occupation” field.

Please note that batch filers must use only the 3-4 digit NAICS codes on our approved list of codes. Discrete filers can select from the available drop-down list embedded within the CTR. Please refer to FIN-2012-G002 for further information.”

With respect to that guidance issued March 9, 2012, FinCEN stated:

“Law enforcement officials have indicated that the NAICS code is beneficial in CTR and SAR data; however, FinCEN emphasizes that financial institutions will continue to be expected to provide only that information, for which they have direct knowledge. Again, the issuance of the new CTR and SAR does not create any new obligation or otherwise change existing statutory and regulatory requirements for the filing institution. In addition, financial institutions are not required to become familiar with NAICS codes, as the appropriate list of codes is contained in a drop down menu that automatically populates the field. In addition, use of a NAICS code is not mandatory, and a financial institution may still provide a text response with respect to this information.”

Medically-used Marijuana

Will medically-used marijuana cause prohibitive security problems?

The closest we can come to offering a straight answer to this question is a definite “maybe.” Other drugs (illegal ones) generally considered more dangerous than marijuana most probably bring crime with them. This seems to be a universally-accepted truism by now. Using marijuana has been claimed by some to lead to the use of more dangerous illegal drugs. If this is true, then a claim that marijuana (used medically and recreationally) will usher in an increase in crime by virtue of its leading to more serious illegal drug use does not seem unreasonable.

Some claim that any increase in the use of marijuana, even where it is already in use illegally (e.g., for recreation in a medical-use-only state), will, in and of itself, usher in an increase in crime. This may not be an unreasonable claim either, for two reasons:

Because its sale is illegal in many areas of the country (on the bases of state-law, county-ordinances, and/or local-ordinances) and is desirable enough to cause illegal use and the commission of other crimes in order to purchase it;

Because of the apparent fact that a legal recreational and/or medical marijuana business will be a cash-based business, which banks will in large measure cause because of their understandable fear of consequences stemming from the legal reality that marijuana for any kind of use is still considered forbidden by federal law (which happens to be at present essentially unenforced).

Some medical experts claim that continued use of marijuana can impair judgment and memory – if so, this could have security ramifications; others claim that smoking cigarettes and continued marijuana use together increases the risk of contracting lung cancer five times over the risk from cigarettes alone. Is this a security risk? It’s at least potential for a debilitated workforce.

Thus medically-used marijuana, by virtue of its possible illegal recreational use and its possibly helping to usher in the use of stronger, more dangerous illegal drugs, may be seen (but only “may be”) as a possible security risk, and may carry with it potential legal liability ramifications, as well as simply legal ramifications of violating federal (as well as some state and more local) law.

Distraction Scams One Might Expect to Encounter

What distraction scams might we expect to encounter on the banking landscape?

Distraction scams are limited in variety and ingenuity only by the imagination of the con artist. These individuals are so well-versed in their trade that bankers as well as their customers are at risk. Acting in a way not entirely unlike the manner in which illusionists ("magicians") act when they take control of your attention and move it away from the tricks they want to accomplish with their hands (classic misdirection), con artists that operate in the banking environment impersonate priests, police officers (complete with uniforms, radios, weapons, and motorcycles at drive-throughs), doctors, nuns, and sympathy-eliciting old widows draped in black; they approach bank personnel as pregnant/not-pregnant women carrying infants, schmoozing Casanovas, physically-challenged persons, and purported chums of bank officers; they chat about the news, both sad and joyous, personal problems, cold/hot/wet/dry weather extremes – you name it – all in an attempt to distract the person in control of funds they have targeted. Others cause disturbances that facilitate a wide range of crimes, including short-change scams, check-cashing frauds, and grab-and-run larcenies. Still other distraction-scam artists are masters at using the telephone as a means of developing credibility and setting up a fraud. Here are two examples of distraction scams.

The Disturbance Ruse

One gang member visits the targeted bank and, using a pretext, learns the location of the objective, in this example, traveler’s checks. Two or three other members of the gang visit the bank later. Their preference is the busiest time of the week. One or two create a diversion by creating a disturbance. One gang has used two people speaking in a foreign language and broken English, arguing loudly with each other and perhaps an employee or two. The uninvolved individual in this gang steals the checks in the confusion, on some occasions using a collapsible device to reach over the teller counter if the checks are out of reach. In some cases, the checks are stolen from the desks of platform people.

The Short-Change Scam

The success of this type of scam depends on successfully confusing the banker and causing that person to not fully complete one transaction before starting another. In one example, the con artist lays a $100 bill on the counter and asks the teller to give him $6 in quarters and $1 in dimes, with the rest in assorted bills. As the teller is counting out the change, the stranger unobtrusively places a second $100 bill on top of the first. He then informs the teller that he wants to exchange another two $100 bills for four $50 bills. In effect, he has initiated a second transaction while the teller has still been busy with the first one. He counts the first $100 bill as one of the two $100 bills that he wishes to exchange for four $50 bills.

After finishing the change count and now seeing two $100 bills on the counter, the teller is not sure he has not already received the first $100 bill. He does not want to risk embarrassment or confrontation. He presumes he has put the first $100 bill in his cash drawer. He picks up the two $100 bills from the counter and gives the stranger four $50 bills. The stranger walks away with the four fifties, and also the $6 in quarters, $1 in dimes, and the rest of the change (various bills totaling $93) for the first $100 bill. He has come into the bank with $200 and walked out with $300.

Clarifying the 314(a) Obligation to Document the Search

Last month’s “Question of the Month,” “Making the Case for 314(a)” (The Advisor, December 2015, Volume 35, Number 9), had to do with changes to the 314(a) instructions for those who access and download the bi-weekly, ultra-confidential list of names from FinCEN. Our response, based on previous discussion with a FinCEN hotline representative, was that each download was accompanied by an activity report, which would serve as documentation that a financial institution had conducted the search. We had also noted that the latest FFIEC BSA/AML Examination Manual stated, “Banks may print or store a search self-verification document from the Web-based 314(a) SISS for each 314(a) subject list transmission.” But our response also proposed that “a prudent step would be to contact both FinCEN and your primary banking regulator(s) for additional guidance.”

Since then, an alert reader let us know about clarifying information from a subsequent discussion with a FinCEN representative. FinCEN confirmed that the self-verification feature recently was removed from the SISS Guide and activity report. Consequently, the activity report itself would not represent documentation that a search was performed. The FinCEN rep further insisted that this “self-verification” feature was never represented to satisfy documentation of the search, as had been commonly misunderstood by bankers, auditors, and examiners. Based on this revelation, it would appear that each downloaded 314(a) listing would need to document that each name was the subject of a search, and that auditors and examiners would expect that such documentation would be available for review.

As before, we still maintain that prudence would dictate contacting both FinCEN and your primary banking regulator(s) for definitive guidance.


OTHER FEATURED ARTICLES

Not So Good

There are times when it is appropriate to consult management about a security matter, and times when it is not. Case in point: At about 3 pm in late November, police in a Denver, Colorado, suburb responded to a bank because of a report of what was termed “suspicious activity.” When police arrived at the bank, they were informed by the teller that a full 30 minutes earlier a man had approached the counter and handed her a note “that indicated a robbery,” as she phrased it. The police taking this report were more than likely dumbstruck by the nonchalant manner of the report, and perhaps a little confused. The note (recovered later) read: “This is an armed robbery!!! [Yes, there were three exclamation points here and at the end.] Remain calm and nobody will get hurt. You have 20 seconds to put $10,000 in unmarked bills in an envelope. Failing to do so may result in the endangerment of innocent lives. Go!!!”

This note was every bit an all-business robbery demand note, not just an “indication” of a robbery, even though the sentence that began with the words “Failing to do so…” changed the tone to something sounding bureaucratic.

The teller told police that she backed away from the counter to show the note to her manager rather than complying with the robber’s demand as stated very clearly in what was a demand note, not a written request. The manager read the note and told the teller to give the man the money. But when the teller returned to the counter, the man was gone. Needless to say, the teller’s election to seek advice from the manager at such a critical time and leave the robber standing there without acceding to his demand was a risky act and a violation of Bank Protection Act and generally accepted standard-of-the-industry protocol. It was not the time to seek management advice -- it could have resulted in violence and the taking of a hostage.

The Bank Heist Connection

Late one recent Friday afternoon local police in the Denver, Colorado, area responded to a report of a robbery at a Guaranty Bank branch. A man described as in his late teens or early twenties approached a teller and slid a robbery demand note across the counter towards her. A moment later he walked out of the branch with $1,906, including five $20 bills whose serial numbers had been recorded and placed on file.

When police started investigating this case, they had no idea that it was related to the robbery profiled in the preceding story, “Not So Good.” However, when they reviewed both banks’ security camera videos, they noticed right away that a similarly-sized man wore a red baseball cap and a red-hooded sweatshirt with the word “Utah” written across the chest. It would be difficult to think of a more explicit connection between the two crimes, in view of how odds and probability work. A banker-witness to the second crime reported to police that the suspect ran out of the bank and jumped into a silver hatchback, which sped away from the scene.

Detectives distributed still photos of the suspect to local law enforcement agencies in an effort to learn his identity. On Monday, three days after the crime, a probation officer responding to having seen one of the pictures called the local police investigating the crime to tell them one of his clients (the suspect) had been in his office a week earlier and was wearing the same sweatshirt. Investigating detectives compared their still photos of the suspect with his prior mug shots and photos on his publicly accessible Facebook page (!!!), a social medium that delights many, at the same time seems to repel a considerable number of less tolerant people, but not infrequently has aided law enforcement in apprehending criminals. This was too much evidence to be denied, and if recovered, the five bait-money bills would simply be icing on the evidence cake.

Dumb Crook

“I have to go. I have to call 911.” Those were the words of TV reporter Adam Sallet of KIMT-TV in Mason City, Iowa. He was doing an on-location update of a bank robbery on live TV when he learned that the suspect had just struck again at the branch he and his cameraman were standing near. Before he could react to the knowledge, a banker ran out the front door pointing out the robber. This was what prompted the reporter’s call to 911.

Arriving police spotted the suspect heading away from the branch, and he was quickly captured. Miraculously, no one had been harmed.

The robber had paid little or no attention to the TV remote truck out front, which had been clearly marked and well identified. This put his foolhardiness on a level equivalent to the banker's, who ran outside after the crime pointing at the robber, a violation of a primary principle of safety after a robbery!

What Next? Hacker Leaks Data after United Arab Emirates Bank Refuses to Pay Ransom

A hacker who broke into a large bank in the United Arab Emirates made good on his threat to release customer data after the bank refused to pay a Bitcoin ransom worth about $3 million.

The hacker, who calls himself Hacker Buba, breached the network of the bank in Sharjah -- reportedly identified as Invest Bank -- and began releasing customer account and transaction records via Twitter. Although cyber extortion hacks using ransomware are a growing trend, it doesn’t appear that the hacker in this case used ransomware. Ransomware involves malware installed on a victim’s machine that encrypts their data or otherwise locks them out of their system until they pay a ransom, usually in Bitcoin. In this case, it appears the bank still had access to its systems, and the hacker merely siphoned the data.

The 64-dollar question? To what extent are American financial institutions at risk in the face of this insidious practice? This goes well beyond threatening denial-of-service attacks in response to refusal of ransom payments.


ROBBERY ASSIGNMENT KIT

Order form columns: Quantity, Product Code, Product, Price Each, Total Price

OS214600 Robbery Assignment Kit(s) $29.95
OS214602 Robbery Assignment Kit includes one of each: height marker, roll of caution tape, “closed” sign and Weapons Identification Guide $65.95
OS1237 Weapons Identification Guide $24.95
OS1234 Color-Coded Height-Marker Tape $9.95
OS1235 Caution Tape $9.95
OS1236 Laminated Door Sign $7.95

Subtotal $
Florida add 6% Sales Tax $
Shipping and Handling Charge $17.95
TOTAL $

RETURN TO:
National Association for Bank Security
4800 S.W. 51 Street, Suite 101
Ft. Lauderdale, FL 33314
Phone: 954-327-1223 • Fax: 954-327-1226

Payment: Check enclosed (payable to: National Association for Bank Security) or Bill me.


Order Now! fax

1-888-390-NABS (6227)

phone

1-800-390-NABS (6227)

online www.banksecurity.com


The Advisor is published monthly by: National Association for Bank Security/Profit Protection, LLC

4800 S.W. 51 Street, Suite 101, Fort Lauderdale, FL 33314 Toll Free: 800-390-6227, 954-327-1223, Fax: 954-327-1226

Web Site: www.banksecurity.com

Distributed through the following state associations in cooperation with NABS/Profit Protection, LLC:

Alabama Bankers Association; Colorado Bankers Association; Connecticut Bankers Association; Georgia Bankers Association; Illinois Bankers Association; Indiana Bankers Association; Iowa Bankers Association; Kansas Bankers Association; Kentucky Bankers Association; Louisiana Bankers Association; Maine Bankers Association; Maryland Bankers Association; Massachusetts Bankers Association; MBA Insurance and Services, Inc.; Mississippi Bankers Association; Missouri Bankers Association; Montana Bankers Association; New Jersey Bankers Association; New Mexico Bankers Association; North Dakota Bankers Association; Ohio Bankers Association; Oklahoma Bankers Association; South Carolina Bankers Association; South Dakota Bankers Association; Virginia Bankers Association; West Virginia Bankers Association; Wisconsin Bankers Association; Wyoming Bankers Association

Editor: Thomas R. Duxbury, MA

Advisory Board: Greg Benson; Timothy E. Doherty; Thomas R. Duxbury, MA; Maureen Holteen; Marcus H. Ford; Jay M. Friedland, Esq.; Phillips G. Gay, Jr., CRCM, CRP, CAM; Fred A. Gwin, CPP; Alan J. Hazen; Boris F. Melnikoff, CPP; R. Eugene (Gene) Seitz, CBE; Bill W. Thompson, CPP; J. Branch Walton; Susan Wind

All rights reserved. Subscription rate: $185 per year (12 issues) in the U.S.A., U.S. possessions and Canada; substantial volume discounts are available. The information contained in this publication is intended to report incidents directed against financial institutions and furnish guidelines for its readers and is not purported to be legal advice or to represent that the guidelines are applicable to all the circumstances of every financial institution. For legal advice, users are encouraged to consult appropriate legal counsel. Neither the publishers nor NABS/Profit Protection, LLC, will be responsible for any consequences resulting from the use of any information contained herein. Copyright© by the National Association for Bank Security/Profit Protection, LLC.