Power of sharing for security

Josh Brown has spent virtually his entire career in some form of protection.

Today Brown works for Virginia’s Fauquier Bank, as director of security, and devotes his efforts to protecting that institution. He actually began as a locksmith, which led to a career as a Washington, D.C., area police officer, specializing in crime prevention duties. And this led to his next career move, in 2004, to become the bank’s expert on physical security and all forms of crime and crime prevention, including antifraud and BSA/AML duties, and a role in the bank’s enterprise risk management process. Brown even holds workshops for customers on issues like cyberfraud.

One of the most important lessons that Brown says that he learned along the way was the power of sharing information. It’s part of the job in police work, he explains.

“When you are in law enforcement, you share among your peers,” Brown explains. “You don’t want to be blindsided.”

Prevention and detection takes a team

Brown sees sharing as a key part of his current job—sharing within Fauquier’s organization, among financial institutions in his market area, and on the national level.

Inside the bank, there’s an advantage in being smaller. Fauquier is $602.1 million in assets, “so we’re not so big that we’re ‘siloed’,” explains Brown.

One of several ways that Brown participates in sharing of threat and related data is through FS-ISAC, the Financial Services Information Sharing and Analysis Center.

This industry service organization facilitates sharing of information both nationally and internationally and takes its cue from two presidential orders, one post-9/11, which “mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.” Another mechanism is sharing with local institutions.

A key effort for Brown is the bank’s participation in FRAMLxchange, an electronic network operated by Verafin for both users of its BSA/AML and antifraud modules as well as other participating institutions. (The latter can join at the invitation of users who are Verafin customers. Fauquier has been using Verafin products since 2009.)

Verafin’s FRAMLx technology gives banks and credit union investigators the ability to fight fraud and money laundering/terrorism attempts two ways.

First, FRAMLx alerts notify participating financial institutions about unusual customer activity spread across multiple institutions.

Second, and of especially strong appeal to Brown, is the service’s peer collaboration component. FRAMLxchange is registered with FinCEN as an association of financial institutions permitted to engage in information sharing under Section 314(b) of the USA PATRIOT Act. That section permits registered institutions to engage in information sharing under a safe harbor that offers protections from liability. Member institutions like Fauquier can securely collaborate one-to-one with other institutions to voluntarily share information about potentially suspicious activity—all within Verafin’s network. They can send, receive, and respond to queries from other network members.

What’s OK, what’s not

Brown says he’s used the Verafin network as well as other relationships and tools to both root out problems or potential problems but also apparent problems that turned out not to be so.

One of the first helpful functions is enabling a bank to determine, through queries to the network, if there is a common issue occurring. Criminals often pull the same methodologies on multiple institutions in multiple geographies, and without bank-to-bank communication, everyone but the crook operates in the dark.

Brown admits that the thought of not knowing what he doesn’t know keeps him up at night, sometimes. “I’m always reading,” says Brown, “but you just can’t know where the next threat is coming from.”

Through the network, Brown says, he was able to shut down a kite artist who was trying to operate through the bank. Helpful as that is, a bank doesn’t want to turn away legitimate business. So when Fauquier was confronted with the following scenario, Brown went to the network as well.

A customer received a $30,000 wire transfer. The customer then broke that large sum into smaller amounts and sent out his own multiple wire transfers. Was this a legitimate business transaction? Or part of some scam?

Querying other institutions through the network enabled Brown to determine that the customer’s actions were legal, and so the bank avoided having to shut off an account, or even filing a federal Suspicious Activity Report.

Receiving system alerts also helps Brown do his job, he says, because this prevents him from dismissing some behavior that appears to be legitimate at the local level, but looks otherwise when it shows up on a larger canvas.

Keeping the pipeline flowing

In all cases, having input from beyond the bank’s own organization helps Brown when compiling an investigation. Even where no currency transaction report or SAR is filed, the bank often must keep records to demonstrate that a concern was explored, and capture the facts and reasoning that resulted in no report being filed.

Brown hates the idea of adding “noise” to law enforcement’s information stream, and thus resists the idea of “defense filing”—this means, when in doubt, send a form to the government. This may cover the bank’s tail, but a more thorough job, with documentation held internally, may avoid wasting enforcers’ time.

“If a BSA officer files on something that they know isn’t suspicious,” says Brown, “it just bogs down the whole process.”