FDIC: Beware Low-Tech FraudRegulator Michael Benardo on the Top 5 Fraud Threats to Banks
Michael Benardo, chief of the Federal Deposit Insurance Corp.'s Cyber Fraud and Financial Crimes Section, says banks have to look ahead to new cybercrimes, while at the same time keeping a close watch on some of the tried-and-true low-tech fraud schemes.
In this exclusive interview, Benardo, discusses:
- The role the FDIC plays in helping financial institutions combat and prevent fraud;
- How international communication is taking on more prominence among financial players, law enforcement and governmental bodies;
- Why consumer education still ranks as one of the most effective fraud-prevention methods.
Benardo is the chief of the Cyber Fraud and Financial Crimes Section in the FDIC's Division of Supervision and Consumer Protection. He oversees all aspects of fraud-related initiatives, including establishment of regulatory policies and procedures. He is instrumental in developing and implementing fraud-related supervisory programs, including examination techniques, and represents the FDIC on interagency working groups with a goal of developing consistent interagency programs for combating financial institution fraud.
Benardo has 18 years of progressive experience with the FDIC, including serving as a manager in the Technology Supervision Branch. He also served as a key member of the FDIC's Year 2000 project team from 1997 through the century date change. Prior to his employment with the FDIC, Benardo spent six years working in the commercial banking industry. He worked in a variety of areas, including several assignments in bank operations. Benardo holds a bachelor's degree in finance from the University of South Florida.
TRACY KITTEN: Before we get started, could you please tell the audience a bit about your role within the Cyber Fraud and Financial Crimes Section of the FDIC?
BENARDO: Sure. My official title is section chief, and that means I manage the section. The Cyber Fraud and Financial Crimes Section fits within our technology supervision branch in the Division of Supervision and Consumer Protection at the FDIC. So, we work very closely with the Information Technology Section and other sections; the Technology and Supervision branch, on issues related to how banks use technology; the threats and vulnerabilities that exist in those technologies or against those technologies; and other types of financial crimes as well.
KITTEN: And what is the Cyber Fraud and Financial Crimes Section's primary role?
BENARDO: Our primary role in the section is one of "understanding and research," is how I sort of like to put it. We are out there trying to figure out what types of threats are occurring, what's next coming down the pike; I always say that criminals are so creative that it's really hard to stay ahead of the curve. So, we are trying to be a little bit on the cutting edge to figure out what's happening next; and we look at all kinds of financial crimes, not just cybercrimes. We are looking at things like mortgage fraud, as well; counterfeiting; good old-fashioned check kiting; everything from that to the more technology-based phishing and farming and malware threats, and other things that we are seeing today.
As far as for our role within the FDIC, we work on all sorts of initiatives and we provide our input related to cyberfraud and financial crimes; so we work on policy issues and any sort of new guidance going out to financial institutions. We would be the primary author of such guidance related to cyberfraud and financial crimes. We work on training initiatives for our staff -- for the FDIC examiners, primarily -- making sure that they are equipped to have understanding and knowledge of these types of threats. We work on other types of examinations support, like the actual work programs and tools that examiners would use to look for these types of information while doing a bank examination.
KITTEN: How many people do you have in your department?
BENARDO: There are about 10 of us in the department here in D.C., based in Washington; but, like I said, we also work very closely with other sections in the group. We also, I should mention, work very closely with the Anti-Money Laundering Group, as so much fraud sort of has a money-laundering factor involved with it. So, we are kind of in constant communication with them as well. And then we work with our examiners in the field in our different regional offices; so while we only have 10 people here, we can certainly tap others to help work on projects as we need them.
KITTEN: Sure, and that's a nice segue into my next question, which is, I would like for you to list the top five cybersecurity-fraud threats, or maybe just the fraud threats that you deem to be the most threatening -- those that have been identified as having the greatest impact on the financial industry over the next 12 to 18 months.
BENARDO: Well, certainly the things we are watching are things like the threats from malware and sort of the whole botnet problem that exists, as far as the computers being taken over as part of botnets and how that happens, whether it's malware getting on computers or other ways. So we are definitely paying attention to that and watching that and working closely with others outside of the FDIC, other law enforcement agencies and things like that; and that sort of leads into the commercial-payments fraud, which has been a hot topic of recent, and we continue to watch it. That fraud has happened because malware has gotten on computers of commercial customers of financial institutions, thereby compromising their log-in credentials and causing the criminals to be able to commit fraud by moving money through wire transfer or ACH. So we are definitely watching the malware threat and how that relates to commercial-payments fraud.
Believe it or not, phishing continues to be a problem. People think back to the beginning of phishing, when it was really pretty easy to recognize a phishing e-mail because it had lots of typos or misspellings in it; and these days, people who are still committing phishing are really good at it and they no longer have those typos or misspellings, and they do put graphics in their e-mails that make them look much more legitimate. So, even though most people -- I think a lot of consumers recognize phishing e-mails, because of the constant consumer education that the financial institutions and the regulators and others have done related to, you know, "Your bank won't be asking you for confidential information in an e-mail" -- have gotten to understand what phishing e-mails are, my worry is sort of the next way that, as I said, criminals will be creative, and change phishing a little bit so that we don't recognize it, that it's some other sort of social engineering threat.
A third risk that we are always on the lookout for are data breaches. So far most of the larger scale data breaches that we have seen happen with merchants or payment processors, but that can cause a lot of problems for financial institutions: They have to reissue cards; they have to deal with sort of the aftermath of credit card information getting out there and other types of information, as far as how that could lead to identity theft for their customers; so that's always a big issue for us. And then some of the sort of less technologically advanced crimes we always are on the lookout for, counterfeit checks, that's still happening a great deal; even though the volume of checks is going down, there is still a high volume of counterfeiting going on, especially counterfeiting of bank cashier's checks and bank-official checks, because, again, criminals are sort of following the trends and know what's happening. They understand Reg CC and that those types of items have faster funds-availability, which allows them to get their money out of the scam faster. So, we constantly are on the lookout for that as well.
And then, finally, mortgage fraud I think is rounding out the plate right now because we are seeing a lot of that, both mortgage fraud that was committed against financial institutions by people creating false mortgages with straw borrowers and fraudulent appraisals and things like that, but also the other end of the spectrum, which is how it affects consumers or mortgage holders in things like mortgage rescue scams. We are starting to see a lot of that as well, especially in this economic time, where people are tricking, unfortunately, people who might be facing dire times by saying they can help them get out from under their mortgage or help them make their payments when, in fact, they are not -- they are taking advantage of that situation and somehow ripping them off, either collecting money that they don't ever get a service for or actually even trying to steal their property.
KITTEN: How financial institutions respond to those threats is somewhat of a challenge. I would like for you to maybe speak to some of the ways or new ways that financial institutions can respond to some of these threats and maybe focus on the mortgage fraud.
BENARDO: That's a good question. A big part of it, like you mentioned, is education. For example, let's look at a mortgage rescue scam. That doesn't really involve the financial institution; they may not even know that this is happening because their customer may be contacted by this outside party or they may see an ad in a newspaper or on a telephone pole and respond to it out of sort of desperation.
So it is important for financial institutions to make sure their customers are educated about what to do in case you run into problems with your mortgage, in case you start to fall behind. Don't go answer an ad that's posted on a telephone pole; come to the financial institution and talk to them about the problems and work with some of the well-known consumer organizations that are out there that can help you deal with the situation. That's where I think education, education sort of as a prevention, can help -- educating consumers up front so that they know what to do when they find themselves in one of these situations.
With regard to phishing, I think we saw that consumer education was successful there; unfortunately, the criminals will look for the next way, as I said, to change phishing so that they can get ahead of that consumer education so that people won't recognize it as a phishing e-mail. For the industry, for the financial industry and certainly for the regulators, it is important to figure out how that's going to happen so that we can try to get out ahead with education. I point out that the FDIC does a quarterly newsletter called the "FDIC Consumer News," and in that, nearly every quarter, we have one or two articles, at least, about fraud and what consumers can do to be on the lookout for fraud or help protect themselves, whether it be cyberfraud, mortgage fraud, counterfeit checks, or other kinds of scams that prey on consumers. And then I also would add that we do still educate the financial institutions a lot and talk to them both during our one-on-one time, when we are doing examinations of the institutions, but in a broader scale in our publications and special alerts that we do about trends that we are seeing.
For example, we issued special alerts last year, sort of at the onset of the commercial-payments-fraud issue about that -- about the ACH and wire fraud that we were seeing. We issued a special alert, sort of, about the other end of that kind of fraud, dealing with money mules to alert financial institutions that this is how the money is moving; money mules are being brought into this scheme to help move the money in the end and so to be on the lookout for things like that.
KITTEN: And I was going to ask about tools that you are providing to help institutions fight back, and it sounds like you are doing quite a bit of that just from an educational standpoint.
BENARDO: Yes, the FDIC is always, because we are concerned with consumer confidence in the industry, we have done a lot of education through the years on different issues to make sure that consumers are comfortable and understand what is happening. But we also encourage financial institutions to use that educational material and pass it on. Lots of things we produce they can brand themselves; in the past, we have done statement-stuffers about issues; and certainly the consumer news articles I mentioned can be passed on to their customers. A lot of this is now available on our website, and we have a YouTube channel and a Facebook page where, actually, financial institutions can link to those things and use those videos that we have available to put on their website for their customers. So, there are lots of ways that we try to get the message out about what we are seeing and what we are doing.
KITTEN: And you've touched on this a little bit, but I would like for you to, perhaps, elaborate. I was wondering how the FDIC is ensuring that institutions are taking the proper steps to fight fraud, and how does that translate into the local examinations?
BENARDO:Sure. Well, that sort of gets back to the basics of what we do; we sort of set expectations by issuing guidance to financial institutions. The FFIEC, or the Federal Financial Institution Examination Counsel, has issued the guidance related to IT security, IT business-continuity planning and those types of topics, so that is sort of our primary mechanism for getting our expectations out to the industry of what types of things we expect them to do. And then when we go out and do our examinations, we check to make sure they are adhering to those policies. If anything new comes up in the interim, since we issued a booklet as part of that guidance, then we will check for that as well. Typically, we have issued some sort of interim guidance -- a financial-institution letter or a special alert -- and then we can check when we go in to make sure the banks are doing what they need to do to address those kinds of concerns that we are seeing.
KITTEN: Generally speaking, from an international cybersecurity and cyberfraud perspective, what unique challenges face the global financial industry and international governments?
BENARDO: Well, there certainly are challenges there, Tracy, because fraud really has no geographical boundaries. What's happening here could be happening in other places; in other words, consumer fraud, things like the mortgage rescue scams that we talked about could be happening in other countries, especially where the economy may be suffering. So we might be able to sort of compare what we are doing with other countries and sort of work together from a global perspective to educate and address those issues; but also the problem more globally is that sometimes the fraud is coming from other parts of the world that may not be originating here in the Untied States. There are other countries that are more well-known for having frauds committed there. So identifying where certain kinds of fraud are coming from is important so that we can work with the local banking industry there, the regulatory agencies there, or law enforcement, if need be. But, again, in sort of the cyberworld, that can become more challenging and more difficult because of the way people can hide behind computers. So when we think a crime might be occurring or maybe coming from one place, it might actually be coming from somewhere else; so working with law enforcement and working with the information technology sector to identify how to figure that out is a challenge, but one we are definitely taking on and addressing.
KITTEN: How can financial institutions do a better job of communicating across borders?
BENARDO: Well, I think there are several ways. I think some of the sort of larger multinational institutions that have a presence in multiple countries certainly have a way of talking among themselves. We also work closely with organizations like the FBIIC and the FSSCC, if you are familiar with those acronyms. They stand for the Financial Banking Information Infrastructure Committee for the government side, and then the FSSCC is the private-sector side, and that's the Financial Services Sector Coordinating Council -- both of those organizations. And then the two sides work together, both the public and the private in that framework. But both of those organizations are working globally and jointly across sectors between the financial sector, the information technology sector, the law enforcement groups that are involved, to address these issues from a sort of bigger perspective, from the large picture.