September 07, 2022
Prepared Remarks
Jimmy Kirby
Acting Deputy Director
Financial Crimes Enforcement Network
2022 Federal Identity Forum & Exposition (“FedID”)
Atlanta, Georgia
Good morning. My name is Jimmy Kirby, and I’m the Acting Deputy Director of the Financial Crimes Enforcement Network (FinCEN).
It’s a real pleasure to address all of you—private sector, academia and fellow public sector attendees and speakers.
I’m grateful for the opportunity to speak at FedID today, particularly as this event brings together identity experts from both the public and private sectors to discuss this important issue. This conference’s needs analysis, collaboration, and strategic planning are vital to spurring innovation and building blocks to ensure reliable interactions in an increasingly digital world.
I would like to explain how FedID and its focus on digital identity, a building block for reliable financial services, fit into the broader FinCEN picture.
We’re focused on a range of important topics at FinCEN, including:
1. Emerging threats;
2. Responsible innovation; and
3. Expanding partnerships and feedback loops.
The Importance of Digital Identity to FinCEN’s Mission
I’ll take each of those themes in turn, but, before diving into them, I want to take a moment to lay some groundwork and emphasize the importance of digital identity.
We recognize that digital identity has broad implications for privacy, and for security, across a range of sectors—not just financial services. We also recognize that digital identity has broader applications in financial services than just anti-money laundering/countering the financing of terrorism (AML/CFT). But, at FinCEN, we are pragmatically focused on our mission to protect the U.S. financial system from illicit finance.
Identity is fundamental to the effectiveness of every financial institution’s AML/CFT program. Many of FinCEN’s regulations and authorities are driven by identity, and this is true regardless of whether customers are using traditional depository financial institutions, money services businesses, or emerging digital asset products. Put another way, many of FinCEN’s authorities are designed to help financial institutions and law enforcement identify customers and the nature of their activity. They include the foundational AML Program rules; various reporting requirements like the Suspicious Activity Reports and Currency Transaction Reports; as well as recordkeeping requirements like the Customer Identification Program rule and Customer Due Diligence rule. Identity is also at the heart of other, more targeted, FinCEN authorities, such as Geographic Targeting Orders (GTOs)—most notably FinCEN’s GTOs in the real estate sector focused on cash purchasers.
There are a number of features of a digital identity framework that—taken together—have the potential to spur innovation in financial products and services across the legacy financial system, as well as digital assets and emerging central bank digital currencies.
For example, evidence of digital identities must be dynamic and able to be updated frequently. We also need to consider features related to source verification and interoperability. Consumer permissioned identity evidence that is stored cryptographically and accessed via token exchange offers a high degree of potential to foster innovation and solve some of our current challenges, including protection of personal information that balances the transparency goals of AML/CFT laws and regulations with privacy concerns.
To get financial services right, we need to get identity right. It is vital to building trust in the system. Getting identity “right” means implementing identity solutions that preserve privacy and security, promote financial inclusion, and protect the integrity of the financial system. Focusing on the technology-based solutions, we also need to recognize that digital identity is hard. Even the National Institute of Standards and Technology (NIST) says so in its digital identity guidelines.
Emerging Threats
This brings us to the first part of my narrative—emerging threats. Financial services have been increasingly migrating toward a primarily online and non-face-to-face format, and COVID-19 only accelerated this evolution. These trends create new opportunities for abuse and new threats have emerged from a traditional cast of characters or, more recently, efforts to evade sanctions and other restrictions related to Russia’s further invasion of Ukraine.
To bring customers on board, financial institutions need to establish with confidence who their customers are on the front end and throughout the customer relationship. A failure or security compromise in any step of that process compromises the integrity of customer identity—potentially limiting a financial institution’s ability to confidently know with whom it is doing business, as well as customers’ confidence that they will not be a victim of identity theft or otherwise defrauded.
Security breaches have led to data hacks of centralized repositories of identity-related information, exposing personally identifiable information, or PII, and making those data sources less reliable. Bad actors can often buy this identifying information on darknet markets. Many of us have faced this and dealt with the unpleasant consequences—whether it’s a single username and password for a website you visit; whether your credit card information was compromised; or whether your Social Security number was stolen.
At the same time, improvements in the security of payments, like the chip and PIN technology embedded in the credit and debit cards we carry in our wallets, have prompted fraudsters to redirect their focus to exploiting identity. This shift, along with the move toward virtual delivery of financial services, makes it even more critical that we get identity right.
FinCEN is leveraging Bank Secrecy Act data to categorize, analyze, and quantify identity-related crime, including fraud and cyber events. Staff analysis of the over 3 million Suspicious Activity Reports that financial institutions filed with us in 2021 shows that the majority include reference to potential breakdowns in the identity verification process—verification, impersonation, and compromise—across all types of SAR filings.
• Verification failures often reflect processes that are insufficient, circumvented, not completed, or not in place to begin with. From our initial analysis, we found that a large percentage of identity-related SARs report verification issues. For example, in this category identity-related SARs report inconsistent personally identifiable information, forged documents, and fraud where an entity passes verification despite providing false information. Many filers did not recognize the fraudulent identities or related information at the time of the transactions, only discovering the fraud later based on additional review.
SARs also report that entities attempt to evade verification altogether. For example, in 2021, over one million SARs report possible structuring to avoid CTR filing requirements or attempts to avoid providing identification in connection with other recordkeeping requirements.
• Impersonation occurs when someone is acting as or using another person’s information or misrepresenting themselves. Many SARs report potential impersonation concerns. Impersonation tactics enable most cyber-attacks and compromises. In this category, SARs report identity theft, synthetic identities, COVID-19 fraud, phishing, and various other scams.
• Identity compromise includes unauthorized access to accounts or personal information and the ability to move funds without proper authorization. This includes stolen credentials, ransomware, brute-force login attacks, account takeovers, and business email compromise. In 2021, our initial analysis of SARs indicates that the dollar amount linked to account takeovers approximately doubled year-over-year and the dollar amount related to business email compromise schemes grew by over 50 percent year-over-year.
The big takeaway is that in 2021, financial institutions reported to FinCEN a substantial year-on-year increase in potential identity verification, impersonation, and compromise-related suspicious activity. We’ve noted that the dollar values associated with filings related to a variety of cyber and identity related activities have increased dramatically.
These amounts are noteworthy—and the upward trend is concerning. In line with prior recommendations published in our COVID-19 Cyber Advisory, FinCEN encourages financial institutions and service providers to continue to coordinate between their cyber security, fraud, and financial crime areas and consider specific NIST digital identity standards as they build out their identity proofing and authentication processes.
Responsible Innovation
An AML/CFT regime that merely accounts for and reacts to new threats, however, is not sufficient. In some cases, we face the same threats we always have, but they’re amplified by financial innovations and new technologies. We must adapt, change, and innovate as well.
We recognize this. Congress also recognized this with the enactment of the Anti-Money Laundering Act of 2020, or the AML Act. The AML Act is the most significant change to the BSA and FinCEN’s authorities since the passage of the USA PATRIOT Act in the aftermath of the 9/11 terrorist attacks.
The world in 2001 was very different than the world we live in today, and when we look back even further to when FinCEN was established in 1990, the changes are only magnified. For identity, the only authoritative source documents back in the 1990s were static, analog paper or plastic-based documents—such as driver’s licenses or Social Security cards. And, there were not digital assets, like we see today, nor had the innovators behind the World Wide Web introduced an identity layer into the technology stack.
Now, digitally native financial services, including digital assets, present challenges to a patchwork system of largely paper-based identifiers and credentials issued by a variety of different federal, state, and local entities. These static, analog forms of ID are often better suited for in-person transactions.
Without being able to physically examine and hold a paper-based ID, or compare the picture on it to a person standing right in front of you, it is inherently more challenging and complicated to verify a person’s identity. Bad actors know this, and they exploit it. That’s why, as the amount of remotely delivered financial services increases, individuals around the world—including all of us here—face an increased risk of becoming the victim of an identity-related crime.
We find it tremendously encouraging to see that there’s an emerging set of government digital identity services like state mobile driver’s licenses, the Social Security Administration’s attribute validation service, and the Department of Homeland Security’s verifiable credentials. We are exploring ways to leverage these authoritative source documents and services, which benefit from a permanence of identity, to combat fraud and support institutions’ abilities to operate with effective integrity.
Clearly, the world has changed a lot, and we must do the same. The AML Act has touched off a new, post-post-9/11 era for anti-money laundering, giving FinCEN the authority to “streamline, modernize, and update the AML/CFT regime of the United States.” FinCEN is working very hard to implement this statute.
Our regulations and reporting requirements, as well as identity systems and the way in which we analyze data, need to evolve along with the threats. We can work together to foster development of infrastructure, information sharing, and standards that will safeguard the future of identity and the financial system. Events like this conference will help idea generation around mitigating the risks associated with digital identities.
FinCEN’s view is that our regulatory framework also needs to approach these innovations in a way that recognizes, not only the risks that they pose, but the opportunities that they present. A key question for us: How do we build a regulatory framework that creates the room to foster what’s positive about innovation, while at the same time ensuring that bad actors can’t take advantage of these innovations?
Expanding Partnerships and Feedback Loops
This brings us to expanding partnerships—the third, and final theme that I’d like to cover today. Getting identity in financial services “right” requires collaboration between the public and private sectors.
The AML Act enshrines FinCEN’s existing partnerships with the private sector—FinCEN Exchanges, Innovation Hours—and it calls for more. It places a spotlight on a public-private partnership, and this two-way flow of communication will include feedback on the use and demonstrated value of the information financial institutions provide.
We want to create feedback loops, and in the area of digital identity, we are engaging in that partnership in different ways.
Almost a year ago, we invited digital identity-focused businesses to our Innovation Hours. Companies showcased innovative approaches designed to enhance AML/CFT efforts. The response exceeded our expectations and encompassed a broad range of business models—from legacy financial systems to emerging technology businesses.
We have also long engaged with the private sector through the Bank Secrecy Act Advisory Group (BSAAG) to solicit ideas and seek input. Several of the BSAAG subcommittees are focused on how digital identity can advance the AML/CFT mission. These subcommittees bring together financial institutions, trade groups, and federal and non-federal regulators and law enforcement agency representatives.
In January, we were happy to announce our partnership with the FDIC on a digital identity-focused Tech Sprint. We view collaboration across regulators and between the public and private sectors to be critical to solving our shared challenge of measuring the effectiveness of digital identity proofing. We consider solutions to measure effectiveness of digital services as another building block for reliable financial services. And we were very pleased that the effort was voted a finalist in the FedID Best Educational Efforts.
In July, we, along with fellow U.S. federal financial agencies and our UK counterparts, provided participants in the U.S./UK Privacy Enhancing Technologies Prize Challenge a regulatory-context session as they prepare to develop their solutions. Getting identity “right” means implementing building blocks like Privacy Enhancing Technologies to protect personally identifiable or other sensitive information while still being able to detect anomalous transactions, as well as using other data in new ways to analyze identity-related crime, including fraud and cyber events.
All of these building blocks need to preserve privacy and security, promote financial inclusion, and protect the integrity of the financial system. These are key to building trust in the system.
And the public sector must learn from each other. To that end, we are also engaging with other domestic Federal agencies and regulators on digital identity. We also recognize that we can learn from our international partners regarding their digital identity initiatives.
Our focus and efforts are about solving problems in a pragmatic way. We welcome your feedback on this initiative and ideas for other steps to ensure reliable financial services.
Closing
In closing, I would like to thank all of you for coming to Atlanta to exchange information and enhance public-private collaboration on these important issues. You are making a difference by contributing to solutions for shared challenges.
It is important to bring public and private sector minds together to collaborate on the future of identity. We can benefit from each other’s experiences and knowledge to move toward building secure, privacy-preserving digital identity solutions.
Thank you, and I hope you all have a productive, and enjoyable, FedID Conference.