Prepared Remarks of FinCEN Acting Deputy Director Jimmy Kirby During the Identity Policy Forum
January 25, 2023
Prepared Remarks of
Jimmy Kirby
Acting Deputy Director, FinCEN
Identity Policy Forum
January 25, 2023
Good morning. My name is Jimmy Kirby, and I’m the Acting Deputy Director of the Financial Crimes Enforcement Network (FinCEN).
It’s a real pleasure to address all of you—private sector and fellow public sector attendees and speakers—to discuss this important issue of proving who you are in a digital world.
I would like to explain how this Identity, Authentication, and the Road Ahead event and its focus on digital identity, a building block for reliable financial services, fits into the broader FinCEN picture.
We’re focused on a range of important topics at FinCEN, including:
1. Emerging threats;
2. Responsible innovation; and
3. Expanding partnerships and feedback loops.
The Importance of Digital Identity to FinCEN’s Mission
I’ll take each of those themes in turn, but, before diving into them, I want to take a moment to lay some groundwork and emphasize the importance of digital identity.
At FinCEN, we are pragmatically focused on our mission to protect the U.S. financial system from illicit finance threats.
Identity is fundamental to the effectiveness of every financial institution’s AML/CFT program regardless of whether customers are using traditional depository financial institutions, money services businesses, or emerging digital asset products. Many of FinCEN’s regulations and authorities are designed to help financial institutions and law enforcement identify customers and the nature of their activity.
They include the foundational AML Program rules; various reporting requirements like the Suspicious Activity Reports (SARs) and Currency Transaction Reports; as well as recordkeeping requirements like the Customer Identification Program (CIP) Rule and Customer Due Diligence (CDD) Rule. Identity is also at the heart of other, more targeted, FinCEN authorities, such as Geographic Targeting Orders (GTOs)—most notably FinCEN’s GTOs in the real estate sector focused on cash purchasers.
To get financial services right, we need to get identity right. It is vital to building trust in the system. Getting identity “right” means implementing identity solutions that preserve privacy and security, promote financial inclusion, and protect the integrity of the financial system.
Emerging Threats
This brings us to the first part of my narrative—emerging threats. Financial services have been increasingly migrating toward a primarily online environment. This trend creates new opportunities for abuse, and new threats have emerged from a traditional cast of characters.
As a result, we have been thinking about how we can leverage all of the data that financial institutions send to us to simultaneously identify and help mitigate the increasingly broad set of illicit activity, including money laundering, fraud, and terrorist financing.
We have embarked on a systemic analysis of SAR filings to look for common threads among these threats. Our goal is to utilize this valuable information by comprehensively categorizing all 2021 SARs into typologies using a rigorous and flexible identity framework.
We believe the preliminary results of this effort are promising, and we hope to make our analysis repeatable to assess trends and dynamics to encompass threats as they evolve. The preliminary results will help further enhance our ability to identify threats reported in Bank Secrecy Act (BSA) data, quantify vulnerabilities in Know-Your-Customer (KYC) processes, and refine our fraud-based analysis using a financial crime attack lifecycle approach.
Let me share how we have approached the analysis and what we are finding.
First, let me address why we focus on identity.
• As I previously mentioned—identity is core to FinCEN’s mission, regulations, and reporting requirements.
• To bring customers on board, financial institutions need to establish with confidence who their customers are on the front end and throughout the customer relationship. A failure or security compromise in any step of that process compromises the integrity of customer identity—potentially limiting a financial institution’s ability to confidently know with whom it is doing business, as well as customers’ confidence that they will not be a victim of identity theft or otherwise defrauded.
• Security breaches have led to data hacks of centralized repositories of identity-related information, exposing personally identifiable information, or PII, and making those data sources less reliable. Bad actors can often buy this identifying information on dark net markets. Many of us have faced this and dealt with the unpleasant consequences—whether it’s a single username and password for a website you visit; whether your credit card information was compromised; or whether your Social Security number was stolen.
• Identity-related suspicious activity reports continue to increase, growing more than 15 percent from 2021 to 2022.
  ◦ For example, in 2022, FinCEN received more than 350,000 SARs tied to Identity Theft and over 600,000 SARs reporting the use of false or fraudulent identification records.
Reports of threats at each stage of the customer identification process continue to grow—from the proofing and enrollment stage to the authentication stage, including use of compromised credentials, impersonation, synthetic identities, and artificial intelligence to conduct illicit finance.
Watching these threats evolve, FinCEN embarked on designing an Identity Project to assess the role of identity in financial institutions’ reporting.
This project attempted to achieve three goals:
1. First, to learn about financial institutions’ customer identification processes.
2. Second, to quantify process breakdowns, vulnerabilities, and threats.
3. Third, to identify solutions, including digital identity.
We began by defining identity-related illicit activity. Identity-related illicit activity is when an identity or the customer identification process, or lack thereof, is exploited, resulting in unintended authorization. This definition includes fraud, cyber-enabled crime, and other suspicious activity.
While we continue to evaluate our data in this space, we are currently focused on the following explanation: Fraudsters exploit the current customer identification process vulnerabilities in three ways:
1. Impersonation;
2. Exploiting Insufficient Verification; and
3. Compromise.
We have tested this hypothesis by categorizing, analyzing, and quantifying identity-related reporting, including fraud and cyber events, in the totality of the 2021 SAR filings.
Based on FinCEN’s preliminary assessment of the initial results, the majority of the over 3 million SARs filed in 2021 involve identity-related suspicious activity. Further, the majority of those identity-related SARs are tied to the exploitation of insufficient verification processes.
We see opportunities for digital identity to address customer identification breakdowns in customer onboarding, account logins, and transaction monitoring, as well as in investigations.
I would like to drill down into a specific type and sector to give you a sense of the threats that we see evolving in BSA reporting, and their link to identity.
Reported business email compromise incidents in the real estate sector (RE-BEC incidents) indicate that perpetrators of these attacks typically aim to defraud individuals and entities in connection with real estate transactions, based on BSA data filed with FinCEN between January 2020 and December 2021.
Unfortunately, individual homebuyers suffer disproportionately from these incidents. Actors perpetrate real estate business email compromise attacks by improperly impersonating authorized persons or entities. The most common victims of impersonation were individuals and entities involved in the title and closing processes within a real estate transaction.
• BSA data for 2021 suggests that the average monthly value of RE-BEC incidents was approximately $500,000, with a median value of approximately $130,000. This represents a substantial increase from 2020 BSA data, where the suggested average monthly value of RE-BEC incidents was $350,000, with a median value of $110,000.
• The full data set consisted of 2,260 filings reporting roughly $893 million in RE-BEC-related incidents filed throughout 2020 and 2021.
From analysis of these filings, we have observed RE-BEC attackers laundering their illicit proceeds through the use of “money mules” and romance scams to recruit unwitting money mules. We are also seeing ties to other fraud types and the use of alternative payment systems, such as convertible virtual currency, to move illicit funds.
Responsible Innovation
This brings me to my second topic—responsible innovation.
An AML/CFT regime that merely accounts for and reacts to new threats is not sufficient. In some cases, we face the same threats we always have, but they’re amplified by financial innovations and new technologies. We must adapt, change, and innovate as well.
Congress also recognized this with the enactment of the Anti-Money Laundering Act of 2020, or the AML Act. Through our implementation of the AML Act, we seek to streamline, modernize, and update the AML/CFT regime of the United States.
This is particularly important as the amount of remotely delivered financial services increases. Individuals around the world—including all of us here—face an increased risk of becoming the victim of an identity-related crime. Digitally native financial services, including digital assets, present challenges to a patchwork system of largely paper-based identifiers and credentials issued by a variety of Federal, state, and local entities. These static, analog forms of ID are often better suited for in-person transactions.
Therefore, we find it tremendously encouraging to see that there’s an emerging set of government digital identity services like state mobile driver’s licenses, the Social Security Administration’s attribute validation service, and the Department of Homeland Security’s verifiable credentials. We are exploring ways to leverage these authoritative source documents and services, which benefit from a permanence of identity, to combat fraud and support institutions’ abilities to operate with effective integrity.
Our regulations and reporting requirements, as well as identity systems and the way in which we analyze data, need to evolve along with the threat environment. We can work together to foster development of infrastructure, information sharing, and standards that will safeguard the future of identity and the financial system. Events like this conference will help idea generation around mitigating the risks associated with digital identities.
FinCEN’s view is that our regulatory framework also needs to approach these innovations in a way that recognizes not only the risks that they pose, but the opportunities that they present.
Additionally, there are a number of features of a digital identity framework that, taken together, have the potential to address threats and spur innovation across all types of financial services.
For example, evidence of digital identities must be dynamic and able to be updated frequently. We also need to consider features related to source verification and interoperability. Consumer permissioned identity evidence that is stored cryptographically and accessed via token exchange offers a high degree of potential to foster innovation and solve some of our current challenges, including protection of personal information that balances the transparency goals of AML/CFT laws and regulations with privacy concerns.
Expanding Partnerships and Feedback Loops
This brings us to expanding partnerships—the third, and final theme that I’d like to cover today. Getting identity in financial services “right” requires collaboration between the public and private sectors.
The AML Act enshrines FinCEN’s existing partnerships with the private sector—such as FinCEN Exchanges and Innovation Hours—and it calls for more. It places a spotlight on a public-private partnership, and this two-way flow of communication will include feedback on the use and demonstrated value of the information financial institutions provide.
We are engaging in that partnership in different ways.
We invited digital identity-focused entrepreneurs to our Innovation Hours to showcase their innovative approaches designed to enhance AML/CFT efforts.
Several of our Bank Secrecy Act Advisory Group (BSAAG) subcommittees are focused on how digital identity can advance the AML/CFT mission. These subcommittees bring together financial institutions, trade groups, and Federal and non-Federal regulators and law enforcement agency representatives.
Last spring, we were happy to partner with the FDIC on a digital identity-focused Tech Sprint to crowdsource solutions to measure the effectiveness of digital identity proofing. We consider solutions to measure effectiveness of digital services as another building block for reliable financial services. We were very pleased that the effort was voted the winner for FedID’s Best Educational Efforts, and we are watching with interest the Department of Homeland Security Science and Technology’s Remote Identity Validation Tech Challenge.
Last July, we, along with fellow U.S. Federal financial agencies and our UK counterparts, provided participants in the U.S./UK Privacy Enhancing Technologies Prize Challenge—a regulatory-context session as they prepare to develop their solutions. Privacy Enhancing Technologies are another building block to protect personally identifiable or other sensitive information while still being able to detect anomalous or potentially illicit transactions.
All of these building blocks need to preserve privacy and security, promote financial inclusion, and protect the integrity of the financial system. These are all key to building trust in the system.
And the public sector must learn from each other. To that end, we are also engaging with other domestic Federal agencies and regulators on digital identity, at FedID and throughout the year.
Our focus and efforts are about solving problems in a pragmatic way. We welcome your feedback on this initiative and ideas for other steps to ensure reliable financial services.
Closing
In closing, I would like to thank all of you for coming to or dialing into this important event to exchange information and enhance public-private collaboration on these important issues that relate to identity. Your contributions to solutions for these shared challenges benefit us all.
Thank you, and I hope you have a very productive policy forum.