April 08, 2022
Prepared Remarks
Himamauli Das
Acting Director
Financial Crimes Enforcement Network
FDIC-FinCEN Digital Identity Tech Sprint Demonstration Day
April 4, 2022
I am very pleased to be able to speak at the inaugural FDIC-FinCEN Tech Sprint focused on digital identity. My name is Him Das. I’m the Acting Director of the Financial Crimes Enforcement Network (FinCEN).
It’s a real pleasure to address all of you—tech sprinters, judges, and fellow public sector observers. Thanks to all of you for your contributions and the creativity that you’ve brought to this effort.
I’m also grateful to the Federal Deposit Insurance Corporation (FDIC) for its partnership on this Tech Sprint and to the members of our FinCEN team who have been working with the FDIC to push this initiative forward.
I would like to explain how the Tech Sprint and its focus on digital identity fit into the broader FinCEN picture.
At FinCEN, we’re focused on:
New threats;
New innovations; and
New partnerships.
The Importance of Digital Identity to FinCEN’s Mission
I’ll take each of those themes in turn, but before we dive into them, I want to take a moment to lay some groundwork. I want to emphasize just how important digital identity really is.
Most importantly, we recognize that digital identity has broad implications for privacy, for security, across a range of sectors—and not just financial services. We also recognize that digital identity has broader applications in financial services than just anti-money laundering/countering the financing of terrorism (AML/CFT). But at FinCEN, we are pragmatically focused on our mission to protect the U.S. financial system from illicit finance.
Identity is fundamental to the effectiveness of every financial institution’s AML/CFT program. And effective measurement of identity proofing—as all of you are focused on in this Tech Sprint—is similarly fundamental.
FinCEN’s regulations and our information collection authorities are driven by identity. That is, they are designed to help financial institutions and law enforcement identify customers and the nature of their activity: the Customer Identification Program rule, the Customer Due Diligence rule, the AML Program rule, Currency Transaction Reports, Suspicious Activity Reports (SARs), and Geographic Targeting Orders. This is true regardless of whether those customers are using traditional depository financial institutions, money services businesses, or emerging digital asset products.
There are a number of features of a digital identity framework that—taken together—have the potential to spur innovation in financial products and services across the legacy financial system, as well as digital assets and emerging central bank digital currencies.
For example, evidence of digital identities must be dynamic and able to be updated frequently. We also need to consider features related to source verification and interoperability. Consumer permissioned identity evidence that is stored cryptographically and accessed via token exchange, in particular, offers a high degree of potential to foster innovation and solve some of our current challenges.
To get financial services right, we need to get identity right. Getting identity “right” means implementing identity solutions that preserve privacy and security, promote financial inclusion, and protect the integrity of the financial system. It’s about building trust in the system.
Digital identity, however, is hard. Even the National Institute of Standards and Technology (NIST) says so in its digital identity guidelines. Proving that someone is who they say they are—especially remotely, via a digital service—is fraught. There is a famous The New Yorker quote from 1993 that captures the challenge: “On the internet, nobody knows you’re a dog.”
New Threats
This brings us to the first part of my narrative—new threats. Financial services have been increasingly migrating toward an online and non-face-to-face format, and COVID-19 only accelerated this evolution. These trends create new opportunities for abuse and new threats have emerged.
To bring customers on board, financial institutions need to establish with confidence who their customers are. One of the key steps is to complete an identity proofing process. The goal of this process is to establish that each customer corresponds to a single, unique, real-world identity based on validated evidence that is correct and genuine. By “correct” and “genuine,” what I mean is that the evidence of identity is not counterfeit or misappropriated.
A failure or security compromise in any step of that process compromises the integrity of customer identity. It means that a financial institution can’t confidently know with whom it’s doing business.
Uneven implementation of IT security standards has also led to data hacks of centralized repositories of identity-related information, exposing personally identifiable information, or PII, making those data sources less reliable. Bad actors can often buy this identifying information on darknet markets. Many of us have faced this and dealt with the unpleasant consequences. Whether it’s a single username and password for a website you visit, whether your credit card information was compromised, or whether your Social Security number was stolen, I don’t have to tell you the issues it can create.
At the same time, improvements in the security of payments, like the chip and PIN technology embedded in the credit and debit cards we carry in our wallets, have prompted fraudsters to redirect their focus to exploiting identity. This shift, along with the move toward virtual delivery of financial services, makes it even more critical that we get identity right.
FinCEN is leveraging Bank Secrecy Act data in new ways to analyze identity-related crime, including fraud and cyber events. A large number of SARs show three types of potential breakdowns in the identity verification process: verification, impersonation, and compromise.
Verification failures often reflect processes that are insufficient, circumvented, not completed, or not in place to begin with.
Impersonation occurs when a criminal is acting as or using another person’s information or misrepresenting themselves.
Identity compromise includes unauthorized access to accounts or personal information and the ability to move funds without proper authorization. FinCEN is shedding light on these issues and how we can potentially combat them.
For example, in 2021, financial institutions reported to FinCEN a substantial year-on-year increase in potential identity verification, impersonation, and compromise-related suspicious activity. We’ve noted that the dollar values associated with filings related to a variety of cyber and identity related activities have increased dramatically:
For example, the dollar amounts linked to reports of impersonators potentially using stolen or socially engineered email credentials in business email compromise schemes grew by over 50% year-over-year, reaching $8 billion.
Similarly, filings related to potential account takeovers using stolen identities accounted for more than $8 billion, about twice as much as the value correlated to the prior year’s filings on this subject.
These amounts are noteworthy—and the upward trend is concerning. FinCEN encourages financial institutions and service providers to consider specific NIST digital identity standards as they build out their identity proofing and authentication processes, in line with prior recommendations published in our COVID-19 Cyber Advisory.
New Innovations
An AML/CFT regime that merely accounts for and reacts to new threats, however, is not sufficient. In some cases, we face the same threats we always have, but they’re amplified by financial innovations and new technologies. We must adapt, change, and innovate as well.
We recognize this, and Congress recognized this, with the passage of the Anti-Money Laundering Act, or the AML Act. Until the AML Act, the overarching legal foundation of our regime hadn’t really been updated significantly since the immediate wake of 9/11. And although there has been important work through regulation, rulemaking, and guidance to keep pace with evolving risks, that legal foundation was in many respects built, as the aphorism goes, “to fight the last war.”
The world in 2001 was very different than the world we live in today, and when we look back even further to when FinCEN was established back in 1990, the changes are only magnified. For identity, the only authoritative source documents back in the 1990s were static, analog paper or plastic-based documents. We only had driver’s licenses or Social Security cards. And there were no digital assets, nor had the innovators behind the World Wide Web introduced an identity layer into the technology stack.
Now, digitally native financial services, including digital assets, present challenges to a patchwork system of largely paper-based identifiers and credentials issued by a variety of different federal, state, and local entities. These static, analog forms of ID are better suited for in-person transactions.
Without being able to physically examine and hold a paper-based ID or compare the picture on it to a person standing right in front of you, it’s inherently more challenging and complicated to verify a person’s identity. As we just talked about, bad actors know this, and they exploit it. That’s why, as the amount of remotely delivered financial services increases, individuals around the world—including all of us here—face an increased risk of becoming the victim of an identity-related crime or, for example, losing your access to your life savings.
We find it tremendously encouraging to see that there’s an emerging set of government digital identity services like state mobile driver’s licenses, the Social Security Administration’s attribute validation service, and the Department of Homeland Security’s verifiable credentials. We are exploring ways to leverage these authoritative source documents and services, which benefit from a permanence of identity, to combat fraud and support institutions’ abilities to operate with effective integrity.
Clearly, the world has changed a lot, and we must do the same. The AML Act, as this group knows, touched off a new, post-post-9/11 era for anti-money laundering, giving FinCEN the authority to “streamline, modernize, and update the AML/CFT regime of the United States,” and that, indeed, is what we are doing.
Our regulations and reporting requirements, as well as identity systems, need to evolve along with the threats. We can work together to foster development of infrastructure, information sharing, and standards that will safeguard the future of identity and the financial system. Events like this Tech Sprint will help idea generation around mitigating the risks associated with digital identities.
FinCEN’s view is that our regulatory framework also needs to approach these innovations in a way that recognizes, not only the risks that they pose, but the opportunities that they present: How do we build a regulatory framework that creates the room to foster what’s positive about innovation, while at the same time ensuring that bad actors can’t take advantage of innovations more effectively than the good guys?
New Partnerships
This brings us to new partnerships—the third, and final theme that I’d like to cover today. Getting identity in financial services “right” requires collaboration between the public and private sectors.
The AML Act enshrines FinCEN’s existing partnerships with the private sector—FinCEN Exchanges, Innovation Hours—and it calls for more. It places a spotlight on a public-private partnership where we’re working together to modernize and foster compliance with this regime. This won’t just require us communicating with you; it will require you communicating with FinCEN.
We do want to create a feedback loop. To do so, we are engaging on digital identity in different ways.
Last October, we invited digital identity-focused businesses to our Innovation Hours. Companies showcased innovative approaches designed to enhance AML/CFT efforts. The response exceeded our expectations and encompassed a broad range of business models—from legacy financial systems to emerging technology businesses.
We have long engaged with the private sector through the Bank Secrecy Act Advisory Group (BSAAG) to solicit ideas and seek input. Several of the BSAAG subcommittees are focused on how digital identity can advance the AML/CFT mission. These subcommittees bring together financial institutions, trade groups, and federal and non-federal regulators and law enforcement agency representatives.
In January, we were delighted to announce our partnership with the FDIC on this digital identity-focused Tech Sprint. We view collaboration across regulators and between the public and private sectors to be critical to solving our shared challenge of measuring the effectiveness of digital identity proofing.
We are also engaging with other domestic Federal agencies and regulators on digital identity, and learning from our Five Eyes partners’ digital identity initiatives.
Our focus and efforts are about solving problems. We are pragmatic. And I think lots of small steps will eventually lead to cumulative progress.
We hope to do more tech sprints. We want tech sprints to eventually build toward pilot programs and then lead to regulatory actions. We welcome your feedback on this initiative and ideas for other Tech Sprints.
Closing
In closing, I would like to thank all of you for your hard work and congratulate you on making it through to the finish line. You are making a difference by contributing to solutions for a shared problem. You are a force multiplier.
It is important to bring public and private sector minds together, to collaborate on the future of identity. We need to continue to cooperate in order to address vulnerabilities and emerging threats and to keep pace with technological innovation. We can benefit from each other’s experiences and knowledge to move toward building secure, privacy-preserving digital identity solutions.
I again want to reiterate how grateful we are to the FDIC for their partnership and for including us in the conversation. There have been some insightful solutions presented during the course of this Tech Sprint, and it will take the intellectual power and creativity of all of us to figure out how to further secure identities and prevent illicit actors from exploiting identity in financial crime.
Thank you.