Top Story Security Related

The Financial Stability Board, an international organization that coordinates the work of national financial authorities and international standard-setting bodies and develops and promotes the implementation of effective regulatory, supervisory, and other financial sector policies in the interest of financial stability, has issued a report, "The Financial Stability Implications of Artificial Intelligence," which outlines recent developments in the adoption of artificial intelligence (AI) in finance and their potential implications for financial stability.

The FSB stated that widespread adoption and more diverse use cases of AI have prompted the FSB to revisit its 2017 report on AI and machine learning in financial services. Financial firms currently use AI mainly to enhance internal operations and improve regulatory compliance, but generative AI (GenAI) and large language models have given rise to new use cases, such as document summation, information retrieval, and code generation. While many financial institutions appear to be taking a cautious approach to using GenAI, interest remains high and the technology’s accessibility could facilitate more rapid integration in financial services.

The report notes that—

• The rapid adoption of AI offers several benefits but may also amplify certain financial sector vulnerabilities, such as third-party dependencies, market correlations, cyber risk and model risk, potentially increasing systemic risk.
• While existing financial policy frameworks address many of the vulnerabilities associated with use of AI by financial institutions, more work may be needed to ensure that these frameworks are sufficiently comprehensive.
• Financial authorities should enhance monitoring of AI developments, assess whether financial policy frameworks are adequate, and enhance their regulatory and supervisory capabilities including by using AI-powered tools.

FinCEN has issued FIN-2024-Alert004 to help financial institutions identify fraud schemes associated with the use of deepfake media created with generative artificial intelligence (GenAI) tools. The alert explains typologies associated with these schemes, provides red flag indicators to assist with identifying and reporting related suspicious activity, and reminds financial institutions of their reporting requirements under the Bank Secrecy Act (BSA). This alert is also part of the U.S. Department of the Treasury’s broader effort to provide financial institutions with information on the opportunities and challenges that may arise from the use of AI.

The CFPB has released a report, "State Consumer Privacy Laws and the Monetization of Consumer Financial Data," summarizing state laws that give consumers more control over their data, how these rights complement the protections under federal law, and the gaps in protection that result from state law exemptions for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) or the Fair Credit Reporting Act (FCRA).

The CFPB suggests that state policymakers should assess gaps in their state data privacy laws, and consider the importance of ensuring that their citizens are protected in instances where federal law currently has gaps or may be ineffective.

The Treasury Department yesterday announced that OFAC has sanctioned Abdel Rahman Joma’a Barakallah for his leadership role in the Rapid Support Forces (RSF), a primary party responsible for the ongoing violence against civilians in Sudan since April 2023.

For identification information on Barakallah and a notice on amendments to OFAC's Sudan Sanctions Regulations, see yesterday's BankersOnline OFAC Update.

FinCEN has reported its September 2024 outreach efforts on its Beneficial Ownership Reporting Rule requirements.

The report also included a list of upcoming events at which FinCEN representatives are scheduled to further disseminate BOI reporting information through the end of the year.

OFAC is asking for user opinions of their website. They are asking site users to take about ten minutes to complete a survey to help them improve their services, enhance users' experience, and create new features.

The survey can be found HERE.

Yesterday, the Treasury Department reported that OFAC has designated one individual and one entity who support a corrupt patronage network in Bosnia and Herzegovina (BiH) that is attempting to evade U.S. sanctions.

For the names and identification information of the designated individual and entity, see yesterday's BankersOnline OFAC Update.

FinCEN recently announced that certain victims of Hurricane Milton, Hurricane Helene, Hurricane Debby, Hurricane Beryl, and Hurricane Francine will receive an additional six months to submit beneficial ownership information reports, including updates and corrections to prior reports.

FinCEN has issued the five Notices below extending the filing deadlines for reporting companies that 1) have an original reporting deadline beginning one day before the date the specified disaster began and ending 90 days after that date, and 2) are located in an area that is designated both by the Federal Emergency Management Agency as qualifying for individual or public assistance and by the Internal Revenue Service as eligible for tax filing relief.

Notice regarding—

• Hurricane Milton
• Hurricane Helene
• Hurricane Debby
• Hurricane Beryl
• Hurricane Francine

The NCUA has announced it issued three consent orders and one prohibition notice in October permanently prohibiting individuals from participating in the affairs of any federally insured depository institution.

Consent orders were issued to:

• Gloria J. Hall, a former employee of Prairie View Federal Credit Union, Prairie View, Texas
• Diane Stephens, a former employee of Priority First Federal Credit Union, Du Bois, Pennsylvania
• Laurie Allen, a former employee of Vibrant Credit Union, Danville, Illinois

A Notice of Prohibition was issued to Salusthian Lutamile, a former employee of IDB Global Federal Credit Union, Washington, D.C.

The FBI, the Treasury Department, and the Israel National Cyber Directorate have issued a Cybersecurity Advisory (CSA) to warn network defenders of new cyber tradecraft of the Iranian cyber group Emennet Pasargad, which has been operating under the company name Aria Sepehr Ayandehsazan (ASA) and is known by the private sector terms Cotton Sandstorm, Marnanbridge, and Haywire Kitten.

The group exhibited new tradecraft in its efforts to conduct cyberenabled information operations into mid-2024 using a myriad of cover personas, including multiple cyber operations that occurred during and targeting the 2024 Summer Olympics – including the compromise of a French commercial dynamic display provider. ASA has also undertaken a project to harvest content from IP cameras and used online resources related to Artificial Intelligence. Since 2023, the group has exhibited new tradecraft including the use of fictitious hosting resellers to provision operational server infrastructure to its own actors as well as to an actor in Lebanon involved in website hosting. Recently released reporting from Microsoft indicates this group has demonstrated interest in election-related websites and media outlets, suggesting preparations for future influence operations.

The CSA provides the threat group’s tactics, techniques, and procedures (TTPs), including its leveraging of online resources related to Artificial Intelligence, and indicators of compromise (IOCs). The CSA also highlights similar activity from a previous FBI advisory that was published on 20 October 2022. This new advisory’s information and guidance are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against U.S. and foreign organizations and engagements with numerous entities impacted by this malicious activity.

The authoring agencies recommend all organizations follow guidance provided in the Mitigations section to defend against the Iranian cyber group’s activities.