Date: December 5, 1997 NO. 97-RA-12
TO: All Federally Insured Credit Unions
SUBJECT: Guidance for Reporting Computer-Related
Crimes
The enclosed document, Guidance Concerning
the Reporting of Computer-Related Crimes by Financial Institutions,
explains the federal criminal statute relating to computer crimes,
18 U.S.C. §1030, and is intended to facilitate the timely
and accurate reporting of apparent violations of the statute to
law enforcement agencies.
Computers and computer networks clearly
perform a vital role in financial institution operations, including
credit unions. The potential for the electronic misappropriation
of funds, compromise of information, or serious damage to computer
systems present a unique challenge to federal regulatory agencies,
victim institutions and law enforcement.
The enclosed guidance, developed under
the auspices of the Interagency Bank Fraud Working Group, reflects
the recognition of emerging technological threats and the critical
need for a coordinated assessment and response. The National
Credit Union Administration, along with the other members of the
Bank Fraud Working Group including the U.S. Department of Justice,
other bank regulatory agencies and federal law enforcement, is
dedicated to fostering a high degree of interagency cooperation
and coordination in the area of financial institution fraud.
This guidance sets forth violations
of the federal computer crime statute which may be reportable
offenses under the existing SAR system. Any violations should
be brought to the immediate attention of those personnel responsible
for reporting suspicious activity.
Inquiries may be directed to your respective
regional office. Your cooperation in this matter is greatly appreciated.
Sincerely,
/S/
Norman E. D'Amours
Chairman
GC/EI
Attachment
This guidance is provided in order
to explain the federal criminal statute relating to computer crimes,
18 U.S.C. §1030, and to ensure the timely and accurate reporting
of apparent violations of the statute to law enforcement authorities.
BACKGROUND
Regulations issued by the Federal Reserve,
OCC, FDIC, OTS, and NCUA generally require banks, thrifts, credit
unions, the U.S. branches and agencies of foreign banks, and other
types of financial institutions to file Suspicious Activity Reports
(SARs) whenever they detect any known or suspected federal criminal
law violation or suspicious activity. The SAR system facilitates
the reporting of suspected criminal activity and money laundering
in a standard format to a single collection point, from which
the information may be rapidly disseminated to appropriate law
enforcement agencies. SARs play a critical role in collecting
information about criminal activity affecting the financial community.
Under the five financial institutions supervisory agencies' current
SAR rules, a financial institution is required to report any known
or suspected criminal law violation involving an insider, regardless
of amount. A financial institution is also required to report
any known or suspected federal criminal law violation that involves
or aggregates more than $25,000 in the event no suspect can be
identified -- a threshold that drops to $5,000 if a potential
suspect can be identified.
The current SAR form includes in Part
III, Box 37, a listing of 17 various categories of criminal law
violations and suspicious activities that a financial institution
can check. The categories include check, credit and wire transfer
fraud, defalcation/embezzlement and mysterious disappearances,
and also include a general category under "Other" that
is to be used in the event the offense or activity does not appear
to fit any of the delineated types of crimes. There is no category
in Part III, Box 37, specifically reserved for violations of the
provisions of the U.S. criminal code relating to computer crimes
-- 18 U.S.C. §1030 (Fraud and Related Activity in Connection
with Computers).
CRIMINAL LAW RELATING TO COMPUTERS
Computers and computer networks are
at the heart of operations of a modern financial institution.
Criminals -- both inside and outside of financial institutions
-- recognize the potential vulnerability of computer systems.
Consequently, financial institutions must be cognizant of the
federal computer crime law, 18 U.S.C. §1030. This statute
specifically includes as a "protected computer," among
other computers shielded by the statute, any computer exclusively
for the use of a financial institution, or, if not exclusively
for such use, used by or for a financial institution where the
conduct constituting the offense affects that use.
Financial institutions should pay particular
attention to three provisions of 18 U.S.C. §1030. Section
1030(a)(2) specifically prohibits intentionally accessing a protected
computer to obtain certain kinds of information without authority
or in excess of authority. Not only does it generally prohibit
improperly obtaining information from any "protected"
computer, but it specifically prohibits improperly obtaining information
contained in a "financial record" of a financial institution.
The provision may also apply to an individual who hacks into
a financial institution computer system. "Financial record"
is defined as information derived from any record held by a financial
institution pertaining to a customer's relationship with the institution.
Another provision applicable to financial
institutions is the prohibition on using a "protected"
computer without authorization or in excess of authorization to
commit fraud. The provisions of 18 U.S.C. §1030(a)(4) criminalize
the knowing use of a protected computer without authorization
or in excess or authorization with intent to defraud, and by means
of such conduct furthering the intended fraud and obtaining anything
of value. Thus, an individual who intentionally uses another
person's home banking software and purloins that person's password
in order to transfer money fraudulently into his or her personal
bank account has committed a crime.
The third provision -- 18 U.S.C. §1030(a)(5)
-- with applications to financial institutions is the prohibition
on intentional access without authorization that results in "damage"
to a protected computer. Damage is defined to include any impairment
to the integrity or availability of data, a program, a system,
or information that causes loss aggregating at least $5,000 in
value during any one-year period. An example may involve a disgruntled
former employee who maintains a "back door" into the
computer system and uses it to introduce a virus that disrupts
the system. Another example may involve an intruder who causes
a system outage by flooding an institution's computer system with
e-mail requests for information.
Other provisions of 18 U.S.C. §1030
applicable to financial institutions include subsection (a)(6),
which outlaws trafficking in passwords knowingly and with intent
to defraud. Subsection (a)(7) prohibits transmitting threats
to cause damage to a protected computer with intent to extort
money or any other thing of value from any legal entity, specifically
including financial institutions. This prohibition applies regardless
of whether any actual damage is caused, or whether the offender
actually had the ability to cause such damage.
A violation of 18 U.S.C. §1030
can result in a fine or imprisonment for up to ten years.
GUIDANCE
A financial institution should report
on a SAR any activity that appears to be violative of 18 U.S.C.
§1030. If a reportable offense is detected, a financial
institution should check Box 37r, marked "Other", and
describe as completely as possible in Part VII, the narrative
section of the SAR, the nature of the illegal or suspicious activity.