Joe is a victim of a Business Email Compromise (BEC) and, although fraudsters use many tactics to complete a BEC, the basic formula is the same: get an employee to send funds and then withdraw all of the funds before someone realizes it’s a scam. According to a report by the Federal Bureau of Investigation, cyber criminals use BECs as one of the main attack vectors to obtain thousands – and in some cases, millions – of dollars from unsuspecting victims. Additionally, the Federal Trade Commission recently released data showing that consumers reported losing more than $12.5 billion in 2024 due to fraud. Most of the losses were due to investment scams, but $2.95 billion was reported lost from imposter scams, including BECs.
Because most of these fraudsters open bank accounts to receive the funds, do banks bear some of the blame?
KYC regulations
In response to the attacks on September 11, 2001, the USA PATRIOT Act was enacted to expand the powers of law enforcement and intelligence agencies to combat terrorism. The Patriot Act introduced Know Your Customer (KYC) regulations, which provide guidelines for financial institutions to know more about their customers. All banks in the United States must comply with these regulations, which are intended to help financial institutions maintain accurate information about their clients and minimize risk. KYC regulations have five main components:
- Customer Identification Program. Verifying the identity of customers using personal or corporate identification documents.
- Customer Due Diligence. Assessing the risk profiles of customers and applying appropriate measures based on their risk level.
- Enhanced Due Diligence. Applying additional scrutiny for high-risk customers to mitigate potential risks.
- Customer Acceptance Policy. Establishing guidelines for onboarding customers.
- Ongoing Transaction Monitoring. Continuously monitoring customer transactions to detect suspicious activities.
In 2018, the Financial Crimes Enforcement Network (FinCEN) established the Customer Due Diligence (CDD) rule. The rule not only requires banks to identify and verify the identities of customers but also to verify beneficial ownership – in other words, to know who is ultimately “benefiting” from the funds in the account. The CDD rule does not provide specifics regarding the monitoring expectation, but FinCEN requires banks to monitor for suspicious activity by adopting and enforcing a risk-based approach.
What does this mean for banks?
Banks have historically been protected by the Electronic Fund Transfer Act of 1978 (EFTA) and Section 4A of the Uniform Commercial Code. The EFTA requires banks to reimburse victims for “incorrect” transfers, but the victims are required to notify the banks almost immediately.
This presents a problem for victims, who in many cases do not discover the fraud until days, or even weeks, later. However, there are recent indications that lawmakers may be starting to side with the victims.
If a BEC is not the bank’s fault and not the victim’s fault, how does one protect against this type of fraud? Believe it or not, human interaction is the key to recognizing accounts that are opened for nefarious purposes. Bank employees must validate and confirm the Customer Identification Program information and physical address and, for businesses, validate and understand the business’s relationship with the bank. Bank employees must also have triggers for knowing when to exercise enhanced due diligence and to ask the right questions – is this a legitimate business, is this a real person, and can this information be validated? Questions should be tailored to the circumstances of the case.
In the meantime, training, constant reminders to exercise vigilance, and periodic risk assessments are the best way to protect against BECs.