7 November 1997
Source: Mail list cypherpunks@cyberpass.net
Thanks to RH and JM
Date: Fri, 7 Nov 1997 00:09:05 -0500 To: cypherpunks@cyberpass.net From: Robert Hettinga <rah@shipwright.com> Subject: From Our Friends at the Fed --- begin forwarded text Date: Thu, 6 Nov 1997 20:23:25 -0800 From: jmuller@brobeck.com (John D. Muller) Subject: From Our Friends at the Fed To: rah@shipwright.com Thought this missive from the Federal Reserve (SR Letter 97-28 for those who insist on a formal citation) might be of interest. ---------------------------------------------------------------------- Suggested Cover Letter To the Chief Executive Officer or General Manager of Each State Member Bank, Bank Holding Company, State Chartered, Non-Insured U.S. Branch or Agency of a Foreign Bank, and Edge and Agreement Corporation in Your District Dear ______________________: The Federal Bureau of Investigation, working with Federal Reserve staff and representatives from the other federal banking agencies as well as other federal law enforcement agencies, developed the attached guidance concerning the reporting of violations of the federal criminal statute relating to computer crimes, 18 U.S.C. ß 1030 (Fraud and Related Activity in Connection with Computers) in Suspicious Activity Reports (SARs). The guidance is intended to facilitate the timely and accurate reporting of apparent violations of this law to law enforcement and bank supervisory agencies. The guidance describes the provisions of 18 U.S.C. ß 1030 and gives some examples of conduct that may violate the law. It also tells you how to report violations in a SAR. We would appreciate you bringing this matter to the immediate attention of all personnel in your organization responsible for reporting suspicious activity. In the event you have any questions concerning this matter, please contact __________________________. Sincerely, [Reserve Bank Official] Attachment ---------------------------------------------------------------------- GUIDANCE CONCERNING THE REPORTING OF COMPUTER-RELATED CRIMES BY FINANCIAL INSTITUTIONS This guidance is provided in order to explain the federal criminal statute relating to computer crimes, 18 U.S.C. § 1030, and to ensure the timely and accurate reporting of apparent violations of the statute to law enforcement authorities. Background Regulations issued by the Federal Reserve, OCC, FDIC, OTS, and NCUA generally require banks, thrifts, credit unions, the U.S. branches and agencies of foreign banks, and other types of financial institutions to file Suspicious Activity Reports (SARs) whenever they detect any known or suspected federal criminal law violation or suspicious activity. The SAR system facilitates the reporting of suspected criminal activity and money laundering in a standard format to a single collection point, from which the information may be rapidly disseminated to appropriate law enforcement agencies. SARs play a critical role in collecting information about criminal activity affecting the financial community. Under the five financial institutions supervisory agencies' current SAR rules, a financial institution is required to report any known or suspected criminal law violation involving an insider, regardless of amount. A financial institution is also required to report any known or suspected federal criminal law violation that involves or aggregates more than $25,000 in the event no suspect can be identified--a threshold that drops to $5,000 if a potential suspect can be identified. The current SAR form includes in Part III, Box 37, a listing of 17 various categories of criminal law violations and suspicious activities that a financial institution can check. The categories include check, credit and wire transfer fraud, defalcation/embezzlement and mysterious disappearances, and also include a general category under "Other" that is to be used in the event the offense or activity does not appear to fit any of the delineated types of crimes. There is no category in Part III, Box 37, specifically reserved for violations of the provisions of the U.S. criminal code relating to computer crimes--18 U.S.C. § 1030 (Fraud and Related Activity in Connection with Computers). Criminal Law Relating to Computers Computers and computer networks are at the heart of operations of a modern financial institution. Criminals--both inside and outside of financial institutions-- recognize the potential vulnerability of computer systems. Consequently, financial institutions must be cognizant of the federal computer crime law, 18 U.S.C. § 1030. This statute specifically includes as a "protected computer," among other computers shielded by the statute, any computer exclusively for the use of a financial institution, or, if not exclusively for such use, used by or for a financial institution where the conduct constituting the offense affects that use. Financial institutions should pay particular attention to three provisions of 18 U.S.C. § 1030. Section 1030(a)(2) specifically prohibits intentionally accessing a protected computer to obtain certain kinds of information without authority or in excess of authority. Not only does it generally prohibit improperly obtaining information from any "protected" computer, but it specifically prohibits improperly obtaining information contained in a "financial record" of a financial institution. The provision may also apply to an individual who hacks into a financial institution computer system. "Financial record" is defined as information derived from any record held by a financial institution pertaining to a customer's relationship with the institution. Another provision applicable to financial institutions is the prohibition on using a "protected" computer without authorization or in excess of authorization to commit fraud. The provisions of 18 U.S.C. § 1030(a)(4) criminalize the knowing use of a protected computer without authorization or in excess or authorization with intent to defraud, and by means of such conduct furthering the intended fraud and obtaining anything of value. Thus, an individual who intentionally uses another person's home banking software and purloins that person's password in order to transfer money fraudulently into his or her personal bank account has committed a crime. The third provision--18 U.S.C. § 1030(a)(5)--with applications to financial institutions is the prohibition on intentional access without authorization that results in "damage" to a protected computer. Damage is defined to include any impairment to the integrity or availability of data, a program, a system, or information that causes loss aggregating at least $5,000 in value during any one-year period. An example may involve a disgruntled former employee who maintains a "back door" into the computer system and uses it to introduce a virus that disrupts the system. Another example may involve an intruder who causes a system outage by flooding an institution's computer system with e-mail requests for information. Other provisions of 18 U.S.C. § 1030 applicable to financial institutions include subsection (a)(6), which outlaws trafficking in passwords knowingly and with intent to defraud. Subsection (a)(7) prohibits transmitting threats to cause damage to a protected computer with intent to extort money or any other thing of value from any legal entity, specifically including financial institutions. This prohibition applies regardless of whether any actual damage is caused, or whether the offender actually had the ability to cause such damage. A violation of 18 U.S.C. § 1030 can result in a fine or imprisonment for up to ten years. Guidance A financial institution should report on a SAR any activity that appears to be violative of 18 U.S.C. § 1030. If a reportable offense is detected, a financial institution should check Box 37r, marked "Other", and describe as completely as possible in Part VII, the narrative section of the SAR, the nature of the illegal or suspicious activity. --- end forwarded text ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' The e$ Home Page: http://www.shipwright.com/ Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>