May 20: Letters & notes on the MID, new FinCEN rule for financial institutions, and a cybercrime primer

We even have a computer/Big Brother joke today… In the last few weeks we’ve had computer attacks that garnered plenty of publicity, and concern among the public as well as lenders. First it was “WannaCry,” and then it was Adylkuzz. Both attacks exploited the same bug in Windows file sharing (SMB), one Microsoft had already issued a patch for, which is why unpatched machines were the ones hit. Adylkuzz was interesting because it infected several hundred thousand machines around the world but does not lock the screen. Instead, per the WSJ, it “slows down systems as it quietly steals processing power to generate a digital currency called Monero.” Monero?


Just because a lender has computers and makes mortgages, does that make it a fintech company? That question aside, cybercrime is an increasingly complex and rampant issue, and it starts with computer users. HelpNetSecurity reports that 550 million username and password combinations are currently being sold on underground forums. I am sure mine are in there somewhere – who would ever guess “Passwerd1,” right?


A 22-year-old ingeniously stopped an international cybersecurity disaster by spending $10.69 to register a domain name, which triggered the malware’s kill switch.


And phishing? They’re called ‘phishing’ emails because the cybercriminals who send them are fishing for victims. These fraudulent emails, which may appear to come from a legitimate company or even a personal acquaintance, are designed to trick people into giving up personal information, such as credit card and social security numbers. (If anyone out there receives an email saying I’m being held hostage in Tahiti and require $1,000 in ransom money, just ignore it.) Here are five ways to tell if it is a phishing email.


Diving a little deeper, what exactly are “ransomware” and “phishing?” In most cases, phishing is an email meant to look like it’s coming from a reputable source such as a bank, email provider, or credit card company. The email is designed to fool you into handing over sensitive personal information such as account numbers, PINs and passwords. Ransomware is malware that locks a user out of their own devices and/or encrypts their files until a sum of money, the “ransom,” is paid. Often it gets in when someone opens an unexpected attachment or link from a sender they don’t know.
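To make the warning signs concrete, here is an added example (mine, not the newsletter’s, and not the linked list of five): a small Python checker that parses a raw email and reports five common phishing indicators, namely a display name that shows a different address than the real sender, a Reply-To at a different domain, a link whose visible text names one host while its href goes to another, urgency language, and a risky attachment type. The two sample messages are constructed inside the block, and every domain in them is a reserved example domain.

```python
"""Score a raw email for common phishing indicators.

Added example, not from the newsletter. The messages built by the two sample_*
functions are constructed, and every domain in them is a reserved example domain.
"""
from email import message_from_string, policy
from email.headerregistry import Address
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = ("verify", "suspend", "immediately", "within 24 hours", "unusual activity")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".hta", ".docm", ".xlsm", ".zip")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return the list of indicators found; an empty list means none of the five fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    from_header = msg["From"]
    sender = from_header.addresses[0] if from_header and from_header.addresses else None
    sender_domain = sender.domain.lower() if sender else ""

    # 1. The display name shows an address at a domain other than the real sender's.
    if sender and "@" in sender.display_name:
        shown = sender.display_name.rpartition("@")[2].lower()
        if shown != sender_domain:
            hits.append(f"display name shows '{shown}' but message is from '{sender_domain}'")

    # 2. Replies are routed to a different domain than the one the message came from.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses and reply_to.addresses[0].domain.lower() != sender_domain:
        hits.append(f"Reply-To domain '{reply_to.addresses[0].domain}' differs from sender")

    # 3. A link's visible text names one host while its href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    body_text = ""
    if body is not None:
        body_text = body.get_content()
        if body.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(body_text)
            for href, text in collector.links:
                if text.startswith(("http://", "https://")) and _host(text) != _host(href):
                    hits.append(f"link text shows '{_host(text)}' but points to '{_host(href)}'")

    # 4. Pressure to act now, in the subject or the body.
    haystack = ((msg["Subject"] or "") + " " + body_text).lower()
    found = [w for w in URGENCY_WORDS if w in haystack]
    if found:
        hits.append("urgency language: " + ", ".join(found))

    # 5. An attachment of a type that commonly carries malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            hits.append(f"risky attachment '{name}'")
    return hits


def sample_phish():
    """Constructed lure impersonating a bank; all domains are reserved examples."""
    m = EmailMessage()
    m["From"] = Address(display_name="alerts@bank.example",
                        username="alerts", domain="secure-login-portal.example")
    m["Reply-To"] = "recover@mailbox.example"
    m["To"] = "borrower@lender.example"
    m["Subject"] = "Unusual activity: verify your account within 24 hours"
    m.set_content("Please view this message in an HTML-capable client.")
    m.add_alternative('<p>We detected unusual activity on your account. Verify now: '
                      '<a href="http://secure-login-portal.example/verify">https://www.bank.example/</a></p>',
                      subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="statement.exe")
    return m.as_string()


def sample_benign():
    """Constructed legitimate notice from the same (example) bank."""
    m = EmailMessage()
    m["From"] = "Bank Alerts <alerts@bank.example>"
    m["To"] = "borrower@lender.example"
    m["Subject"] = "Your May statement is ready"
    m.set_content("Your May statement is available in online banking.")
    m.add_alternative('<p>Your May statement is available. '
                      '<a href="https://www.bank.example/statements">Sign in</a> to view it.</p>',
                      subtype="html")
    return m.as_string()


if __name__ == "__main__":
    for label, raw in (("phish", sample_phish()), ("benign", sample_benign())):
        print(label, phishing_indicators(raw))
```

The checks are deliberately simple string and header comparisons; a real mail gateway would add SPF/DKIM results and URL reputation. Note that the urgency check is the weakest of the five on its own (legitimate fraud alerts use the same words), so treat it as supporting evidence rather than a verdict.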


Due to the nature of the residential lending business, documents are being transferred constantly, and sometimes it’s easier to click on everything that comes through your inbox. But awareness is the first line of defense: never open attachments or links you didn’t ask for, and when in doubt, confirm with the sender through a channel other than the email itself.


While insider breaches are not new, they remain hard to defend against. As insiders gain higher and higher levels of trust, some portion may turn to the dark side. In fact, IBM research finds that, whether intentional or not, 95% of all security incidents involve some kind of human error. Most lenders and banks already have a program in place that trains, monitors and educates employees regularly on the latest cyber threats and issues. The value of employee education cannot be overstated, and it should be part of an ongoing effort to control bank risk.


That said, continuous training cannot be done simply through an email blast or an annual training session. CyberScout points out that for frontline and mid-level employees, it is important to share stories about people who have fallen for tricks and conduct penetration tests with white-hat hackers. Further, cyber security training should be conveyed through a variety of methods that can map to all types of learning styles. These include webinars, live simulations of attacks and even newsletter tips. This approach helps drive the messages and information home for employees as it stays fresh and top of mind.


For executives, the same awareness should apply, if not more so. That’s because executives are often targeted for fraud because they have the greatest access and authority. Another option for community banks to boost cyber security is to track employee behavior. An unusually large file download could warrant concern, as could an employee logging on at an unusual time. What counts as “unusual” should be judged against each employee’s own normal pattern, not a single bank-wide threshold. Reviewing work behavior regularly could prevent a small breach from turning into a big event.
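The two signals just named, a large download and an off-hours login, are easy to turn into a first-pass detector. The following is an added example (mine, not from the newsletter or any vendor) in Python: it reads key=value log lines, keeps a per-user history of download sizes, and flags logins outside business hours and downloads that are either over an absolute limit or far above that user’s own median. The log format, the log lines and the thresholds are all constructed or assumed and would need tuning for a real institution.

```python
"""First-pass insider-activity detector for the two signals the newsletter names:
off-hours logins and unusually large downloads.

Added example, not from the newsletter. The 'timestamp key=value ...' log format,
the log lines below and the thresholds are all constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(7, 19)      # assumption: 07:00-18:59, Monday to Friday
SPIKE_FACTOR = 10                  # a download 10x the user's own median is unusual
ABSOLUTE_LIMIT = 1_000_000_000     # anything over 1 GB is unusual regardless of history
MIN_HISTORY = 3                    # prior downloads needed before the per-user baseline counts

# Constructed sample: 2017-05-15 is a Monday, 2017-05-21 a Sunday.
SAMPLE_LOG = """\
2017-05-15T09:02:11 user=jsmith action=login src=10.1.4.22
2017-05-15T09:40:03 user=jsmith action=download bytes=2100000 file=appraisal.pdf
2017-05-15T11:12:45 user=jsmith action=download bytes=1800000 file=w2.pdf
2017-05-16T10:05:30 user=jsmith action=download bytes=2400000 file=closing_disclosure.pdf
2017-05-16T13:00:09 user=jsmith action=download bytes=250000000 file=pipeline_export.zip
2017-05-21T02:14:55 user=mlee action=login src=10.1.4.57
2017-05-21T02:20:10 user=mlee action=download bytes=1500000000 file=loan_archive.tar
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict; the timestamp becomes a datetime under 'ts'."""
    stamp, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.fromisoformat(stamp)}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_anomalies(lines):
    """Return (user, reason, timestamp) tuples, in time order."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    downloads = defaultdict(list)   # user -> sizes of that user's earlier downloads
    alerts = []
    for event in events:
        user, ts = event["user"], event["ts"]
        if event["action"] == "login":
            if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
                alerts.append((user, "off-hours login", ts.isoformat()))
        elif event["action"] == "download":
            size = int(event["bytes"])
            history = downloads[user]
            over_limit = size > ABSOLUTE_LIMIT
            spike = len(history) >= MIN_HISTORY and size > SPIKE_FACTOR * median(history)
            if over_limit or spike:
                alerts.append((user, f"large download {size} bytes ({event['file']})", ts.isoformat()))
            history.append(size)   # the baseline is built only from earlier events
    return alerts


if __name__ == "__main__":
    for user, reason, when in find_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{when}  {user:8}  {reason}")
```

On the sample, jsmith’s 250 MB export is flagged because it is more than ten times that user’s median of about 2 MB, while mlee’s Sunday 2 a.m. login and 1.5 GB pull are flagged on the time-of-day and absolute-size rules. The baseline is built only from events that came before, so a user cannot “hide” a spike by following it with many large downloads.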


A lender/bank-wide cyber risk crisis management plan needs to be in place as well. This should include the steps taken within the bank when a cyberattack occurs, the responsibilities of each department, and the content and timing of communications sent to customers and law enforcement. The CIO should be the guardian of this plan and ensure it is updated regularly and exercised, not just filed. While lenders and depository banks have only so much control over the cyber behavior of customers, it is critical to help educate them on good online security habits. After all, customers have many potential breach points, not only through their financial online practices but through their entire online footprint. Communicating regularly through a variety of media, including email, newsletters and mobile, is important.


Verizon research finds ransomware attacks increased 50% last year, as criminals went after companies to extort money. Let’s keep going with the types of crime.


Baiting – When an attacker leaves a malware-infected physical device, such as a USB flash drive in a place it is sure to be found. The finder then picks up the device and loads it onto their computer, unintentionally installing the malware.

Phishing – As mentioned above, when a malicious party sends a fraudulent email disguised as a legitimate email, purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.

Spear phishing – Like phishing, but aimed at a specific individual or organization, typically using details about the target (name, role, colleagues, current deals) to make the message convincing.

Whaling – A type of fraud that targets high-profile end users such as corporate executives, politicians, and celebrities. The email message is often meant to trick the recipient into generating funds transfer requests to their financial institution.

Pretexting – When one party invents a story to persuade another to hand over privileged data or access, usually over the phone.

Scareware – Tricking the victim into thinking their computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers a solution that will fix the problem; in reality, the victim is tricked into downloading and installing the attacker’s malware.

Bank of San Francisco is committed to keeping your account and personal information safe and secure. If you believe that you have received a fraudulent email, mistakenly disclosed confidential information, or have questions about online security, please


The Credit Union Journal put out a piece “This special Q2 report presents the latest fraud trends affecting financial institutions and provides insights on how to prevent being hit…This exclusive report tells you the top three controls from Q2 that form a successful defense.”


On a more global scale there are developments that lenders should know about. For example, this week the G-7 finance chiefs renewed their pledges on foreign exchange and cybercrime. Finance ministers and central bank governors from the Group of Seven leading industrial nations have renewed a joint commitment to avoid seeking competitive advantage through foreign exchange and to combat the growing threat of cybercrime. However, unlike earlier versions, the communique issued at the end of the meeting in Bari, Italy did not contain an endorsement of global free trade and rejection of protectionism, a change thought to have been influenced by the US.


President Donald Trump is striving to improve the cybersecurity of US government agencies through an executive order. The order also is intended to improve the cybersecurity of the financial sector and the energy grid.


A second round of WannaCry? The cyberattacks that began last Friday had slowed by Sunday but cybersecurity experts said there was a risk that new versions of the WannaCry ransomware worm could strike soon. The attacks paralyzed more than 200,000 computers in more than 150 countries.

In a related topic, what happens in less than a year, besides the HMDA changes? May 11, 2018 is the effective date for the Financial Crimes Enforcement Network (FinCEN) Customer Due Diligence (CDD) enhanced rules and the need for financial institutions to add a fifth pillar to the BSA/AML program. There are two key components of the new requirement. The first is to maintain written procedures that are reasonably designed to identify and verify the beneficial owners of legal entity customers. The second is to have appropriate risk-based procedures for conducting ongoing CDD to understand the nature and purpose of customer relationships, to conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information. The FinCEN definition of a covered financial institution includes federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities.


Switching gears entirely to the MID (mortgage interest deduction)


NAR, as a matter of principle and not necessarily logic, is dead set against any changes to the deduction. Thanks to Kevin Hardin, who sent his observations. “Has anyone ever done the math on the mortgage interest deduction? NAR says that losing it impacts the lower and middle-class families. The current administration proposes to raise the individual standard deduction to $15,000 and $30,000 for married. So, if you itemize your deductions and take the mortgage interest deduction it would mean that the interest deduction plus other deductions are greater than the standard.

“So, assuming they are healthy and do not have more than 7.5% of their income in medical expenses they probably only have this deduction to itemize. Child Care Tax Credit and Earned Income is over and above. $15,000 in interest divided by 4.5% expected rate this year = $333,333 mortgage balance. So, for an individual looking to benefit from the MID they would have to have a mortgage greater than $333,333. What kind of income? Well, let’s go old school at 28% for front end DTI (Housing Ratio). What is the payment on a $333,000 mortgage at 4.5%? P&I $1,688.95 + est. $300 for HOA, HOI, tax etc. = $1,988.95 / 28% = $6,000 in monthly income = $72,000 per year. Is $72,000 the income of a Single Tax Payer in Lower to Middle-Class borrower? Probably not. It would double that income for married joint filers as they would get $30,000.

“Would a married couple earning $144,000 a year in income be lower to middle-class? $144,000 is almost triple the average household income for 2015.

“I think this whole fight by NAR is much ado about nothing. They are not protecting the lower class to middle class. They are only helping the top 10% of earners. Even then it is a very tight argument when you consider that $1,000,000 is the maximum mortgage amount to claim the MID.”


Kevin wrapped up with, “Clearly, I am not a CPA. I am just a humble Loan Officer. But, I prefer not to lie to borrowers about the power of the MID.”



(Thanks to Ed R. for this one)

–  Hello! Gordon’s pizza?

– No sir it’s Google’s pizza.

– So, it’s a wrong number? Sorry.

– No sir, Google bought it.

– OK. Take my order please.

– Well sir, you want the usual?

– The usual? You know me?

– According to our caller ID data sheet, in the last 12 times, you ordered pizza with cheeses, sausage, thick crust.

– OK! This is it …

– May I suggest to you this time ricotta, arugula with dried tomato?

– What? I hate vegetables.

– Your cholesterol is not good, sir.

– How do you know?

– We cross-referenced your landline number with your name through the subscriber directory.

We have the results of your blood tests for the last 7 years.

– Okay, but I do not want this pizza! I already take medicine…

– Excuse me, but you have not taken the medicine regularly. According to our commercial database, 4 months ago you purchased only one box of 30 cholesterol tablets at CVS.

– I bought more from another drugstore.

– It’s not showing on your credit card statement.

– I paid in cash.

– But you did not withdraw that much cash according to your bank statement.

– I have another source of cash.

– That is not showing on your last tax return, unless it came from an undeclared income source.


– I’m sorry, sir, we use such information only with the intention of helping you.

– Enough! I’m sick of Google, Facebook, Twitter, WhatsApp. I’m going to an island without internet or cable TV, where there is no cell phone signal and no one to watch me or spy on me.

– I understand, sir, but you need to renew your passport first, as it expired 5 weeks ago.

(Copyright 2017 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)

Rob Chrisman