Why U.S. Banks Must Embrace Fraud Data Sharing: Q&A with Former FBI Agent Dan Larkin

In this expert Q&A, fraud prevention leader Ken Palla sits down with Dan Larkin, former FBI agent and founder of the National Cyber Forensic and Training Alliance (NCFTA).

They discuss:

• Why U.S. financial institutions remain hesitant to share fraud and scam data, and why that needs to change
• What types of data can be shared safely under FinCEN and U.S. Treasury guidance
• How industry collaborations like the National Cyber Forensic and Training Alliance (NCFTA) enable effective, lawful data exchange
• The practical controls and governance required to share data responsibly
• Why better data sharing is a force multiplier for law enforcement and a critical step in protecting consumers

Notice: Before a financial institution shares any fraud and scam data, they should obtain legal counsel. This article is not a legal opinion.

Brief Background on Data Sharing in the United States

I just finished a comprehensive whitepaper with Outseer on some of the best practices on Fraud and Scam Data Sharing Around the World. There were significant examples of really good data sharing. But not so much in the U.S.

As highlighted in my whitepaper, “the United States has been limited in fraud data sharing because of the U.S. Treasury Financial Crimes Enforcement Network (FinCEN) and strict U.S. privacy laws. Datos Insights recently cautioned that “regulatory violation risks consistently rank as the primary deterrent to data sharing, with FCRA (Fair Credit Reporting Act) compliance concerns leading institutional hesitations about collaborative initiatives.” ¹

There is common agreement on two key reasons for sharing data:

1. Learning more quickly how fraudsters commit crime today
2. Build better cases to enable law enforcement to arrest the bad guys

To try and move the needle on fraud and scam data sharing in the U.S., I went to my old friend Dan Larkin. Dan has a very interesting background, and during his time with the FBI, NCFTA and PNC he has been very active in data sharing.

• He spent 24+ years at the FBI
• He founded the National Cyber Forensic and Training Alliance (NCFTA) in 2002.
• Dan then did a tour at PNC Bank

What are the top reasons for financial institutions to share data?

The first thing you need to do is to define why you want to share data and what should be the common goal. This is important for overcoming any potential internal roadblocks. The four reasons to share data include:

1. Identify threats proactively and quickly to protect your customers
2. Prevent criminals from attacking financial institution customers. A key focus is to build cases to get criminals arrested and jailed. Often these entities are transnational organized crime groups using the proceeds for human trafficking or terrorism.
3. Address regulatory expectations around sharing fraud and scam data.
4. Protect your customers.

We need be looking for ways to get smarter about how evolving threats first appear. This is especially true with the growing threat of AI usage by the crooks.

What data is being shared by banks?

It is important to note that most data sharing does not involve sensitive customer data. Here are the three main categories:

1. Details around threats, such as how a crook is getting into the network.
2. Money mule accounts & how money is being laundered
3. Best practices shared among banks and cross-sector sharing between banks and telcos

Aren’t we collecting customer data when we share money mule accounts?

You don’t need to share the money mule account name, until the law enforcement phase of a criminal case. And as far as sharing the routing number and account number of the money mule, once it is determined that a victim was defrauded by an unauthorized transaction or by a scam (coerced authorized transaction), you have a crime. And this crime involves money laundering and potentially organized crime.

In the example of a romance scam where a consumer was conned out of $50,000 that was sent to a receiving bank via wire, this is clearly money laundering. It is made to look like a legitimate transaction but more often than not, you can show credible connections to organized criminal groups.

Is there data that cannot be shared?

If any sensitive data shared involves a crime such as money laundering or organized crime, it is permissible. I am not aware of any taboo data that cannot be shared when it is relevant to how the money flows, how accounts are set up, or the details of money-mule networks and who is behind them.

Can data be shared outside FinCEN 314(b)?

Data can be shared outside of a 314(b) program, based on discussions with government officials. This view aligns with U.S. Treasury, FinCEN, the Office of the Comptroller of the Currency (OCC) and the Department of Justice.

However, there has not been much written government documentation about fraud and scam data sharing - other than FinCEN documents. For example, the FinCEN Section 314(b) Fact Sheet talks about sharing data, with safe harbor, for specified unlawful activities including fraud against individuals. In 2024, Treasury did respond to a Regulatory Intelligence question by saying: “FinCEN is reminding financial institutions that the sharing of underlying account or transaction information does not violate Suspicious Activity Report (SAR) confidentiality restrictions in the Bank Secrecy Act and FinCEN's regulations unless such sharing would potentially reveal the existence of a SAR.”²

Are controls required when sharing data?

You need to have reasonable controls around any data, and it should be shared with a tight, known group of subject matter experts (SMEs).

How did NCFTA share data and why do other banks have a problem with it?

NFCTA are realistic and understand what needs to be shared, and how it is shared and stored in a responsible way. They realize that there are organizations that have not gotten there yet and who look at this in the context of potential liability.

Some of these obstacles to data sharing are more perception than reality and depend on how you frame what it is that you are doing. Overall, it is a growing community that increasingly understands the true context of information sharing.

Why is data sharing so critical?

Good data sharing is a true force multiplier because it not only helps financial institutions fight fraud and scams, but can help build the legal cases to put criminals behind bars. Law enforcement needs help building meaningful cases and this often means aggregating fraud and scam information from multiple entities.

Do banks share data for building criminal cases?

At least 40 U.S. institutions are involved in building criminal cases. Much of this work takes place through the NCFTA, which has over 200 multi-industry partners (banks, telcos, eCommerce, pharmaceutical, manufacturing and others).

Summary: Fraud and Scam Data Sharing is Still a Work in Progress

Many FIs have decided they have the legal authority to share fraud and scam data, especially when it involves details around threats. Others remain apprehensive about misjudging what FinCEN means with its regulations under 314(b) when it comes to sharing the specifics of a fraud or scam case.

In a recent submission to the Federal Reserve and the Office of the Comptroller of the Currency, the Bank Policy Institute said “legal uncertainty continues to hinder information sharing. Institutions often avoid sharing certain information—even to protect the ecosystem—due to fear of litigation or liability.” It added that “nothing explicitly prohibits sharing, but nothing clearly permits it either. This legal gray area results in overly cautious behavior, missed opportunities to disrupt fraud, and unnecessary duplication of effort.”

The criminals love this confusion. But if an FI carefully considers each specific type of data being shared—whether threat intelligence, money-mule information, or data to support criminal cases— it should find assurance that these details meet the definition of money laundering at a minimum. With that understanding, FIs can confidently join the data-sharing community. For those still hesitant, there are several sanctioned 314(b) programs to start with, and partnering with the NCFTA is another strong option.

Always remember: when you start talking about data sharing, be explicit about what data you are referring to.

Let’s not keep our hands tied behind our backs as we fight fraud and scams in the U.S. Dan Larkin’s FBI training is front and center here—get the data, build the cases, and lock these criminals up.

MORE INFO: For further reading on this topic, download the Fraud and Scam Data Sharing Around the World whitepaper, which delves into country-specific examples of successful data sharing programs.

Reference

1. DatosInsights, Collaborative Data Exchange: The Next Frontier in Fraud Prevention

2. U.S. Treasury clarifies recent calls for banks to 'potentially expand' information sharing with foreign counterparts Published 18-Jul-2024 by Brett Wolf, Regulatory Intelligence

‍