Financial Crimes Consultant & National Director Shares Concerns
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security (infosec), cybersecurity and/or information governance to protect data and transactions at credit unions and other financial institutions, and fintechs serving the financial services industry.
Rene Perez, financial crimes consultant and national director of financial crimes solutions sales at Jack Henry.
Rene Perez has been in the financial crimes industry for almost 25 years. His current role at Jack Henry is as the financial crimes consultant and national director of financial crimes solutions sales. In those positions he leads the company’s financial crimes portfolio, and serves as a thought leader about fraud and anti-money laundering.
Perez also sits on several boards, including the Federal Reserve Bank’s Fraud Work Group and the U.S. Faster Payments Council (FPC) Fraud Board.
Breaking into Information Security
The Puerto Rican born-Perez grew up just outside of Orlando, in Lake Mary, Fla. He went to the University of Alabama (he has remained in Alabama since) to play baseball and study civil engineering. After graduating in 1998, he got his start in the financial services industry by answering an open-house call at Compass Bank (which became BBVA Compass and eventually PNC).
“That led me into information security. More specifically on the fraud, money laundering side of it,” Perez told Finopotamus. “I started in fraud security, card security specifically. Then worked my way up through becoming the BSA (Bank Secrecy Act) officer and the fraud officer at that institution.”
After nearly 10 years at Compass Bank, “Jack Henry came calling,” said Perez. “I have been at Jack Henry now 17 years, all on the financial crime side where we’re now seeing an uptick of fraud and cybercriminals merging into a single unit, sharing information and doing everything together.” Perez is based at the Jack Henry offices in Birmingham, Ala.
Multiple Roles
Perez explained his two current roles at Jack Henry. “As the national director of financial crime solutions sales, there's about seven different products that roll up through my role,” he said. “The other role I play at Jack Henry is as our financial crime subject matter expert. I spend a lot of time on the road, talking at conferences and talking to institutions about what they are doing from a fraud and cybersecurity perspective.” He also serves as one of the hosts of the traveling Jack Henry Cybersecurity and Fraud Forum.
Jack Henry launched its annual Cybersecurity and Fraud Forum on October 7, 2024, at Jack Henry Connect in Fort Worth, Texas. The forum will visit six cities during an expanded road tour intended to help community and regional financial institutions sharpen their security and fraud mitigation plans. The forum brings financial institution peers and risk experts together to simulate a cybersecurity incident and work through real-time responses.
“These are live events and every decision has a consequence,” said Perez. “We go through that exercise for a full day with our institutions, and it's a good networking perspective for them.” Future Forums will visit Tampa Bay, Fla., San Diego, Nashville, Tenn., Seattle, Chicago, and Portland, Maine.
Jack Henry’s Cybersecurity Focus
Perez said Jack Henry is closely watching the ransomware that is going on at institutions, “some of them known, some of them unknown.” Perez further explained the financial services company tries to make sure that “our customers are prepared for those type of events. A lot of times they have to make some really quick and hard decisions when it comes to what is happening during ransomware, and we spend a lot of time on education around that.”
That includes making sure credit unions and other financial institutions have air gaps in their backups. “So that if you are in a situation like that, your backups do not get corrupted. You are able to cordon off the affected terminals, especially if you are (using) virtual desktops to bring your institution right back up and running pretty quickly.”
Perez also pointed out how Jack Henry oversees an extensive amount of financial information protection from a cybersecurity perspective. “We host, not only our customers’ core systems, but we also host their entire networks. We also serve as help desk for a lot of our institutions from a cybersecurity perspective.”
In the event of a disaster such as recent hurricanes, there is extra reason for caution. “Making sure that you have backups, and making sure that you have a disaster avoidance posture is really critical. That is one of the things we learned at Jack Henry from a cybersecurity and overall IT perspective,” he noted. “We move our primary locations through several different data centers now. We do that every six months because we are constantly testing our processes.”
Said Perez, “One of the things that a natural disaster like those (hurricanes) that happened is the number of scams that actually happen during those times. That is one vector that we see happen at every natural disaster. You start seeing the vultures of cybercriminals and fraudsters kind of converging on those areas, stealing credentials and going in and deceiving the customers getting into their accounts and removing the money out of their accounts.”
He continued. “Most of our institutions that were in the hard-hit areas were able to move all their information and traffic to a non-affected area. From an infrastructure perspective, we were able to keep those institutions up and running (if they could get into the building). Some of them had portable ATMs that they could bring around to get people funds.”
Threats Causing Sleepless Nights
Perez admitted there is a lot that keeps him up at night from a cybersecurity perspective “because this is what I do for a living.” However, he is paying particular attention to how sophisticated things are getting in one subset. “The ability for some of the AI (artificial intelligence) to fool different people. Because ultimately people are the weakest link always. As long as there are humans involved, there is going to be an attack vector on that human.”
He cited as a possible example a teller that clicks on a link and gets a popup on their screen that says, “‘Hey, you have just been infected by malware, pay $200.’ And they are terrified of losing their job. So, they pay the $200 and keep it quiet and then 90 days later the institution gets hit by a ransomware attack. It is the things that are unknown. Those are the scariest parts.”
Another frightening scenario Perez presented was at a non-Jack Henry institution where a ransomware attack brought down the financial institution’s branch, website and mobile channels. “They forced the customers out of the branches, out of online and into the call center, which is used to taking like 100 calls an hour; now they are taking 1,500 calls an hour.” From there the fraudsters were able to con an overwhelmed agent to process a substantial wire transaction, he noted.
“That was a situational sleight of hand," explained Perez. "The whole institution was working on getting everything back up and running while the cybercriminal was bleeding money on the back end out of the institution. So, things like these coordinated attacks are what really keep me up at night."
Top Cyber Security Dangers to Credit Unions and Other Financial Institutions
Besides the concerns surrounding the vulnerabilities and ransomware that present reputational risks to the institution, Perez noted the cybersecurity threats presented by moving so many functionalities, especially payments, to the cloud. “We are moving faster and faster and faster. Transactions at institutions are getting faster. FedNow, Zelle, RTP, Same-Day ACH, all moving money in real time. Then you are looking at newer technology to advance how the payment systems are advancing.”
Perez added, “You have to start looking into both private and public clouds, the security, the vendor management part of it, making sure whoever your provider of choice has the right risk processes put into place to make sure you are protecting the customers’ information at an institution. That is one of the biggest things that we need to keep our eye on, not just from a processor perspective, like Jack Henry, but every one of our institutions, including all our credit unions as well.”
Sharing Fraud Knowledge
“There are a couple of things, especially on the fraud side, coming down the pipeline to really keep a pulse on,” suggested Perez. “We are starting to see organizations coming together, to share fraud concerns and observations. Cyber intelligence is covered under safe harbor – fraud is kind of a gray area under safe harbor, so that is why some of the institutions are really looking to expand where they can share fraud data between institutions.”
According to the U.S Treasury Financial Crimes Enforcement Network, the USA PATRIOT Act's Section 314(b) allows financial institutions to voluntarily share information with each other to identify and report suspicious activity. This information sharing is protected by a safe harbor that protects institutions from liability.
Perez mentioned the American Bankers Association (ABA) has announced the Internal Fraud Discussion Group an initiative to help banks fight fraud; and Sardine X (now Sonar), has announced a data sharing platform to prevent money laundering, mule activity and fraud before a transaction happens. “Jack Henry built a product called Financial Crimes Defender, which has an information sharing component built into it, the Federal Reserve’s FraudClassifier,” said Perez.
“You're starting to see that more and more. It is not just which accounts and which transactions but getting to the point where we are looking at IP addresses, we are looking at devices, how many of those devices are then connected to other areas within the institution,” Perez said. “Those are the types of metrics that you are starting to see on the financial crime side.”