If your SaaS was used to commit a financial crime, what should you do?

Question

Hypothetically, if your Solo-Founder SaaS was used a suspicious customer based in Russia to access a USA financial institution.

dogman144 · Accepted Answer

Dump and save all your logs tied to this, and try to go back as far as possible as it pertains to this user and related infra they used. Start an excel sheet w/ , and on the headers, and log everything you do as part of figuring out what to do about this, i.e (Feb 17, asked what to do on hackernews, took advice and called a lawyer). Put it in a gdrive. Essentially, establish an audit trail of you doing the right thing once you realized what was going on.Get a lawyer involved, and then ring up the local cyber crimes unit and be prepared to dump all this evidence. There's a lot of interplay b/t security teams and law enforcement over this stuff so it's not unusual. They'll be happy you reported. Anyone can use a SaaS platform, worst case you might get a rude awakening on the need to do KYC/AML or some sort of user onboarding regulations that you weren't aware you had to follow. This is all about due diligence and if you did it once you knew you had to.Using intermediary infrastructure to dodge OFAC sanctions or w/e like this is isn't uncommon. The uncommon part is being able to get knowledge on the intermediary infra (your saas), so you're doing a solid by reporting it and providing logs.

themodelplumber · Answer

Keep your notes on it handy. Contact your legal rep or team.
When something similar happened to me I was eventually contacted by the California computer crimes task force, IIRC. Very simple phone call, asking for notes I kept on the situation. Polite.
Then I got looped into the prosecution's long and kind of annoying email chain to everybody involved before there was an eventual going-nowhere of it all. Surprising but that's what happened. So you never know but some basic diligence is typically a good idea. This is not legal advice.

tempnow987 · Answer

Ignore all the folks saying don't ask this question. Dealing with fraud / abuse issues is not uncommon.
Generally you do a few things.
If something makes you feel uncomfortable, and your agreement allows it, close out the customers account.
Just like facebook / google and friends, I've found it better NOT to get into a lot of back and forth or just point to a generic policy (ie, overseas accounts not supported).
If you need to refund money, make sure you only refund to same payment method. Ie, a credit card refund should not go out by check. I've seen scammers use this with a stolen card, then try and get the refund by check. A few months later card owner contests bill. If you refund back to same card, then when owner protests, the money is already back, nothing to protest.
Consider a hold on funds if you are concerned that they will be returned to issuing entity if you a in the middle on a payment flow. If so you want to make sure your money handling stuff is compliant anyway with KYC and transfer licensing needs.

8bitbuddhist · Answer

I wouldn't leave this up. Maybe create a retrospective post once the case is over if you want to help others, but don't share details (even minute details) publicly until you've talked to a lawyer first.

ackbar03 · Answer

Is it inappropriate to say that I'm jealous your SaaS is good enough to be used by Russians for financial crime? I mean your gonna take this post down anyways right?

dc-programmer · Answer

1. Delete this post2. Lawyer up

DrWhax · Answer

You can always reach OCCRP securely using our Securedrop instance: https://www.occrp.org/en/become-a-whistleblower/
You might know us from the recent SuisseSecrets (https://www.occrp.org/en/suisse-secrets/) as well as covering russian laundromats through european banks: https://www.occrp.org/en/laundromats/
you can also reach out through jurre[@] occrp dot org

grue_some · Answer

This is the main lawyer that handled PIA's (Private Internet Access) legal challenges: https://www.linkedin.com/in/jarsenault Being a VPN, they would get contacted about a lot of stuff like this. He is a decent guy from my personal experience and maybe he would be a good contact if you don't already have a lawyer handling this.

milesdyson_phd · Answer

Seek counsel prior to anything else

steve_g · Answer

Contact your favorite lawyer first.

conductr · Answer

> Mid-term, I am going to add detailed logging of all customer activity, and a workflow to analyze these logs.I'd recommend not changing anything about how your app functions until you follow the common advise here. Ask your attorney when you can make code changes. You may be destroying evidence even if it's just "the path they took"

prichino · Answer

Why do you care? Don't assume and ask a lawyer. Ban the user for not following TOS and should be good

igammarays · Answer

How can a solo founder SaaS "be used" to access financial institutions? Do you mean simply creating a bank connection through an API like Plaid? People in Russia may have bank accounts in the US, you know?

cjf4 · Answer

Hire a lawyer.

mrintellectual · Answer

Hypothetically, you should report what happened and hire an attorney ASAP.

smarri · Answer

Submit a suspicious activity report to local law enforcement

jamal-kumar · Answer

if you needed a recommendation for legal representation:https://www.torekeland.com/

danso · Answer

I wouldn't leave this up

Taylor_OD · Answer

Yeah take this post down and contact a lawyer who specializes in financial crimes. You shouldnt be taking legal advice from the internet.

stets · Answer

delet this op

eddieh · Answer

Call the FBI!You shouldn't be talking about this publicly either. You could be compromising the future investigation.