Monday, April 24, 2006

AML & Data Theft: Risks to International Banks and Domestic Universities...

If you are a parent of a son or daughter at an institution of higher learning, this is a notice that makes you shake your head in disappointment. And if you are Chief Information Security Officer at University of Texas - McCombs you wonder how this could happen again?

Unauthorized Access of Computer Records Discovered at The University of Texas at Austin

AUSTIN, Texas –The University of Texas at Austin officials announced today (April 23) that an unknown person or persons has gained entry to the McCombs School of Business computers and gained unauthorized access to a large number of McCombs’ electronic records.

“It is our highest priority to notify those who may be affected by this security breach,” said university President William Powers Jr. “We have notified the attorney general and his Internet enforcement unit and are doing everything we can to protect those whose information has been accessed unlawfully.”

The security violation was discovered late Friday, April 21, and the university has devoted all available resources to identify the extent and source of the breach. Some of an estimated 197,000 records were accessed.

An investigation has determined that information from the business school’s computer system was obtained as early as April 11, including some Social Security numbers and possibly other biographical data, including those of alumni, faculty, staff and current and prospective students of the business school as well as corporate recruiters.


Even though the transnational nature of data theft is a major financial concern for law enforcement, the banking community and those potentially consumers impacted at this university, there are other priorities that may be of greater risk to US financial institutions. Money Laundering and the enforcement of the Bank Secrecy Act (BSA) is a continued United States Treasury priority along with the Office of the Comptroller of Currency (OCC).

Metropolitan Bank & Trust is one of the latest institutions to be penalized for violations of BSA.

An examination of Metrobank by the Office of the Comptroller of the Currency found deficiencies in Metrobank's anti-money laundering program, revealing that Metrobank had failed to implement an adequate system of internal controls to ensure compliance with the Bank Secrecy Act and manage the risks of money laundering involving funds transfers. The examination also revealed that Metrobank had failed to conduct adequate independent testing to allow for the timely identification and correction of Bank Secrecy Act compliance failures. These failures in internal controls and independent testing led, in turn, to failures by Metrobank to identify and report suspicious transactions in a timely manner. The failures of Metrobank to comply with the Bank Secrecy Act and the regulations issued pursuant to that Act were
significant.

Metrobank and Metro Remittance handle large volumes of funds transfers involving the Philippines and, since September 2003, the People's Republic of China. The volume of funds transfers to the Philippines in 2003 was 162,000 transactions totaling $208 million. Prior to February 11,2005, the Philippines was included in the list of Non-Cooperative Countries or Territories designated by the Financial Action Task Force on Money Laundering.


While this civil penalty will result in a fine of only $150,000., you could predict that the cost will be much higher. A system implemented to assist with due diligence installed in 2003 has not been effective and the use of manual controls is the source of much of the banks failures in a fully compliant Anit-money laundering (AML) program. The passage of the USA PATRIOT Act, after the terrorist attacks of September 11, 2001, has placed greater emphasis on AML issues. Increased scrutiny of potential laundering, and stringent requirements placed on institutions to increase their efforts to detect money laundering by terrorist groups, reinforces the importance of the need for certified professionals who protect institutions from potentially devastating laundering crimes.

The lack of oversight by banking institutions or universities comes back to a single aspect of Operational Risk Management. Without a framework for managing risk of all kinds and having an effective system for continuous risk monitoring, you are setting yourself up for a major loss.

No comments: