Sunday, January 09, 2011

Cyber Theft Rings: A Nexus with Terrorism...

BSA/AML compliance is an Operational Risk that continues to plague even the largest institutions. The ability to effectively program information systems to address "Politically-Exposed Persons" (PEP) and the risk to the banks reputation are still a challenge for some executives.

Why is this still an OPS Risk issue? In many cases, the lack of procedures being followed by adequate staff in the alert investigations unit where backlogs are prevalent. This becomes a business risk because there continues to be a lack of closure on these alerts. The simple monitoring of funds transfers to ensure timely reporting of suspicious activity associated with PEP's should be AML 101.

Retaining and deploying an independent consultant to review compliance and systems controls is the primary responsibility of an Audit Committee chair of the Board of Directors. For those institutions that have found themselves under the recent oversight of the OCC in the United States, many realize they have underfunded this obligation and the staff requirements to stay in pace with the expanding volume of electronic transactions.

Monitoring accounts of current or former senior political figures is well within the PEP definition and includes their families and any close associates. Therefore, the BSA officer will require even more robust budgets, staffs and systems programming to continue to be effective in regulatory compliance of the Bank Secrecy Act and Anti-Money Laundering statutes. And this just covers the risks associated with the banks regulatory obligations in the United States and many other countries of the world.

Yet this is the area that has traditionally been the foundation for the 20th century criminals and other entities who need to move money to places in large sums or to perpetuate fraudulent activities. Now what about the 21st century asymmetric threat, "Cyber Theft Rings"?

Malware exploiters purchase malware on the black market Internet and use it to steal victims banking credentials. They launch attacks from systems that are already compromised across the globe in small businesses and other commercial or government organizations. This allows the transnational cyber criminal to transfer stolen funds and deter the tracking of their activities. Money Mule networks then transfer funds to other accounts or get cash from ATM's and then buy stored value cards before they ship them back overseas to the crime syndicates.

The victims remain the financial institutions and the owners of the infected systems. So how large is this method of cyber theft? In 2010 the FBI reported close to 400 cases that had attempted loss of $220M and actual losses of $70M.

Today's (October 1, 2010) coordinated operation demonstrates that these 21st-century bank robbers are not completely anonymous; they are not invulnerable. Working with our colleagues here and abroad, we will continue to attack this threat and bring cyber criminals to justice."

Most of the accused hailed from Eastern Europe; many were based in Ukraine, where several worked as Web developers. Ten suspects were arrested in New York on Thursday, with another 10 having been arrested previously. The FBI is still seeking 17 others .


Where is the money going and what is it being used for? In a recent study by officials at the New York State Intelligence Center titled: "The Vigilance Project: An Analysis of 32 Terrorism Cases Against the Homeland", the statistics are the face of the US challenges with money laundering and terrorism:

  • 82 % were between the ages of 18 and 33.
  • 61 % attended some college and of these 64% of the educated terrorists were engineering majors.
  • 50 of the 80 suspects in the study whose citizenship could be identified were born in the U.S. .
  • 11 of the 32 cases studied happened in the past two years. In these cases, 17 of the 19 defendants were in the United States legally.
The banking community understands that it has to remain vigilant when it comes to BSA/AML regulations. Not only to avoid the millions of dollars in potential fines, but also because of the potential nexus with counterterrorism.