The Office of the Investigative Committee of Russia (IC) in Moscow has completed an investigation into the theft of more than a billion rubles (>$14 Million) through the supply of an electronic component for a module that is to be installed on the International Space Station (ISS). The investigation revealed that the money was laundered through Hong Kong and the United Arab Emirates.
Initially, the investigation, initiated by Roscosmos (a state corporation responsible for space flights, cosmonautics programs, and aerospace research), was conducted against unidentified citizens. Charges were then brought against eight persons involved in the case, in particular the former general director of the Rocket and Space Corporation (RSC) Energia, Vladimir Solntsev. According to the materials of the case, a state contract was concluded between the Federal Space Agency and RSC Energia for the creation of a module for the International Space Station worth over 15 billion rubles (>$70 Million).
However, Solntsev entered into a criminal conspiracy with several accomplices and, by deception, stole about a billion rubles (>$14 Million). The actions of the criminal group inflicted significant material damage on RSC Energia and Roscosmos.
It turned out that in 2017, a contract was signed between Energia and Central Research Institute “CYCLONE”, under which 1.32 billion rubles were transferred to the company’s accounts. These funds were supposed to be used to supply components for the creation of the module that is to be installed on the International Space Station (ISS). The contract was overpriced three times.
As a result, after several transactions, the funds ended up in the accounts of Rosaero FZC and Somontaj general trading LLC in the UAE and Jushi com limited and Seanet trade limited in Hong Kong. According to the investigation, the defendants spent only 278 million on the actual purchase of parts and assemblies. They appropriated the rest of the money. To date, most of the defendants have been charged with large-scale fraud. Two more are also charged with legalization (laundering) of funds acquired by criminal means. The defendants do not admit their guilt.
The world breathed a sigh of relief when Donald Trump de-escalated the tensions between the United States and Iran, which started when an American drone killed General Qasem Soleimani early in January and continued a few days later when Iran fired 15 missiles at several Iraqi military bases housing American and coalition forces.
Nevertheless, punitive sanctions remain in
place and there has been an intense standoff since the United States withdrew from
the Iran nuclear agreement. Iran knows it must pursue an asymmetric warfare
strategy, which it is waging mainly through sponsorship of various allied
militia in the Middle East, some of which are designated terrorist
organizations by the United States and the European Union.
But there is another weapon that Iran has used in the past and may pick up again: cybercrime, in particular as a means of destabilizing the western banking system. It has form. Between 2012 and 2013 hackers brought down the internet sites of several American financial institutions, including global firms such as Bank of America, Morgan Chase, Citigroup and Wells Fargo. Seven Iranians who worked for the IT company that serves the Revolutionary Guards were subsequently arrested and sentenced.
As a form of warfare, cybercrime has the two
distinct advantages of being much less expensive than traditional military
warfare, and much harder to detect. Directly after the killing of Soleimani,
Neil Walsh, who leads the UN’s cybercrime initiative from Vienna, warned both
countries not to resort to cybercrime as a means of retaliation. Walsh
cautioned that targeting computer systems can have as much impact as physical
attacks – and that nation states should think twice before carrying them out.
As reported in the New
Scientist magazine, there is a rather bizarre etiquette evolving around
cyberwarfare. “There is an ongoing cybersecurity diplomatic process, which is
where countries sit together to discuss what they can and can’t do against each
other in cyberspace, and try to agree norms,” Walsh said. He too emphasized the
difficulty of detecting cyberattacks and identifying the people behind them,
and the dangers of misattribution of cyberattacks. “If a country sends a
missile up from one place to another, you see where it came from, you know
where it went. In terms of attribution, that’s relatively easy to do,” he said.
But attributing cyberattacks can be much more difficult, increasing the risk of
escalation. “That gap between is it an individual, is it a criminal, is it a
terrorist, versus an intelligence agency, a military body or an advanced
persistent threat group, is so grey now that for one to say it was a criminal
or state-based activity might be incredibly difficult to do.”
As Iran’s record already shows, it is not just the military-industrial complex that has a legitimate concern about cyber terrorism and state-sponsored cyberattacks. Attacks on businesses by state-sponsored sources have significantly increased over the past few years. In this form of warfare, financial services companies are in the frontline, while healthcare and retail businesses are not far behind.
Iran is not the only culprit here.
State-sponsored cybercrime is on the increase worldwide. The Centre for Strategic & International Studies
has been tracking major incidents for some time. In December 2019 alone, it
recorded the following:
- Microsoft won a legal battle to
take control of 50 web domains used by a North Korean hacking group to target
government employees, think tank experts, university staff, and others involved
in nuclear proliferation issues.
- An alleged Chinese
state-sponsored hacking group attacked government entities and managed service
providers by bypassing the two-factor authentication used by their targets.
- Chinese hackers used custom
malware to target a Cambodian government organization.
- Unknown hackers stole login
credentials from government agencies in 22 nations across North America,
Europe, and Asia.
- Iran announced that it had
foiled a major cyber-attack by a foreign government targeting the country’s
- A suspected Vietnamese
state-sponsored hacking group attacked BMW and Hyundai networks.
- Russian government hackers
targeted Ukrainian diplomats, government officials, military officers, law
enforcement, journalists, and nongovernmental organizations in a spear phishing
Some businesses already take the threat seriously, which has resulted in a massive growth in the cybersecurity industry. Gartner Inc. values it at $124 billion per annum. In a recent survey report into financial crime, cybercrime was identified as by far the biggest external threat and 20% of the respondents said their organizations had been the victims of financial cybercrime in the previous 12 months. Among publicly listed companies, that figure rose to 26%. Refinitiv calculated the total losses from cybercrime by the 2,373 global companies surveyed at $241 billion. According to the insurance brokerage and risk management consulting firm Marsh, cybercrime cost half a trillion dollars in economic damage in 2018, far more than the $300 billion in economic losses from natural disasters. Yet spending on cybersecurity insurance premiums ($4 billion in the USA) is dwarfed by that spent on property insurance ($180 billion).
The threat of state-sponsored cybercrime
was back in the news at the end of January, as the British government debated
whether to award lucrative 5G network contracts to the Chinese firm Huawei. It
decided not to ban the company outright, but to set clear limits that would
exclude Huawei from any infrastructure that the UK government deems sensitive
(what it calls “core” as opposed to “peripheral” infrastructure). At most only
35 percent of 5G or gigabit network traffic will be allowed to pass through
equipment made by “high risk vendors”, and only 35 percent of cellular base
stations can include equipment from those vendors. Without mentioning Huawei by
name, the UK Culture Secretary said, “The government is certain that these
measures, taken together, will allow us to mitigate the potential risk posed by
the supply chain and to combat the range of threats, whether cyber criminals,
or state sponsored attacks.”
The European Union issued similar
guidance. But the US government is less sanguine. It effectively bans
carriers from using the company’s equipment in US networks; it has long warned
that Huawei could build backdoors into its products that could be accessed by
the Chinese government, something the company denies it has done or would do.
Warnings from experts in the field of
cybersecurity suggest that setting percentage limits or distinguishing between
“core” and “peripheral” could be ineffective. The demarcation lines between the
two are blurring as all components become more software driven. As a result,
even the simplest equipment can be vulnerable to hacking. As UC Berkeley
security researcher Nicholas Weaver told Wired
magazine, “5G antennas aren’t simply wires, but complex computers in their own
right doing a lot of signal processing.”
The concerns in the United Kingdom,
expressed by a number of prominent MPs in the House of Commons, have focused
mainly on personal privacy and the security of defense and intelligence
establishments such as GCHQ. As one MP put it, Huawei has more people employed
in its research department (90,000) than the UK has servicemen and intelligence
personnel. But the potential for cybercriminals, state sponsored or otherwise,
to exploit vulnerabilities in new networks should not be underestimated. Even
if the Chinese government is not directly involved in cybercrime, it is not
entirely unreasonable to assume that Huawei will pay rather less attention to
network security matters in the UK than it would in China itself. We know this
because only last year the UK’s National Cyber Security Centre reported that
Huawei has basic but deeply problematic flaws in its product code that create
security risks, which it blamed on low standards of “basic engineering
competence and cyber security hygiene”.
The bottom line is that the threats are there, and they come from an unknown number of invisible actors from many countries. And the attack could come at any time. It is certain that further attacks will come from “rogue” states such as Iran and North Korea, either directly from government intelligence and espionage agencies and departments or from proxies and freelances. The institutions that are most vulnerable to cyberattacks include, perhaps most significantly, small to medium sized banks and financial services companies that do not have strong cybersecurity processes and infrastructure in place. If they have not already done so, they should commission a security audit soon: antivirus and anti-malware apps are simply no match for today’s cyberterrorists and criminals.
Written by Paul Allen Hamilton and Volha Miniuk
To participate or join the AML Knowledge Centre go to https://www.linkedin.com/groups/8196279/
The European Union’s Fifth Anti Money Laundering Directive (5 AMLD) must be implemented in national law by 10 January 2020. The Anti Money Laundering Directive has been continually updated and tightened ever since its introduction in 1990 with a view to making it harder for money launderers and terrorists to move their cash in and out of, and around, the EU. We highlight five things to watch out for in this latest iteration.
1. New sectors affected
Until now AML rules have affected banks, building societies and gambling operators, plus accountants and lawyers. In addition to requiring these to comply with new rules and to review their existing procedures, 5 AMLD will affect new sectors. Most directly affected will be estate agents and intermediaries for properties with monthly rents in excess of €10,000. They now fall under AMLD jurisdiction, as do the beneficial owners of such properties. Information on real estate ownership must be made available to the relevant public authorities. Clearly in view here are investments in valuable properties, for example in central London, which have served as a useful medium for drug traffickers, illegal arms dealers and the like to launder the proceeds of their activities. Anyone involved in high-end real estate will be under pressure to review when and how often they verify the identity of their customers to establish beneficial ownership.
The art world was not explicitly within the
scope of 4 AMLD or previous iterations of the directive. Now, despite fierce
resistance from the art world, 5 AMLD will require auction houses and art
dealers also to undertake anti money laundering checks on customers.
Establishing systems to carry out such checks will carry significant
resourcing implications, and any failure to undertake checks with
sufficient rigor can attract criminal penalty, for both institutions and
5 AMLD updates the current directive to
include the following within the definition of “obliged entities”: persons
trading or acting as intermediaries in the trade of works of art, including
when this is carried out by art galleries and auction houses, where the value
of the transaction or a series of linked transactions amounts to EUR 10,000 or
more. This applies whatever the method of payment: cash, cheque, bank transfer,
All of this means that the estate agents,
rental intermediaries, art galleries and auction houses affected must act now
to put AML processes and procedures in place, and invest in the necessary
technologies to meet their new obligations. These include registering with the
relevant authority, conducting a money laundering risk assessment and carrying
out customer due diligence especially in relation to transactions or business
relationships that involve persons established in a high risk third country
(see below), politically exposed persons etc.
In other words, quite a few companies will face a new resource burden. This will also affect their financial services providers, lawyers and accountants, so they should seek advice on how to ensure that compliance is cost-effective within their financial means.
2. Catching up with new technologies
The speed with which 5 AMLD has followed hot on the heels of 4 AMLD reflects the speed of technological change and the new ways in which business is conducted. Under 5 AMLD custodian wallet providers and virtual currency exchange platforms will fall within the scope of AML laws, as they too have been added as new “obliged entities”.
5 AMLD also allows and indeed promotes the use of electronic identification for customer due diligence. This directive stipulates a need, whenever possible, to use electronic client verification solutions when undertaking due diligence obligations and KYC procedures. Institutions that have not already done so should invest in the technology for quicker onboarding of new clients through instant results. Not only does it help ensure compliance, it also improves the customer experience.
Also, financial institutions across the globe are transitioning to artificial intelligence and machine learning technologies to help improve pattern detection, increase automation and alert accuracy.
3. Tougher enforcement
There will be new national bank account registers in each EU Member State to enable easy access by law enforcement authorities to bank account information for all bank accounts held in that Member State. The registries will all be interconnected between Member States. In addition, enforcement authorities will be able to request information from an obliged entity even where no Suspicious Activity Report has been filed.
4. Tighter controls on high risk third countries
Credit institutions dealing with business relationships and transactions involving high risk third countries or having establishments in these countries may be particularly affected. The current list includes Afghanistan, Ethiopia, Iran, Iraq, North Korea, Pakistan, Sri Lanka, Syria, Trinidad and Tobago, Tunisia, and Yemen. It has been proposed to add American Samoa, Bahamas, Botswana, Ghana, Guam, Libya, Nigeria, Panama, Puerto Rico, Samoa, Saudi Arabia, and the US Virgin Islands. 5 AMLD prescribes enhanced due diligence measures for business relationships or transactions involving high risk third countries, and also allows Member States to restrict obliged entities from opening branches/subsidiaries in high-risk third countries, and to restrict the opening of branches in a Member State of an obliged entity based in a high-risk third country.
5. Public scrutiny of beneficial ownership
There will be wider access to each Member
State’s central register of beneficial ownership of corporates. Any member of
the general public can access basic information without the need to demonstrate
a “legitimate interest” (this is already the case in the UK). There is also a
new “discrepancy reporting requirement” that will require obliged entities to
report any discrepancies they find between the information that they hold, and
the information on the register.
5 AMLD also extends beneficial ownership reporting requirements to any legal arrangement that is similar to a trust, as well as tax-neutral trusts. It also widens access to the central register of beneficial ownership to any person who can show a “legitimate interest”. It is left to the discretion of individual Member States to define legitimate interest, although 5 AMLD states that the definition should not restrict the concept to cases of pending administrative or legal proceedings, and should take into account the preventive work undertaken by non-governmental organizations and investigative journalists in the field of anti-money laundering, counter-terrorist financing and associated predicate offences.
6. Brexit has no impact
The United Kingdom has committed to adopting 5 AMLD along with the rest of Europe, either as part of the proposed transitional arrangement or some other deal which requires regulatory convergence in return for preferential access to the Single Market. Even in the event of a “no deal” Brexit after the transitional period, the UK – as a leading member of the Financial Action Task Force on Money Laundering (which sets the standards which underpin EU anti-money laundering law) – is unlikely to let UK AML standards fall behind those applicable elsewhere in Europe.
Other new regulations include the ban on anonymous safe-deposit boxes and the subjecting of more prepaid instruments to due diligence (e.g. gift cards and travel cards). The threshold requirement on these has been reduced from €250 to €150. Finally, if that is not enough to take in, Member States will be required to transpose the next iteration – 6 AMLD – into national law by 3 December 2020. After which, relevant regulations must be implemented by firms within Member States by 3 June 2021.
One of the positives about 6 AMLD is that it is more specific on the offences that all EU Member States must criminalize – 22 so-called predicate offences for money laundering in total. In addition to the obvious ones these include environmental offences, cybercrime, and direct and indirect tax offences.
Wishing everyone a Happy and Healthy Holiday Season!
written by Paul Allen Hamilton https://www.linkedin.com/in/paulhamilton2/
and Volha Miniuk https://www.linkedin.com/in/volhaolgaminiuk/
did we get here?
Since 9/11 financial institutions have made enormous investments in
their anti-money laundering compliance programmes, but they are still faced
with manual processes and complexities in complying with financial crime
regulations. “One would be hard-pressed to suggest that banks are ignoring the
need for better customer due diligence,” KPMG reported in March 2019. “Indeed,
according to a recent Forbes article, some banks spend up to US$ 500 million
each year in an effort to improve and manage their KYC and AML processes. The
average bank spends around US$ 48 million per year. In the US alone, banks are
spending more than US$25 billion a year on AML compliance.”
Much of the growth in costs is driven on the one hand by fear of fines for non-compliance (US$24 billion in non-compliance fines since 2008, but the cost to reputation can be higher) and, on the other hand, by the need to address the high false-positive rates that rules-based systems generate, which result in significant remediation efforts.
Even though financial institutions are the ones being fined, they are by no means in this alone. There is an ecosystem of consultants, research companies and software vendors who also need to be held accountable to their
The reality is that few of the first generation AML systems were built
to fight crime! These systems were mostly the by-product of business
intelligence (BI) software products (as opposed to AML or financial crime solutions)
that were originally created to provide insights into corporations’ past
performance. Many of these systems are programmed using code that dates back to
After 9/11, many vendors seized the opportunity to position their BI
software as AML compliance solutions. Consequently,
financial institutions find themselves combatting sophisticated fraud, money
laundering, and terrorist financing schemes with outdated BI software using
code that dates back to the eighties!
This is analogous to competing in this
year’s Formula One driving Jackie Stewart’s Tyrrell or Alain Prost’s Renault.
No wonder the expectations of many financial institutions’ compliance departments haven’t been met, with exceptionally high rates of false positives, i.e. somewhere between 75 and 90 percent of alerts. In fact, many financial institutions’ compliance programs have continuously felt under-resourced compared to the volume of alerts and reports they must review while trying not to disrupt good business. Thus, financial institutions, at least those that could afford to do so, felt compelled to build offshore entities, taking advantage of lower labour costs to maintain their systems and manage their KYC alerts.
With all the attention on false positives, false
negatives have a much better chance of slipping through the workflow.
The risk-based approach was supposed to help financial institutions to
get a grip on the high-rate of false positives by profiling customers and segmenting
them based on their risk exposure. However, clustering customers into
segments/categories based merely on products, channels, transactions,
geographies, and industries and then building generic rules with arbitrarily
selected thresholds was a simplistic approach, to say the least, and somewhat
naïve from regulators.
Moreover, all this is happening at a time when legislation has made it
easier for customers to swap from one financial institution to another. Rather
than risk annoying good customers by constantly asking intrusive questions as a
result of false alerts, banks have often further refined the number of segments
… to the point that they become unmanageable.
The light at the end of the AML tunnel
Everyone in the AML ecosystem has come to realize that a better approach
is needed, especially when it comes to verifying false positives. Basically,
the whole industry is banking (pun intended) on big data, artificial
intelligence (AI) and machine learning (ML) to help simplify complex processes
and automate repetitive tasks. Therefore, the expectations for AI are
overwhelmingly high: PricewaterhouseCoopers estimates the
contribution of AI to the gross world product by 2030 to be around 14 billion
AI has the potential to remove the chains from AML compliance staff allowing
them more time to deal with non-routine events and complex cases as well as
having better information through a cleaner, more traceable process to make
Of course, machine learning models can process tremendous amounts of data, but ML systems still need to learn the difference between a false positive and a false negative, and do so in real time. But there are challenges that need to be sorted out.
As with every new technology wave (CRM, business intelligence, big data, predictive analytics, artificial intelligence, etc.), technology companies can’t resist the temptation to sprinkle the latest buzzwords on every bit of their software like fairy dust. This gold-rush atmosphere also has its downsides. In March the Financial Times reported that 40 percent of European AI start-ups do not actually use AI programs in their products, according to an investigation by the investment company MMC Ventures.
First, there simply isn’t enough well-structured data at most companies that can be used for teaching these ML / AI models. IBM’s Watson, named after the company’s first CEO, has learned this the hard way. Originally developed to answer questions using natural language processing (NLP), and then as a system to assist in the diagnosis of cancer, as of June 2017, the Watson artificial intelligence platform had been trained on six types of cancers which took years and input from a thousand medical doctors.
A second challenge is that criminals are always adjusting and trying new schemes, and a third is that the financial services landscape is itself changing continuously, leaving ML and AI platforms with a real-time knowledge gap.
So, caveat emptor: these systems require months and in many cases
years of laborious training, and a lot of support by expensive compliance
experts and data scientists. The experts must feed vast quantities of
well-structured data into the platform for it to be able to draw meaningful conclusions,
and these conclusions are only based upon the data that it has been trained on,
i.e. what happened in the past. An implementation project will involve:
- Learning the transaction behaviour of similar customers
- Pinpointing customers with similar transactions behaviour
- Discovering the transaction activity of customers with similar traits (business type, geographic location, age, etc.)
- Identifying outlier transactions and outlier customers
- Learning money laundering, fraud, and terrorist financing typologies and identifying typology-specific risks
- Dynamically learning correlations between the alerts that produced verified suspicious activity reports and those that generated false positives
- Continuously analysing false-positive alerts and learning common predictors
For the most part, financial crime will be driven by advances in technology, and this marriage of regulation and technology is not new in itself. However, the continual increase in regulatory expectations, the staggering levels of cyber-attacks against financial institutions and the disruption of new instant payment initiatives will not make it easier on people working in
In brief, these innovations address many gaps in today’s financial crime programmes by improving automation in the detection of suspicious activity, which would be a significant move from monitoring to preventing financial crime while being more cost-effective and agile. Financial institutions that have already been down this path and have been disappointed would be wise to start with small-scale pilot projects with limited scope, using agile software delivery methodologies.
And above all, they need to invest in data quality as it is a key
component of any successful financial crime program. High-quality data leads to
better analytics and insights that are so important not only for accurately training
ML and AI models, but also to drive better decisions.
Paul Allen Hamilton and Volha Miniuk
It was a pleasure for me to discuss – Blockchain & KYC Hype to Real Applications – with the other panel experts: Roman Stammes, Yana Afanasieva, Robert Engmann and moderator Anne Bailey at the Blockchain Enterprise Days 2019 in Frankfurt.
Millions of dollars and countless business hours are being spent on the Know Your Customer (KYC) process by banks every year. These costs are increasing due to AML requirements. Blockchain technology can be utilized to ease this process by offering banks and FinTechs transmissible digital identities, saving time and money. Blockchain technology can improve data quality and result in better governance. There has been a buzz about KYC and blockchain for some time now but actual large scale implementations are still to be carried out. In this panel we will talk about the current status & future of Blockchain for KYC & AML.
The panel discussed the following points:
– What are the benefits of blockchain implementation in KYC process if any?
– Any specific examples of successful implementation?
– We see government collaboration between middle eastern and Asian banks to fast-track the use of blockchain for KYC & AML. Have there been any similar types of collaborative work in Germany and EU?
– Is standardized KYC necessary and would banks agree on that?
It would be interesting to know how many of you feel that Blockchain will help streamline KYC processes?
Also big thanks to @KuppingerCole Analysts AG and their team for organizing this important event!
The new Black
With the rapid advancement of mobile technologies, the internet is now accessible from anywhere and everywhere. Open banking (PSD2) in the European Union, together with mobile wallets, instant payment initiatives and cryptocurrencies, offers consumers a lot of ways to engage with financial institutions 24/7. Therefore, in today’s environment, customer expectations are constantly changing and it’s imperative that financial crime and Anti-Money Laundering units keep pace.
No doubt the widespread use of mobile devices is accelerating the rate and impact of financial crime. Today, mobile subscriptions outnumber the world’s population, as illustrated by Statista:
This, in turn, has spurred the use of mobile banking apps and changed the way consumers pay for services in general, turning us into a cashless society.
With new regulations such as the Payment Services Directive (PSD2), the European Union has set the rules for open banking, allowing FinTechs access to traditional financial institutions’ systems and customer data. Everyone is a winner: the benefits of open banking are enhanced customer service for under-served markets, new revenue streams, and improved margins.
While this presents major opportunities for everyone, it places a lot of responsibility on those tasked with keeping a financial institution from being compromised by cyberattacks or used as a vehicle to launder money.
How will current financial crime & anti-money laundering systems work in a digital world?
It’s difficult enough for financial institutions to monitor and detect violations in transactions that take at best 24 hours to clear. With digital payments clearing in real time, in a matter of milliseconds, the impossible becomes totally impossible using conventional methods. By conventional, we mean systems focused on rule-based approaches, where suspicious transactions are put in a queue and investigated in an overnight batch mode.
Even in a world operating in batch, AML systems generate too many false positives (typically between two and 15% of all transactions) and therefore impose a huge workload on banks and financial investigation units (FIU).
Number of Suspicious transactions reported to UIF in the UK: +51% (’12-16), from 67K in 2012 to 101K in 2016
As digital payments continue to increase, this problem is greatly scaled because banks are under pressure from customers and consumers to clear transactions as quickly as possible and still make sure that risk and compliance systems flag all risks and suspicious activities.
The Internet of Things
Once upon a time, cybercriminals focused their efforts on PCs. However, with the average user spending about five hours per day on a mobile device, with roughly 70 percent of those smartphone devices not having an anti-virus program installed on them, sensitive data (e.g. contacts, passwords, emails, documents, photos, etc.) are exposed to cyber threats. Therefore, we have witnessed a sharp increase in new mobile malware, because criminals will always take the path of least resistance.
The Internet of Things (IoT) is driving the interoperability of physical devices, vehicles, home appliances and other electronic equipment through sensors and software-enabled apps.
The number of online-capable devices was believed to have increased to 8.4 billion by 2017 and by 2020 experts estimated that 30 billion objects would be online, with a global market value of $7.1 trillion.
The Nokia Threat Intelligence Report 2H 2016 estimated that more than 100 million devices worldwide have been infected by malware, including mobile phones, laptops, notepads and a broad range of IoT devices.
The same report stated that smartphones were more often targeted, accounting for 85 percent of all mobile device infections, and that smartphone infections increased 83 percent from July through December, compared to the first half of the year.
According to Check Point Mobile Threat Research’s 2017 report (“Mobile Cyberattacks Impact Every Business”), financial institutions, as the custodians of their customers’ money and data, are a much sought-after target for cyberattacks.
[Figure: Malware attacks by industry]
With the number of mobile devices already infected and the connectivity of devices rapidly expanding, cybercriminals have more routes to target than ever before.
As crazy as it once seemed, cybercriminals attacking financial institutions via a coffee machine, smartphone or even an employee’s wearable health-check device is no longer science fiction. Also, this malware storm isn’t a regional threat; its path of destruction is universal.
[Figure: The most impacted regions according to Check Point mobile threat researchers. Source: Check Point, “Mobile Cyberattacks Impact Every Business”]
The Eye of the Storm
That said, financial institutions appreciate the importance of digital technology and are embracing an ecosystem that includes FinTechs. These ecosystems can help to provide more customer value and open new customer segments. At the same time, they bring new types of operational risks with them, such as:
- Risky user behaviour. For example, 70% of smartphone users have never installed an anti-virus program on their mobile device.
- 24/7 connectivity of mobile devices to hotspots.
- Wi-Fi networks and Bluetooth technologies making it easier for attackers to carry out a fraud campaign.
- Rogue mobile applications, repackaging of apps and ransomware are on the rise.
- Advanced malware and viruses for online as well as mobile devices continue to increase.
Currently, the data on mobile fraud isn’t as robust as for other channels. These operational risks need to be continually assessed to build reliable mobile fraud models without jeopardizing the customer experience. According to figures published by RSA in 2018, 60 percent of digital banking fraud originates from the mobile channel. This mobile banking fraud almost always involves thieves using remote deposit capture (RDC) to deposit fraudulent checks, or cybercriminals using stolen identity credentials to hijack consumer bank accounts. This actually caused a dip in the growth of mobile banking as users sensed insecurity. Security and fear of fraud are the top two concerns about using mobile banking for up to 55 percent of consumers, according to Javelin Research. With more than 25 million mobile devices infected by a single malware variant alone (Agent Smith), that is hardly surprising. The exact number of malware-infected mobile devices is hard to quantify, but in 2018 Kaspersky Lab products detected:
- 5,321,142 malicious installation packages
- 151,359 new mobile banking Trojans
- 60,176 new mobile ransomware Trojans
A point often overlooked is that your ecosystem is the weak link when trying to protect against external threats. One lesson learned is how difficult it is to detect a compromise until bad things start to happen. Examples:
The Carbanak malware sat in the banks’ computer systems for months, sending back vital information to hackers, who were then able to impersonate bank officers carrying out internal procedures at more than 100 banks around the world.
With complete control of mission-critical systems, they managed the transfer of millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into fake bank accounts set up in other countries.
If not for a video surveillance camera filming an ATM in Kiev, the Carbanak malware might never have been detected.
Of the US$ 81 million stolen from the Bangladesh Bank in February 2016, only US$ 15 million has been recovered, and there is still no word on who was responsible. Cyber attackers illegally transferred US$ 81 million from the Central Bank of Bangladesh (CBB) to several fictitious bank accounts around the world by subverting its SWIFT accounts.
The Bangladesh Bank heist is a perfect illustration of the future complexity involved in monitoring instant payments.
The WannaCry virus quickly infected more than 200,000 businesses in 140 countries, locking computers until a ransom was paid.
Fighting Back with Innovation
The only credible answers are detection and transaction monitoring systems built on new technology, with machine learning and artificial intelligence at the core, rather than relying only on a rule-based approach.
Criminals don’t use rules
With algorithms that continue to improve and with support from financial crime and AML professionals, these systems learn to identify suspicious activity where there is a higher probability that a financial crime and/or money laundering is actually occurring. As a result, bank staff can focus on the real alerts and not get swamped by false positives.
Another technology-based approach that continues to develop provides insights by taking large amounts of account data and generating a visual map. Suspicious relationships and payments can be tracked as they move between bank accounts, regardless of whether the payment amount is split between multiple accounts, or those accounts belong to the same or different financial institutions. The software creates a visual map of where and when money has moved, providing new insights and intelligence for fraud and compliance teams to take action.
By bringing together transactional data from multiple financial institutions and running sophisticated algorithms, such solutions can identify the so-called “mule accounts” that are used for money laundering and other illegal activity. Many of these accounts are not set up directly by the criminals themselves but via a number of scams including phishing, spam email, instant messaging etc.
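The account-mapping approach described above, sketched as an added example that is not part of the original article: it follows constructed transfers from a reported account through split payments across institutions and flags accounts that forward funds almost immediately. The account names, the 60-minute window and the 90% forwarding ratio are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data: (minute, sender, receiver, amount). Account names
# and bank prefixes are invented for this illustration.
TRANSFERS = [
    (0, "bankA:victim", "bankA:m1", 9000),
    (5, "bankA:m1", "bankB:m2", 4400),       # payment split across two banks
    (7, "bankA:m1", "bankC:m3", 4500),
    (12, "bankB:m2", "bankD:cashout", 4300),
    (15, "bankC:m3", "bankD:cashout", 4400),
    (30, "bankA:shop", "bankA:supplier", 1200),      # unrelated activity
    (900, "bankA:supplier", "bankB:landlord", 300),
]

def trace_funds(transfers, source):
    """Follow money leaving `source` through the payment graph in time order.
    Returns {account: (traced amount still held, hop path from source)}."""
    held = defaultdict(int)
    paths = {source: [source]}
    for _, src, dst, amount in sorted(transfers):
        if src not in paths:
            continue                         # sender never held traced funds
        # Everything the source sends is traced; other accounts can only
        # pass on as much traced money as they currently hold.
        moved = amount if src == source else min(amount, held[src])
        if moved <= 0:
            continue
        if src != source:
            held[src] -= moved
        held[dst] += moved
        paths.setdefault(dst, paths[src] + [dst])
    return {a: (held[a], p) for a, p in paths.items() if a != source}

def pass_through_accounts(transfers, window=60, ratio=0.9):
    """Accounts that forward at least `ratio` of an incoming credit within
    `window` minutes (assumed thresholds for a mule-like pattern)."""
    flagged = set()
    for t_in, _, acct, credit in transfers:
        sent = sum(amount for t, src, _, amount in transfers
                   if src == acct and t_in <= t <= t_in + window)
        if sent >= ratio * credit:
            flagged.add(acct)
    return flagged

def suspicious_chain(transfers, source):
    """Pass-through accounts that sit downstream of a reported account."""
    return sorted(set(trace_funds(transfers, source))
                  & pass_through_accounts(transfers))
```

On the sample data, 8,700 of the 9,000 traced units end up in `bankD:cashout`, and the three intermediate accounts are flagged even though they sit at three different institutions.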
It is worth pointing out that while technology is a necessary condition for successful financial crime and money laundering prevention, it is not the only tool. In addition, financial institutions will need to review their compliance procedures, risk assessments, and their service offerings to strike the optimum balance between competitiveness and security.
What should the upper threshold look like?
Should priority be given to VIP and profitable customers when reviewing suspicious transactions? What about social and political issues? (For example, Muhammad is the world’s most common name, and also appears a lot on sanctions lists. But that also means a significantly large number of false positives, which could lead to claims of unfair profiling.)
And finally, even advanced technology and an effective redesign of processes and procedures are meaningless without sufficiently well-trained staff who can detect suspicious customer behaviour and be reliable gatekeepers, especially at the on-boarding of new customers.
Author Paul Allen Hamilton