Cryptocurrency is only used in on Darknet and by Criminals!

I don’t know a topic that is more misunderstood than cryptocurrency. US regulators unofficially coined the umbrella term “virtual currency” to denote bitcoin and other blockchain-based cryptocurrencies. In countless articles, cryptocurrency, virtual, and digital currency are used interchangeably. For example, the Bangkok Post referred to “virtual currencies including the bitcoin”, while the Toronto Star described the collapse of a bitcoin exchange after hackers stole its “digital currency”. On bitcoinmagazine.com an author illustrated the difference between cryptocurrencies and digital currencies while referring to their use in online virtual economies. In reality, one size doesn’t fit all. Therefore, to understand cryptocurrency you need to first understand what it is and what it isn’t.

One Size Doesn’t Fit All 

For many, the confusion starts right away with the coining (no pun intended!) of umbrella terms such as digital and virtual currencies to include cryptocurrencies. Crypto, digital, traditional and virtual currencies have different attributes and traits and knowing them is necessary for the assessment of the individual risk that each pose as a strategic vehicle for money laundering and terrorist financing.

Fiat currency

Fiat currency is also known as traditional currency issued, monitored and regulated by a centralized government agency. In fact, 8 percent of the world’s money is represented by physical notes. They are used to purchase goods and services. Fiat currencies, in most cases, have no underlying assets of value such as gold or silver. Therefore, their material worth is only as good as the faith of their issuing government.

Digital Currency

Digital currencies such as Visa, AMEX, MasterCard, Bank Cards, and PayPal are a digital form of fiat currency. Also, connected to a user’s bank account and transactions are constantly monitored for known money laundering and fraud typologies. Digital currencies in the form of credit cards issued to consumers, giving them an instant form of credit. Digital currencies operate within an enormous ecosystem of banks, consumers, merchants, and the card companies themselves. Therefore, it’s hard to imagine how digital currency would offer an organized crime syndicate a strategic advantage as a vehicle to launder large sums of money. Of course, terrorist financing is another game altogether. Digital currency in the form of a pre-paid gift card is an adequate vehicle to move smaller amounts of money while flying under the radar.

Virtual currency

A form of currency or game tokens, issued by a centralized entity (not to be confused with a centralized government agency). Circulated within the boundary of a virtual economy (e.g. Second Life, World of Warcraft, EVE Online, etc.) as a game currency. Also, the top virtual platforms, which I checked, will only allow established payment methods (e.g. bank accounts, credit cards (aka digital currency), Skrill, etc.) when purchasing their virtual currencies. Again to set up these payment methods the owners or entity should have gone through the KYC. It’s questionable if these virtual platforms offer the necessary liquidity as well as the economic stability to be strategically interesting as a vehicle for laundering large sums of money. Therefore, it seems that these platforms offer more value for someone acting as a lone wolf trying to transfer or launder smaller amounts of money.

Cryptocurrency

Peer-to-Peer electronic cash systems allow payments to be directly sent from one party to another without a financial institution. A fundamental element of any cryptocurrency system is their Blockchain also known as a distributed public ledger, which is shared among network participants. In the absence of a central authority, miners and maintainers are incentivized with native tokens for their support in operating the network. Cryptocurrency can also be exchanged for services and goods similar to digital currencies, but with a substantially smaller merchant clientele base than digital currencies. To date, Bitcoin with 72 percent (as of December 2017) market share is by far the most popular cryptocurrency. Furthermore, any serious exchange or wallet service will conduct a thorough Know Your Customer (KYC) on every new account as part of their onboarding process. That means linking personal identity to your wallet and to your bank account. Accordingly, a serious exchange or e-wallet will only transfer funds for a cash withdrawal to a connected bank account.

There is the Grey Zone

First, it is debatable if cryptocurrency is a currency at all! There are an estimated 5.8 million unique active users of cryptocurrencies (Cambridge Centre for Alternative Finance). Many of which are operating in a grey zone when it comes to rules and regulation around cryptocurrency or a lack of them. In the USA, there have been controversial cases where presiding judges of similar court cases involving cryptocurrency came to contrasting conclusions and rulings. For example, in the case of Michell Espinoza Judge Pooler’s threw out felony charges. At the time, Michell Espinoza had an account on a website, localBitcoins.com, where he allegedly traded Bitcoin for a profit. The defendant accused of transmitting (as a money services business) and laundering $1,500 worth of Bitcoins by Miami Beach Police and the U.S. Secret Service, while acting undercover. On the charges of engaging in a money services business, the judge issued the statement that “attempting to fit the sale of Bitcoin into a statutory scheme regulating money services businesses is like fitting a square peg in a round hole.” Bitcoin is not, she noted “backed by anything” and is “certainly not tangible wealth and cannot be hidden under a mattress like cash and gold bars.” To the charges of money laundering, Judge Pooler clarified that money laundering is “commonly understood to be the method by which proceeds from illicit activity (“dirty money”) becomes legitimized.” The judge also mentioned that Florida law — states that a person can only be charged with money laundering if they engage in a financial transaction that will “promote” illegal activity — is way too vague to apply to Bitcoin. “Judge Pooler there was no financial transaction because Bitcoin is not money”. Judge Pooler also noted that while the court is not an expert in economics; however, it is clear, even to someone with limited knowledge in the area, that Bitcoin has a long way to go before it is the equivalent of money. In a similar case to that of Michell Espinoza, Judge Nathan made precisely the opposite ruling to Judge Pooler. Anthony Murgio, an operator at Coin.mx, indicted in 2016 for working without a money transmission license. He was charged with money laundering and failure to file suspicious activity reports. Murgio’s council has been fighting to have the money laundering charges dismissed, arguing that Bitcoin is not a legal currency. “Judge Nathan rejected arguments to dismiss the money laundering charges, claiming that Bitcoin explicitly qualifies as currency”. She defended her decision by saying Bitcoins are funds within the plain meaning of that term. Bitcoins can be accepted as a payment for goods and services or bought directly from an exchange with a bank account. Therefore, they function as pecuniary resources and used as a medium of exchange and a means of payment. Clearly, governments were caught off guard by the quick adoption of cryptocurrency and now everyone is grappling with fundamental issues like what it is, how to tax and regulate it. 

Cryptocurrency an Enabler of Crime?

Editorial stories like this one “Bitcoin Gains Value Due to Criminal Use [Only], writes a Forbes Columnist” has influenced us into believing that cryptocurrency is only used by organized crime and terrorist on the darknet. Because it provides them with complete anonymity. Subsequently, another article gave the impression that ISIS and organized crime syndicates were using a shadow banking system (aka darknet) and cryptocurrencies to systematically launder tens of millions, if not, hundreds of millions of dollars on a regular basis, while law enforcement watched helplessly. Overall, the conversations concerning cryptocurrency role in enabling cybercrime, money laundering, and terrorist financing are riddled with misconceptions. Of course, criminals are resourceful and will always use whatever means are available that give them the greatest chance to succeed, which according to the UK’s national risk assessment (NRA) of money laundering and terrorist financing that continues to be High-end and cash-based money laundering.  Key findings of the 2017 UK’s national risk assessment (NRA) of money laundering and terrorist financing comes amidst the most significant period for the UK’s anti-money laundering (AML) and counter-terrorist financing (CTF) regime for over a decade the assessment shows that: • High-end money laundering and cash-based money laundering remain the greatest areas of money laundering risk to the UK. New typologies continue to emerge, including risks of money laundering through capital markets and increasing exploitation of technology, though these appear less prevalent than longstanding and well-known risks. • The distinctions between typologies are becoming increasingly blurred. Law enforcement agencies see criminal funds progressing from lower level laundering before accumulating into larger sums to be sent overseas through more sophisticated methods, including retail banking and money transmission services. Maybe, law enforcement panicked in the beginning, but they have adapted and the blockchain technology is not only a digital time-stamp but a digital witness!

Under Attack 

However, such alternatives could leave holders of cryptocurrency with uncalculated risk due to the potential of cyber attacks, theft, and fraud. According to a report by Imperva Incapsula titled “Q3 2017 Global DDoS Threat Landscape.” Digital currency operators and Bitcoin exchanges are already the most common targets of distributed denial of service (DDoS) attacks. Also, the report cited that three out of four Bitcoin sites was a victim of DDoS attacks in the third quarter of 2017 alone. Since 2011 to December 2017, there have been at least 30 heists at cryptocurrency exchanges. No one would argue that Bitcoin holders have suffered the most, in fact, It is estimated that more than 900,000 Bitcoins have been stolen with a potential value of $ 6.3 billion as of Dec 2017. Here a few of the noteworthy ones against Bitcoin:   Even though, blockchain technology offers a high level of security, unfortunately, crypto-exchanges and ICOs don’t offer the same level of protection for their customers. While a great deal of the cyber attacks occurred at Bitcoin exchanges, hackers have been able to help themselves to the digital assets of most exchanges some even repeatedly. These attacks are nothing new to the crypto-community but with market caps soaring to new astronomical highs, we can expect cyber attacks to continue to soar.  Even the smartest criminals get careless and blockchain technology continues to be a bonafide weapon for combating and prosecuting crimes.

Final Take

The anonymity promised by cryptocurrency is a contradiction in itself because their blockchain reveals an entire history of all transactions for the public to see including law enforcement! Also, it really needs to be underlined, for the normal users of cryptocurrency, it means linking a normal bank account to an e-wallet. Anyway, governments have already started regulating cryptocurrency. With that said, miners, exchanges, and e-wallets who conduct transactions that use stealth like technologies (e.g. zero-knowledge proof) would most likely be placed on a sanction list blocking these funds until the financial institution has conducted an enhanced due diligence on the customer and the transaction all to the expense of the customer. At the moment, no other currency offers more anonymity and stability for money launders and terrorist than fiat currency…cash is still king for the time being Written by Paul Hamilton  

“Top Misconceptions of Cryptocurrency as a Payment System”

  Which can be read on Amazon Kindle Unlimited for Free  You can find more interesting articles by visiting us on one of the following platforms: AML Knowledge Centre (LinkedIn) or Anti-Bribery and Compliance at the Front-Lines (LinkedIn)

Disruption in the Financial Industry

Technology has always had the ability to generate hype and excitement. In addition, to the rising cost of risk and compliance executives are battling to drive more business value from these functions. However, the reality is these functions only support the business. Exactly this prompted me to ask what, if any, impact is digital transformation having on risk and compliance functions at financial services institutions. Before we deep dive into the digital transformation of risk and compliance, let’s look at where the financial services industry is in its digital transformation. Despite the fathom rate of change that Fintechs have brought to the financial services industry. The industry on a whole is clearly lagging in digital transformation as pointed out in the graph by McKinsey&Company. While a shift away from the historical product-centric mindset to a customer-centric e-commerce approach is a positive signal for customers. Many financial services institutions have yet to streamline and automate business processes as well as consolidate data sources across the enterprise and at all customer touch points. In the same manner as their e-commerce peers. Therefore, digital adoption in the financial services industry has been slower and lacking depth. As illustrated in the graph by McKinsey&Company. Based on the change management history of the financial services industry, many would agree the people and process dimensions of digital business are the most difficult to transform. Of course, personalizing the customer experience is important to any digital strategy, but risk and compliance are paramount to the overall success of execution.

“Digital transformation is more than building cool customer apps or increasing the number of digital channels”

The Current State of Risk and Compliance

In recent Gartner surveys of CEOs across the globe, more than 77% of CEOs see digital business bringing new and increased levels of risk to their organizations. At the same time, 65% of the CEOs view their risk management investments and maturity as lagging behind their peers. Also, board members and senior management struggle to find intrinsic value in their risk and compliance programs and tend to view them as a cost of doing business. Why are CEOs and senior management responding like this? When hardly any industry spends more on technology than the financial services sector and a significant portion of that spend goes into risk and compliance technology. In a common risk and compliance environment, business units operate in isolation. Relying on decentralized data systems, and manual processes that are not efficient. This current environment does well to support the business, but not drive business value. Likewise, it’s costly to run and maximizes the potential for lost engagement opportunities at most customer touch points.  In addition to lost engagement opportunities, criminals thrive in this current state of complexity it offers them the perfect camouflage. In the Carbanak campaign, malware was installed on the bank’s computer systems, sending back vital information about how the bank carried out business critical tasks. Eventually, leaving 100 banks compromised to the sum of $900 million USD. Highly fragmented IT and data architectures cannot provide an efficient or effective environment for monitoring, and analyzing risks in a real-time world while not disrupting customer transactions.

Driving the Business with a Customer-Centric Risk, and Compliance approach

AML/KYC

Today, customers expect real-time decisions at every touch point in order to complete their transactions. However, compliance can get into the way of transactions before they are completed. In fact, financial services institutions have endured a rough journey with AML. Their reward has been an enormous amount of false alerts, and a lot of manual processes. For good reasons, compliance programs feel under-resourced compared to the volume of alerts and reports they must review, while trying not to disrupt good business. Therefore, many banks have invested massively in additional staff, to review false positive, while also turning away profitable high margin customers. As witnessed by massive lawsuits from Money Transfer Operators against banks trying to prevent them from closing their accounts. The advantages that a Customer-Centric Infrastructure would have on an AML/KYC program:

• Learning transaction behavior of similar customers and clusters to accurately refine and update customer risk segments and individual profiles per their present risk.
• Identifying outlier transactions and outlier customers accordingly.
• Learning money laundering and fraud typologies and identify typology specific risks.
• Dynamically learning correlations between alerts which produced verified suspicious activity reports and those that don’t.
• Continuously analyzing false-positive alerts and learn common predictors.
• Many processes and workflows can be automated for example the KYC, controlling the initial screening of alerts, the filing of suspicious activity reports and parts of the case investigation.
• KYC process would no longer result in delays or potential loss of business.

In particular, streamlining KYC, AML, and Fraud processes at account-opening for a seamless onboarding will go a long way in improving customer satisfaction and ensuring new revenue. AML programs will become more efficient by automating workflow and incorporating technologies such as machine learning and advanced analytics that support the constant improvement of risk assessments and profiling models. This will free up resources and help compliance to go from monitoring to preventing financial crime.

Consumer Credit

As a result of low-interest rates coupled with sparse yields means banks generate fewer profits from the deposits they collect, against the loans they give. Therefore, to increase their return on consumer credit banks need to streamline and automate manual processes, improve risk assessments and stop credit fraud losses. The advantages that a Customer-Centric Infrastructure would have to consumer credit:

• New integrated data sources, as well as unstructured data from social media, can give better insights into the creditworthiness of an applicant, therefore, protecting against fraud.
• Advanced analytics and machine-learning tools can increase the accuracy of credit risk models.
• New data sources, advanced analytics, and machine learning tools can help to detect inconsistencies between application, account and credit card transaction history.
• Learning patterns of similar customer behavior will go a long way to detecting fraud and money laundering.

In general, streamlining loan application processes to enable real-time decision making will improve customer retention, and be a decisive channel for winning new customers. Likewise, advanced analytics and machine-learning can increase the accuracy of credit risk models, therefore, reducing the time needed for structured credit approvals to a few minutes while minimizing a bank’s exposure to default risk.

Mobile Channels

Traditional banks are being challenged by FinTechs with new business models that are offering reduced fees and eliminating access barriers for the unbanked. As a result, this challenge has led to a major shift in the way money is moved around the world. Thus, breaking the dominance of banks in the area of payments. One good reason, the remittance industry accounted for $583 billion, in cross-border payment transfers in 2014 and the World Bank expects the number to climb to $636 billion in 2017. With that said, digital technology is extremely important to the future of financial services industry. Therefore, traditional financial services institutions have embraced an ecosystem with FinTechs and third parties by allowing access to their infrastructure through APIs. Although, these ecosystems can help to provide more customer value or open new customer segments. At the same time, they bring new types of operational risks with them, such as:

• Risky user behavior, especially with a mobile device. For example, 70% of smartphone users have never installed an anti-virus program on their mobile device.
• 24/7 connectivity of mobile devices to a network.
• WI-FI networks and Bluetooth technologies making it easier for attackers to carry out a fraud campaign.
• Rogue mobile applications, repacking of apps and ransomware are on the rise.
• Advance Malware & Viruses for online as well as mobile devices continue to increase.

 “43% percent of merchants in one survey were not able to report what percentage of fraud losses came from their mobile channel”

Currently, the data on mobile fraud isn’t as robust as with other channels. These operational risks need to be continually assessed to build reliable mobile fraud models without jeopardizing the customer experience. In fact, 43% percent of merchants in one survey were not able to report what percentage of fraud losses came from their mobile channel. Per a 2014 report from Alcatel-Lucent’s Motive Security Labs, 16 million mobile devices worldwide are infected with malware. A point often overlooked, is the fact that your ecosystem will make it more difficult for you to protect against external threats. One lesson learned from the Carbanak campaign is the degree of difficulty to detect a compromise until bad things start to happen.

A Customer Centric Risk and Compliance Infrastructure

Marketing and sales have been using customer loyalty, and customer-centric tools for years to effectively maximize sales and measure customer satisfaction. Leveraging sophisticated analytics and CRM tools to conduct market analysis, profile and segment customers to present them with offerings that best address their requirements. It’s clear moving from a state of supporting the business to one of driving it is as much about people and processes as it is about technology. However, true success relays on data quality. Thus, buy-in from stakeholders is mandatory for a data strategy that establishes strong data governance and maintains the highest data quality built around a robust data architecture The cornerstone of the customer-centric risk and compliance architecture is a big data platform, advanced analytics, artificial intelligence, machine learning, workflow automation, and natural-language processing. Not only can the platform aggregate and analyze all data from account and credit card transaction history but also check for inconsistencies between an application with both structured and unstructured data sources. Another plus of this architecture is employees have accessibility to one source of the truth. Therefore, minimizing the uncertainty of unknown risk-levels of exposures to financial & debt markets, counterparty, private credit, compliance risks, legal liabilities, and security threats from adversaries. One survey stated that compliance was mentioned by 47% of participants, as the most mentioned obstacle to impeding their digital maturity thereafter fragmented data sources at 44%. By leveraging a customer-centric risk, and compliance architecture financial services institutions will drive its ability to mature digitally at a much faster pace. Although the rewards are great when decisions are being made in real-time there is little margin for error. That said the journey will continue to be a laborious one for those who stay on the same path they started on. My profession international business development and sales are also my passions. Devoted to helping financial service institutions choose the right technology for their AML programs making them more effective and customer centric. An ex-professional basketballer with a passion for fitness and respect for nature. I enjoy starting inspiring discussions with articles on Anti-Money Laundering, Cryptocurrency, financial technology, Human trafficking, and terrorist financing as well as on sports & fitness. So, visit me at http://aml-knowledge-centre.org/ or http://sports.fastbreak-marketing.com/ or let’s connect on LinkedIn if you would like to discuss a topic… My profession international business development and sales are also my passions. Devoted to helping financial service institutions choose the right technology for their AML programs making them more effective and customer centric. An ex-professional basketballer with a passion for fitness and respect for nature. I enjoy starting inspiring discussions with articles on Anti-Money Laundering, Cryptocurrency, financial technology, Human trafficking, and terrorist financing as well as on sports & fitness. So, visit me at http://aml-knowledge-centre.org/ or http://sports.fastbreak-marketing.com/ or let’s connect on LinkedIn if you would like to discuss a topic… auch gerne auf Deutsch:-)

Why the Carbanak Campaign and the Bangladesh Bank attacks are a wake-up call for every AML compliance program.

Someone once asked me how long will criminals continue to find new ways to circumvent money laundering laws. My reply was simple, so long as crime is profitable they will continue to innovate to avoid AML laws and bank procedures. For any company, survival means consistently adapting to new economic, geographic, and regulatory changes. Therefore, for those syndicates operating illegally the need to launder money will always be there.

If the market value for illegal trade was $650 Billion in 2011, one must wonder how many hundreds of billions are lying under mattresses around the world waiting to be launder. Nevertheless, the direct use of financial institutions for laundering money will be a much more daunting task as in the past.  Employees are well trained to detect the threat of money laundering and terrorist financing. As well, regulators today cooperate globally to align, develop and promote an international response to combating money laundering and terrorist financing. AML laws are continually being amended, for example, know your customer(KYC) and beneficial owner rules have been strengthened in most parts of the world.

Therefore, we need to start thinking about a new scenario where organized crime syndicates start replacing conventional methods to launder money with more advanced methods where technology is the business enabler.

 

A summary of illicit markets and values

 (Source: Transnational Crime In The Developing World February 2011 by GIF)

The Carbanak campaign and the Bangladesh Bank cases are the new normal in financial crime.

Let’s imagine a scenario, where cyber-attackers would exploit a vulnerability in a financial institution’s system. However, unlike other cyber-attacks, these hackers are not out to steal money.  These cyber-attackers hired by an organized crime syndicate who have acquired money from illegal trade. Their mission isn’t to steal money from the bank but place dirty money in the bank(s) and immediately start layering (transferring) it through accounts at other financial institutions. By using sophisticated malware cyber attackers can enter the bank, learn internal procedures and then when ready takeover mission critical banking systems to start the layering process by transferring money to fake or real accounts. With control of the command server(s), they would easily bypass all anti-money laundering systems going undetected by bank officials. They would want to use the different time zones, regional and local holidays and business hours to their advantage.

A report by Kaspersky Lab in 2015, stating that over 100 banks around the world had been compromised to the sum of $900 million USD. It wasn’t detected until an ATM machine in Kiev started dispensing cash and this was no isolated event. The Carbanak malware was installed and sitting on the bank’s computer systems for months, conducting a reconnaissance mission of how the bank carried out business critical tasks. This international group of hackers was then able to successfully impersonate bank officers and carry out internal procedures at over 100 banks around the world. With complete control of mission-critical systems, they turned on various cash machines and managed the transfer of millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into fake bank accounts set up in other countries.

The Carbanak Campaign:

The February 2016 cyber attackers illegally transferred (steal) US$951 million from Bangladesh Bank, the central bank of Bangladesh, to several fictitious bank accounts around the world, via the SWIFT network.  This was without questioned a well-planned attack and the way regional holidays and time difference were used was brilliant.

The Bangladesh Bank Campaign:

There has been much debate as to whether cyber and anti-money laundering units at financial institutions should remain distinct entities. Everybody agrees that efforts to share intelligence between the units should be ramped-up but would this will be enough. One of the biggest problems for large financial institutions when it comes to combating fraud and anti-money laundering is everything operates in silos. In a digital era, with people connecting to financial institutions from multiple devices and locations. It’s no longer an option for financial institutions to operate in batch mode when it comes to financial crime. The dots need to connect in real-time or you lose.

It’s only a matter of time when organized crime syndicates start to launder money per the “What If” scenario or they already are, who would realize it since nothing has been stolen and all records deleted!