Terror Attacks, Panama Papers Show Cracks in Post-9/11 Monitoring
Despite strong legislative reforms passed after Sept. 11 requiring banks to track suspicious movements of money, recent news events reveal continued deficiencies in banks' monitoring efforts.
The Paris, Brussels and San Bernardino attacks all call into question the adequacy of banking and other controls to stop the supply of money to terrorists. Meanwhile, the leak of 11.5 million documents from the Panama Papers reveals gaps of a different nature: how can banks feel good about their answer for cyber, fraud and money-laundering risks when so many actors — good or bad — can hide their money in offshore accounts?
The obvious remaining cracks in the system suggest that efforts by banks to report on suspicious activity, as well as share information with each other, aren't strong enough.
Even though data related to multiple cyber, fraud and money-laundering incidents flows through global financial systems, the links between the illegal movement of funds and the sponsorship of terrorism and cyber-crimes are not so obvious. Banks need to focus on integrating systems and strengthening information-sharing so they can convert data into actionable information to prevent future attacks.
Currently, global banks and international bodies have to deal with the confluence of data that emanates from the financial, social and economic aspects of life. With recent technological advancements, tax evaders, terrorists and cyber criminals hide behind and leave their trail in encrypted messages, social media, the cloud, big data and the Internet of Things.
However, this data does exist, albeit in disparate systems, across banks nationally and internationally. But institutions are failing to sufficiently unlock it.
Recent fraud cases, not to mention real-life terrorist financing and human trafficking cases, have shown how weaknesses in integrated controls among financial institutions have been exploited.
If banks cannot strengthen their monitoring and information-sharing efforts on their own, regulatory reforms may be needed. For example, the information-sharing provision of the Patriot Act, passed after Sept. 11, which provides financial institutions with the ability to share anti-money-laundering information, could be strengthened and expanded to include cyber, fraud and other related risks.
Regulations related to information-sharing of cyber and fraud risks are still evolving. For instance, the Financial Services Information Sharing and Analysis Center was set up to collect information from banks on cyber-incidents. However, banks do not share all such relevant information. Similarly, the Cybersecurity Information Sharing Act, enacted late last year, provides liability protections for institutions sharing cyber information, but such sharing is still voluntary.
Fraud incidents are also underreported. According to a report this year by the Association of Certified Fraud Examiners, over 40% of fraud cases were not referred to law enforcement out of fear of bad publicity, among other findings. Perhaps reporting guidelines for fraud and other incidents should be strengthened along the lines of how banks share currency transaction and suspicious activity reports dealing with money-laundering crimes.
Information-sharing has to be operational within individual banks, especially for big and global banks. Functions within banks are still siloed in nature and are not fully integrated to analyze data from different sources. In this regard, banks should consider integrating AML, fraud, and cybersecurity functions within an integrated software platform. This information along with pertinent data from wealthy global clients should be fed into their Security Information and Event Management systems to help banks analyze trends and behavioral red flags, and generate proactive alerts to other banks and government agencies.
Of course, any further steps must be balanced with privacy concerns. But balance does not mean giving automatic deference to privacy to the detriment of security. Banks are already subject to a plethora of privacy rules for information-sharing — even just sharing with a government agency — and criminals can use those privacy rules to their advantage. A fine balance between protecting consumers' privacy and identifying risks from terrorists is needed.
In addition to national authorities, international regulatory bodies also need to intensify efforts to facilitate automatic information exchanges between cross-border financial institutions. The Financial Action Task Force, Organization of Economic Cooperation and Development, Basel Committee on Banking Supervision, the Group of 8 and Group of 20 have worked for years to establish policies which have influenced banking regulations.
Just as the U.S. passed the Foreign Accounts Tax Compliance Act regulations a few years back to clamp down on the movement of legitimate funds for tax evasion, the FATF must provide strict guidelines to its 36 member nations, many of them named in the Panama Papers, and demand transparency in reporting within their banking systems. Similarly, the upcoming anti-corruption summit in London should result in a stern mandate to member nations of the G-20 to provide autonomy to their banks to report illegal deposits and movement of funds, even if it involves funds of the wealthy and powerful.
Investigations of both the Paris and Brussels attacks point to a lack of information exchange between their government agencies and financial systems. The existing information systems and exchange framework did not provide alerts of trails criminals left behind as they conducted their daily transactions for living, purchasing and traveling within the community. Until the global financial systems work together, the effects of illegal movement of money and its devastating link to terrorism and cyber-attacks cannot be stopped.
Senthil Selvaraj is a certified anti-money-laundering and regulatory compliance specialist. He is a former operational risk executive with Bank of America.