From London to St Petersburg Terror attacks and WhatApp encrypted messages and the

Doha, 4th April 2017

Review by Bachir El Nakib, Senior Consultant, Compliance Alert (LLC)

“It’s a challenge when you are dealing with companies that are global by their very nature because they don’t always operate under the same legal framework as us.”

Isis supporters are cheering the attack in St Petersburg that killed at least 10 people and injured 47 at least. While the motivations and cause of the attacks still aren't clear, Vladimir Putin has said that Russia is considering a terror attack "first of all". Isis supporters are cheering what they claim is a terror attack, and sharing images of people caught up in and killed by the blasts. 

The attacks come after waves of Isis propaganda that encouraged its supporters to launch strikes on Moscow. Isis propaganda shows bullet holes through Mr Putin's head as well as a poster circulated just days before the attack that showed a falling Kremlin and included the message "We Will Burn Russia".

Some posters on Isis forums linked the explosions to Russia's backing of Syrian president Bashar al-Assad, who is fighting Isis as well as other groups in the Syrian civil war.

The group hasn't yet claimed responsibility for the attack, but often takes as long as a day to do so. If it does claim responsibility for the incident – which it has done with attacks that officials have later said it had no role in – it would be far from the first time it has done so, after it said it had inspired attempted attacks in Chechnya and Russia earlier this year

Tech firms to set up forum to ‘tackle online terrorist propaganda’ following crunch talks with Amber Rudd 

It comes after the Home Secretary said it was ‘completely unacceptable’ that London terror attacker Khalid Masood’s WhatsApp messages were encrypted. Major international technology firms have announced that they will set up a cross-industry forum to tackle online terrorist propaganda following a crunch meeting with the Home Secretary Amber Rudd.

The commitment from Google, Facebook, Microsoft and Twitter, comes after Ms Rudd criticised Facebook’s WhatsApp earlier this week after it emerged Khalid Masood, the terrorist responsible for the London attack, used the messaging service moments before ploughing into pedestrians on Westminster Bridge. “We need to make sure that organisations like WhatsApp – and there are plenty of others like that – don’t provide a secret place for terrorists to communicate with each other.”

“On this situation we need to make sure that our intelligence services have the ability to get into situations like encrypted WhatsApp,” Ms Rudd said. The Home Secretary admitted that she used the encrypted messaging service herself.

The IS rise to power was fuelled by a confluence of events in Iraq and Syria that resulted in extreme sectarian violence and a breakdown in governance in large p arts of both states. The Arab Spring movement, which saw popular uprisings overthrow authoritarian rulers in Tunisia, Libya, and Egypt, also played a role by inspiring a similar revolt in Syria. The Syrian uprising, however, triggered a full-scale civil war whose chaos and influx of heavy weapons permitted the explosive resurgence of al Qaeda in Iraq (AQI), which later rebranded itself as the Islamic State. 

Strategic withdrawal of IS fighters

In addition to the movement of financial assets, financial institutions must also be aware that IS's pending collapse will trigger the physical movement of thousands of IS fighters through a complex series of human smuggling networks, ultimately leading to Yemen, Pakistan, Afghanistan, Algeria, Sudan, and Mali, among others. The vast majority of former IS members will likely defect to al Qaeda, as the perceived "winner" of modern Sunni militant groups. Most will likely join the Yemen-based affiliate known as al Qaeda in the Arabian Peninsula (AQAP), as well as the West-African counterpart called al Qaeda in the Lands of the Islamic Maghreb (AQIM). 

The next sectarian Islamist battlefront is likely Yemen, which possesses significant geostrategic importance. AQAP has recently strengthened its position in Yemen, which in 2014 was plunged into chaos when Iranian-backed Houthi rebels deposed the country's Sunni-led regime, prompting a highly destructive and destabilizing Saudi-led bombing campaign a year later. Iran is concerned that AQAP's growing strength in Yemen could invite a Western invasion that would give U.S. forces control over both sides of the Gulf of Aden, thereby allowing it to choke off Iran's trade in energy and weapons. 

Another group of IS militants likely intends to return to their homelands in Europe and the Caucasus region. These are hardcore IS loyalists who intend to carry out mass-casualty attacks on the West.

New terror finance paradigm

AML compliance and MLRO specialists should renew their thinking around modern terrorism financing. In 2017, militant organizations are not predominantly financed by third parties (apart from pro-Iranians receiving funds from Iran). Instead, they are self-financed through their own criminal enterprises, and IS is no exception. 

Senior IS leaders are highly educated and will launder illicit assets through outside individuals with legal, compliance, and accounting backgrounds. These individuals will likely understand the regulatory environment and know how to subvert conventional AML optimization strategy based on broad transaction actions and limited Know Your Customer Customer (KYCC) collection data-points. They may take advantage of the lack of integration between KYC and transaction-monitoring within banking compliance programs. Additionally, these facilitators will likely be well-versed in sanctions-screening evasion tactics. Expect significant use of real passports with fake names, which were purchased through bribery of corrupt officials in various diplomatic consulates.

The laundering process will include shell, shelf, and seemingly legitimate front companies not listed by on the U.S Treasury Department's Specially Designated Nationals and Blocked Persons List and other sanctions databases will likely not be listed on any accounts, Still designated names should, however, remain a high-risk concern with respect to beneficial ownership in KYC compliance sanction programs. 

Numerous banking products, from global to retail, will be affected by IS's likely strategic withdrawal. Financial institutions can minimize risk and focus on IS's financial outflow by mobilizing an optimization, rule-tuning, and development program that specifically targets emergent terrorism channels and typologies in their risk assessment, global threat landscape analysis, transaction-monitoring detection, and sanctions-screening methodology. 

Movement Stage 1: Cash-Currency Exchange to Global Wires

Initially, IS can be expected to execute bulk cash-smuggling through its elaborate Hawala informal money-transfer network, utilizing numerous couriers supported by expert smugglers along human smuggling networks. The cash will likely transit through currency exchanges in the United Arab Emirates and Lebanon, followed by channels of international wire transfers that make extensive use of free-trade zones. 

Middle East and free-trade zone banks and currency exchanges with "check-the-box" compliance frameworks, as well as other firms with no interest in escalating illicit activity to regulatory agencies, could facilitate these transactions through willful ignorance or direct corrupt involvement. 

Banks and money transmitters in countries including Turkey, Bulgaria, Cyprus, Lebanon, Egypt, Azerbaijan, Bosnia and Herzegovina, Belgium, Germany, and Sweden, among others, should be of particular concern.

Movement Stage 2: Retail Banking

Moving from global wires and currency exchanges to retail bank accounts, IS will likely make significant use of Western retail institutions, distributing wealth among major banks, credit unions, community banks, and credit card companies alike. Retail money laundering tradecraft could include false invoicing of products through online services, such as eBay or PayPal, and money transmitters, such as Western Union and MoneyGram. 

Of additional concern is purchase activity related to precious metals, digital or blockchain currency, such as bitcoin, and of great significance: mobile applications. IS is staffed by many young, tech-savvy men who are well-versed in mobile technology and could make use of Facebook Payments, the "Cash" application, and others. 

The general retail channels of movement by echelon, as with any global threat organization, will likely include movement from business checking to tactical-level checking, and then credit card accounts. Those accounts may be used to load open-loop, general-purpose reloadable (GPR) prepaid cards through the use of manufactured spending and subversion of third-party payment processor (TPPP) reporting. 

For example, CheckFree, a payment processor, cannot issue a suspicious activity report (SAR) for transactions under $2,000, and it does not require identification under $2,500. Their AML policies and procedures are posted online through open sources. Threat actors could use this information by executing transactions just under $2,000. Once prepaid cards are loaded, operatives could "bust-out" to cash anonymously in their new homeland.

Individual anonymity tradecraft

Banking compliance programs are greatly concerned when the source of funds in a bank account is unknown, as the source could be derived from illicit proceeds. Compliance programs should be even more concerned about patterns of activity that provide anonymity to the physical individual or company. 

Some typologies that indicate "hiding in plain sight" feature KYC information with incorrect email addresses, use of P.O. boxes, and inoperable phone numbers. With respect to telecommunications, compliance staff should look for purchases of "burner" phones from prepaid phone providers, as well as searching the client's phone number against instant-messaging platforms, such as "WhatsApp," which provides encrypted communication used frequently by terrorists and drug traffickers. 

Transactions related to private browsing, encryption, and online video games, such as World of Warcraft, provide unconventional cover for covert communications. Expect to see these purchases on retail prepaid, credit, or checking accounts. 

Other transactions potentially designed to provide personal anonymity include cash-intensive ATM deposits and withdrawals, the loading of open-loop, general-purpose reloadable (GPR) prepaid cards, cyclical manufactured spending, technology purchases, and inter-state or international travel. Look for rental car transactions, as police officers cannot identify the individual by running the license plate of the vehicle.

Pay special attention to false personal identification information, such as the "stacking" of Arabic titles in lieu of actual Arabic naming nomenclature. For example, a name that in English reads as "Son of Doctor Pastor Community Leader" would not look right, and it looks wrong in Arabic, as well. Arabic naming nomenclature includes stacked titles, but naming nomenclature must be present to be valid. 

Look for individual or entity accounts linked to IS hotspots that are owned by a female, but with male names listed as beneficiaries. In many orthodox Islamic countries, women generally do not own bank accounts. A cultural awareness of Islamic societal norms in certain places is helpful in sorting anomalies from conventional practices. 

Also look for Arabic-language naming nomenclature in places where ethnic Arab representation is demographically uncommon. This type of data point has been relevant in identifying other militant groups, such as Houthi. For example, Shiite-specific Arabic naming nomenclature associated with accounts belonging to business types known as high-risk for affiliation with the Iranian Ministry of Intelligence and Security (MOIS), Islamic Republic Guard Corps (IRGC), and pro-Iranian militants have appeared in places like Venezuela and Paraguay, whose populations overwhelmingly carry Hispanic names. 

From KYC and OFAC sanctions-screening perspectives, staff should pay special attention to "real-but-fraudulent" passports, with fake names, derived from corrupt government personnel that profit from the sale of passports. For IS fighters retreating from territories formerly under their control, passports are as important as weapons. In addition to genuine passports obtained through bribery, expect IS fighters to use EU and non-EU counterfeit passports, which are relatively easy to fake, to facilitate travel throughout the Western world.

Hybrid threat finance (HTF) detection

In terms of typologies, the current and future flow of IS funds will include hundreds of combinations of geographic-nexus wire channels (e.g. originating entity, originating bank, beneficiary bank, beneficiary entity), in tandem with complicated transaction-monitoring typology sets. It is critically important to understand and target these channels, typologies, financial-institution facilitators, and front-companies of concern. 

Al Qaeda prefers to use non-profits and shell- or shelf companies, unlike Iran's pro-militant groups, which uses a trade-based money laundering (TBML) system employing seemingly legitimate front companies. Expect IS to have adapted its laundering tactics to accommodate both approaches.

Detection scenarios should be created under the hybrid threat finance (HTF) targeting doctrine. The term "hybrid threat" is an intelligence and warfare targeting doctrinal concept that recognizes the intersection of hostile nation-state and non-nation state threat typologies. 

The HTF doctrine isolates the movement of illicit funds through detection strategies based on threat typologies, organizations, and actual threat actors. This is in sharp contrast to conventional detection strategies that use red-flagging scenarios based on broad actions like ATM withdrawals, structuring, and flow-through-of-funds, which generate excessive false-positives. Threat organizations do not operate within the confines of broad actions.

Source: (Joshua Fruth is the director of AML advisory at Matrix-IFS, and an AML manager for HTF Solutions, LLC. Mr. Fruth is a Van Deman distinguished-honor graduate of the U.S. Army Intelligence Center of Excellence, and a graduate of the Ohio OPOTA Police Academy. Mr. Fruth maintains an active commission as a US Army Intelligence Officer and two active commissions as a Police Officer in the state of Ohio.)


Download File