What we learned at the ACFCS Conference 2016 Part one
Wednesday, June 15, 2016
Posted by: Brian Monroe
The ACFCS 2016 Financial Crime Conference saw hundreds of compliance professionals, regulators and law enforcement representatives come together to tackle persistent and emerging challenges to better detect and prevent financial crime in all of its illicit forms.
The packed event in New York City at the Yale Club on June 1st and 2nd and digital conference on June 8th and 9th covered some of the most vexing issues in financial crime, including the aggressive evolution of cyber threats to create virtual insiders, the human mistakes leading to data breaches, the convergent power of anti-money laundering (AML) systems to capture cyber data, the broad compliance program gaps identified by regulators, trade-based money laundering, and more.
While it is difficult to distill and condense the immense breadth of knowledge at both events in the real world and the virtual realm, what follows is our attempt to capture some of the key takeaways, themes and unexpected insights from the conference.
We can’t possibly cover everything in one story, so check back next week for a second part. And a huge thanks to our presenters, attendees and sponsors for our best show yet!
The evolution of cyber attacks
In a panel presented by Ed McAndrew, a partner at Ballard Spahr and former federal cybercrime prosecutor, and Roy Zur, the chief executive of Cybint, the two described the two-pronged evolution taken by cyber attackers:
- Incredibly sophisticated attacks by organized crime, hacking groups and foreign nation states that actually result in assailants sitting in systems for weeks or months and gaining a depth of understanding into the organization’s data, systems and operations. McAndrew cited an instance of a cyber threat actor taking over camera systems to log the movements of individuals at different levels of the organization. In this way, attackers become a “virtual insider,” to get greater access to secure information, time attacks based on when the likelihood of discovery is low, or manipulate employees and internal controls. The panelists described how all of these factors played a role in the recent Bank of Bangladesh hack, and how that case highlighted the increasing trend of cyber threat actors to target not just financial information or account credentials, but to exploit a variety of internal data within an organization.
- Zur described how the second attack vector is the “low hanging fruit,” where less savvy, but equally opportunistic hackers blast organizations with relatively unsophisticated attacks like phishing and spear phishing, preying on the “human element” of cyber attacks. Zur explained how, whether it was an employee who clicked on a malicious link or responded to a “business email compromise” attack, nearly every major data breach and cybercrime scheme was aided by human hubris.
The IBM 2014 Cyber Intelligence Index stated that roughly 95 percent of attacks were due to human error.
Zur even showed attendees how easy it was to find the leaders of an organization by researching ACFCS’ parent company Barbri, quickly determining who is in what position with publicly available tools and sites online. He explained how hackers can then use open source intelligence tools to try to become their target, looking at their speech patterns, friends and even trips they take, and then start sending emails as if they are the person.
In a second example, he showed how easy it was to hack a company and then break into its wireless surveillance system because the firm never changed the default “admin” password of the cameras.
The panel displayed the six major ways the human element can lead to hacks: weak passwords, using open wi-fi connections, responding to a phishing email, using a thumb drive laden with malware, improper destruction of hardware and even something as simple as not automatically installing program and app updates, which are usually created to address cyber vulnerabilities.
Trade-based money laundering (TBML) takes the financial crime crown
In a session focused on trade-based financial crime Kim Manchester, managing director and founder of ManchesterCF, detailed the enormity of the money laundering problem tied to trade.
For example, world GDP for 2015 was approximately $73.1 trillion (International Monetary Fund). Of that amount, an estimated 7 to 15 percent, or $5 trillion to $11 trillion, is involved in TBML (WCO/WTO).
That figure would be “larger than the economy of any country in the world other than the U.S., China or the E.U.,” he noted in the presentation, adding that TBML exists in every country that has access to the international trading community.
Manchester was joined on the session by Tony Tortora, Section Chief of the Department of Homeland Security’s Trade Transparency Unit, who has spent decades hunting illicit funds moving through international trade.
Tortora brought a wealth of case studies and law enforcement perspective to the session. He also detailed some key questions for banks and other businesses to ask when involved in trade deals:
- Does what you’re seeing make total sense? Business sense? Logistical sense? Criminals will try to hide their involvement through shell companies, counterparties, third parties and multiple jurisdictions and banks. If a compliance officer can’t penetrate to the individuals behind the deals, they should rethink being party to it.
- How do the parties to the transactions know each other? If they seem unrelated or have no solid reason for working with each other, that is a red flag the deal is illicit.
- Excuses are the grease of lies. As a bank, never take a shortcut and allow delay tactics and excuses to be part of a legitimate deal.
- Shell Companies + International Trade + Cash Based Businesses = ? These are all bright red flags for illicit activity, particularly if they are occurring together.
- Can you explain to me in detail the business relationships of your Bank’s customers? Are you sure? Overly complicated explanations likely mean the person is trying to hide something.
- You can’t make this stuff up. Never underestimate the creativity of criminal groups.
Manchester also touched on reporting gaps tied to trade, noting that while a SWIFT MT103, a person-to-person payment, of more than $10,000 is reported to Canada’s financial intelligence unit, Fintrac, other reports, such as the MT202 and MT203 reports for settlements between financial institutions, including letters of credit and documentary collections, are not reported to Fintrac, regardless of the size of the deal.
He joked that it’s ironic global investigators, with the freighter-sized hole in trade, are “worried about $5,233.12 at the Western Union counter?”
As well, the panel noted that some banks are not only doing a bad job in examining trade deals, they are actively being set up or infiltrated by criminals.
For instance, some banks in small foreign nations, potentially tied to illicit groups, are taking the name of larger banks in Russia and then doing trade and other deals for criminal organizations.
In the digital conference session on June 8th following up the live event, Manchester gave a roadmap for financial crime compliance staff to better understand trade deals, which included becoming an “apprentice” of a seasoned practitioner of trade finance to understand their world, and also becoming a teacher to the trade-based arm of a bank on AML practices.
AML compliance, cyber convergence
In another panel focusing on regulatory trends, a presenter noted there is new terminology in suspicious activity report (SAR) forms to better capture the details tied to cyber attacks, described as “unauthorized electronic intrusion.”
The presenter also described how AML programs could assist with capturing and reporting information on cyber threats and incidents, including through SAR reporting. The information AML staffers can collect in SARs that would be helpful to identify these breaches includes:
- Description of the magnitude of the incident;
- Known or suspected time, location and characteristics or signatures of the attack;
- Relevant IP addresses and their timestamps;
- Methodology used;
- Device identifiers;
- May attach a comma separated value (CSV) file to report in tabular form.
Banks also have more power and protections to share cyber-related attack details under the Cybersecurity Information Sharing Act of 2015 (CISA), a mandate that also nudges the government to do the same in reverse, sharing attack vectors with vulnerable sectors, including banks.
“The goal of CISA is to encourage cybersecurity information security to advance security by providing a safe harbor from liability,” according to the presentation. It creates a voluntary system of information sharing in which companies are authorized to share certain details with federal and state governments, as well as with other companies and private entities.
The panel also covered the common issues, gaps and problems in regulatory enforcement actions, which were:
- Risk assessment too narrowly focused
- Incorrect customer risk ratings
- Failure to obtain, verify CIP information
- Foreign affiliates not subjected to normal CDD and EDD processes
- Documentation of CDD and EDD
Transaction Monitoring/Suspicious Activity Reporting
- Manual transaction monitoring
- Bank has outgrown monitoring systems
- Data problems caused by mergers
- Model validation issues
- Caps on numbers of alerts
Common Issues/Problems in Regulatory Enforcement Actions
- Compliance Office is unqualified, lacks independence or adequate staff
- Audit lacks independence, is too narrow in scope
- Training is not up-to-date, is not frequent enough, or does not include all relevant employees
- Lack of Board of Director engagement, commitment, and “credible challenge”
- Program is not implemented on an enterprise-wide basis, including business lines
- Root causes: Inadequate risk management, risk governance by the Board and Senior Management
While the conference, which included an executive roundtable discussion of top compliance officers, current and former law enforcement and regulators, couldn’t solve every problem in the quest to eradicate criminal groups, terrorists and their financiers and cyber attackers, attendees and panelists alike left the conference with a plethora of new ideas and best practices.
At the end of these four days, attendees went back into the world more prepared and armed to change employee behavior patterns, bolster detection processes and communication with other departments, and strengthen relationships with law enforcement to communicate critical information so they can better uncover, monitor and eventually take down the various illicit threats facing the world.
Check back next week for part two of what we learned, covering elder financial fraud and abuse, the rapidly changing landscape of digital currencies, the new era of “hyper-thematic” enforcement, and more.