In aftermath of Paris attacks, investigators more aggressively mining bank filings
Thursday, November 19, 2015
Posted by: Brian Monroe
In the aftermath of the ISIS attacks in Paris last week that killed 120 people, one expert sees a deeper reality and a shift in attack tactics, and urges banks not to immediately shut off all ties to institutions near conflict regions, a move that would close a valuable stream of intelligence.
As French investigators track down individuals with ties to the group domestically – reportedly killing its ringleader this week – governments worldwide are realizing that after suffering battleground losses in Iraq and Syria, ISIS is attempting to more aggressively sow terror abroad.
That means investigators, and banks – as a proxy first line of defense in finding terror financiers – have more to worry about than foreign supporters traveling to conflict regions and homegrown, or even lone wolf sympathizers becoming radicalized at home. Now, they have to worry about those foreign fighters attacking domestically, or ISIS getting funding to radicalized cells of residents.
Below is a discussion of some of the financial aftershocks of the Paris attacks with Jennifer Harris, a senior fellow at the Council on Foreign Relations, a Washington, D.C.-based think tank. It covers both ISIS funding and wider concerns around terrorist financing.
Prior to joining the Council, Harris was a member of the policy planning staff at the U.S. Department of State responsible for global markets, geo-economic issues and energy security. Before joining the State Department, Harris served on the staff of the U.S. National Intelligence Council, covering a range of economic and financial issues.
What do you see the US government and its intelligence and investigative agencies doing in the wake of the ISIS terror attacks, to either go after terrorists or track financing?
[I do think] you are starting to see the US government really doubling down on financing and revenue streams as a counter-terrorism priority – not simply designating financial institutions, but using the US Treasury’s Financial Crimes Enforcement Network (FinCEN) as connective tissue that is gathering evidence in a more iterative way and helping often-siloed law enforcement and National Security officials to connect the dots.
We have also seen, even in attacks with frustratingly small dollar amounts, bank intelligence playing a critical role. In the attacks in Chattanooga, banks were reaching out in a couple of hours and telling authorities where the shooter purchased the gun. Even where information arrives after an incident, it is important nonetheless because of potential connections to accomplices.
The government can cross-hatch private sector and bank data against its own data in ways that allow our CT efforts to grow smarter, better and faster. The banks can do things that the US government is never going to have the capability to do – often simply because of the dividing lines we have in the U.S. between state and market, and the way that the incredible complexity of the international banking system.
Of course we will see heightened focus on minimizing the likelihood of a repeat of Paris in the EU or US; that is something officials are concerned about. If ISIS militants have legitimate Western passports, presumably they may be getting paid by ISIS, and those are funds that will cross national borders. It's difficult, but possible, to piece together patterns around how ISIS gets funds to foreign fighters, including by money remitters in borders to ISIS-held territory.
Are you seeing a shift in ISIS attack and support tactics, going from a regional terror group to one that can ostensibly strike anywhere in the world?
You are seeing a shift in tactics on ISIS’ part to some degree. Perversely, it’s due to a function of containing ISIS geographically. Even as the group is more hemmed in and losing territory – they still need a steady stream of recruits and recruiting tactics, and seem primed to do so in part by turning to theaters outside of Syria and Iraq. That shift will almost certainly have a large social media component.
This is certainly a shift that is not surprising to anyone who does this for a living but it’s one we have to be ready for. That is a tall task when a lot of the sympathizers have legitimate Western ties and are planning and contemplating attacks that don’t cost very much. Imagine the budget and weapons used and number of attackers, just how fine-grain those needles are in these otherwise large haystacks of information, including financial flows and migration flows. The attacks can be carried out for several thousand dollars, comparable to other attacks like 9-11, Madrid and London.
I know there are risks about foreign fighters coming from abroad to the US and EU, and also risks about lone wolves who are already residents in these jurisdictions. But are there risks for, say, current residents in a country getting support from ISIS?
That is partly why we are seeing a stepped up focus by Western governments on the financial institution pieces related to both parts of that equation [in terms of foreign fighters traveling to the US and EU and sympathizers already living here]. The US must be very forward leaning in sharing as much information as it can, within the constraints of privacy and other laws, with banks and other financial institutions and different private sector entities. Banks can put a lot of their very sophisticated modeling to work – modeling and other efforts that can often rival if not outstrip those used by the public sector. [Sharing that internationally also builds trust].
You have heard about de-risking and domestic and international banks broadly closing accounts in risky regions, including correspondent portals. Is there a risk in losing intelligence there?
Correspondent banking relationships are a valuable source of insight. What you have seen in prior international sanctions cases is the de-risking from this region in particular – often out of an overabundance of caution. Banks are severing the relationships they consider not financially remunerative enough to be worth the risk. That really leaves a vacuum, because you can’t vet what turns up to fill that void. You can be close to certain that whatever regulations come after in those regions will be markedly weaker.
De-risking is happening in places like Turkey and Jordan, and in some of those places, those vacuums could be how terrorists are accessing the international banking system. But the best call would be for US financial institutions to mine those correspondent relationships and also persuade their betters in the banks to keep them in place – convincing them they are not too onerous and worth the risk. Hopefully they can find willing partners in US sanctions officials who can help figure out what needs to be done to keep those correspondents in place [and keep open a valuable portal of intelligence for international law enforcement].
There are some red flags that can signal to banks and other financial institutions that a customer has become a fighter affiliated with a terror group and could be moving to a terrorist-held area to get training, or be in, or on the way back to, the West and plotting attacks, including:
• IP addresses: A customer historically in one Western region starts having IP logins in areas in or near conflict zones, such as the Syrian border, including Turkey, Jordan and Lebanon. Those IP addresses then change to domestic areas with a higher population or a significant financial nexus.
• Transaction hiatus: There are periods of transactional dormancy, which could mean the individual is abroad doing terrorist training. This is riskier if these periods are accompanied by the draining of accounts, meaning the person is using the funds for weapons or bomb materials or could be planning a suicide attack.
• ATM, wire activity: A customer suddenly has ATM withdrawals and wire transfers to areas in or near conflict zones. This is riskier if the transactions then turn back to domestic regions, or if there are incoming wires from multiple remitters in conflict regions, which could evince an attempt by a foreign terror group to support a homegrown cell. This could also be cross-referenced with any changes in social media postings, including terrorist propaganda or support.
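The three red flags above can be expressed as monitoring rules over a customer's login and transaction history. The following is an added example, not part of the original article or any ACFCS tooling; the record layout, flag names and all thresholds are assumptions, and the sample history is constructed.

```python
from datetime import date

# Countries the article names as near the conflict zone (ISO codes).
NEAR_CONFLICT = {"TR", "JO", "LB"}
# Assumed thresholds; the article gives none.
DORMANCY_DAYS = 30
DRAIN_RATIO = 0.10      # balance fell to 10% or less of its earlier peak
MIN_REMITTERS = 2       # distinct senders of incoming wires

def red_flags(home, logins, txns):
    """Return the article's red flags raised by one customer's history.
    logins: [(date, country)]; txns: [(date, kind, direction, country,
    counterparty, balance_after)]; both lists sorted by date."""
    flags = set()
    # 1. Logins move from home to a near-conflict country, then back home.
    path = [c for _, c in logins]
    away = [i for i, c in enumerate(path) if c in NEAR_CONFLICT]
    if away and home in path[:away[0]] and home in path[away[-1] + 1:]:
        flags.add("ip_shift_and_return")
    # 2. Dormant period that begins with the account already drained.
    peak = 0.0
    for prev, cur in zip(txns, txns[1:]):
        peak = max(peak, prev[5])
        gap = (cur[0] - prev[0]).days
        if gap >= DORMANCY_DAYS and peak > 0 and prev[5] <= DRAIN_RATIO * peak:
            flags.add("drained_then_dormant")
    # 3a. Outgoing ATM or wire activity in or near conflict zones.
    if any(k in ("atm", "wire") and d == "out" and c in NEAR_CONFLICT
           for _, k, d, c, _, _ in txns):
        flags.add("atm_wire_near_conflict")
    # 3b. Incoming wires from multiple remitters in those regions.
    senders = {cp for _, k, d, c, cp, _ in txns
               if k == "wire" and d == "in" and c in NEAR_CONFLICT}
    if len(senders) >= MIN_REMITTERS:
        flags.add("multi_remitter_inbound")
    return flags

# Constructed sample history for a customer based in FR (not real data).
LOGINS = [(date(2015, 1, 5), "FR"), (date(2015, 3, 2), "TR"),
          (date(2015, 6, 20), "FR")]
TXNS = [(date(2015, 1, 10), "card", "out", "FR", "shop", 4000.0),
        (date(2015, 2, 25), "atm", "out", "FR", "atm-1", 150.0),
        (date(2015, 3, 3), "atm", "out", "TR", "atm-2", 50.0),
        (date(2015, 6, 21), "wire", "in", "TR", "remitter-A", 900.0),
        (date(2015, 6, 28), "wire", "in", "JO", "remitter-B", 1800.0)]
```

Each flag on its own is weak evidence; the article's point is that risk rises when they co-occur, so the returned set is best treated as input to analyst review rather than as an automatic action.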
Here are also some links to past ACFCS coverage on compliance and terror finance: