FINANCIAL CRIME WAVE – FINCEN UPPING CRYPTO COMPLIANCE EXAMS, AI AND AML UPDATE, AND MORE

In this week’s Financial Crime Wave, the U.S. Treasury gauges the financial crime compliance of the crypto sector, noting major uptick in filings, a look at how artificial intelligence can strengthen anti-money laundering compliance, key tips on making training more sticky, and engaging, and more.

Investigations

FinCEN highlights value of AML filings, data in cracking domestic, foreign fraud cases, increasing focus on crypto sector: Director  

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) is more aggressively mining the wealth of data in the form of anti-money laundering (AML) filings to better crush a range of crimes, including large scale fraud cases, where criminals ironically enough impersonate IRS tax agents, cyber hackers monetizing their hauls through virtual currency exchanges and cross-referencing these trends against crypto’s foundational blockchain.

Those are just some of the takeaways from two speeches by newly minted FinCEN Director, Kenneth Blanco, who took over in December. He touched on a host of topics at a crypto conference in Chicago last week and a Las Vegas AML conference Tuesday, noting that just as the country’s financial intelligence unit is trying to maximize its vast data warehouse, all entities subject to counter-crime compliance rules should share more information with each other.

FinCEN and the IRS have also examined over 30 percent of all registered virtual currency exchangers and administrators since 2014, noting soaring filings, to roughly, 1,500 a day, including crypto and other filers. To read the crypto speech, click here, and the casino speech, click here.

Training

Four ways to enhance your organization’s compliance training: Focus on desired outcomes, not rigid rulemaking, make it approachable, interactive

Creating effective and engaging compliance training can be difficult, especially when the topics are complex and not everyone is a compliance expert. On top of that, compliance training is heavily scrutinized because it is one of the pillars of an effective Bank Secrecy Act/anti–money laundering compliance program.

Given these challenges, focusing on engagement as well as content can be tough. But if you keep these four principles at the forefront when developing compliance training for your organization, you’ll have a good start.

Ø  Use a conversational tone instead of legalese: One of the crucial tasks compliance training professionals must perform is translating the difficult language of laws and regulations—what we lovingly call “legalese”—into language that anyone in the workforce can understand.

Ø  Focus more on behaviors and purpose, less on regulations and laws: When training focuses on what types of behaviors we are looking to create or change, rather than the detailed nuances of the regulation or law that require this change or creation, learners understand their roles better and how they can best comply with the regulation or law.

Ø  Make training more interactive: This seems like a no-brainer, but so many times compliance training gets stuck in the lull of presenting facts, asking questions, and presenting more facts. How about mixing in animations or voiceovers with these facts? What about scenarios or gamification?

Ø  Know how and when to use acronyms and abbreviations: Every organization has this problem—a mile-long list of company- and industry-specific acronyms and abbreviations that only seem to confuse and frustrate both new hires and seasoned employees. The general rule is, if you use the term only once, don’t use the abbreviation or acronym, (via ATD).

Cybersecurity

AI in cybersecurity: what works and what doesn’t, separating fact from fiction

Machine learning (ML), one of many subsets of artificial intelligence, is being baked into some security software. But even the term machine learning may be employed somewhat optimistically. Its use in security software today shares more in common with the rules-based “expert systems” of the 1980s and 1990s than it does with true AI. If you’ve ever used a Bayesian spam trap and trained it with thousands of known spam emails and thousands of known good emails, you have a glimmer of how machine learning works, if not the scale.

In most cases, it’s not capable of self-training, and requires human intervention, including programming, to update its training. There are so many variables in security, so many data points, that keeping its training current and therefore effective can be a challenge.

Machine learning, however, can be very effective when it is trained with a high volume of the data from the environment in which it will be used by people who know what they’re doing. Although complex systems are possible, machine learning works better at more targeted tasks or sets of tasks rather than a wide-ranging mission.

One of machine learning’s greater strengths is outlier detection, which is the basis of user and entity behavior analytics (UEBA). When a machine learning system is trained thoroughly and well, in most cases you’ve defined the known good events. That lets your threat intelligence or security monitoring system focus on identifying anomalies, (via CSO).

Hackers hit India bank in global fusillade

Cyber criminals hacked the systems of India’s Cosmos Bank and siphoned off nearly 944 million rupees ($13.5 million) through simultaneous withdrawals across 28 countries over the weekend, the bank has told police, (via Reuters).

Counterfeiting

Connections between counterfeiting and money laundering

Counterfeit Goods: Money Laundering in Plain Sight: (Part 4 — What Financial Institutions Can Do), (via Reuters).

Civil suits

Who is responsible when scammers steal crypto coins from your cell phone?

Cryptocurrency investor robbed via his cellphone account sues AT&T for $224 million over loss, though some doubt victim will ever collect, (via CNBC).

Enforcement

HSBC hits major regulatory milestone in unwrapping overlapping AML compliance actions, penalties, as Fed drops C&D order  

The U.S. operations of London-based HSBC hit a key regulatory milestone Tuesday as one of the many regulatory agencies that has chastised the institution in the past for anti-money laundering failings has terminated one of the many orders, penalties and agreements – this one hanging around for nearly a decade and predating a later historic compliance penalty by two years. Those, and other problems, led to HSBC paying federal regulators and investigators $1.9 billion in a December 2012 deferred prosecution agreement (DPA).

This Fed termination action is another win in recent months for HSBC’s AML function, a solid bit of progress in unwrapping concurrent orders and enforcement actions. In December 2017, the bank stated its DPA with a five-year deadline had expired, (via the Federal Reserve).  

AI

A look at the risks and benefits of using AI to better detect and prevent crime

Companies are using AI to prevent and detect everything from routine employee theft to insider trading. Many banks and large corporations employ artificial intelligence to detect and prevent fraud and money laundering. Businesses are constantly experimenting with new ways to use artificial intelligence for better risk management and faster, more responsive fraud detection — and even to predict and prevent crimes. For instance, banks have been using transaction monitoring systems for decades based on pre-defined binary rules that require the output to be manually checked. The success rate is generally low: On average, only two percent of the transactions flagged by the systems ultimately reflect a true crime or malicious intent. By contrast, today’s machine-learning solutions use predictive rules that automatically recognize anomalies in data sets. These advanced algorithms can significantly reduce the number of false alerts by filtering out cases that were flagged incorrectly, while uncovering others missed using conventional rules.

In time, AI-powered crime-fighting tools could become a requirement for large businesses, in part because there will be no other way to rapidly detect and interpret patterns across billions of pieces of data. Banks, for example, are halting financial crimes much more quickly and cheaply than they used to by using AI for automating processes and conducting multilayered “deep learning” analyses. Even though banks now file 20 times more suspicious activity reports linked to money laundering than they did in 2012, AI tools have permitted them to shrink the armies of people they employ to evaluate alerts for suspicious activities. That’s because their false alerts have fallen by as much as half thanks to AI, and because many banks are now able to automate routine human legwork in document evaluation, (via HBR).

Mobile security

New Man-in-the-Disk attack leaves millions of Android phones vulnerable through apps that use ‘external storage’ options

Security researchers at Check Point Software Technologies have discovered a new attack vector against the Android operating system that could potentially allow attackers to silently infect your smartphones with malicious apps or launch denial of service attacks. Dubbed “Man-in-the-Disk,” the attack takes advantage of the way Android apps utilize “External Storage” system to store app-related data, which if tampered could result in code injection in the privileged context of the targeted application. Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android’s built-in sandbox, to store their sensitive files or data.

However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device. Similar to the “man-in-the-middle” attack, the concept of “man-in-the-disk” (MitD) attack involves interception and manipulation of data being exchanged between external storage and an application, which if replaced with a carefully crafted derivative “would lead to harmful results.” For instance, researchers found that Xiaomi web browser downloads its latest version on the external storage of the device before installing the update. Since the app fails to validate the integrity of the data, the app’s legitimate update code can be replaced with a malicious one, (via the Hacker News).

Sanctions

New Iran sanctions could also be leverage against China

The newest sanctions placed by the US on the imports of crude oil from Iran, coming online this week, may be targeted at weakening China, but will also hurt India in the cross-fire, due to its voracious and unending appetite. That could also increase pressure on banks dealing with Indian corporates and energy firms – to ensure they don’t surreptitiously still engage the recalcitrant Islamic theocracy.

And it’s not just because India is the second largest importer of crude oil from Iran after China, it’s also because India’s demands are growing faster than any other country in the world, (via Business Insider). 

Fraud

Family of suspected India fraudster ordered to appear

Officials in India have ordered the family members of Nirav Modi, a jewelry tycoon tied to a suspected $2 billion bank fraud, to appear in court or have their assets confiscated, (via the Times of India).

Russia

Russian talking tough on U.S. sanctions on its banking sector

Russia warned the United States on Friday it would regard any U.S. move to curb the activities of its banks as a “declaration of economic war” and would retaliate, as new sanctions took their toll on the ruble and U.S. lawmakers threatened more, (via Reuters).

Blockchain

A look at how companies sleuth the blockchain to divine virtual risks

Video story – Bitcoin Detectives: Cracking the Blockchain. The cryptocurrency Bitcoin has a problem as old as money itself — theft. And that’s giving rise to a new profession: bitcoin detectives, (via the WSJ).

Just the fax

Hacking groups can infiltrate a company just using a fax number, say experts

Check Point researchers have revealed details of two critical remote code execution (RCE) vulnerabilities they discovered in the communication protocols used in tens of millions of fax machines globally. And, believe it or not, your fax number is literally all a hacker needs to gain complete control over the printer and possibly infiltrate the rest of the network connected to it, (via the Hacker News).

ATMs

U.S. warns of ‘imminent’ massive ATM attack against banks around the world

FBI warns of an imminent mass attack on the world’s ATMs, as hackers are planning “to steal millions from cash machines within days,” in sprawling cash-out, jackpotting scheme, with smaller banks potentially face the brunt of the risk due to a dearth of sophisticated systems, (via the Daily Mail).

WMDs

Bank uncovers customer with ties to WMD proliferator

HSBC stated in just-released financials that it dealt with a customer was on a list of suspected weapons traffickers, according to the (via the American Banker).

Canada

Is Canada a money laundering hub? With billions laundered and many banks flubbing on AML, some say the answer is yes

Canada’s record of fighting money laundering is under fire at home and abroad, the WSJ reported. Two-thirds of Canadian banks examined by regulators had “significant levels” of noncompliance with anti-money laundering (AML) rules, according to a report to lawmakers reviewed by WSJ. The Royal Canadian Mounted Police estimated in 2011 that between $3.8 billion to $11.5 billion is laundered in the country annually. Critics of Canada’s approach say several factors stymie its efforts, including strict privacy laws making it difficult to obtain warrants, a reluctance to prosecute and the failure in some cases of banks to report suspicious transactions.

Canada’s finance ministry said it takes the fight against money laundering seriously, but the country logs few convictions compared with its peers, WSJ found, and authorities in other countries often are the ones to act. Money-laundering specialists say regulators also should shoulder responsibility, saying they don’t take a tough-enough stance or in some cases lack the authority to act. For example, one regulator can’t fine banks while the Financial Transactions and Reports Analysis Centre of Canada, or Fintrac, can but sparingly does. Canada also recently found itself the subject of domestic and international scorn on the compliance front when it finally did penalize a financial institution, but then decided not to name the operation, (via the WSJ).

Information sharing

Could a new, collaborative information-sharing framework better support CDD, with the goal of more accurate customer risk scores, lower costs and greater financial inclusion?

Identity verification is the starting point for most financial transactions, but making sure a person is who they claim to be — and that they aren’t engaging in criminal activity — has become a complex and costly process in the digital age.

A consensus is emerging among financial services providers (FSPs) that pooling resources to tackle customer due diligence (CDD) requirements collaboratively — as some are now doing through know-your-customer (KYC) utilities — can lower compliance costs, improve CDD risk management and, thus, facilitate financial inclusion.

Some types of collaborative CDD, such as commercial KYC utilities, have found ways to share some information, but their effectiveness is hampered by a patchwork of laws and regulations that are not fit for this purpose —  i.e., they have not been designed to support AML/CFT objectives.

A new legal framework could:

  • Allow FIUs to confidentially share information with one or more FSPs — and FSPs to share information with one another — if it is reasonably believed that such information will be treated securely and confidentially and aid in AML/CFT efforts.
  • Allow changes to customer information to be shared for AML/CFT purposes among FSPs that have a customer in common, as long as they have a formal agreement and if the customer is informed and has an opportunity to correct the data or prevent sharing.
  • Allow utilities to monitor transactional patterns on behalf of multiple FSPs, possibly even allowing the utility to file reports with FIUs on behalf of the FSPs, subject to appropriate control measures.
  • Regulate data standardization to make it easier for one FSP to share data with another.
  • Outline the conditions for allowing regulated entities to rely on KYC utilities for CDD purposes, relieving them from liability for errors in KYC utilities’ data where their reliance was reasonable (e.g., there was no reason to doubt the accuracy of the data), (via CGAP).

Corruption

EU plans golden visa crackdown due to fears powerful, corrupt elites are buying their way into the bloc

Brussels is planning to crack down on EU countries, including Cyprus, that award citizenships to rich third-country nationalsamid growing concerns over dirty money from Russia, the Financial Times (FT) reported on Sunday. The FT quoted EU Commissioner for Justice, Vera Jurova, as saying that such schemes in eight member states will come under tougher scrutiny from Brussels as part of a broader drive against money laundering and corruption. The EU states with “citizenship by investment” schemes include Malta, Cyprus, but also Austria, Greece, Hungary, Latvia, Lithuania and Portugal. All countries are under more intense pressure to strengthen AML defenses as global watchdog groups, transparency activists and groups like the G20, aggressively seek to find the weak links into the international financial system.

In March, the European Commission announced its intention to scrutinise the golden visa programmes of member states after anti-corruption watchdog Transparency International said that such schemes undermined the EU’s fight against corruption and money laundering. Leaked documents showed that the Cypriot scheme attracted mainly candidates from Russia, Ukraine, the Middle East, and South and East Asian countries, many of which are considered high-risk jurisdictions in terms of money laundering. In 2017, 503 foreign investors acquired a Cypriot passport and a further 510 family members, (via Cyprus Mail).

New York

Authorities use gumshoe tactics crack Gotham counterfeit shoe ring

Scammers smuggle hundreds of thousands of fake Nike Air Jordans into New York, New Jersey, say prosecutors, costing Nike more than $70 million, (via NBC).

Wildlife trafficking

Investigative group details nexus of wildlife trafficking with aviation transport sector

In Plane Sight examines wildlife trafficking through the air transport sector by analyzing nine years’ worth of open source seizure information, noting that over the past year, wildlife trafficking activity has turned out to be truly global in scope, and increasingly so, as trafficking networks continue to seek out new source regions and demand markets for their illicit products, (via C4ADS).