What’s cyber got to do with it?


The past 50 years have marked an era in which a paradigm shift occurred in the way humans interact with electronics and technology. Societies around the world have witnessed technological advances at a rate not seen since the Industrial Revolution of the 19th century as computers have become an integral part of many nations' infrastructures. From a U.S. perspective, the speed of development, continuous improvement and advanced use of computers, as well as the explosion of ancillary industries that nurture computing-related endeavors, have been nothing short of astounding. From desktop computers and laptops, to tablets, flat-screen TVs, GPS devices, smart phones and "apps," technology has redefined how people live in modern civilization and holds promise for marvels yet to be discovered.

No aspect of modern living in the world's industrialized economies has been left untouched by technology, and advances in banking and financial services, like many other business sectors, have arguably been at the center of this modern phenomenon. Consider the technological features that have become the cornerstones of modern western-based banking and the multiple access points to the financial system that have emerged for consumers due to computers and, more critically, the capabilities created or enhanced by the Internet: automatic teller machines (ATMs); debit and credit cards; point-of-sale terminals; full-service online banking, brokerage accounts, and online trading; online loan applications and instant credit approvals; banking via mobile devices; and mobile check deposit via smart phone.

Most recently, the rise of virtual or alternative currencies such as "Bitcoin" has only reinforced the upheaval within the banking and financial services sector that continues in the wake of technological advances. And therein lies the problem. As with any number of human advances, discoveries that result in benevolent use can also unfortunately enable equal misuse by persons with ulterior motives. The following discussion highlights some of the impact of technology on regulations and the banking and financial services sector from an anti-money laundering (AML) perspective, possible objectives for AML professionals to consider in executing their duties, and the challenges that lie ahead.

A BSA/AML Look-Back to the Future

The convergence of AML compliance with information technology (IT) solutions has a storied history, but to keep things simple, a U.S. perspective will be taken in review of the topic of cyber-crime due in large part to the country's current role as arguably the epicenter of both technological and regulatory innovation with regard to AML. However, as will be discussed, although the U.S. may have started the technology race, it may not necessarily finish near first place.

Certainly crime has been a part of society since the dawn of human civilization. However, large-scale global criminal activities directly facilitated through the use of technology and involving trafficking and financial crimes of all types are a modern phenomenon. The capabilities for criminals to extend their exploits from the comfort of their laptops grew exponentially as a direct result of advances in computing. This threat to the stability of both the financial services and IT sectors only magnified as years passed, particularly during the 1990s. Albeit reactively, U.S. regulations have been gradually adapted since the 1970s in response to criminal trends and to address gaps in the country's crime-fighting and AML regimes, as follows:

  • The U.S. Congress passed in 1970 what became known as the Bank Secrecy Act (BSA), establishing requirements for transaction record keeping and reporting by private individuals, banks and other financial institutions;
  • The Money Laundering Control Act of 1986 imposed criminal liability on a person or financial institution that knowingly assists in the laundering of money;
  • The Annunzio–Wylie Anti-Money Laundering Act was enacted in 1992 to strengthen sanctions for BSA violations and the role of the U.S. Treasury;
  • The USA PATRIOT Act was enacted in 2001 in response to the terrorist attacks in New York City;
  • The Fair and Accurate Credit Transactions Act (FACTA) was enacted in 2003 partly in response to the rise of identity theft (which is arguably a crime enabled by computer technology); and
  • The Red Flags Rule was enacted in 2008 to provide regulatory guidance on establishing and administering compliance programs in support of the FACTA.

At the core of each of these regulations perhaps is the coincidental impact of technology's contribution to the increasingly sophisticated means by which criminals, and ultimately even terrorists, exploited gaps in the U.S. banking regulatory regime to facilitate their activities. The convergence of money laundering and computer-based criminal activities is certainly not coincidental, particularly given the potential for large payoffs, the security of anonymity on the Internet, the relative ease of infiltration and the natural barriers against capture and prosecution despite the risks.

Note the years of the last two regulations related to consumer credit card and identity theft. Credit cards were essentially portable loans whose mere existence was enabled by advances in computing, from the consumer credit bureaus that developed credit profiles, to the banks that issued the cards, to the point-of-sale retail terminals that captured purchases. The U.S. consumer credit card industry as a whole spent much of the 1990s and early 2000s suffering increasingly large numbers of credit card thefts involving both individual and organized criminals of all stripes, domestic and foreign.[1] Criminals' techniques targeted operational and technological security gaps inadvertently created during a period of innovation in U.S. banks' products and services and incorporated various methods including:

  • Physical mail, "convenience" cardholder check, and card theft;
  • Use of false identifying documents to facilitate purchases;
  • Counterfeit cards created from stolen magnetic strip data;
  • Balance transfer and so-called "convenience check" fraud via account takeover and check "kiting;"
  • Fraudulent customer address changes to facilitate bogus credit applications; and ultimately,
  • Identity theft—the wholesale "theft" of a person's personal identifying information (PII) to assume their consumer "identity."

The profits from these exploits at the low end ranged from several hundred to as much as several thousand dollars per theft or account compromise. At the high end, however, bulk card, account takeover and identity theft by organized fraud rings netted tens and sometimes hundreds of thousands of dollars in illicit proceeds. Best of all for the perpetrators, the crimes were increasingly impersonal or "faceless" as their techniques became more sophisticated and the victims more remote from the facilitators.

Legendary U.S. bank robbers of the 1930s took on an "early-adopter" mentality, leveraging advancements in weapon technology to easily outgun law enforcement (LE). Consider this criminal perspective, fast forward 70 years, and arguably street criminals, fraud rings, organized criminal groups and of course hackers alike also took on such a mentality through the 1990s and early 2000s as evidenced by credit card theft. The same telephony network infrastructure established in the late 19th century that underlies the backbone of the modern Internet and the computers and services reliant upon networked systems increasingly became criminals' keys to the banks in the new age, and their early adaptation to computers as tools of crime placed them far ahead of LE. Thus, a new paradigm—this one involving the crime of bank robbery—shifted with technological advances. Technology made stealing too simple, and the days of physically robbing banks were over. From this point forward, only a fool would participate in a stickup at a local bank branch.

Unfortunately, as with any new technology developed throughout human history, advances can yield negative consequences when used to facilitate nefarious activities. The unbridled worldwide drive by governments and financial institutions toward a more technology-driven, globalized and high-velocity financial transaction system thus indirectly enabled anyone anywhere with enough computer know-how to figuratively steal the money right out of a person's wallet, sight unseen. The Internet in its current state seemingly facilitates a Wild West environment where rules, regulations and standards have yet to be established, especially from an international perspective. Meanwhile, AML compliance has taken on increasing importance as a tool to stem this criminal trend in this environment.

Phones, Phreaks, and Ultimate Geeks

To comprehend the rise of cyber-crime and cybercriminals requires a general understanding of the history of telecommunications, computing, the Internet and the series of strange coincidences that spurred technological advances in these industries. Once weighing tons, taking up entire rooms and functioning as tools purely for research use by technologically advanced nations' defense departments and universities, computers were entirely out of the hands of the average citizen. During the 1970s, however, this hierarchy began to change with developments in semiconductors, computer chips and processors that rapidly began to shrink the size and cost of computers while exponentially increasing their speed and processing power. Simultaneously—and ultimately foretelling—telecommunications cables were extended around the globe, and these same advanced nations began launching global communications satellites in an effort to improve telecommunications capacity and capabilities. Finally, in the 1970s, the U.S. Defense Advanced Research Projects Agency (DARPA) spurred research into the possibilities to enable computers in separate locations to communicate with each other through telecommunications links, especially across long distances. Through these initiatives, computer networking and the Internet were born.

This tremendous leap forward in the ability to instantly communicate with others thousands of miles around the planet was revolutionary, and this ultimately stimulated the curiosities of many youth, first in the U.S., to figure out exactly how this technology worked and what its limitations were. Thus, telephone "phreaking" was born. Phreaking is a term that describes the culture and people who study, experiment with and explore telecommunications systems.[2] Many people may have forgotten—or do not realize—that Apple founders Steve Jobs and Steve Wozniak are the most notable among many early technology luminaries who started in life as phone phreaks, computer geeks (technology enthusiasts) and hackers. Jobs' and Wozniak's first claim to fame was engineering and marketing a "blue box" to successfully hack AT&T's network by mimicking telephone tones to make free long distance phone calls. Their curiosity and success in engineering and marketing these devices inspired the eventual foundation of what is now the Apple Computer company.[3]

As telephone networks became more computerized, phreaking became intertwined with computer "hacking" (security circumvention and program modification), as phreaks experienced an epiphany: If computers can communicate on these same networks, what possibilities lay hidden within these machines? Once considered a nuisance offense in the early days of phone "phreaking," computer hacking involved the misadventures of curious geeks, teenagers and thrill seekers. However, unlike "phreaking," hacking went a step further whereby hackers sought to stealthily gain unapproved access by any means necessary to the core operating systems, programs, and infrastructure of any computer that happened to be linked to the Internet. This previously impossible capability proved to be too tempting to pass up for many phreaks and geeks alike. Thus marked the dawn of computer hacking, and one of the most notorious pioneers in the early years was Kevin Mitnick, who successfully crossed the bridge from phreak to criminal hacker, setting the standard for many eventual successors.[4]

DARPA enabled the Internet to come into being, but undoubtedly no one could have predicted the outcome. The means and techniques employed by hackers are too numerous to mention here, but understand that the entry methods, coding tactics, and underground networks developed and perfected over 30 years ago are the foundation upon which today's worms, viruses, and Distributed Denial of Service (DDoS) exploits are standing.

"It Takes One To Know One," or… "To Catch a Thief"

An age-old retort spoken from the mouths of young grade-school kids in the schoolyard and a movie title—but what do they mean here? What is the purpose of knowing the history of telephony, phreaking, hacking and the Internet for AML professionals?


In the 21st century world, a general understanding of what may essentially be the technological backbone of your financial institution could ultimately determine whether your institution's BSA/AML and Office of Foreign Assets Control (OFAC) compliance program can withstand the onslaught of modern computer-based criminal activity. Regardless of an institution's size, scale of operations, or geographic location, unchecked assaults brought on by highly sophisticated and technologically savvy criminals could ultimately threaten consumers' core trust in the foundations of the modern, integrated, and global financial system. Therefore, technology deserves AML compliance management's full attention. The compliance, operational, reputational and legal risks to institutions are high, and failure of this pillar of the financial infrastructure could very well impact future market and growth opportunities.

Arguably, consumer use of modern non-physical currency methodologies could reach a "tipping point" in the U.S., as the slipshod approaches on the part of some merchants, financial service providers and financial institutions to ensure the security of individuals' PII and adopt more secure payment systems infrastructure place increasing pressure on the confidence and trust of the average consumer in the financial system. Recent waves of bulk credit card hacks, data and identity thefts only serve to accelerate this problem. As an AML compliance professional, it is important to understand the dynamics at work here, gain insight into cybercriminals' thought processes, patterns and behaviors, and educate and train personnel in order to survive and/or defend against cyber threats.

As AML professionals in both the private and public sectors, whether or not you realize it, your first directive is to think like a criminal. Each day you must work to identify, monitor and report suspicious activities that may occur at your institution to attempt to minimize risks essentially by understanding and interpreting the nature of such risks through the mind of a money launderer, fraudster or thief. Whether through manual or automated methods, it is essential for AML professionals to understand the motivations of cybercriminals in order to begin to identify potential suspicious transactions and behaviors.

Collaborative communication between IT and AML management should extend well beyond occasional projects and ad hoc support services. Working dialogue and information sharing of both information security issues and AML concerns with regard to identifying and detecting cyber-crime related to possible fraud and money laundering activities should be continuous within the organization. Automated solution systems should receive more than a cursory overview by AML compliance management and staff in order to develop more robust alert rules to focus on significant transaction risks. As a result, solution systems can be more effectively implemented, maintained and adjusted to better detect possible suspicious transactions. With the emergence and integration of automated AML solutions featuring data analytics and dynamic due diligence tools, the detection of cyber-based criminal activity should not be left solely to these solutions. The means and techniques by which cyberthieves exploit system weaknesses change quickly and constantly, and knowledgeable well-trained AML professionals can serve as an effective complement to automated solution systems.

Catch Me if You Can

As criminals have migrated to the Internet, so too have dedicated LE investigators around the world in their attempts to identify, monitor and prosecute the individuals and groups who pose extreme risks to the modern networked financial system. U.S. LE has reaped some early high-profile successes both independently and through international joint task forces, including:

  • The arrest of the aforementioned Kevin Mitnick in 1999;[5]
  • The 2008 arrest of Albert Gonzalez aka "Cumbajohnny," mastermind behind the massive TJ Maxx credit card hack;
  • The successful identification, arrest, and prosecution of Max Butler aka "Iceman" in 2009, who at the time had become the leader of one of the world's largest illegal credit card forums, largely through the individual dedication and efforts of FBI Special Agent Robert Mukarsky;[6] and
  • The shutdown of Liberty Reserve, an online financial institution deemed to be of primary money laundering concern, and subsequently the Silk Road online black marketplace in 2013.

However, on both international and local levels, LE still struggles to gain sway over the onslaught of cyber-crime activity as noted recently in a Wall Street Journal article.[7]


High-level cyber-crime is generally perpetrated by lone individuals, groups of conspirators or organized criminals that exist in the ether of the Internet outside any regulatory regime and on society's social fringes. In countries such as Russia, Ukraine and China (with each of which it can be exceedingly challenging for LE to obtain criminal extradition agreements), cybercriminals' refuge within these countries' borders is no coincidence. In the case of U.S.-based cybercriminals, those who have sought to enrich themselves through online crime tend to operate within their own social underground and shy away from the limelight—until they seek to enjoy the spoils of their crimes.[8] AML professionals and LE must remain vigilant in penetrating this underworld and exposing cybercriminals' activities if the networked economy that governments and financial institutions seek to further develop is to survive.


Brian Arrington, MBA, CAMS, specialty risk examiner, Federal Reserve Bank of Chicago, Chicago, IL, USA, brian.arrington@chi.frb.org

The views and opinions expressed are those of the author and do not necessarily reflect the views and directives of the Federal Reserve Bank of Chicago, the Federal Reserve System or any other banking regulatory agency.

  1. Financial Crimes Enforcement Center (FinCEN) "Identity Theft: Trends, Patterns, and Typologies Reported in Suspicious Activity Reports," October 2010: http://www.fincen.gov/news_room/rp/reports/pdf/ID%20Theft.pdf
  2. "What Ever Happened to Phone Phreaks?" The Atlantic, February 20, 2013: http://www.theatlantic.com/technology/archive/2013/02/whatever-happened-to-the-phone-phreaks/273332/
  3. The Autobiography "Steve Jobs," by Walter Isaacson
  4. "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker," by Kevin Mitnick
  5. CNN, http://www.cnn.com/SPECIALS/1999/mitnick.background/
  6. "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underworld," by Kevin Poulsen
  7. "Grappling with Cybercrime," the Wall Street Journal, April 21, 2014: http://online.wsj.com/news/articles/SB20001424052702304626304579508212978109316
  8. "Kingpin," Poulsen