Buying a new printer from ISIS is probably not how many people envision their stationary shopping to proceed. But it was only a month ago that the FBI announced that it had found a senior Islamic State (ISIS) official sent money to an alleged operative based in the US via a global financial network that used fake eBay sales to mask payments.
US citizen Mohamed Elshinawy allegedly pledged allegiance to the Islamic terrorist group and received about $8,700 from the organisation through PayPal under the cover of fake computer printer sales, it was reported.
This is a timely reminder about how vulnerable businesses can be to terrorist financing. Terror financing is moving clean money to a criminal destination. Whereas money laundering is moving criminal money to a clean destination.
It’s now less than a month until the UK’s Criminal Finances Act comes into force on September 30. The regulations give the UK’s tax, payments and customs authority, HMRC, a global mandate to pursue the possible facilitation of terror financing, money laundering and tax evasion anywhere in the world should it involve a UK tax liability.
“The Criminal Finances Act is extremely far-reaching and will put the spotlight on a huge range of businesses, meaning many people have a lot of work to do in less than a month to ensure their firm is compliant,” says Marie Barber, managing director of tax consulting and accounting services at Duff & Phelps.
“This new legislation is not dissimilar to other legislation designed to influence corporate behaviour, such as the Bribery Act and the GDPR, and as such requires a similar approach to assess risk and put measures in place to prevent the targeted activity from occurring,” she continues.
Corporations already face a host of anti-money laundering regulations which vary by jurisdiction.
Key legislation includes The Patriot Act 2001 in the USA, and the Money Laundering Regulations 2017 in the UK. Companies risk facing heavy penalties and restrictions for any breaches.
High tech terror
As the eBay case shows, groups like ISIS are increasingly using advanced technology to accomplish their goals.
ThetaRay is an algorithm-based anomaly detection company, established to allow financial institutions to uncover previously undetectable threats in large amounts of unstructured data.
James Heinzman, ThetaRay’s executive vice president of financial services solutions, explains that one way terrorists are funding their activities, for example, is by hacking into tens of thousands of online bank accounts and transferring small amounts into their own account. These amounts are so small that they are difficult to detect or trace, but when taken in aggregate they can amount to large sums.
In addition, increasing cases of ‘lone wolf’ terrorists and dormant sympathisers are also a growing challenge their financial transactions can be much more difficult to identify as terror related, says Michael Harris, director of financial crime compliance and reputational risk at LexisNexis Risk Solutions.
“Terrorist atrocities are now being conducted with barely any capital; transactions for the hire of a van or purchase of a knife, for example, would not normally raise alarm bells”
“Geopolitical conflict and uncertainty intensifies these issues, leaving financial services with the challenge of monitoring people’s international movements when, for example, displaced ISIS members return to the UK,” Harris explains.
The way in which terrorists conduct their crimes has evolved significantly too. “Terrorist atrocities are now being conducted with barely any capital; transactions for the hire of a van or purchase of a knife, for example, would not normally raise alarm bells, but unfortunately, as recent news has shown, these items are now utilised to perpetrate significant terrorist events,” says Harris.
An improvised explosion (IE) device may cost about €5,000, which is relatively small in a western country but in some high-risk countries, this is a huge amount of money.
Terrorist and criminal organisations know that they can’t just sell oil and receive a lump sum of $10m – it would be identified as money laundering and intercepted by law enforcement agencies. But through a flood of micro transactions, they can escape detection, acquire the necessary funds, and continue their terror operations.
“We have seen cases where a few customers were acting in concert, using multiple channels, payment methods and low dollar amounts”
“They use credit cards to take cash advances from an ATM in a foreign country, but in small amounts as little as $100. Terrorists then pay off the credit card in a different country with a cash equivalent payment (CEP) such as a traveller’s check or money order, effectively moving money between two countries. We have seen cases where a few customers were acting in concert, using multiple channels, payment methods and low dollar amounts. In total, they might move as much as $15,000-20,000 in this way,” says Heinzman.
In the recent eBay case, the terrorists were using multiple channels in small accounts.
From a data analysis perspective, financial services face three significant challenges when identifying threats, according to Harris.
These are firstly ensuring the reliability of the information or media content used. Second is possessing the resources and operational capabilities available to conduct extensive research.
Thirdly, financial services must have the capabilities to monitor lower value transactions and identify those that may be related to terrorist activity, argues Harris.
Banks are struggling
“Globally, the banks realise they are struggling to catch all that they can,” says Heinzman.
“Many banks have a rules-based approach, where they have to define different rules in order to identify specific problems. But it is very difficult to write a rule about how someone uses a selling platform like eBay, for example. It is difficult to write something that no one has thought about before.
“The people who write these rules are smart, but they can’t keep up. The banks’ systems and processes can also be very slow to respond. They often use behaviour models to identify these risks,” he adds.
ThetaRay has been working with many large global banks, using its data analysis technology to improve the companies’ terror financing protection, Heinzman says.
By analysing all possible transaction data (amount, IP address, telephone number, operating system in use, and thousands more) as well as the relationships between them, ThetaRay can warn banks of potential criminal activity. The company claims its data analysis can spot false positives as well to prevent muddying the waters.
“Many of the rules for the banks’ criminal detection processes, embedded in their legacy systems, are published on the dark web.”
“Dark web experts have told us that many of the rules for the banks’ criminal detection processes, embedded in their legacy systems, are published on the dark web. So, if someone wanted to circumvent them, they could find the rules and develop schemes that go around them,” explains Heinzman.
Finding the needle in the needle stack
“It is difficult to detect terror financing because it’s hard to separate legitimate activity such as migrant workers sending money home from terrorist financing activities. It is difficult to find the needle in the haystack – it’s really more like a needle in a needle stack” he says.
One example of this is a medical aid worker who was gathering donations for a charity organisation and was therefore moving funds from low risk countries to high risk countries. The activity was not captured by the bank’s rules-based system, but was brought to the attention of the bank by a regulator, according to Heinzman, who claims ThetaRay identifies cases like this immediately.
“Terrorist financing is by its nature a random threat,” notes Harris.
“Traditional rules based transaction monitoring systems find it hard to detect terrorist financing activity and the financial services industry is rapidly turning to predictive and advanced behavioural analytical systems to assist with the task,” Harris adds.
ThetaRay claims it can take alerts from banks’ legacy systems and reduce the false positives. “If a system generates 10,000 false positives a month, a bank needs to hire a lot of analysts to review them and determine which are true positives. ThetaRay rapidly and accurately predicts which of the 10,000 anomalies are likely to be true,” says Heinzman.
Another well-known method for transferring funds without the detection of banks is using cryptocurrencies, such as bitcoin.
However, the anonymity of cryptocurrencies is a common misunderstanding. The technology they are based on – blockchain – permanently retains all information attached to any transaction.
If law enforcers have adequate technical expertise, the associated data can create a forensic trail that can suddenly make a criminal’s entire financial history public information. This is how the Federal Bureau of Investigation (FBI) arrested Ross Ulbricht in 2013, a 31-year-old American who created Silk Road, a bitcoin cryptocurrency market facilitating the sale of $1bn in illegal drugs.
ThetaRay can monitor funds in cryptocurrencies – including those using a distributed ledger (such as bitcoin) – to detect potential illicit activity, claims Heinzman.
“The cryptocurrency markets are something we are very interested in. One thing that is happening at the moment is that, as cryptocurrency comes more and more mainstream, the practitioners want to know that the market they are participating in has controls and integrity.
“That is why they are coming to us. I am certain that none of these institutions wants to have their systems used to facilitate terrorist financing or other illicit activity,” Heinzman says.
PSD2 heralds a new dawn for mobile payments, as the regulatory technical standards around the upcoming European open banking regulations are expected to put mobile devices at the heart of new payment techniques. But despite the regulatory environment nudging markets towards certain payment types, it is not easy to predict exactly how consumers will adopt the technology.
Studies show that many organisations are not aware of the fines they could face after GDPR comes into effect, or lack the technology to allow for compliance. The penalties for non-compliance are high: any breaches incur a maximum penalty of 4% of the organisation’s global annual turnover, or €20m, whichever is more.
Working on a lean treasury team can be a difficult job. The large number of areas that have to be covered and the amount of information that needs to be gathered, analyzed and understood is daunting.
As investors wake up to the huge financial damage that can be caused by unethical behaviour, companies should ensure that doing business ethically is a goal shared by all of its workforce.