AML and Cyber Security to Overlap in Coming Years

Cyber security was once considered a problem for information security teams at most financial institutions but anti-money laundering professionals should expect to be more involved in future, officials said. The fields of AML and cyber security are likely to see more overlap in the coming years, as launderers and terrorist financiers find new ways to exploit technological advances, they said.

At most financial firms, AML and sanctions are often in the domain of compliance and legal but there is a growing shift in the sector towards including AML and compliance professionals in cyber security matters. Some banks have reported having organisation-wide emergency IT security and cyber crime committees upon which AML, compliance and legal professional serve.

Regulators are also aware of the overlap between cyber security and money laundering, as evidenced by Jernnifer Shasky Calvery, FinCEN Director given statement speech dated 9 December 2015 on the matter in New York, as well as FinCEN earlier guidance on the application dated 18 March 2013 to the users of virtual currencies.

"Money laundering or terrorist financing can take place through cyber security flaws, so we need to work as one team because everything is joined at the hip," said Dr Amit Kumar, president of U.S.-based AAA International Security Consultants, during a recent webinar hosted by the Association of Certified Anti Money Laundering Specialists (ACAMS).

Professional services firms also see the connection between cyber security and AML. 

"There is a connection in activity if you are doing transaction monitoring and identifying suspicious or potentially suspicious transactions," said Rick Small, a senior advisor for AML and financial crimes at EY and a former U.S. federal prosecutor.

"You see an element of cyber [crime] in that, such as for identity theft through hacking or stolen accounts, or seeing the establishment of new accounts that cannot be tracked back. We are seeing more of a connection between those data points and obligations we have for identifying and reporting suspicious activity. Now, they [compliance staff] take information such as IP addresses and put them in suspicious activity reports (SARs) if available when they are filed," he said.

Related, but not our remit

Institutions should also be cautious to not move too fast in delegating IT security duties to their compliance and legal teams. 

"I and my colleagues are not experts in this area," Small said. "How they [criminals] hack [into systems] and get to the data is best left to other experts; it is not something AML experts should take on."

Such an approach would be prudent as maintaining an IT system, including its quality and structural integrity, also entails its security, which, functionally and practically, lies with experts elsewhere within an organisation, not with AML teams, he said.

"The more we as AML professionals know about our institutions and how things happen, particularly bad things, we get better at our jobs. I am a firm believer in having a central source for reporting out for suspicious activity. Even though different groups deal with law enforcement within an organisation; when it comes to the official [SAR] reporting, I think AML should own it," Small said.

Synergy between IT and compliance existed but Small did not want to see the underlying responsibility for cyber security moved over to AML professionals. 

Words are weapons

Technology has also allowed the proliferation of messages of support and avenues for recruitment for terrorist organisations such as ISIS. Kumar said regulators and policymakers should look more closely at the larger issue of material support for terrorism, which includes money, as well as messages — irrespective of the medium through which they were delivered. 

"Given the prolific use of cyber security tools, computers, YouTube [videos] and the Internet, everything is coming together," he said.

Kumar, an adjunct professor at Georgetown University's strategic studies programme, said the United Nations and the Financial Action Task Force (FATF), the international AML and CTF standard setter based in Paris, have been too fixated on the financial flows and sanctions related to terrorist funding. They had not focused sufficiently on the messages that can give rise to such criminal mind sets and support for them. 

"We need to look at the intersection of cyber security with terrorist financing by disabling YouTube videos that are incendiary and radicalise populations across the world," he said.

He said tougher rules should be introduced amongst the UN, FATF and national legislatures to target material support for terrorism, as the United States has with its USA Patriot Act..

"We have to look at messages, men, money and material movements because that is what is causing terrorism and terrorist financing. It has been relatively unexplored and uncharted until now, but for 2016, it should be looked into further," Kumar said. 

Anything with value was fair game, including messages. To that end, Kumar recommended nation states work with social media companies because it was crucial governments forged such relationships to thwart money laundering and terrorist financing. 

"We have to remove silos between the public and private sector," he said.


  • Ajay Shamdasani is a senior staff writer with Thomson Reuters Regulatory Intelligence in Hong Kong. He covers regulatory developments in Hong Kong, India and South Korea. He also writes about money laundering, fraud, corruption, data privacy and cybercrime.