Are we really stopping the bad guys?
The nature of terrorist attacks has shifted in recent years, with a greater focus on 'lone wolf' or small cell attacks. A panel discussion at Sibos 2017 considered the evolving nature of terrorist financing, the challenges faced by counter terrorist financing teams and how to measure success effectively.
- High-value terrorist financing hasn’t gone away, but we are seeing more lone-wolf attacks – which cost less to orchestrate.
- As regulation develops, the conflict between security and privacy may be problematic.
- Developments such as robotics and AI could help to drive down the cost of compliance, but the number of people involved in reviewing alerts will still be costly.
- Often the compliance industry is motivated by fear – so it’s important to “extract the positive” and learn from past successes.
Rise of ‘lone wolf’ attacks
'Lone wolf' type attacks are increasingly common – and they are difficult to spot. They also cost less: tactics like weaponizing a van may cost hundreds of dollars, rather than hundreds of thousands of dollars. As a result, “terrorists are hiding in plain sight.”
This leads to difficulties when chasing down leads. For example, automating rules or triggers, and focusing on factors such as vehicle rentals, means that “your false positive rate just goes through the roof” – so it’s important to address this intelligently.
“We have shut down a lot of the traditional avenues of funding. The new avenues of funding are emerging. They’ll always be emerging. We must respond to that.”
Aside from new regulations around beneficial ownership for companies, “there hasn’t been a great deal of change” in the US where AML is concerned. But the US Financial Intelligence Unit is using existing regulations to analyse activity in a more targeted way.
We have seen efforts to bolster information sharing in Canada under the Bank Act, but this was “watered down” following lobbying from privacy advocates. There is a conflict between security and privacy: “You can’t have absolute protection of privacy and be able to collect information to be able to prevent attacks, at least in my view.”
In Europe, the Fourth Anti-Money Laundering Directive seeks to emphasise a more risk-based approach - so the way in which regulation is applied can be tailored on a risk-led basis – although, as one expert said, “it’s still quite prescriptive.”
Adapting existing processes
So what can banks do to adapt the processes they already have in place? A common challenge is the “gap between technical compliance and effective compliance.” It’s possible to have well-written policies and procedures, and execute perfectly against them. “But if we’re looking over here, and the bad stuff’s happening over there, it’s not very effective.”
Costs could be driven down through the use of robotics and artificial intelligence, but significant numbers of people will still be needed to review files and alerts, which comes with significant cost.
Fintechs that process payments “should be subject to the same standards as banks” from a regulatory perspective.
The rise in low value attacks could be seen as a measure of success, in that the tactics used to finance terrorist organisations in the past are no longer possible today - but CTF is always going to be a moving target.
Although banks are unlikely to hear that their actions have prevented an attack, when analysts report high quality files, they receive acknowledgements that investigations have been opened. “To me, that’s a measure of success.”
FinCEN periodically publishes acknowledgements of successful cases, and while banks are not named, “I guarantee that if any of your staff worked on any of those cases, they know who they are. They are absolutely thrilled.”
Extracting the positive
In the compliance industry, people tend to be motivated by the fear of auditors and examiners – and that it’s important to “extract the positive.” For example, if an analyst’s work has been recognised, it’s important to dissect that case and consider what was different about it in order to become more effective in the future.
“How do we measure success in way that is something other than the absence of failure?”