Link cyber and anti-money laundering units, but do not combine them — experts

March 30, 2016

(Thomson Reuters Regulatory Intelligence) – Last month’s cyber attack against Bangladesh’s central bank in which hackers stole $81 million from the bank’s account at the Federal Reserve Bank of New York and then laundered the funds has ignited a debate at U.S. financial institutions regarding whether cyber security and anti-money laundering units should be merged to better combat financial crime.

Although cyber and anti-money laundering compliance units at banks and broker-dealers should remain distinct entities, efforts to share information across the units should be ramped up, possibly by cross-training select members of the teams, senior compliance officers, consultants and law enforcement sources say.

“While there should be coordination, I don’t know that they need to be in the same place,” said Ellen Zimiles, head of global investigations and compliance at Navigant Consulting.

To date, banks have found it “more efficient” to approach cyber and AML separately, said Rob Rowe, a lawyer with the American Bankers Association.

“That’s not to say that the two areas of the banks, especially at larger institutions, are segregated,” he said.

What increased coordination might look like

One method of more closely linking AML and cyber being discussed at large banks involves creating databases containing cyber data such as names, email addresses, phone numbers, and IP addresses thought to be linked to “bad actors” and allowing AML to query the data, said a bank compliance officer with a background in military intelligence.

A second approach under consideration involves training some AML compliance officers to be cyber-AML professionals capable of accessing “certain tools and websites in the dark web that would allow them to exploit cyber in a way that AML analysts are not normally trained to do,” said the source, who like other compliance officers interviewed for this article asked not to be named as he was not authorized to publicly discuss the matter.

“They could take that data out to the rest of the AML team, they could do training for the rest of your AML organization and explain how to exploit things for potential linkages and they would develop the model for integrating cyber into AML,” he said.

While the first approach is less costly, it might be of limited value, the source said.

“Even if the data is available, how does your AML team know when to check it? How do they know what kind of data to check for? Do they know where your AML vulnerabilities are if you’re just logging in and checking a database? You need people who understand the intersection of AML and cyber activities,” he said.

Most cyber attacks are about money, the source said.

“It’s about financial crime and that money has to flow somewhere, and it might not flow through the institution that experienced the theft, but it will through others, just as it did in (the hack of Bangladesh’s central bank). How would a traditional AML analyst know that these kinds of flows are potentially linked to financial fraud? What would the cyber crime signature look like?” he said.

“You just have to know what to look for.”

Potential liaisons

Privacy officers detailed to securities industry AML departments, professionals responsible for addressing breaches where “someone saw something they weren’t supposed to see,” can connect cyber security and AML, said a senior securities industry compliance officer.

“I don’t think they need to be merged, I just think they need to be coordinated,” the source said. “The chief privacy officer should talk to the head of information security daily as one is the front wall protector and one guards the back wall.”

Still, in the end, the AML team alone will need to prepare and file Suspicious Activity Reports (SARs) required by the Bank Secrecy Act (BSA), the primary U.S. anti-money laundering law, the source said.

“If the AML team is doing an investigation and it needs IP addresses to figure something out – Is someone using our front end to do something they weren’t authorized to do? – we’re going to leverage privacy and cyber security to get us those details,” the source said.

Keep AML and cyber separate – law enforcement official

Combining cyber and AML will put a financial institution “in a vulnerable position,” said a federal law enforcement official.

If cyber and AML are merged and a bank is hacked and loses millions of dollars, the bank could not only be sued by those who lost money, but could potentially be prosecuted for failing to put in place an effective AML program, the source said.

“Those kinds of accusations have already begun,” said the source, who declined to elaborate.

(This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Mar. 24. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters)
