
Anti-Terror Law Puts Banks In The Hot Seat

IMLA-FATA places new responsibilities on banks to detect and trace funds held by criminals or intended for use by terrorists.

The International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001 (IMLA-FATA) places new responsibilities on U.S. banks to detect and trace funds either held by criminals or intended for use by terrorists.

That's no small task: the International Monetary Fund estimates that laundered funds comprise 2% to 5% of global GDP, or at least $600 billion annually. Stopping clean money from harming others may prove even more challenging.

"Whatever approaches are taken, they've got to have at the core of them the principle of 'know your customer,'" said Ian Horobin, global product offering manager at Searchspace, a New York-based artificial intelligence software firm, at last month's Financial Technology Expo in New York.

But "know your customer" isn't just about capturing up-front information or conducting background research. Banks also should monitor transactions and understand how clients use banking services, said Horobin. "You've got to identify transactions that are unusual, irregular and unexpected, and therefore high-risk."

The risk of a particular transaction depends mostly on the customer. "What's suspicious for one customer is not for another," said Don Temple, a money laundering and bank secrecy act (BSA) expert at Mantas, a Fairfax, Va., software firm. "In order to understand what truly are suspicious transactions, you have to understand all of the currency reporting requirements of the BSA and the IRS, and the money laundering strategies."

"To do that manually is pretty much impossible," added Temple. "You really need a software solution."

In some respects, the task of providing government agencies and law enforcement with customer information falls under the heading of CRM. "Customer relationship management software now has to track the relationship between accounts and between clients in different areas of the institution," said Tom Obermaier, head of risk management at Deutsche Bank's global cash services division. "Those software systems really need to be put in place quickly."

In practice, however, there are limitations to the ability of a single financial institution to gather knowledge about its customers. "You are not really going to know all of the transactions that a client does, especially post-September 11th," said Obermaier. "You're going to see diversification of providers of financial services."

Despite their lacking complete information, banks will still have to answer for the activity that takes place on their watch. "You'll only see that which goes through your institution, so it's critical that you at least know that aspect of your clients' business that goes through your four walls," said Obermaier.

In theory, the government could create a clearinghouse for all transactions that would create a comprehensive information exchange between law enforcement and financial institutions. But enormous systems hurdles exist, not to mention legal ones. "A clearinghouse would be very, very helpful, but it would require significant changes to existing systems, with significant safeguards," said Obermaier.

---

The Key Provisions To IMLA-FATA

The new law affects the way banks deal with their customers and the U.S. Treasury and other government agencies. Among its key provisions, financial institutions will be required to: designate a bank officer to monitor named persons and entities; block named persons and entities from access to accounts; block unaffiliated shell banks from access to accounts; disclose customer and account information within 120 hours of the initial request by a government agency, without notifying the accountholder; terminate correspondent relationships upon government request; increase supervision of "concentration" accounts that mask the originator and beneficiary of a transfer; and use the highly secure network of FinCEN (Financial Crimes Enforcement Network) to file reports and receive alerts on suspicious activities.

Other key provisions of the anti-money laundering law include: securities broker-dealers must file suspicious activity reports; nonfinancial businesses must meet currency reporting requirements; the government can seize laundered funds deposited in a foreign bank by going after interbank accounts located in this country; the U.S. Treasury or Attorney General may subpoena foreign banks with U.S. correspondent accounts; and foreign governments will be encouraged to require wire transfers to include the name of the originator and to carry that information all the way through to final disbursement.
