Showing posts with label money laundering. Show all posts

11 May 2019

Insider Threat: Corporate Integrity Culture...

Does your organization have a culture of "Corporate Integrity?" One can only wonder how these findings would look if the survey were repeated today.

The depth and breadth of Operational Risks were apparent over eight years ago in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the "Insiders," several reasons were given for not referring incidents for legal action, and the one that stands out in our mind is this: 40% could not identify the individual(s) responsible for committing the eCrime. Maybe even more astonishing is that 39% did not have enough information, or lacked the evidence, to proceed with either civil or criminal litigation.

So what is really going on with these survey results? Even though the respondents attribute 33% of the most costly incidents to "Insiders," they have done little to collect enough evidence to identify who the responsible parties to an incident are. This may be for several reasons, including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, yet what about the "Unknowns," who add an additional 29%? The combination of the two makes up 62% of all the incidents in the study.

This is where Operational Risk professionals can have a significant impact within the enterprise.

The unauthorized access to information and use of that information is at the center of this issue. By the time an organization realizes that this "information" has impacted them, the funds have been stolen, the trades have been placed or the press has published a trade or national security secret.

Regardless of the high tech tools utilized or the systems and controls within the organization, there are always methods and processes that, if properly implemented, will reduce the number of "Unknowns" and "Insider" threats.

In your particular case, it just may come down to developing more effective situational awareness with your employees.

Suppose you create a mandatory program for all employees that is focused on corporate integrity and each year the CEO kicks off the first session with their own attendance and their own direct reports, including the Board of Directors.

Next, all senior staff attend the program, and webcasts with several 5-minute clips from the one-day session are posted on the corporate Intranet.

Finally, the roll out for the remainder of the employees is tied to the annual 360-degree review that each manager conducts with their subordinates in the company.

Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report incidents and other integrity concerns.

Periodic training throughout an employee's career reinforces awareness and the cost of internal incidents.

If your organization does not currently have a program as we have described earlier, then maybe it's time to start one.

If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization...

24 September 2017

OSAC: The Insider Threat...

In November 2007, the "Insider Threat" was on the minds of Global Security Executives that year as evidenced by a half day emphasis on the current trends and issues.  We wonder what will have changed over a decade later, at the 2017 OSAC Annual Briefing.

In any global enterprise doing business across multiple continents, with a diverse workforce of expats and country nationals, you can bet on being consistently subjected to the operational risks instigated by people. Fraud, embezzlement, conflicts of interest, economic espionage, workplace violence and business-disruption schemes are the norm.

In a converging organization with outsourced services around every corner, the enterprise becomes more disjointed and incapable of a continuous level of readiness or preparedness for the next organized plot by the insider.

So back to square one. Keep an eye on your employees, contractors and suppliers. Run those new employee awareness sessions and lock down the access to sensitive corporate assets. Now do it again with the same budget we gave you last year!

You can just see these great patriots from all over the world searching for the answer to their continuous woes as a Global Security Director. It's a thankless position and severely underfunded in a time when the threats are increasing exponentially.

In evaluating the current information security, regulatory and legal environment, consider these five key flaws with today’s ORM solution programs:
1. Dependence on inadequate and incomplete technology-based point solutions;

2. Failure to integrate people, process and systems into an effective and comprehensive operational risk program;

3. Lack of adequate decision support and an actionable understanding of the threat to the entire spectrum of corporate assets;

4. Reactive response to perceived problems rather than proactive initiatives based on sound risk management principles; and

5. Cost and shortage of properly skilled IT personnel to support the programs.
The Gartner Group has identified three major questions that executives and boards of directors need to answer when confronting significant issues:
  • Is your policy enforced fairly, consistently and legally across the enterprise?
  • Would our employees, contractors and partners know if a violation was being committed? 
  • Would they know what to do about it if they did recognize a violation?
If you don't know the answers to these questions, then there is much more work to do and much more strategic planning necessary before any software or system is implemented for Operational Risk Management.

Perhaps it is time for the Private Sector to get serious about the "Insider Threat."  The U.S. Department of Defense has been on point with the issue now for years:
The Defense Department is preparing to add 500,000 employees to its continuous evaluation pilot by Jan. 1 as part of DoD’s effort to add rigor to the security clearance process.

Daniel Payne, the director of the Defense Security Services, said Sept. 20 that the additional half-million employees would bring the total uniformed and civilian employees enrolled in continuous evaluation to 1 million. There are more than 4.3 million cleared employees and service members across the government, including 1.3 million at the top-secret level, according to the Office of the Director of National Intelligence’s 2015 report.
Yet, in the back of everyone's mind is still the possibility of being connected with a significant terrorist incident. What these CxOs are looking for are the means to gain a larger budget for their departments and to be able to invest in new "Insider Threat" technologies and tools.

Human behavior will always be the center of the controversy on whether these new systems will be able to mitigate the insider threat any more efficiently or effectively...

31 May 2015

Trust Decisions: Human-to-Human Open Transaction Systems...

"Let us not look back in anger, not forward in fear, but around us in awareness"
-James Thurber-

When you become independent of the core group and the impact of your own bias, a whole new world unfolds before you.  The truth is discovered and the true reality becomes clear.  How often does the Board of Directors convene an emergency meeting as a result of a surprise Operational Risk loss event?

When you start listening to the explanation and you hear words such as "complex" and "3rd parties," this should sound an alert.  From the "Boardroom to the Battlefield," executive management is still flying blind on many fronts.  They have become so risk averse that in many cases the automated machines, with their sophisticated high technology sensors, have taken over group think.

Trusted sources from a human perspective are still the basis for vital decision support and monetary transactions.  Human-to-human information transfer via a trusted chain of sources is still thriving.  Trust is at the center of systems for significant transfer of information and assets to this day:
Hawala or Hewala (Arabic: حِوالة‎, meaning transfer), also known as hundi, is an informal value transfer system based on the performance and honour of a huge network of money brokers, primarily located in the Middle East, North Africa, the Horn of Africa, and the Indian subcontinent, operating outside of, or parallel to, traditional banking, financial channels, and remittance systems.
Does the Hawala have an emerging digital variant?  Why is the understanding of a blockchain-enabled digital ledger important in this day and age?  The reason becomes more apparent as we study how it works and where it is being utilized and for what purpose:

Example A
Silk Road was an online black market, best known as a platform for selling illegal drugs. As part of the Dark Web, it was operated as a Tor hidden service, such that online users were able to browse it anonymously and securely without potential traffic monitoring. The website was launched in February 2011; development had begun six months prior. Initially there were a limited number of new seller accounts available; new sellers had to purchase an account in an auction. Later, a fixed fee was charged for each new seller account.
Example B
NEW YORK, May 11, 2015 (GLOBE NEWSWIRE) -- Nasdaq (Nasdaq:NDAQ) today announced plans to leverage blockchain technology as part of an enterprise-wide initiative. Nasdaq will initially leverage the Open Assets Protocol, a colored coin innovation built upon the blockchain. In its first application expected later this year, Nasdaq will launch blockchain-enabled digital ledger technology that will be used to expand and enhance the equity management capabilities offered by its Nasdaq Private Market platform.

Importantly, the creation of a securities distributed ledger function using blockchain technology will provide extensive integrity, audit ability, governance and transfer of ownership capabilities.

"Utilizing the blockchain is a natural digital evolution for managing physical securities," said Bob Greifeld, CEO, Nasdaq. "Once you cut the apron strings of need for the physical, the opportunities we can envision blockchain providing stand to benefit not only our clients, but the broader global capital markets."
Whether the "Digital Hawala" continues to thrive in the years ahead will depend on several key market issues: transparency, accountability and documentation, and accurate record keeping.

At the center of this evolving system are two key attributes: speed and trust.  That is why you now see the private equity and venture capital community investing in companies such as Ripple Labs:
Ripple Labs (formerly OpenCoin) developed the Ripple protocol. Its team of experienced cryptographers, security experts, distributed network developers, Silicon Valley and Wall Street veterans contributes code to the open-source software and works with financial institutions and payment networks to accelerate the growth of the protocol. The team shepherds a movement to evolve finance so that payment systems are open, secure, constructive and globally inclusive.
"Trust Decisions" are at the heart of the future of trading, decision support and the speed of human knowledge.  The fusion of ancient and modern protocols for global commerce and achieving digital trust is on our doorstep.  Let your awareness begin...

01 December 2014

Courage: Risk of Physical & Moral Fear...

The effective implementation of Operational Risk Management (ORM) requires two types of courage, physical and moral.  What are some examples?  "Physical Courage" is the act by an individual of running into the burning building to save those caught on the upper floors.  "Moral Courage" is the decision to finally expose the multi-year fraud scheme executed by the company controller, who happens to be your boss and a former college classmate.

The courage component is different, yet the same.  The existence of fear in a "physical sense" may be harder to overcome since it will expose you to bodily harm and potential death.  The fear associated with a "moral sense" will impact your reputation or standing in the community that you live in, or the profession you operate within.  For some, this fear could be greater than even the fear of risking one's own life.

Is it possible to learn and improve your skills for both physical and moral courage?  The answer is yes, and it has been a factor of education and training for hundreds of years.  The goal is to ensure that your organization, enterprise, team or community is learning both and creating effective habits.  The continuous and repetitive exercises to deal with the fear of bodily harm, or of blowing the whistle on your best friend, are the bottom line here.
"What are you doing to overcome your fear to save a life?  What are you doing to overcome your fear of reputation loss?  The ratio of learning both and exercising them in the field or when needed inside the institution, enterprise or government is what is at stake."
Once the education and training programs are in place to learn new skills then the fear of action will diminish, when the time comes.  Who do you have coming to work each day who has the balanced ability to carry an adult out of the burning building or simultaneously detect a multi-layered accounts payable scheme?

Unfortunately, these are only two examples of a wide spectrum of courage that is required each day. In New York City or the Sahel, from the Board Room to the Break Room, from the Class Room to the Conference Room, both physical and moral courage will be required.  In seconds.  The courageous decision you make may cause bodily harm or the end of a career.  What are you going to do to learn and train to deal with the fear that you will encounter?  What kind of courage will you be called upon to utilize in order to act, to behave correctly and expeditiously?

Operational Risk Management (ORM) is a vital factor in your city, your business and your virtual community.  It spans the spectrum of courage from physical to moral.  The question remains: will you act when the time and moment arises?

15 June 2014

TOC: The Implications of Consumer Privacy...

Operational Risks are pervasive in almost every business, both large and small. A small business can learn a tremendous amount from the failures of large corporate enterprises. Privacy laws in the United States apply to all business owners, whether they be a sole practitioner or a soon-to-be corporation with a $100 Billion valuation.  Operational Risk Management (ORM) is present in any serious business that makes important "Trust Decisions" on a minute-by-minute basis.

Consumer privacy and the risks associated with the protection of personal identifiable information of clients, members and customers are at stake. Learning from the organizations that have made changes and are working on a daily basis to comply with the regulatory frameworks can be very beneficial to all.

Beyond the cost of a breach of data, Operational Risk Management (ORM) professionals understand that human behavior is the reason behind many of these incidents. Employees and supply chain insiders, not clandestine hackers or malicious code sent from afar, can be the major threat. So what can a Chief Privacy Officer or CISO do to mitigate the risks of employees and their behavior? All of the education and awareness campaigns may help, but the "Trust Decision" process itself is the place to begin.

Information Governance, and the steps that are utilized to ingest or acquire and process that information, are also paramount.  Hayley Tsukayama from the Washington Post highlights part of the issue:
Facebook came under fire Thursday from privacy advocates who say that changes to its ad network mark an unprecedented expansion of its ability to collect users' personal data. The advocates are also criticizing the Federal Trade Commission for allowing Facebook to make the changes and argue that the network's size gives it too much knowledge about its users.
Whether you are in the business of "Social Networking" like Facebook or you are the regional health care system in your state, the privacy of the consumer's information is at stake. Where that stolen information ends up, in many cases, is in the hands of "Transnational Criminal Organizations" (TOC), where it becomes the lifeblood of their business operations to perpetuate their fraud schemes. These schemes are impacting the economic security of major organizations in the private sector, and so the U.S. government (USG) has ramped up in the past 3 years to address the threat. Combined with other factors associated with legitimate business operations, organized digital crime syndicates have infiltrated the country and are costing the United States billions of dollars per year.

Here are several actions USG will be taking as the TOC strategy continues to be enabled:

  • Implement a new Executive Order to prohibit the transactions and block the assets under U.S. jurisdiction of TOC networks and their associates that threaten critical U.S. interests.
  • Prevent or disrupt criminal involvement in emerging and strategic markets.
  • Increase awareness and provide incentives and alternatives for the private sector to reduce facilitation of TOC.
  • Develop a mechanism that would make unclassified data on TOC available to private sector partners.
  • Implement the Administration’s joint strategic plan on intellectual property enforcement to target, investigate, and prosecute intellectual property crimes committed by TOC.
  • Enhance domestic and foreign capabilities to combat the increasing involvement of TOC networks in cybercrime and build international capacity to forensically exploit and judicially process digital evidence.
  • Use authorities under the USA PATRIOT Act to designate foreign jurisdictions, institutions, or classes of transactions as ‘‘primary money-laundering concerns,” allowing for the introduction of various restrictive measures on financial dealings by U.S. persons with those entities.
  • Identify foreign kleptocrats who have corrupt relationships with TOC networks and target their assets for freezing, forfeiture, and repatriation to victimized governments.
  • Work with Congress to enact legislation to require disclosure of beneficial ownership information of legal entities at the time of company formation in order to enhance transparency for law enforcement and other purposes.
  • Support the work of the Financial Action Task Force, which sets and enforces global standards to combat both money laundering and the financing of terrorism.

The FTC is continuously working with companies like Facebook. The White House NSC is working on strategies that have a nexus with stealing consumers' information to exploit the financial system. Yet all of this will be for nothing if the private sector does not work in concert with government. Public-Private partnerships are in full swing and are making some progress.

In addition, nation state industrial intellectual property theft and economic espionage have eroded our global competitive advantage in several industry segments.  Ellen Nakashima explains:
A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income. 
The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm. 
“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.
Changing people's behavior inside your own business will require substantial oversight and continuous education. Remain vigilant, at the risk of your organization's own peril!

16 November 2013

Insider Threat: Corporate Integrity Culture...

In August 2011, this Operational Risk Management (ORM) blog posted the following.  In light of the increasing impact of "Insider Incidents" in 2013, this is worth revisiting:

Does your organization have a culture of "Corporate Integrity?" The depth and breadth of Operational Risks are apparent in the 2011 CyberSecurity Watch Survey by CSO Magazine, USSS, CERT and Deloitte.

46% of the respondents said damage caused by "Insider Attacks" is more damaging than "Outsider Attacks". The most common insider e-crime at 63% is unauthorized access to / use of corporate information. Here are the others:
  • 57% - Unintentional exposure of private or sensitive data
  • 37% - Virus, worms or other malicious code
  • 32% - Theft of intellectual property
When asked which electronic crimes were most costly or damaging the results were:
  • 38% - Outsiders
  • 33% - Insiders
  • 29% - Unknown
Regarding the "Insiders," the reasons that were given for not referring for legal action, the one that stands out in our mind is this one:
40% could not identify the individual(s) responsible for committing the eCrime.  And maybe even more astonishing is that 39% did not have enough information or a lack of evidence to proceed with either civil or criminal litigation.
So what is really going on with the facts presented so far? Even though the respondents say that "Insiders" are the most damaging, they have done little to collect enough evidence to identify who the responsible parties are to the incident. This may be for several reasons including the lack of internal expertise to preserve evidence and conduct timely investigations.

We have addressed the "Insiders" that make up one third of the digital incidents, but what about the "Unknowns," who add an additional 29%? The combination of the two makes up 62% of all the incidents in the study. This is where Operational Risk professionals can have a significant impact within the enterprise.
The unauthorized access to information and use of that information is at the center of this issue. When an organization realizes that this "information" has impacted them, the funds have been stolen, the trades have been placed or the press has published a trade or national security secret. To narrow this down further, you might say the Fraudsters and the WikiLeakers are bringing the institution into a torrential storm of criminal activities.
Regardless of the high tech tools utilized or the systems and controls within the organization, there are always methods and processes that, if properly implemented, will reduce the number of "Unknowns" and "Insiders."
 
In your particular case, it just may come down to developing more effective situational awareness with your employees. This particular educational and awareness building process may indeed also uncover the individuals within your company, who may be already down a path of fraud, embezzlement, insider trading or corporate espionage.

Suppose you create a mandatory program for all employees that is focused on corporate integrity and each year the CEO kicks off the first session with their own attendance and their own direct reports, including the Board of Directors.
 
No one that we know of can explain the basis for this process better than Martin T. Biegelman:
"Obviously, a poor working environment provides a motive and rationalization to commit fraud. Here's a quick health check: does management appear not to care about their employees? Does it have unreasonable expectations or financial targets? Is the organization autocratic or participative? Is there a lack of training or promotion opportunities? Does management say one thing but do another? Are senior executives treated differently than rank and file employees when it comes to discipline?" 
Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report fraud and other integrity concerns. Periodic training throughout an employee's career reinforces fraud awareness and the cost of fraud to an entity."
So what?  
 
If your organization does not currently have a program as we have described earlier, then maybe it's time to start one. If you already have one in place, how effective is it in detecting the "Insider Threat" and the spectrum of Operational Risks within your organization?

04 May 2013

Offshore Strategies: Global Integrity Risk...

Global 500 organizations are managing Operational Risks across their respective enterprises, utilizing a portfolio of controls, tools and strategies.  One of those strategies is getting more attention from nation states and treasury departments.  Larger than Wikileaks, this ICIJ investigation is a digital peek behind the offshore strategy that is legal in many jurisdictions across the world:
An anonymous source has provided extensive insights into a worldwide network of tax evaders. 
Media in more than 30 countries are currently sifting through a mountain of data.
260 gigabytes of documents - that's the printed equivalent of 500,000 copies of the Bible. 
This is the massive amount of data that was passed on more than a year ago by an anonymous whistleblower to the International Consortium for Investigative Journalism (ICIJ) in Washington. More than two million emails and other confidential documents sketch a picture of a dubious shadow world. More than 130,000 people from 170 countries are alleged to have secreted their money in tax havens. Analyzing the data is a mammoth task that is still nowhere near completion.
The governance and the transparency that a global enterprise displays to its shareholders, employees and governments are continuously at stake.  Some countries are considered more corrupt, and global organizations operating in that part of the world should be more aware of the risks of doing business there.
Some other interesting revelations:
  • The largest shares of the people setting up offshore accounts live in China, Hong Kong, Taiwan, Russia or another former Soviet republic. 
  • In turbulent Greece, both the upper and middle class are increasingly keeping their money in undeclared accounts — a situation that finance officials have since vowed to investigate.
  • A number of the world’s largest collectors use offshore accounts to buy and sell art without paying taxes. 
  • Offshore accounts are popular in Russia, where President Vladimir Putin has repeatedly asked politicians to stop using them: the deputy prime minister’s wife and top managers of Russian military contractors and government-controlled companies are thought to have secret offshore investments. 
  • Offshore accounts are a major source of investment in China and Russia. China’s second-largest source of capital investment is the British Virgin Islands.
  • You can read the full ICIJ report here.
Billionaires and politicians are hedging risks on the advice of tax attorneys, accountants and financial strategies that are as old as tax laws.  Inside private business compliance and legal departments lies a vast staff of dedicated personnel who are tasked with mitigating risks to the organization.  Some global enterprises, such as Siemens AG, have paid the price of a governance architecture that failed.  Today, those lessons learned are still being taught even as others are implicated in alleged wrongdoing:
IBM Says Justice Department Investigating Bribe Allegations
By Sarah Frier on May 03, 2013

International Business Machines Corp. (IBM) is being probed by the U.S. Justice Department over corruption allegations in Poland, Argentina, Bangladesh and Ukraine, adding to bribery charges from the Securities and Exchange Commission. 
The Justice Department is investigating whether IBM violated the Foreign Corrupt Practices Act, the company said in an April 30 filing (IBM). In Poland, the department is focusing on a transaction that the Polish Central Anti-Corruption Bureau already was studying, the company said. It involves allegations of a former IBM employee selling to the Polish government.
The Justice Department probe adds scrutiny in new territory as IBM tries to settle with the SEC over activity in China and South Korea. The global reach of the investigation indicates that this isn’t an isolated matter, said Charles Elson, corporate-governance professor at the University of Delaware. 
“If it happens in one country, you can say it’s an individual,” Elson said. “If it happens in multiple, you have to ask, is it systemic? And how well was the compliance program put in place to prevent it?”
So what can a General Counsel, VP of Operational Risk, Chief Risk Officer or even the Audit Committee do, in light of these continuous incidents?  The trust that any person or organization has with its bankers, outside counsel, compliance subject matter experts, accounting advisory and management consultants is at stake.  The integrity of the entire global payments and economic ecosystem is at risk.  This source of systemic risk to governments, global enterprises, stock markets and average consumers is growing beyond control.

What can be done?  The serious conversation going on right now between your independent counselors continues to focus on trust and the people who are behind that trust.  You have got to have that serious conversation as a CEO, not with your first line of management Vice-Presidents, but several layers below them in the corporate hierarchy.  Believe us when we say that, as the CEO, you can't see two layers below you, where all of the real work on daily transactions is getting done every day.  You are not on the front lines, where deals are being made and information is being exchanged that can have a material impact on daily business.

You see, it really all still comes back to people communicating information ethically.  How and when people act on that information.  Why people behave the way they do when they learn the information.  As a CEO in charge of a global enterprise, you will never have transparency or integrity controlled from HQ on the executive floor, or from your executive analytic GRC dashboard.  Your only chance is to reach those people who are at the source of doing business in your line processes, not staff, but "line".  The "line" is the lifeblood of daily business commerce and the power base for making a difference in how business is done and the integrity behind it.  The future of your enterprise depends on these people communicating information that is true, validated and researched to uncover any possible errors, omissions or other ethical issues.

The power base of the global economy is constantly changing.  The risks to the economic enterprise continue, and the investigations are just beginning.  Offshore strategies are at the core of global integrity risk.

09 January 2011

Cyber Theft Rings: A Nexus with Terrorism...

BSA/AML compliance is an Operational Risk that continues to plague even the largest institutions. The ability to effectively program information systems to address "Politically-Exposed Persons" (PEP) and the risk to the bank's reputation are still a challenge for some executives.

Why is this still an OPS Risk issue? In many cases it is the lack of procedures being followed by adequate staff in the alert investigations unit, where backlogs are prevalent. This becomes a business risk because there continues to be a lack of closure on these alerts. The simple monitoring of funds transfers to ensure timely reporting of suspicious activity associated with PEPs should be AML 101.

Retaining and deploying an independent consultant to review compliance and systems controls is the primary responsibility of the Audit Committee chair of the Board of Directors. For those institutions that have found themselves under the recent oversight of the OCC in the United States, many realize they have underfunded this obligation and the staff requirements to keep pace with the expanding volume of electronic transactions.

Monitoring accounts of current or former senior political figures is well within the PEP definition and includes their families and any close associates. Therefore, the BSA officer will require even more robust budgets, staffs and systems programming to continue to be effective in regulatory compliance with the Bank Secrecy Act and Anti-Money Laundering statutes. And this just covers the risks associated with the bank's regulatory obligations in the United States and many other countries of the world.

Yet this is the area that has traditionally been the foundation for the 20th century criminals and other entities who need to move money to places in large sums or to perpetrate fraudulent activities. Now what about the 21st century asymmetric threat, "Cyber Theft Rings"?

Malware exploiters purchase malware on the black market Internet and use it to steal victims' banking credentials. They launch attacks from systems that are already compromised across the globe in small businesses and other commercial or government organizations. This allows the transnational cyber criminal to transfer stolen funds and deter the tracking of their activities. Money Mule networks then transfer funds to other accounts or get cash from ATMs and then buy stored value cards before they ship them back overseas to the crime syndicates.

The victims remain the financial institutions and the owners of the infected systems. So how large is this method of cyber theft? In 2010 the FBI reported close to 400 cases that had attempted loss of $220M and actual losses of $70M.

"Today's (October 1, 2010) coordinated operation demonstrates that these 21st-century bank robbers are not completely anonymous; they are not invulnerable. Working with our colleagues here and abroad, we will continue to attack this threat and bring cyber criminals to justice."

Most of the accused hailed from Eastern Europe; many were based in Ukraine, where several worked as Web developers. Ten suspects were arrested in New York on Thursday, with another 10 having been arrested previously. The FBI is still seeking 17 others.


Where is the money going and what is it being used for? In a recent study by officials at the New York State Intelligence Center titled: "The Vigilance Project: An Analysis of 32 Terrorism Cases Against the Homeland", the statistics are the face of the US challenges with money laundering and terrorism:

  • 82% were between the ages of 18 and 33.
  • 61% attended some college and of these 64% of the educated terrorists were engineering majors.
  • 50 of the 80 suspects in the study whose citizenship could be identified were born in the U.S.
  • 11 of the 32 cases studied happened in the past two years. In these cases, 17 of the 19 defendants were in the United States legally.
The banking community understands that it has to remain vigilant when it comes to BSA/AML regulations. Not only to avoid the millions of dollars in potential fines, but also because of the potential nexus with counterterrorism.

19 May 2010

Hawaladars: Domestic Extremism Risk...

Is a network of "Hawaladars" operating within your organization? Or perhaps your online charity? Maybe it's both. This Operational Risk is real and still not on the radar of many NGOs or charitable non-profits. The clandestine method for moving money without a paper trail is ancient and it is still operating to fuel transnational criminal and terrorist operations in the high tech world of mobile phones, money service businesses and stored-value cards. "Domestic Extremism" is a national security issue. Bryan Bender of the Boston Globe explains:

An informal money-exchange network known as “hawala’’ — a centuries-old system that operates outside conventional banking networks — is at the center of the investigation into three Pakistanis arrested Thursday in Massachusetts and Maine with alleged ties to the suspect in the failed Times Square bomb plot, law enforcement officials said yesterday.

The men, who were detained on immigration charges after several raids across the Northeast, were described by government officials as having funneled money to Pakistani-born Faisal Shahzad, who is in federal custody for trying to set off a car bomb earlier this month. The three men are being investigated for possibly using the hawala system to provide money that Shahzad used to finance the plot, the officials said yesterday.

Detecting the use of a "Hawala"-based system is not going to be easy with high technology tools, systems and software that are in place with financial institutions. Even those legal citizens in country have found ways to move money back to relatives still in their native homeland before they took the citizenship exam and pledged their allegiance to their new country.

Operational Risks in your environment include the behaviors by employees, suppliers and 3rd parties that touch this anonymous and prolific network for moving money for potential use by criminal or terrorist non-state actors. Do you run the operations for a large charitable organization or non-governmental organization (NGO)? How many entities are now operating alone on the Internet acting as 501(c)3 organizations in the United States involved with Haiti Relief, Aid to Congo Refugees or even now environmentalists who claim to be advocates for cleaning up the Gulf of Mexico oil disaster?

The financial safeguards for even the most legitimate organizations that operate in the movement of funds for use in religious, community food banks and other non-profit charities must be continuously monitored. The controls for detecting the possible illegal transfer of money from an individual or business to another individual or transnational entity are a risk management priority. Utilizing capabilities from firms like World-Check in combination with even the most simple system for cross-checking transactions can be an initial step for those legitimate businesses who are still Operational Risk neophytes.
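The "simple system for cross-checking transactions" described here, and the PEP transfer monitoring with its alert backlog that the 09 January 2011 post calls AML 101, can be demonstrated in one place. What follows is an added example written for this page, not code from the blog, World-Check or any bank; the watchlist names, the transfers and the 30-day investigation SLA are all constructed, and the token-based name match stands in for the fuzzy matching a commercial screening product would use.

```python
"""Watchlist screening of funds transfers with alert ageing (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import re
import unicodedata

# Constructed watchlist: a hypothetical senior political figure plus family and
# close associates, all of whom fall inside the PEP definition. Names are invented.
PEP_WATCHLIST = [
    {"name": "Aleksandr Petrovich Volkov", "category": "PEP", "relation": "self"},
    {"name": "Irina Volkova", "category": "PEP associate", "relation": "spouse"},
    {"name": "Marcus Trent", "category": "PEP associate", "relation": "business partner"},
]


def name_tokens(name):
    """Lower-case ASCII word tokens with accents folded and punctuation dropped."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.findall(r"[a-z]+", folded.lower())


def screen_party(party_name, watchlist=PEP_WATCHLIST):
    """Return watchlist entries whose first and last name both occur in party_name.

    Matching is order-insensitive, so "Volkov, Aleksandr" and "ALEKSANDR P. VOLKOV"
    hit the same entry. Middle names are ignored because counterparties rarely
    send them consistently. Company names sharing the tokens will also hit, which
    is one source of the analyst backlog the post describes.
    """
    party = set(name_tokens(party_name))
    hits = []
    for entry in watchlist:
        tokens = name_tokens(entry["name"])
        if tokens and {tokens[0], tokens[-1]} <= party:
            hits.append(entry)
    return hits


@dataclass
class Transfer:
    ref: str
    booked: date
    originator: str
    beneficiary: str
    amount: float
    currency: str


@dataclass
class Alert:
    ref: str            # transfer reference that raised the alert
    opened: date
    party: str
    reason: str
    closed: Optional[date] = None


def screen_transfers(transfers, watchlist=PEP_WATCHLIST):
    """Screen both sides of every transfer; one alert per (party, watchlist hit)."""
    alerts = []
    for t in transfers:
        for role, party in (("originator", t.originator), ("beneficiary", t.beneficiary)):
            for hit in screen_party(party, watchlist):
                reason = f"{role} matches {hit['category']} '{hit['name']}' ({hit['relation']})"
                alerts.append(Alert(ref=t.ref, opened=t.booked, party=party, reason=reason))
    return alerts


def backlog(alerts, as_of, sla_days=30):
    """Alerts still open past the investigation SLA: the lack of closure the post warns about."""
    cutoff = as_of - timedelta(days=sla_days)
    return [a for a in alerts if a.closed is None and a.opened <= cutoff]


# Constructed transfers. WT-0004 is a company whose name merely shares tokens.
SAMPLE_TRANSFERS = [
    Transfer("WT-0001", date(2011, 1, 3), "Volkov, Aleksandr", "Harbor Trading LLC", 240000.0, "USD"),
    Transfer("WT-0002", date(2011, 1, 4), "Northwind Imports", "IRINA VOLKOVA", 85000.0, "EUR"),
    Transfer("WT-0003", date(2011, 1, 5), "M. Trent", "Marcus Trent", 9800.0, "USD"),
    Transfer("WT-0004", date(2011, 1, 6), "Jane Smith", "Trent Marcus Holdings", 50000.0, "USD"),
    Transfer("WT-0005", date(2011, 1, 7), "Acme Corp", "Bob Jones", 1200.0, "USD"),
]


def demo(as_of=date(2011, 2, 10), sla_days=30):
    """Screen the constructed transfers, close one alert, return (alerts, overdue alerts)."""
    alerts = screen_transfers(SAMPLE_TRANSFERS)
    for a in alerts:
        if a.ref == "WT-0004":          # analyst closed the company-name hit
            a.closed = date(2011, 1, 20)
    return alerts, backlog(alerts, as_of, sla_days)


if __name__ == "__main__":
    alerts, overdue = demo()
    print(f"{len(alerts)} alerts raised, {len(overdue)} open past SLA")
    for a in overdue:
        print(f"{a.ref} opened {a.opened}: {a.reason}")
```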

Anti-Money Laundering compliance has been part of the banking system's regulatory framework for decades. According to World-Check:

According to the KPMG Global Anti Money Laundering Survey published in 2007, a staggering US$ 1 trillion per year is being laundered by financial criminals, drugs dealers and arms traffickers worldwide. With this much laundered money in the wrong hands, criminal syndicates are able to expand their operations, resulting in more violence, higher levels of addiction and a range of related socio-economic problems throughout the world.

Laundered money is also known to finance highly coordinated international terrorist activities; a phenomenon that poses a clear and present danger to worldwide political and economic stability.

As such, Anti Money Laundering and the Combating of Terrorist Financing (CTF) can only be treated as pressing objectives of global concern. A sharp worldwide increase in the amount of wealth in private hands, combined with the multinational expansion of leading financial institutions, further necessitated the expansion of supranational legislation and law enforcement structures to combat money laundering and related financial crimes.


Entities such as the Financial Action Task Force (FATF), Wolfsberg Group and Basel Committee are key drivers of the regulatory policy-making process, and are closely involved in the standardization and enforcement of related compliance mandates.

So where do you begin as a consumer or a small and legitimate charitable organization? One place is with the "Top Ten Best Practices of Savvy Donors" at Charity Navigator. As a consumer this will give you a better idea on what to look for when you are providing money to a particular cause or to aid your favorite religious organization. As a charitable organization, it will give you an understanding of what you should be putting in place to become compliant and to attract the kind of donors you are looking for online. Here are "Six Questions to Ask Before Donating":

At Charity Navigator, we advocate that all potential donors take the time to ask charities questions about their programs, mission, and goals before they decide to support them. For those people who don't have the time or resources for this, we provide our services as a guide, so you can give with confidence. In addition, we have developed a list of questions that you as a donor should ask before you begin the act of supporting a charity.

Be alert and be vigilant. If the entity that you are engaging with doesn't pass the sniff test on these 16 questions then observe, document and report what you have experienced with the proper authorities within your organization or by contacting your local law enforcement. Follow the money.

16 June 2009

Proactive Risk Strategy: Transnational Asset Forfeiture...

Effective strategy execution and the application of intelligence to gain increased mission efficiency is the name of the game. The public / private convergence of people, processes, systems and the fusion of relevant international incidents data establishes the playing field. The threats to the very fabric of our economic and security well-being are directly tied to the rule of law, the safety of the environment and the ability for capital to be invested with prudent risk management mechanisms in place.

If any component of this fabric becomes frayed or torn, this vulnerability threatens the overall resiliency of this "Transnational Ecosystem". The homeostasis of the "Transnational Ecosystem" is dependent on the factors associated with its ability to gain new energy (food, water, power, money) and to continually "Adapt" to its changing environment. The ability to adapt rapidly within this ecosystem will determine who the winners are and also the survivors. So what is a good example of this "Transnational Ecosystem" that we can apply to public / private convergence and Operational Risk Management?

Although pioneered in the USA, there now appears to be a global trend to use stand-alone civil proceedings as a means of recovering the proceeds of crime in the hope that they will be more effective than proceedings that are ancillary to and dependent on a criminal prosecution. Recent examples of jurisdictions that have introduced civil forfeiture legislation include Italy, South Africa, Ireland, the United Kingdom, Fiji, the Canadian Provinces of Ontario, Alberta, Manitoba, Saskatchewan and British Columbia, Australia and its individual States, and Antigua and Barbuda. In addition, the Commonwealth has produced model provisions to serve as a template for jurisdictions that wish to introduce such legislation.

This trend towards civil forfeiture has been prompted by the nature of organized crime. Organized crime heads use their resources to keep themselves distant from the crime that they are controlling and to mask the criminal origin of their assets. For this reason it has become extremely difficult to carry out successful criminal investigations leading to the prosecution and conviction of such individuals, with the result that finances derived from crime are often effectively out of the reach of the law and are available to be used to finance more crime. Such peaceful enjoyment of the proceeds of crime damages public confidence in the rule of law and provides harmful role models. This has led to a recognition that criminal confiscation regimes may be inadequate and ineffective in certain cases.


Traditionally, the OPS Risk strategies associated with civil asset forfeiture intersect with AML (Anti-Money Laundering) and Terrorist Financing. Moving money on a global basis utilizing the modern day "Hawala" or informal value transfer system requires smart people and sophisticated systems. Putting the person at the right place with the right evidence is the investigator's "Holy Grail", yet there are other effective means for increasing that resiliency in the ecosystem.

The financial meltdown and economic crisis has impacted both the "Boy Scouts" and the "Wise Guys" on how to continue to prosper. The use of tools such as Asset Forfeiture in combination with timely intelligence, both Open Source and proprietary, can provide the means for another effective Operational Risk strategy in a public / private consortium. The cooperation, coordination and collaboration of banking, hedge funds, broker dealers, insurance companies and private equity firms with federal and state task forces is a growing trend.

The mantra "Need to Know" is quickly being replaced with "A Responsibility to Provide" in the intelligence community and soon to be in the ranks of the financial private sector as it pertains to adapting to the transnational ecosystem. One good example of this momentum can be found in the rapidly growing education and awareness programs focused on this very subject:

Mission Statement

AssetForfeitureWatch.com is the indispensable source of news, information and training for law enforcement professionals and others working in the asset forfeiture field. At AssetForfeitureWatch.com, we understand that turning the proceeds of crime against criminals is one of the most powerful tools law enforcement agencies have for keeping communities safe, eliminating corruption, and crippling cross-border criminal enterprises. In offering training and education, an annual conference, live and Web seminars and an interactive community, AssetForfeitureWatch.com keeps its members on the leading edge of asset forfeiture strategy and practice.


The goal is to utilize the existing international legal framework to improve the resiliency of the "Transnational Ecosystem." Beyond the banking institutions are the governments and countries themselves who must make their decisions about their own business and commerce models. These havens across the globe will continue to exist because they don't have manufacturing capacity, IT outsourcing services or a port for trading and exporting raw materials. Therefore, they will continue to cater to the needs of suspect enterprises, non-state actors and even some rogue nation states.

So what is the lesson here? Reading between the lines. Assets in your portfolio, on your books, in the warehouse or even in your personal possession may soon be the property of a government entity near you.

31 December 2008

2009 Outlook: OPS Risk Top Priorities...

In light of the 2009 outlook and the fact that Operational Risk is now a much greater priority, here are vital areas to focus on for the New Year. As restructuring, downsizing, layoffs and overall corporate strategy and governance initiatives are kicked-off for the 2009 calendar year; here are the top priorities according to Peter L. Higgins, Managing Director of OPS Risk advisory firm 1SecureAudit.

"Operational Risk will continue to be a major focus for Boards of Directors in 2009 and for good reason. Governance Strategy Execution, Information and Records Management and Legal Risk are all in need of a critical review and a robust injection of new resources. We are at the beginning of a new "S" curve cycle on the down slope just as we saw in late 2001 post 9/11 and the "Dot Com" era," Higgins said.

"This requires a renewed and substantial commitment to keeping our code of practice guidance and implementation advice narrowly focused on several key areas of the corporate enterprise:"

  • Organizational Security
  • Information Security Infrastructure: Cooperation between organizations
  • Appropriate contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunications operators shall be maintained.
  • Asset classification and control
  • Information Classification: Information labelling and handling
  • A set of procedures shall be defined for information labelling and handling in accordance with the classification scheme adopted by the organization.
  • Personnel Security
  • Responding to security incidents and malfunctions: Reporting security weaknesses
  • Users of information services shall be required to note and report any observed or suspected security weaknesses in, or threats to, systems or services.
  • Communications and operations management
  • Operational procedures and responsibilities: External facilities management
  • Prior to using external facilities management services, the risks shall be identified and appropriate controls agreed with the contractor, and incorporated into a contract.
  • Exchanges of information and software: Security of electronic mail
  • A policy for the use of electronic mail shall be developed and controls put in place to reduce security risks created by electronic mail.
  • Access Control
  • Monitoring system access and use: Monitoring system use
  • Procedures for monitoring the use of information processing facilities shall be established and the result of the monitoring activities reviewed regularly.
  • Business Continuity
  • Aspects of Business Continuity Management: Testing, maintaining and re-assessing BCP
  • Business continuity plans shall be tested regularly and maintained by regular reviews to ensure that they are up to date and effective.
  • Compliance
  • Compliance with legal requirements: Collection of evidence
  • Where action against a person or organization involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. This shall include compliance with any published standard or code of practice for the production of admissible evidence.
Here are some of the top cases to review for OPS Risk lessons learned in 2008:

01/04/08 - Detroit: Eleven Indictments in International Illegal Spamming and Stock Fraud Scheme - Eleven individuals were indicted in a wide-ranging international fraud scheme which manipulated stock prices through illegal spam e-mail promotions.

02/15/08 - Washington: DOD Employee Arrested in Chinese Espionage Case - Gregg William Bergersen, a Weapons Systems Policy Analyst at the Defense Security Cooperation Agency, Department of Defense, was arrested for passing classified documents to the People’s Republic of China.

02/22/08 - Miami: Five Individuals Indicted for $200 Million Hedge Fund Fraud - Michael Lauer, founder of Lancer Group Hedge Fund, and four others were indicted on conspiracy and wire fraud charges in a $200 million hedge fund fraud.

02/29/08 - Houston: Chinese Chemist Indicted for Theft of Trade Secrets - Qinggui Zeng, aka Jensen Zeng, a legal permanent resident from China, was indicted and charged with theft of trade secrets and computer fraud.

03/14/08 - Cincinnati: Financial Enterprise Executives Found Guilty in $3 Billion Fraud Scheme - Five former executives of National Century Financial Enterprises were found guilty of conspiracy, fraud and money laundering in a $3 billion security fraud scheme.

05/16/08 - Washington: Guilty Plea in Espionage Charge Involving China - Tai Shen Kuo pled guilty to conspiracy to deliver national defense information to the People’s Republic of China.

06/20/08 - Operation Malicious Mortgage Nets 406 Individuals - Charges in Operation Malicious Mortgage, a nationwide takedown of mortgage fraud schemes which inflicted approximately $1 billion in losses, were brought in every region of the country.

10/17/08 - FBI Coordinates Global Effort to Nab “Dark Market” Cyber Criminals - A two year undercover operation, Dark Market, which joined forces with international law enforcement, resulted in 56 arrests and $70 million in economic loss prevention.

11/28/08 - Dallas: Holy Land Foundation and Leaders Convicted - The Holy Land Foundation of Relief and Development and five of its leaders were found guilty of illegally funneling at least $12 million to the Palestinian terrorist group, Hamas.

12/12/08 - Chicago: Illinois Governor Arrested - Governor Rod R. Blagojevich and his Chief of Staff John Harris were arrested on federal corruption charges including conspiring to trade or sell the Illinois’ Senate seat vacated by President-elect Barack Obama.

Beyond the Bernie Madoff fraud scheme that rocked the Hedge Fund universe the real systemic risks to deal with in 2009 will continue to be tied to the housing and mortgage sector:
  • Recent statistics suggest that escalating foreclosures provide criminals with the opportunity to exploit and defraud vulnerable homeowners seeking financial guidance.
  • Perpetrators are exploiting the home equity line of credit (HELOC) application process to conduct mortgage fraud, check fraud, and potentially money laundering-related activity.
The Operational Risks in corporate enterprises will be increasing as the economy adjusts and finds its new equilibrium. Hang on for a wild ride in 2009!

11 November 2008

AML: Transnational eCrime Ecosystem...

The Operational Risk threat matrix from "Advance Fee Fraud", "Nigerian Letter (419) Fraud", "Foreign Lottery/Sweepstakes Fraud" and "Overpayment Fraud" is still growing exponentially. During our current economic crisis, the spike in these consumer Mass Marketing schemes is to be expected. Global Anti-Money Laundering (AML) operations are in high gear at home and abroad.

The "Transnational Economic Crime Ecosystem" is thriving and the major phases of the environment continue to be a major challenge for global financial institutions and law enforcement:

  1. Collection
  2. Monetization
  3. Laundering

Let's take a closer look at "Overpayment Fraud":

Overpayment Fraud - Victims who have advertised some item for sale are contacted by buyers who remit counterfeit instruments, in excess of the purchase price, for payment. The victims are told to cash the payments, deduct any expenses, and return or forward the excess funds to an individual identified by the buyer, only to discover they must reimburse their financial institution for cashing a counterfeit instrument.

The predominantly transnational nature of the mass marketing fraud crime problem presents significant impediments to effective investigation by any single agency or national jurisdiction. Typically, victims will reside in one or more countries, perpetrators will operate from another and the financial/money services infrastructure of numerous additional countries utilized for the rapid movement and laundering of funds. For these reasons, the FBI is uniquely positioned to assist in the investigation of these frauds through its network of Legal Attache offices located in over 60 U.S. embassies around the world. By leveraging its global presence and network of liaison contacts, the FBI has successfully cooperated with other domestic and foreign law enforcement agencies to combat, disrupt, and dismantle international mass marketing fraud groups.

Despite the best inter-agency enforcement efforts to combat mass marketing fraud, the FBI remains cognizant of the fact that the only enduring remedy for this crime problem lies in consumer education and fraud prevention programs. Towards this end, the FBI has not only produced its own mass marketing fraud prevention pamphlet but coordinates on other public information efforts with the DOJ, FTC, and the USPIS. The FBI also supports a consumer fraud prevention website in conjunction with the USPIS which can be located on the web at: http://www.lookstoogoodtobetrue.gov.

While the number of Mass Marketing Fraud cases has declined over the past few years, the number of new money laundering cases has risen to over 500 in FY 2007 alone. This is to some degree a result of the cooperation being given to law enforcement by the financial institutions themselves. And for good reason. There is a new sheriff in town.

(Reuters) - A U.S. tax investigation into UBS AG (UBSN.VX) is concentrating on senior and midlevel executives and bankers, and could result in one or more indictments, the New York Times said, citing people briefed on the matter.

Investigators are sifting through more than 70 names and related account details of American clients provided by UBS over the last few months to the Justice Department, which has passed the details to the Internal Revenue Service for further scrutiny, the paper said.

The Justice Department and the IRS plan to build both civil and criminal tax-evasion cases against some of the clients, the people told the paper.

The U.S. tax investigation risks compounding damage to UBS's reputation at a time it has been forced to make bigger writedowns than any other European bank in the credit crisis.

The U.S. Department of Justice is investigating UBS over offshore services provided to U.S. clients from 2000 to 2007 to find out whether UBS helped wealthy Americans dodge taxes. The Swiss bank was singled out by U.S. President-elect Barack Obama as one of the banks who helped "tax cheats." It decided earlier this year to stop offering offshore Swiss bank accounts to U.S. citizens.


Yet the collection phase of mass marketing fraud is not about "70" or "100" UBS clients who are trying to cheat on their taxes. It is still about the millions of phishing and spam messages that circle the digital globe in search of their targets or prey. These elusive criminal organizations behind this organized cybercrime wave are continually exploiting the vulnerabilities of our financial institutions and our own human behavior.

"Merchandise Mules" are being recruited by the hundreds if not thousands to reship goods outside North America. These criminals are utilizing stolen identities and credit cards to purchase goods on eCommerce sites and eBay and then requesting to ship the goods overseas. Unfortunately, those who are elderly or even just down on their economic luck fall victim to this tremendous economic crime tsunami:

Much of the modern organized crimes are very similar to the old. The most significant transformation from the streets to cyberspace has enlarged the territory of individuals and organized groups.

Enabled by the Internet, criminals can operate in cyberspace where less governance, a transnational stage, and a multitude of transactions to monitor complicate surveillance and enforcement. From counterfeiting drugs and software to identity theft and credit-card fraud, illegal transactions are increasingly infiltrating legitimate businesses where counterfeited goods and money laundering are buried in the billions of legitimate computer transactions made daily around the globe.

Counterfeited products are rising through global distribution via Internet sites. According to the World Health Organization, 50 percent of the medicines sold online are counterfeit.

The expanse of international criminal activity has been followed with an increase in prosecution through cooperating international law enforcement agencies willing to join the fight against globalized crime.


17 October 2008

Ethics: Management 101 to the rescue...

A few years ago there was an anonymous posting on CSO Online about "Doing the Right Thing". It could only be about the rules and policies set down by the ethics committee. Right?

"Directors and executives now must take an active leadership role for the content and operation of compliance and ethics programs," the U.S. Sentencing Commission's statement reads in part. "Companies that seek reduced criminal fines now must demonstrate that they have identified areas of risk where criminal violations may occur, trained high-level officials as well as employees in relevant legal standards and obligations, and given their compliance officers sufficient authority and resources to carry out their responsibilities."

The commission notably adds: "If companies hope to mitigate criminal fines and penalties, they must also promote an organizational culture that encourages a commitment to compliance with the law and ethical conduct by exercising due diligence in meeting the criteria."


Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

  • Systems for monitoring and auditing
  • Incident response and reporting
  • Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Here lies the question many Boards of Directors are scratching their heads about these days. How can we avoid these ethical and legal dilemmas and how can they be addressed without creating a state of fear and panic?

That’s when we really learned that this game of business is just about the human factors. It’s really not about the controls, the monitoring or even the awareness programs. It’s about being a model manager, and a model human being.

The odds are it will be the human factors that are going to be what gets you on the steps of the local federal building. And it all comes back to good old-fashioned management 101.

As indicated, the great manager can impact the lives of tens or hundreds of people in your company. Conversely, the uncivil manager can wreak havoc with a similar number of lives. The position of management is ever so powerful to influence those around them.

Your company wide compliance initiative has the elements that provide guidance for creating a program that the government is likely to look favorably upon. The problem is that these same criteria inadvertently communicate the message that implies building a program based on this formula is enough. It isn’t.

18 March 2008

Information Risk: The Zero's & One's Don't Lie...

The Bear Stearns implosion has been predicted as a casualty of failed hedge funds. These entities are less regulated than banks and don't have to keep a minimum capital reserve. The limits on the amount of leverage they utilize can sometimes come back to burn you.

Angry Bear Stearns Co Inc shareholders have wasted no time in bringing legal claims following the company's stunning stock collapse and $2-a-share fire sale to JPMorgan Chase & Co.

At least one federal lawsuit in New York seeking class-action status for alleged securities fraud was filed on Monday by an investor contending the company hid its true financial condition from shareholders.


"Who Knew What When" is the focus of the legal mechanism now in full swing as investigators at the SEC and other federal regulators begin their forensic examinations and interviews. Eliot Spitzer is finally a back story after his demise in the FINCEN money laundering investigation:

But what really snared Spitzer was a money laundering investigation that was flagged by suspicious activity reports (SARs) that banks have to file with the Treasury to surface everything from money laundering to terrorist activity. This network has been around for a while, but its importance escalated following the Sept. 11, 2001 terrorist attacks. According to the FBI’s charges the prostitution ring that counted Spitzer as a customer was investigated due to some shady bank accounts, checks and wire transfers with big totals ($39,000, $400,000 and others).

The nexus of eDiscovery, Data Mining and Operational Risk Management is in the news as these incidents are unraveled. The information and evidence from the data analysis will reveal the truth, and those caught shredding documents or deleting files will no doubt become part of one of these inquiries.

Even today at 2AM JP Morgan Chase was searching Google with the terms "information operations risk management" and landed here on this Operational Risk Management Blog. Then they "Out Clicked" to A Defensible Standard of Care in hopes of finding answers to their questions.

The lawsuits and the lawyers are busy these days with the Federal Rules of Civil Procedure (FRCP) as they defend ongoing data breaches and bad behavior by employees and interested third parties:

A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.


If the latest economic studies are correct, that's going to cost about $98.00 per record on the low side when it comes to the amount of money that these organizations will spend (unless insured) to clean up this operational risk related incident.

New York State has a new Governor at the same time the Bears are descending on Wall Street:

David A. Paterson became New York’s 55th Governor on March 17, 2008. In his first address as Governor, Paterson spoke about the challenges New York faces and his plan for New York’s future.

This month it's New York in the news, but our prediction is that California will soon be next to capture the nation's headlines. The legal buzzards are soaring overhead...

06 March 2008

Policing The Globe: Transnational Risk...

The nature of transnational crime today can be broken down into three fundamental steps: Collection, Monetization and Laundering. This is nothing new, yet the evolution of "Policing The Globe" has made dramatic leaps in the past few years. New Legal Attaches (Legats) and Memorandums of Understanding with INTERPOL and other national law enforcement entities have created increased coordination and cooperation across borders and continents.

Data warehousing, convergence of records data and more sophisticated methods for link analysis from companies such as i2 have made the detection and investigation of potential incidents more effective.

When the Collection phase is focused on harvesting Personally Identifiable Information (PII) for the purpose of ID theft using botnets or other cyber-related ploys, the consumer will consistently suffer the direct effects. The retail banking institutions will be the ultimate target of the next phase of the criminal life cycle, the Monetization phase.

Using PII to gain access to bank accounts is taking on different forms these days, especially during times of economic hardship. The HELOC refinancing trends are upon us, and at the same time the unsuspecting homeowner may be giving up vital equity that still exists in their loans or lines of credit to criminal elements. Once any of these scams and frauds are completed, the funds are quickly turned into cash using wire transfers, ACH or even the old reliable ATM, via third parties. And it doesn't even have to go this far, when you can sell PII for cents or dollars per record depending on its quality and whether the targets have a stellar credit score or deep equity.

And finally we find that the funds are turned around into other business ventures to help conceal the source or origin of the proceeds, so that the money goes through the inevitable Laundering phase.

Now let's look at it through the lens of an Operational Risk perspective.

"Pirates, bandits, and smugglers have bedeviled governments since time immemorial. Politicians and media today obsess over terrorism and trafficking in drugs, arms, people and money. Far less is said or known, however, about the expanding global reach of the police, prosecutors, and agencies like Interpol and Europol charged with targeting transnational crime."

Peter Andreas and Ethan Nadelmann in their book, "Policing The Globe: Criminalization and Crime Control in International Relations" provide analysis and bridge the connections between justice and politics.

To what degree does your institution actually initiate proactive due diligence on your own, to try and identify who is attacking your organization or your assets? The nexus with Operational Risk has to do with the legal compliance and transnational agreements with other nations on what the "Rules of the Game" are for privacy, investigations and obtaining evidence. More importantly what are the coordination and cooperation activities with your own domestic and the foreign jurisdictions for a prosecution strategy, especially if you have employees and operations in-country?

This morning an explosive device was detonated in front of a defense recruiting office in Times Square, New York City by a bicyclist. This incident could be a precursor to a potential terrorist suicide attack or most likely, just a disgruntled war activist. A few days earlier, domestic Ecoterrorism is suspected in the burning of three high value homes in the Seattle, Washington area.

"The mention of a bicyclist raised possible links to a May 2005 bombing at the British Consulate and an Oct. 26 explosion at the Mexican Consulate," the New York Daily News notes. "In both cases, police said, the suspect was possibly riding a bicycle when hollowed-out grenades - filled with black powder and a fuse - were tossed into the consulates. No arrests were made in those attacks."

Whether the ID theft crimes are committed online, collecting zeros and ones from unsuspecting consumers or businesses without the proper controls in place, or by direct physical attack on specific or symbolic assets, the transnational question is at the forefront of many people's minds.

While it's too early to try and connect these two incidents to the same individuals or to countries outside the United States, one thing is certain. The laws, tools and capabilities of International Law Enforcement are accelerating at a more rapid pace, as new operational risks emerge on a global scale. Politics will in some cases, try to influence the agenda and to unleash sanctions that diplomats and State Departments will work on collaboratively to achieve preemptive law enforcement agendas.

Here then are some of the steps the State Department said Barbados had taken in recent years to prevent fraud and money laundering:

  • Extended the money laundering laws to cover offenses other than those involving drugs.
  • Forced financial institutions to report suspicious transactions that may involve criminal activities, such as terrorism.
  • Enabled the police to pursue "all potential prosecutions" of money laundering.
  • Placed the burden of proof on accused persons to demonstrate that property in their possession was "derived from a legitimate source". Failure to do so could lead to a presumption that it was acquired through illegal means.

The transnational ecosystem of crime control and international relations will continue to be a challenging arena for global enterprises. Ensuring that Operational Risk teams are well equipped to provide assistance to investigators, law enforcement and government agencies is essential. Simultaneously preparing your employees for their inevitable exposure to these cases, lawsuits and incidents is a proactive strategy that executives are actively investing in.

Liechtenstein remains vulnerable to money-laundering despite efforts by authorities to tighten regulations, International Monetary Fund and Council of Europe experts said Wednesday.

The tiny Alpine principality, currently at the heart of an international tax evasion scandal, offers "discreet and flexible legal structures, strict bank secrecy and favourable tax arrangements," the IMF said in a report.

Around 90 percent of Liechtenstein's financial services business is provided to non-residents, it noted.

"By its nature, Liechtenstein's financial sector business creates a particular money laundering risk," the IMF said.


07 September 2007

BMPE: Internal Audit Awareness...

Risk in the supply chain may not always come from the vendor who provides your power, water or telecommunications. The Black Market Peso Exchange (BMPE) is an Operational Risk that is starting to gain more awareness with Internal Auditors. It has been around since the 1980s, yet even today some of our most sophisticated financial services institutions are being subjected to this system of fraud. The BMPE has been another way for money laundering of illicit drug proceeds to impact our risk management controls:
American Express Bank International's anti-money laundering program was deficient in three of the four core elements. Namely, the Bank failed to implement adequate internal controls, failed to conduct adequate independent testing, and failed to designate compliance personnel to ensure compliance with the Bank Secrecy Act. American Express Bank International's high-risk customer base, product lines, and international jurisdiction of operations required elevated measures to manage the risk of money laundering and other financial crimes.

Nevertheless, the Bank conducted business without adequate systems and controls reasonably designed to manage the risk of money laundering, including the potential for Black Market Peso Exchange transactions that may be used by Colombian drug cartels to launder the proceeds of narcotics sales. American Express Bank International's failure to comply with the Bank Secrecy Act and the regulations issued pursuant to that Act were serious, repeated and systemic.

This method of money laundering is effective for the drug traffickers and requires more awareness on the part of fraud examiners and independent auditors. IRS Form 8300, which requires companies and financial entities to report receipts in excess of $10K in cash or cash equivalents, doesn't work very well against it because wire transfers are not considered cash or cash equivalents.
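To make the reporting gap concrete, here is an added example (not code from the original post or from any named firm) that applies a Form 8300-style cash threshold over a constructed receipts ledger and separately lists the large wire receipts the form would never surface. Treating receipts against the same invoice as "related transactions" is a simplifying assumption for the illustration, as is the instrument classification.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    payer: str
    amount: float
    instrument: str   # hypothetical internal classification: "cash", "money_order", "wire"
    invoice: str


FORM_8300_THRESHOLD = 10_000.00
# Form 8300 reporting is triggered by cash-like receipts; wire transfers are not
# cash or cash equivalents, so they are deliberately left out of this set.
CASH_LIKE = {"cash", "money_order"}

# Constructed sample ledger, not real data.
RECEIPTS = [
    Receipt("payer-a", 6_000.00, "cash", "INV-1"),
    Receipt("payer-a", 4_500.00, "money_order", "INV-1"),  # related: same invoice
    Receipt("payer-b", 40_000.00, "wire", "INV-2"),        # large wire: never an 8300 event
    Receipt("payer-c", 9_900.00, "cash", "INV-3"),         # below threshold on its own
]


def form_8300_triggers(receipts):
    """Return {(payer, invoice): total} for cash-like receipts whose related-transaction
    total exceeds the Form 8300 threshold (assumption: same invoice == related)."""
    totals = defaultdict(float)
    for r in receipts:
        if r.instrument in CASH_LIKE:
            totals[(r.payer, r.invoice)] += r.amount
    return {key: total for key, total in totals.items() if total > FORM_8300_THRESHOLD}


def uncovered_wires(receipts, floor=FORM_8300_THRESHOLD):
    """Wire receipts at or above the cash threshold that Form 8300 will not report.
    These are the items an internal BSA/AML review has to examine on its own."""
    return [r for r in receipts if r.instrument == "wire" and r.amount >= floor]


if __name__ == "__main__":
    print("Form 8300 events:", form_8300_triggers(RECEIPTS))
    print("Wires outside Form 8300:", uncovered_wires(RECEIPTS))
```

The $40,000 wire is the point of the post: it is larger than every cash receipt combined, yet the reporting rule never sees it, so the company's own review must.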

Javier Sarmiento with GlassRatner has a substantive article on the subject in the last issue of the ACFE Fraud Magazine.

A point is made that needs to be emphasized here. "Don't rely on banks and financial institutions to conduct anti-money laundering (BSA/AML) procedures on behalf of the company." Is it possible that your organization has purchased inventory with funds that have been utilized as part of a BMPE scheme? What about resellers and distributors that are part of your own revenue supply chain?

In terms of independent testing, make sure that your Internal Audit department is educated and aware of this particular mechanism used by money launderers:

American Express Bank International's independent testing of its Bank Secrecy Act program was ineffective. Internal Audit Staff lacked sufficient training and knowledge to facilitate compliance with the Bank Secrecy Act. Audit scopes were not always tailored or designed to capture and test for compliance with certain requirements of the Bank Secrecy Act.

Internal Audit staff also failed to conduct sufficient customer transaction testing to adequately evaluate the overall sufficiency of the anti-money laundering program at the Bank. Furthermore, Internal Audit failed to assist management with tracking and following-up on previously identified regulatory examination deficiencies. In addition, Internal Audit failed to conduct adequate testing of the suspicious activity monitoring system or identify the numerous data integrity concerns associated with this system for an extended period of time. The ineffectiveness of the Internal Audit function at American Express Bank International contributed to the failure to identify significant deficiencies in this system before 2007.