
A study has made a link between powerful bank CEOs and the risk of money laundering. Syed Rahman of business crime specialists Rahman Ravelli considers the research and argues that prevention is everyone’s responsibility.

It may not please certain figures at the top of a number of financial institutions, but research has linked powerful bank CEOs with money laundering dangers.

According to researchers at the University of East Anglia, banks that have such CEOs and smaller, less independent boards will probably take more risks and, as a result, be more prone to money laundering than those with a different concentration of power at the top.

The researchers’ study examined a sample of 960 publicly-listed US banks for the period from 2004 to 2015. The study’s results showed that money laundering enforcement was associated with an increase in bank risk. From its findings, researchers stated that the impact of money laundering is more pronounced where a powerful CEO is present – and is only partly reduced by the presence of a large, independent executive board. They concluded that banks that have powerful CEOs attract the attention of regulators engaged in anti-money laundering efforts, and that this is especially the case if the bank’s board of directors is small and lacks independence.

The study has been viewed by some as the first to demonstrate that money laundering is a significant driver of bank risk. This effectively means that it can take its place alongside business models, ownership structures, competition in the marketplace and regulation as having an impact on risk.


It is perhaps surprising that previous research on banks’ risk-taking has not explicitly homed in on the possible effect of money laundering, especially as regulators have made no secret of the importance they attach to tackling it. But now, it could be argued, is an appropriate time to make that link. The increased numbers of cross-border transactions – and the sheer scale of many of them – have made banks more vulnerable to money laundering. Regulators are carrying out ongoing assessment of money laundering risks posed by organised crime and those with terrorist links while states – many of which have had obligations placed on them in recent years – are increasing their use of sanctions against countries, organisations and individuals.

The banks that do not recognise and respond appropriately to this state of affairs could well find themselves suffering fines, claims against them and significant reputational damage. Such outcomes are the logical consequences for any bank that can be shown not to have done all it could or should to minimise the dangers of money laundering.

It is worth noting, at this point, the researchers’ argument that the size and independence of a bank’s board can mitigate the impact of money laundering on bank risk but cannot fully compensate for the possible adverse effects. Aside from the study’s conclusions, what also needs to be emphasised is that the shape of fraud and money laundering is constantly changing and developing. As the risks posed by money laundering grow, the regulators adapt to rise to the challenges and the banks themselves have to meet their obligation to identify and assess the risks to which they are exposed. Just as importantly, the banks need to ensure that those risk assessments are kept up to date.

Such procedures can and will, of course, be instigated by those at the top. But regardless of the concentration of power in the upper echelons, once those procedures are in place the bank needs to make sure that its employees understand and comply with them. Those procedures need to be subject to regular monitoring, review and, when necessary, revision to ensure they are effective in countering the threat posed by money laundering. Banks have many methods available to them to ensure this is achieved. It almost goes without saying that banks will have a money laundering officer to supervise all anti-money laundering activities. Investing in anti-money laundering controls involving artificial intelligence (AI) technology is another approach, as it can support enhanced due diligence, transaction monitoring and automated audit trails. But what cannot happen is that the CEO or the board simply issues an edict about the wish to prevent money laundering: genuine prevention will only succeed if it is adopted and carried out by all levels of personnel.


The standing of a CEO in a bank and the relative power of its board may well have an impact on the risk posed by money laundering. But a bank will always be vulnerable if its approach to tackling that risk is not embraced by all levels of its workforce.

A report from BuzzFeed and other outlets on Sunday cited documents leaked from the US Financial Crimes Investigation Network (FinCEN) which indicated suspicious transactions being conducted through numerous banks, alleging that banking officials allowed criminals to shuttle money through their organisations.

Around 2,100 suspicious activity reports (SARs) were leaked, along with over 17,600 other records, which are being collectively referred to as the FinCEN files. They cover roughly $2 trillion in transactions between 1999 and 2017.

The documents were shared with the International Consortium of Investigative Journalists (ICIJ) and have been combed for evidence of wrongdoing. Among the revelations known so far are signs that HSBC enabled fraudsters to move millions of dollars of stolen money around the globe even after learning of the scam; JP Morgan allowed a company potentially owned by an FBI-wanted mobster to transfer over $1 billion through a London account, and a confidant of Russian President Vladimir Putin may have been using Barclays Bank in London to dodge sanctions imposed across the West.

Documents also revealed that the UK was known to the intelligence division of FinCEN as a “higher risk jurisdiction” comparable to Cyprus, and that the husband of a major Conservative Party donor was being secretly funded by another Russian oligarch close to Putin.

Shares in HSBC dipped by 4% in Hong Kong after the leaked documents came to light, the bank’s highest stock fall to date.

Anti-corruption organisation Transparency International UK said the leaked SARs “repeatedly cite weak money laundering defences in the UK financial sector as a major problem”, with chief executive Daniel Bruce adding that the revelations “are a damning indictment of the system that is supposed to prevent the UK and other financial centres becoming havens for dirty money.”


John Dobson, CEO at anti-money laundering specialists SmartSearch, also commented on the content of the FinCEN files. “This is nothing short of a betrayal for all those thousands of businesses doing their bit in the global fight against money laundering and financial fraud,” he said.

“We speak to customers in the UK and the US day-in, day-out, who are all working hard to make sure they have the best tools and technology available to prevent money laundering, and to be compliant with the law. While at the same time, if these documents can be believed, one of the world’s biggest banks has effectively turned a blind eye and enabled criminals to take full advantage.”

In a statement, HSBC said “All of the information provided by the ICIJ is historical.” As of 2012, the bank said, “HSBC embarked on a multi-year journey to overhaul its ability to combat financial crime across more than 60 jurisdictions.”

Other banks implicated in the FinCEN files have also issued statements.

The Financial Market Supervisory Authority (FINMA), Switzerland’s financial watchdog, announced on Wednesday that it had opened enforcement proceedings against Credit Suisse over a spying scandal that came to light in 2019.

In a statement, FINMA said that it would “pursue indications of violations of supervisory law in the context of the bank’s observation and security activities and in particular the question of how these activities were documented and controlled,” adding that such proceedings “can be expected to take several months.”

Credit Suisse announced that it would cooperate with the investigation “to ensure a complete and expeditious conclusion of the review of this episode and incorporate lessons learned.”

FINMA’s announcement follows the completion of a review of the bank’s corporate governance and its surveillance of former employees. The employees targeted were former head of wealth management Iqbal Khan, who was leaving for a post at Credit Suisse rival UBS, and former head of human resources Peter Goerke.


Credit Suisse CEO Tidjane Thiam resigned in February amid the investigations, maintaining that he was not aware of the spying operation. An internal probe by the company concluded that COO Pierre-Olivier Bouee bore responsibility, leading to Bouee’s termination.

Thiam has since been replaced as CEO by banking veteran Thomas Gottstein.

As curiosity rises around this topic, Equifax has devised this educational infographic, which helps answer the fundamental questions, including what a money mule is, how money muling works and how to spot ads for money mules. Equifax explores what could happen if you’re involved with such suspicious activity, highlighting the severity of falling victim to becoming a money mule.

Educating the public is as crucial as ever, particularly as the latest Fraudscape report by Cifas found that in 2018, organisations reported over 40,00 cases of fraudulent abuse of bank accounts that bore the hallmark of money mule activity. This widespread issue only seems to be escalating as cases involving mule activity were up by 26% in 2018 compared to 2017.

The interactive infographic will lie within the Equifax ‘Knowledge Centre’ on their main website. This informational hub provides readers and customers with relevant content and guidance surrounding a variety of financial categories. You can read Equifax’s full interactive guide to Money Mules here.

However, not all crime is conducted directly online. Some people are tricked into giving away details over the phone or are told to use their banking app to transfer money into a safe account. This multi-channel approach means that at every touchpoint, an organization must be aware that their customers could be at risk; they need to put systems and processes in place to mitigate cybercrime. 

According to a report by McAfee, the European economy is one of the worst affected areas in the world. The statistics suggest that 0.84% of Europe's GDP is affected. Looking at the UK specifically, it is estimated that the cost of cyber-crime to the UK economy is £27bn – and it is growing.

GDPR and Customer Data Breaches

One of the latest and most high-profile risks that have come to people's attention over the past 18 months are customer data breaches. Customers are increasingly aware that organizations hold a lot of their personal data and they want to be sure that it is safe. The General Data Protection Regulation was brought into place to ensure that organizations are acting responsibly when it comes to processing and storing customer data.

The financial impact of not following these guidelines, or for not having the correct systems in place, has been significant. Just months after the new regulation came into place, British Airways were one of the first companies to fall foul when 500,000 pieces of customer data were stolen, which resulted in them receiving a £183m fine.

The Financial Fallout of Cyber Crime

Before any cyber-crime has taken place, there is a significant cost to businesses that need to purchase software, implement new processes and training, and even employ new cybersecurity teams to deal with threats. For global organizations, there may also be a need to hire consultants to advise on what they need to do to keep themselves and their customers safe.

One of the consequences of cybercrime that will affect every business is the direct costs. This could be money lost by the business or by consumers. It could also be the loss of reputation to a brand. If a bank suffers a cyberattack and customers lose money, they are likely to lose confidence, which can have a huge knock-on impact on business performance and profits.

Following on from an attack, there may also be payments that need to be made. On top of losing money in an attack, a business may also need to pay out compensation, fines, and legal costs. Depending on the type and severity of the attack and the data that was lost, this can amount to millions of pounds, as demonstrated by the British Airways case.

Here Syedur Rahman of business crime solicitors Rahman Ravelli questions the effectiveness of big fines and the likelihood of criminal prosecutions in the future.

Standard Chartered has hit the headlines for the size of the fines imposed on it on both sides of the Atlantic.

But behind all the big numbers and the column inches it is hard not to wonder if such a costly slap on the wrists is now being viewed by the big banks as nothing more than the cost of doing big business.

Standard Chartered has been ordered to pay a total of $1.1 billion by US and UK authorities to settle allegations of poor money laundering controls and sanctions breaching. It is paying $947M to American agencies over allegations that it violated sanctions against six countries and has been fined £102M by the UK’s Financial Conduct Authority (FCA) for anti-money-laundering breaches, including shortcomings in its counter-terrorism finance controls in the Middle East.

These fines had been expected. Standard Chartered said two months before the fines were imposed that it had put $900M aside to cover them. But this isn’t the first time that Standard Chartered has had to pay out for its wrongdoing.

Seven years ago, it paid a $667M fine in the US. Like its latest US penalty, it related to alleged sanctions breaches. At the time, it also entered into a deferred prosecution agreement (DPA) with the US Department of Justice and the New York county district attorney’s office over Iranian sanctions breaches beyond 2007. That DPA would have expired by now but has been extended until April 2021 in the wake of the latest allegations.

Will this be the end of Standard Chartered’s problems and the start of a new allegation-free era? It is hard to believe so. But it is fair to point out that it is not the only bank to be hit by huge fines for wrongdoing and then be found to be repeating its illegal behaviour. Which is why it is hard to believe that fines are having any real impact on the way that some of the biggest banks function. If they are prepared to keep paying the fines and / or giving assurances about keeping to the terms of a DPA while reaping the benefits of breaking the law it is hard to see the cycle of behaviour changing.

Let’s be clear, any failure by Standard Chartered to abide by the terms of its DPA could see it facing criminal prosecution. And any bank’s weak approach to money laundering is now increasingly likely to be pounced on by the authorities. The Standard Chartered investigation was a co-ordinated multi-jurisdictional effort by the FCA, the US agencies and the United Arab Emirates. And while Standard Chartered’s full cooperation with the FCA saw it receive a 30% discount on its fine, relying on cooperation to gain a lesser punishment cannot be viewed as a safe approach.

The authorities around the world that investigate the activities of banks and other financial institutions are now more coordinated than ever. They have more legal powers than ever before and are unlikely to be reluctant to use them against those in the financial marketplace that come to be seen as repeat offenders.

There is no clear indication or evidence that the era of big fines may be about to pass or that the authorities are set to view convictions as a more effective deterrent to financial crime than hefty financial penalties. There may also be difficulties when it comes to corporate liability which, in the UK, requires proof that those involved in the wrongdoing are sufficiently senior to be considered the ‘controlling mind and will’ of the company.

But if fines continue to be ineffective in curbing the behaviour of certain banks it can surely only be a matter of time before the authorities rethink their approach to enforcement.

For much of 2017, tech news headlines were dominated by the wide-reaching and incredibly costly effects of ransomware. WannaCry and NotPetya infected thousands of computers, holding their data hostage and demanding that the user pay a significant sum for it to be returned to them. These attacks didn’t just affect general users, but businesses and national infrastructure as well, resulting in damage to reputations and a significant loss of capital due to downtime. But in 2018 we find ourselves faced by a different kind of threat, one that arguably hides in plain sight: cryptojacking. Cryptojacking sees malicious actors run cryptocurrency-mining software in the background of a user’s computer without their permission or knowledge. This can have a serious financial impact on a company, with a combination of costs in electricity and lost productivity being enough to be of a concern to financial teams in charge of budgets, as well as the issue of reputational damage associated with unknowingly aiding criminal activity.

Different Shades of Cryptojacking

These attacks generally come in two forms. Firstly, cryptojacking malware works in a similar way to other malware variants, oftentimes with hackers sneaking cryptocurrency miners into software (ranging from apps on a smartphone to videogames on the world’s largest PC gaming platform) which then runs in a computer’s background processing. Cryptojacking malware can gain access to core systems through a variety of attack vectors, including out-of-date applications and operating systems, like Windows XP. In one instance of a cryptojacking malware attack, hackers created a botnet (army of connected devices) of cryptominers, dubbed ‘Smominru’ by security researchers, which exploited over 520,000 machines – that's nearly as large as the Mirai botnet that nearly ‘broke the internet’ in 2016. This attack amassed nearly $2.3 million in the Monero cryptocurrency.

The second form of cryptojacking is far sneakier: ‘drive-by’ cryptojacking attacks can be performed on any device using a web browser. Simply put, these attacks happen when web pages infected with a so-called mining script are open on a user’s computer. The website will then, without the user’s knowledge or consent, mine for cryptocurrency using their PC. Attackers can then use the power of the user’s Central Processing Unit (CPU) to mine for currency – though the criminals lose access immediately when the user leaves the page. A recent, high-profile ‘drive-by’ attack saw 5,000 websites affected by the cryptojacking malware. The attack also infiltrated websites belonging to the UK Information Commissioner and several NHS and local council services.

The fact that cryptojacking lucratively operates “under the radar”, as well as crypto’s rise in popularity, has meant that the number of reported cases of cryptojacking rose by more than 600% in Q1, 2018. Cryptojacking is very hard to detect, particularly if criminals use currencies like Monero which is famous for its level of privacy. Like other cryptocurrencies, Monero uses a public ledger but the difference is that Monero’s is obfuscated to the point where no one can tell its source, amount or destination. For these reasons, it is a popular choice for cybercriminals, including cryptojackers. ‘Drive-by’ attacks are easier to execute than other cyberattacks and, from a cybercriminal’s perspective, can have a higher ROI as they only have to hack one website in order to target all visiting devices. As of the 9th July, 2018, over 30,000 websites have been infected with malicious crypto mining scripts, including sites belonging to Tesla and Aviva. Finally, crypto-mining criminals aren’t relying on users or organisations choosing to transfer money in order to regain access to their data or systems as in the case of ransomware attacks; instead, they are able to mine for as long as the malicious script is running. Experts are even arguing that cryptojacking could soon overtake the use of ransomware because it is simple, more straightforward and less risky.

Running out of Energy: The Effects of Crypto-Mining

The effects of cryptojacking on a PC should be fairly noticeable. Mining for cryptocurrency runs complicated equations which are time and processor intensive. Tell-tale signs are if a device starts acting uncharacteristically sluggishly, or if its fans seem overactive. If the affected device is a laptop the battery will drain noticeably quicker. These symptoms can go undetected, however, particularly if devices are still operational and users don’t think to alert the IT help desk.

Some may argue that cryptojacking is thus just a minor nuisance and a largely victimless crime, but in fact the damage comes from just how energy intensive it is. While the immediate effects may not be as crippling as a large-scale ransomware attack, costs build up because cryptojacking can slow down systems and destroy technology, which are costly on their own but can also lead to downtime. Drains on electricity can also cause incredibly high bills, and are bad for the environment. The electric cost of cryptojacking (Coinhive in this case) on just one desktop computer was 1.212kWh of electricity over the space of 24 hours. According to the Energy Savings Trust, the average cost of electricity in the UK per kWh is 14.37p, so this would cost 17.42p per day, or £5.22 per month. For an organisation made up of hundreds (if not thousands) of computers, this could quickly become very expensive. In some cases, cryptojacking has also been known to completely destroy IT equipment due to the heavy and unrelenting strain that the hardware is put under by mining software. Organisations need to tackle cryptojacking head on in order to protect IT hardware and software, save on extra energy costs and ultimately retain business that may be lost due to downtime.

A Layered Defence against Cryptojackers

To prevent these attacks, organisations need to make sure that everything on their network is monitored and checked regularly, from PCs to websites. And when using third party tools, they should put protections into place and not link directly to source codes (the behind-the-scenes workings of what makes any computer program function) which aren’t their own. Businesses should also invest in resources for IT and security teams that give them a holistic view of what is going on in their environments, because they can’t protect or defend against threats they don’t know about. Finally, a layered approach to cybersecurity reduces attack surfaces, detects attacks that do get through, and helps cybersecurity professionals to take rapid action to contain malicious activity and software vulnerabilities. The financial outlay on a layered cybersecurity solution might seem costly, but finance teams in charge of investing in technology should see this as a critical insurance policy against cyberattacks that could completely cripple a business. Investment in cybersecurity is nothing compared to what cryptojacking could cost an unprotected organisation.
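One way to apply the advice on third-party tools is Subresource Integrity (SRI), where a page pins the hash of a vetted script so that the browser refuses a modified copy. The following is an added example, not code from the article: it audits a page for third-party scripts that carry no integrity pin, and the host names, sample page and library bytes are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hash algorithms that browsers accept in an integrity attribute.
SRI_ALGORITHMS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity value for a vetted copy of a script."""
    digest = SRI_ALGORITHMS[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def matches_integrity(content: bytes, integrity: str) -> bool:
    """True if content matches at least one supported hash in the attribute.

    Simplification: browsers compare only against the strongest algorithm
    listed; this helper accepts a match on any supported one.
    """
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        if algorithm in SRI_ALGORITHMS and expected:
            if sri_hash(content, algorithm) == token:
                return True
    return False


class ScriptAudit(HTMLParser):
    """Collects third-party <script src> tags that lack protection."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (src, problem) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attributes = {name: (value or "") for name, value in attrs}
        src = attributes.get("src", "").strip()
        url = urlparse(src)
        host = (url.hostname or "").lower()
        if not src or host in ("", self.site_host):
            return  # inline or first-party script: out of scope here
        if url.scheme == "http":
            self.findings.append((src, "loaded over plain HTTP"))
        tokens = attributes.get("integrity", "").split()
        if not tokens:
            self.findings.append((src, "no integrity attribute"))
        elif not any(t.partition("-")[0] in SRI_ALGORITHMS for t in tokens):
            self.findings.append((src, "integrity uses no supported hash"))


def audit_html(html: str, site_host: str):
    """Return findings for every unprotected third-party script in html."""
    parser = ScriptAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed stand-in for a vendor library that has been reviewed.
VETTED_LIB = b"function readAloud(text) { /* vendor code */ }\n"

# Constructed sample page; all host names are placeholders.
SAMPLE_PAGE = f"""<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/widget.js"
        integrity="{sri_hash(VETTED_LIB)}" crossorigin="anonymous"></script>
<script src="https://cdn.vendor.example/analytics.js"></script>
<script src="http://tools.partner.example/reader.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for src, problem in audit_html(SAMPLE_PAGE, "www.bank.example"):
        print(f"{problem}: {src}")
    # A copy with extra code appended no longer matches the pinned hash.
    tampered = VETTED_LIB + b"startMiner();"
    print("vetted copy accepted:",
          matches_integrity(VETTED_LIB, sri_hash(VETTED_LIB)))
    print("tampered copy accepted:",
          matches_integrity(tampered, sri_hash(VETTED_LIB)))
```

Scripts that the audit flags can either be self-hosted after review or pinned with the value `sri_hash` returns for the reviewed copy.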

Users, including financial teams who are often targets of cyberattacks, can also do their bit to stop the spread of cryptojacking. It’s important not to download files from suspicious websites, or open attachments from email addresses you don’t recognise. Furthermore, users can protect themselves online through the use of browser plug-ins that block attempts from websites trying to hijack their PCs.

However necessary it may be to introduce precautions, what ultimately might end up being the cure for cryptojacking is cryptocurrency itself. At time of writing, Bitcoin has just experienced a crash of a little under $1,000 in just shy of 24 hours. This volatility – particularly if crypto continues its downward trend since Bitcoin peaked at $19,783.06 in December 2017 (it is currently at $6,431.70 less than 10 months later) – might put criminals off. If cryptojacking can no longer prove to be profitable because the investment in the tools required is not matched by the reward, then it may well be the markets that solve the cryptojacking issue.

While market volatility is out of the control of individual businesses, what is within their means is the ability to shore up their infrastructure. Hackers are at the cutting edge in their attempts to exploit any sort of flaw that exists in a system’s makeup and cryptojacking is currently the shiniest plaything in their toy box. The positive outlook however is that cryptojacking can be protected against with the right tools and mind-set. Out-of-date applications and operating systems are a favourite attack vector for bad guys, but they can easily be fixed. It is the responsibility of IT and Security teams, along with key decision makers who are in charge of purchasing, to stop them. By investing in cybersecurity technology, as well as training users, organisations defend against cryptominers trying to gain access to precious resources and can help to make cryptojacking a less attractive prospect for hackers.

There is a rush to improve speed, convenience and user experience in financial interactions, but at what cost to security?

 

While for the most part bankers are positive about their ability to improve their financial performance in 2018 and beyond, evolving risks – particularly cyber risk – are no doubt preoccupying their thoughts.  A recent report by professional services firm, EY, puts cybersecurity as the number one priority for banks in the coming year, and it comes as no surprise, especially with Britain’s National Cyber Crime Unit data showing 68% of large UK businesses across sectors were subject to a cybersecurity attack or breach in the past 12 months.

It’s a mounting problem, and the financial services industry needs to fight back. We’ve picked out the four key ways of countering the continuing threat to banks’ cybersecurity – and it’s a case of fighting cyber with cyber.

 

  1. Artificial intelligence

Like it is in retail and manufacturing, for example, artificial intelligence (AI) and advanced analytics will play a key role in banking moving forwards.

And the financial services industry is looking to this technology to play a major part in the prevention of cyber attacks, reducing conduct risk and improving monitoring to prevent financial crime.  Mitigating such external and internal threats is critical to both business continuity and limiting operating losses, and so AI shouldn’t be overlooked as a key tool in reaching this goal.

 

  2. Electronic identification

In order to meet the regulatory technical standards, which will be enforced in September 2019 as part of the European Union’s PSD2 payments legislation, the number of transactions requiring two-factor authentication will rise in the coming months.

What has been deemed by the industry as “Strong Customer Authentication” will be required, and this should result in payments and account access relying on customers providing and using a combination of the following: something they know, like a password; something they have, like a phone or card; and something they are, such as a fingerprint.

More factors equals more security is the industry theory here.

 

  3. Biometrics

Which leads us neatly on to point three: biometrics. This push for two-factor authentication and new electronic identification will pave the way for more biometrics use.  With some of the largest players in card payments, including Mastercard, investing heavily in such solutions, we expect others to start to follow suit.

As Ajay Bhalla, President for global enterprise risk and security at Mastercard puts it: “The use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets.

“In payments technology this is something we’re closing in on as we move from cash to card, password to thumbprint, and beyond to innovative technologies, such as AI.”

 

  4. Blockchain

According to the EY research report, 20-40% of financial service providers are investing in Blockchain now and are planning to increase investment, while approximately the same percentage are investing now but planning to reduce expenditure.

Either way, it shows that Blockchain is very much on the agenda for banks. The main attraction of Blockchain is that it creates an indelible audit trail which is distributed across multiple servers, so there’s no single weak link for cyber attackers to target. This provides banks with unparalleled transparency and increases trust.

Blockchain also has the potential to make a complex global financial system less complicated and reduce the number of middlemen involved in the transferring of money.

 

So, that’s the technology on offer, but what are the next steps?

Unless banks collaborate more with their peers, or improve their use of the wider ecosystem, the required investment in advanced technologies to address issues of growing cybercrime will be substantial and could strain their ability to improve financial performance and grow their businesses.

And, as bank leadership teams focus on investing in the relevant people and technology – and it is the combination of both that’s crucial here – to enhance cybersecurity, they may struggle to find the right skill sets or the right methods for integrating cyber experts into their organisations.

Raising their knowledge of the technology available to help stem the tidal wave of cyber threats is a key requirement for banks, if they don’t want to end up washed up on the shore as a result of their defences being breached.

 

 

Cryptocurrency values have risen and fallen in spectacular fashion over the last year and while financial watchdogs are looking to tighten the regulatory grip on how cryptocurrency trading operates, some traders have already profited from the volatility in the new currencies – and they’re not the only ones. Below Martin Voorzanger, EclecticIQ, explains for Finance Monthly how criminals are making the most of the current crypto sphere.

Another group making profits from the turbulent cryptocurrency market is cybercriminals. In fact, last year there was a marked increase in cryptomalware reports and breaches of crypto exchanges and it’s clear that 2018 will be no different. After all, where there is money, there is crime.

The future ‘bank job’

In some cases, criminals are adapting tried and tested cybercrime techniques – such as hacking email accounts, social engineering and spoofing emails – to prise digital coins out of the hands of those that own them.

For example, in late 2017, criminals pulled off the classic bank heist – with a twist. Making off with approximately 4,700 Bitcoins (valued at the time as $70m) in a raid on digital currency exchange, NiceHash, hackers gained access to the company’s payment services through an employee’s PC. The organisation described the attack as “sophisticated social engineering”.

Hackers found a similar route into Bithumb – South Korea’s biggest cryptocurrency exchange – earlier in 2017. Again, the weak link was an employee – and this time it was their home computer which was compromised. While, in this case, no currency was stolen, a vast amount of personal computer data was. Despite Bithumb suffering no real, initial monetary loss, the theft of sensitive personal data can actually be even more damaging to a business. In this instance, Bithumb stated that no passwords were stolen, but customers reported receiving calls and emails that scammed them out of funds, ultimately resulting in financial loss for Bithumb and potentially an irreversibly damaged reputation.

While bitcoin and other cryptocurrencies may have been designed with security in mind through the blockchain platform, organisations can’t rely on this alone to keep their crypto assets and data safe. Yes, blockchain is notoriously difficult to tamper with; however, opportunist criminals have found something much easier to compromise – the computers and employees within exchanges.

It is for this reason that organisations must exercise more caution and ensure all security technology and practices are fit for purpose. Good security hygiene should always be front of mind in finance matters – whether it’s around cryptocurrency or not.

A new kind of ‘botnet’

Potentially more worrying than these older, but still successful, cybercrime tactics is when criminals start to adapt new techniques specifically with the intention of defrauding holders of crypto assets. One of the methods that is becoming popular with criminals in a bid to exploit digital currencies is cryptojacking – where cybercriminals take over employees’ computers to secretly mine cryptocurrency. While the method itself has been around for some time, the surge in the value of cryptocurrencies means mining coins has become an incredibly enticing prospect for criminals. And although each infected device can only mine a small amount of value, criminals are collecting enough machines to create data-mining ‘botnets’ which, collectively, can deliver a large profit.

While cryptojacking in itself may not carry the destructive payload of ransomware or other malware, it still represents a device compromise and one which, at best, affects the performance and longevity of devices and, at worst, provides an open doorway for more destructive threats, such as ransomware.

Furthermore, it’s not just the cryptocurrencies themselves that are under threat of attack. Worryingly, earlier this year, security firm Radiflow reported that a European water provider had been compromised. This attack represented the first public discovery of cryptocurrency mining malware in the systems of a critical national infrastructure organisation, proving that criminals are no longer just after currency – they want power.

The threat to cryptocurrencies is real and growing - whether the end game of the criminals is financial gain or to disrupt critical infrastructures. Indeed, Microsoft warned earlier this year that it has seen a surge in currency-mining malware infecting Windows PCs in enterprises around the world. The company believes this could be the work of external criminals or, equally, insiders with access to company systems.

Ultimately, while cryptocurrencies themselves are secure, the exchanges and the systems that surround them are not. Humans remain the weakest link, whether intentionally or not: criminals continue to use the same tried and tested vectors of attack, and humans are still just as vulnerable to being conned or manipulated by social engineering.

One thing is for certain though – cybercrime activities in this area will not decrease anytime soon. Organisations need to make sure they have the correct security measures in place, including ensuring that employees understand the threats associated with social engineering, to best protect against this new kind of threat.

Last weekend, British shoppers were predicted to have spent almost £8bn on Black Friday sales – nearly four percent higher than last year. While this busy shopping period is certainly good for the British economy, it raises concerns about the opportunities for scammers and cyber criminals. Ross Brewer, VP and MD EMEA at LogRhythm, discusses for Finance Monthly below.

Indeed, all eyes have been on who – and there will be some – will fall victim to hackers’ increasingly persistent and clever tactics. Retailers are prime targets because of the confidential data they hold – whether it’s bank details, email addresses or personal information. There’s absolutely no doubt that cyber criminals will have tried to take advantage of the past week’s online sales peaks to access networks unnoticed or execute malware that has been sitting on the network for months. Retailers have a lot to prove when it comes to showing consumers that they are taking modern-day threats seriously.

As we saw only this week with Uber, it isn’t always the breach itself that makes headlines; it can be how it’s contained and disclosed. In such a competitive industry, retailers rely heavily on loyalty, which means reputation is key. They need to understand the true value of the data they hold and take the necessary steps to protect it.

Monitoring and detection is key

It’s hugely important that retailers invest in tools that continuously monitor networks for any signs of a compromise. Indeed, online activity and network communications between components in the card processing chain need to be tightly controlled; a process that is specifically mandated by PCI-DSS. With time increasingly of the essence, it is also critical that, rather than simply scanning for threats and raising an alarm if something suspicious is identified, these systems are able to deliver actionable insight with supporting forensic data and contextually rich intelligence. Not only does this ensure that the right information is delivered at the right time, to the right people, but it guarantees that the appropriate context will be attached, significantly decreasing the amount of time it takes to detect and respond to threats.

Most retailers know by now that they cannot afford to take shortcuts when it comes to cyber security. With breaches now a case of when, not if, it’s essential that they are on high alert at all times – particularly during busy shopping periods. Despite growing concerns over the cyber threat, consumers are spending more and more money in store and online each year, but retailers cannot take this for granted. It only takes one data breach to damage a company’s reputation, hinder future sales and/or disrupt pending investments and deals.

The good news is that security intelligence has become so advanced that companies can now automatically detect a compromise as soon as it happens, enabling security teams to stop a cyberattack before any damage is done. With GDPR only a matter of months away, enterprise organisations and retailers are feeling the pressure to identify, mitigate and disclose an attack at the time that it happens. Only with rapid detection and response capabilities will retailers be able to take cyberattackers head on and protect their customers.

Since 1968, there have been 1,516,863 gun-related deaths on US territory compared to 1,396,733 war deaths since the founding of the United States[i]. This means that up to 2015, according to data collected by Politifact, the death toll for citizens and visitors of the United States from domestic gun violence exceeds that of all the deaths from all the wars the US has participated in since its inception.

The statistics on US gun violence remain mind-boggling to many. A study by Health Affairs states that more than 100,000 people are shot each year in the US. 350 people are estimated to have been killed in American mass shootings[ii] this year, according to data gathered by GunsAreCool - a sarcastically named community that tracks gun violence in the country. In comparison, 432 people were killed in mass shootings in 2016 and 369 in 2015, which means that on average, more than one person is killed in a mass shooting for every day of the year. According to the Small Arms Survey via the Guardian, America has 4.4% of the world’s population, but almost half of the civilian-owned guns around the world.


For both individuals and society as a whole, gun violence imposes heavy psychological burdens. The media regularly highlight the emotional cost, and rightly so. But what is the economic cost of US gun violence? What is the financial cost to society from all that carnage?

 

The price tag

Back in 2012, Mother Jones, the liberal magazine, launched a three-year investigation, following the Colorado cinema shooting rampage in July, when James Holmes killed 12 people and injured 70. The magazine went through the combined annual impact of a total of about 11,000 murders, approximately 22,000 suicides and 75,000 injuries that are the result of gunfire. The findings of the investigation showed that the annual cost of fatal and non-fatal gun violence to the US was $229 billion, representing 1.4% of total gross domestic product. In comparison, obesity in the US costs the country $224bn, which makes the economic impact of gun violence higher than that of obesity. These $229bn are also the equivalent of the size of Portugal’s economy or the equivalent of $700 for every American citizen.

The study notes that about $8.6bn is direct cost, including emergency care and hospital charges, the expense of police investigations, the price of court proceedings, as well as jail costs. According to the investigation, $169bn goes to the estimated impact on victims’ quality of life, based on jury awards for pain and suffering in cases of wrongful injury and death, and the remaining $49bn accounts for lost wages and spending.

It is of course worth mentioning the positive economic impact that the gun and ammunition manufacturing industry has on the country, which according to IBIS World was $13.5 billion in 2015, with a $1.5 billion profit. However, it is also worth pointing out the distinction between the profit from manufacturing the very products used in shootings, in comparison to the financial loss seen due to gun violence.

 

The impact on US firearm manufacturers 

In recent years, firearms sales tend to increase and gun stocks tend to rally in the immediate aftermath of mass shootings in particular. Shares in gun manufacturers such as Sturm, Ruger & Co. (RGR, +1.91%) and Smith & Wesson maker American Outdoor Brands (AOBC, +0.74%) rose sharply right after the mass shooting in Las Vegas earlier this month, when 59 people were killed and hundreds were injured. Only a few hours after the deadliest mass shooting in modern US history, shares of Sturm, Ruger & Co. rose 3%, American Outdoor Brands jumped 5%, while Vista Outdoor (VSTO, -0.67%) popped 2%. The explanation behind this is quite simple - investors predict a rise in sales as people buy firearms to defend themselves and their families in the event of another potential attack. Sales are also likely to spike due to the fear that an attack may result in law changes and guns becoming harder to buy.

Despite the fact that mass shootings lead to increased firearm sales, research by Anandasivam Gopal and Brad N. Greenwood, published on 28th May 2017, points out that when mass shootings occur, investors appear to be reducing their valuations of publicly traded firearms manufacturers – an effect driven by the threat of impending regulation. These tendencies were most prevalent in 2009 and 2010, however, and seem to disappear in later events, indicating the markets’ possible acceptance of mass shootings as the ‘new normal’.

 

How do local economies respond to increased gun violence?

A report by the Urban Institute, published on 1st June 2017, found that surges in gun violence in the US can ‘significantly reduce the growth of new retail and service businesses and slow home value appreciation’. According to the study, higher levels of neighbourhood gun violence drive depopulation, discourage business and decrease property values, resulting in fewer retail and service establishments, fewer new jobs, and lower home values, credit scores and homeownership rates. The report features interviews with local stakeholders (homeowners, renters, business owners, non-profits, etc.), who confirm the findings, which state that ‘Business owners in neighbourhoods that experience heightened gun violence reported additional challenges and costs, and residents and business owners alike asserted that gun violence hurts housing prices and drives people to relocate from or avoid moving to affected neighbourhoods’. In Minneapolis for example, the report finds that each additional gun homicide in a census tract in a given year was associated with 80 fewer jobs the next year, while average home values in Minneapolis census tracts dropped by $22,000.

 

Is gun violence really the ‘new normal’?

It seems as if the US lawmakers, and indeed large swathes of the US population, are now willing to accept gun violence as a part of their daily lives in a manner that may shock others. But what is more surprising is that a country founded on capitalism permits this as the status quo in the knowledge that gun violence is having a severe and negative impact on the US economy. From hospital fees through to deterring business investment, mass shootings and gun crime are the cause of considerable financial losses to the United States. These acts of violence cost the country a great deal of money, but most importantly – they cost lives. And although markets have seemed to accept mass shootings as ‘the new normal’, should this be the case for the rest of us too?

_______________________________________________________________________________________

[i] That figure includes American lives lost in the revolutionary war, the Mexican war, the civil war (Union and Confederate, estimate), the Spanish-American war, the first world war, the second world war, the Korean war, the Vietnam war, the Gulf war, the Afghanistan war, the Iraq war, as well as other conflicts, including in Lebanon, Grenada, Panama, Somalia and Haiti.

[ii] Mass shooting being defined by the FBI as any incident where at least four persons are killed with a firearm in a random act with little or no premeditation.

Here Laura Hutton, Executive Director at Quantexa, explains the money laundering phenomenon, describing the typical profile of a money laundering ring, the added variety some display, and the challenges banking systems currently face in identifying money laundering systems.

Global money laundering transactions are currently estimated at 2 to 5% of global GDP, or up to US$2 trillion, funding crimes such as terrorism, corruption, tax evasion, drug and human trafficking. By 2020, experts predict that there will be more than 50 billion connected devices across the world. This is a cause for concern for banks and financial institutions alike, as criminals will be attracted to fresh ways to communicate and partake in criminal activity.

Shockingly, over 25% of financial services firms have not conducted AML/CFT risk assessments across their global footprint (PwC) – so it is no surprise that criminals are still finding loopholes. However, according to Wealth Insight, global AML spending is predicted to rise from US$5.9 billion in 2013 to US$8.2 billion in 2017 – promising a stronger barrier to money laundering activities. In part, this has been driven by the increasingly strict regulatory landscape and some eyewatering fines, but organisations are also keen to tackle the problem for both moral and reputational reasons.

The profile of a money laundering ring

The vast majority of money laundering is committed by organised criminal gangs and involves a complex web of individuals, businesses, domestic payments, overseas wires and, increasingly, trades and settlements. These gangs will need many low-level individuals who deposit cash into the banking system, typically in low volumes to avoid detection. The gangs will then need to move the aggregated funds around in larger volumes and overseas. This structure is complex and designed to avoid raising suspicion.

One size doesn’t fit all

All banks will have AML systems in place, but this doesn’t mean they are correctly suited. At first, financial institutions put in place systems to detect money laundering within their retail book, looking for simple patterns like large cash deposits in short time periods or transactions which are unexpectedly large for a standard domestic customer. This may flag some of the low-level criminals, but the modern organised criminal is choosing to hide the activity elsewhere, for example, cash-heavy businesses and financial markets where the transaction volumes are significantly bigger and where overseas transactions are the norm.

Banks and regulators realised that these non-retail products had money laundering risk, but no tailored AML systems existed for these complex products. As a result, many organisations have simply repurposed existing retail and market abuse systems that inevitably aren’t suited to the product line that they are trying to protect. A pre-configured AML system for retail banking will focus on finding individual high-risk transactions without the context of corporate structures, geographical money flows and the complex behaviour of that product type. Consequently, these systems are less able to identify suspicious behaviour and do not effectively prevent money laundering.

Time for a new approach

To address the more pressing money laundering risks, and greatly reduce their vulnerability, banks need to take a different approach that can interpret and risk assess these complex webs of activity and present them assembled and ready for investigation. Money launderers are not transactions, they are individuals, and they need to be modelled as such.

The contextual monitoring approach uses entity and network analysis techniques, in combination with advanced analytical methods to uncover the hidden web of criminal activity and highlight these holistically as an aggregated view of risk across multiple products and data sources.

This eliminates the vast number of alerts generated at the transactional level and focusses the attention on the high-risk people, businesses and networks that underpin these criminal gangs.
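The contrast between transaction-level rules and network-level monitoring can be shown in a few lines. This is an added illustration, not code from the article or from any vendor's product; the transactions, account names and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (kind, source, destination, amount).
# "cash" = cash deposit, "transfer" = domestic payment, "wire" = overseas wire.
# All account names are hypothetical.
TXNS = [
    ("cash", None, "acct_A", 4000), ("cash", None, "acct_A", 3500),
    ("cash", None, "acct_B", 4500), ("cash", None, "acct_B", 3000),
    ("cash", None, "acct_C", 4200), ("cash", None, "acct_C", 3800),
    ("transfer", "acct_A", "biz_X", 7500),
    ("transfer", "acct_B", "biz_X", 7500),
    ("transfer", "acct_C", "biz_X", 8000),
    ("wire", "biz_X", "overseas_1", 22000),
    # Unrelated customer with ordinary activity.
    ("cash", None, "acct_D", 900),
    ("transfer", "acct_D", "acct_E", 500),
]

CASH_LIMIT = 10_000     # assumed per-deposit alert threshold (retail-style rule)
NETWORK_LIMIT = 20_000  # assumed aggregated cash threshold per linked network


def cash_deposit_alerts(txns, limit=CASH_LIMIT):
    """Transaction-level rule: flag any single cash deposit at or above the limit."""
    return [t for t in txns if t[0] == "cash" and t[3] >= limit]


def _find(parent, node):
    """Union-find root lookup with path compression."""
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node


def network_alerts(txns, limit=NETWORK_LIMIT, min_depositors=3):
    """Network-level view: link accounts that pay each other, then score the group."""
    parent = {}
    for _, src, dst, _ in txns:
        for node in (src, dst):
            if node is not None:
                parent.setdefault(node, node)
        if src is not None:
            parent[_find(parent, src)] = _find(parent, dst)

    groups = defaultdict(lambda: {"members": set(), "depositors": set(),
                                  "cash_in": 0, "wired_out": 0})
    for kind, src, dst, amount in txns:
        group = groups[_find(parent, dst)]
        group["members"].update(n for n in (src, dst) if n is not None)
        if kind == "cash":
            group["cash_in"] += amount
            group["depositors"].add(dst)
        elif kind == "wire":
            group["wired_out"] += amount

    # Flag networks where many small depositors feed funds that leave overseas.
    return [
        {"members": sorted(g["members"]), "cash_in": g["cash_in"],
         "wired_out": g["wired_out"]}
        for g in groups.values()
        if g["cash_in"] >= limit and len(g["depositors"]) >= min_depositors
        and g["wired_out"] > 0
    ]
```

On this sample the per-deposit rule raises nothing, while the network view returns a single alert covering the three depositor accounts, the business account and the overseas destination.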

Money laundering remains a great issue for banks and financial institutions alike. As the criminals get smarter, current AML systems are falling behind. To beat the criminals at their own game, banks must adopt new compliance technologies to make constructive use of the infinite data accessible, join the dots in their customer network, and then become more efficient when acting against illegal money laundering activity.
