This week two large Western European banks, Danske Bank and ING, were hit with what could add up to close to one billion euro in fines, for similar reasons: they failed to prevent large-scale money laundering operations. In a statement, the ING CEO was remorseful and announced hardened controls. Is this as straightforward as it seems, or is there more to money laundering and banking? In this article I am not talking about specific banks; I am drawing on lessons learned on four continents.
The news about ING and Danske Bank is the latest in a long line of similar cases. Australia's Commonwealth Bank and India's Canara Bank were fined similar amounts only months ago, Deutsche Bank was fined in 2017, and the list goes on. Large-scale money laundering seems to happen everywhere, and if anything, reports of fines are becoming more frequent.
The Danske Bank fine reportedly relates to activity from 2007 to 2015; for ING the period is 2010 to 2015. That is a snippet of information to keep in the back of our minds: it coincides with the banks' digital transformation, when they closed brick-and-mortar branches and replaced them with online channels.
Money laundering, fraud and cybercrime
Generally speaking, banks in the late 2000s had anti-fraud and anti-money-laundering teams. When cybercriminals started to target online channels, the first yearly losses were in the hundreds of thousands of euros (to be clear: that is not a lot for a bank). Banking associations famously called it a trivial issue, and criminals moved from automated attacks to automated phishing and social engineering. In Europe, banks' cybercrime losses peaked around 2012. In that period, banks rallied to build cybercrime departments to combat the problem. In many larger banks, the money laundering, fraud and cybercrime departments were run separately.
Detecting money laundering is usually about finding incidental, unusual and large financial flows heading in particular directions. Fraud detection was typically about spotting medium-sized, unusual transactions. Cybercrime detection, in those days, was about catching thousands of small transactions, each in the low thousands of euros, usually in near real time. No single piece of software did all of this. The three teams used separate tools and workflows, and were sometimes even run in different business units.
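To make the difference between the three detection styles concrete, here is an added example (not code from the original article, nor from any bank's systems) that runs one rule of each kind over a single constructed transaction stream. The transactions, account ids, the watched corridor code "XX" and every threshold are assumptions chosen for illustration; real rule sets are far larger and are tuned per institution. The point it shows is that the three rules look at different amounts, different time horizons and different aggregation keys, which is why they did not fit in one tool.

```python
"""Three detection styles over one transaction stream (illustrative example).

All transactions, account ids, the corridor code "XX" and the thresholds
are constructed for this example; none of it is real data or a bank's rule.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample stream: (timestamp, payer, beneficiary, amount_eur, beneficiary_country)
T0 = datetime(2014, 3, 3, 9, 0)
TRANSACTIONS = [
    # ordinary retail traffic
    (T0, "acc-100", "acc-200", 85.0, "NL"),
    (T0 + timedelta(hours=1), "acc-100", "acc-201", 120.0, "NL"),
    (T0 + timedelta(hours=2), "acc-300", "acc-400", 1500.0, "DE"),
    # laundering shape: one payer pushes a large volume into one foreign corridor within a month
    (T0 + timedelta(days=1), "acc-500", "acc-900", 180000.0, "XX"),
    (T0 + timedelta(days=8), "acc-500", "acc-901", 150000.0, "XX"),
    # fraud shape: a mid-sized transfer far outside this customer's own history
    (T0 + timedelta(days=2), "acc-100", "acc-777", 9800.0, "NL"),
    # cybercrime shape: a burst of small transfers from many payers to one beneficiary within minutes
    *[(T0 + timedelta(days=3, minutes=i), f"acc-{1000 + i}", "acc-mule", 2400.0 + i, "NL")
      for i in range(12)],
]


def aml_alerts(txs, corridors=frozenset({"XX"}), window=timedelta(days=30), threshold=250000.0):
    """AML rule: large aggregate outbound flow from one payer into a watched corridor.

    Keyed by payer, amounts summed over a 30-day window, evaluated in batch.
    """
    alerts = []
    by_payer = defaultdict(list)
    for ts, payer, _, amount, country in sorted(txs):
        if country in corridors:
            by_payer[payer].append((ts, amount))
    for payer, flows in by_payer.items():
        total, start = 0.0, 0
        for ts, amount in flows:
            total += amount
            while ts - flows[start][0] > window:      # slide the window forward
                total -= flows[start][1]
                start += 1
            if total >= threshold:
                alerts.append(("AML", payer, round(total, 2)))
                break
    return alerts


def fraud_alerts(txs, low=2000.0, high=50000.0, factor=5.0, min_history=2):
    """Fraud rule: a mid-sized transaction far above the payer's own running baseline.

    Keyed by payer, compares one transaction against that customer's history.
    """
    alerts = []
    history = defaultdict(list)
    for ts, payer, beneficiary, amount, _ in sorted(txs):
        past = history[payer]
        if low <= amount <= high and len(past) >= min_history:
            baseline = sum(past) / len(past)
            if amount > factor * baseline:
                alerts.append(("FRAUD", payer, beneficiary, amount))
        past.append(amount)
    return alerts


def cybercrime_alerts(txs, window=timedelta(minutes=15), min_payers=10, max_amount=5000.0):
    """Cybercrime rule: near-real-time velocity check on the stream.

    Keyed by beneficiary: many distinct payers sending small amounts to the
    same account within minutes, the shape malware-driven fraud leaves behind.
    """
    alerts, flagged = [], set()
    recent = defaultdict(deque)                        # beneficiary -> (ts, payer)
    for ts, payer, beneficiary, amount, _ in sorted(txs):   # stream order
        if amount > max_amount:
            continue
        q = recent[beneficiary]
        q.append((ts, payer))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_payers and beneficiary not in flagged:
            flagged.add(beneficiary)
            alerts.append(("CYBER", beneficiary, len(distinct), ts))
    return alerts


if __name__ == "__main__":
    for alert in aml_alerts(TRANSACTIONS) + fraud_alerts(TRANSACTIONS) + cybercrime_alerts(TRANSACTIONS):
        print(alert)
```

Each rule fires on exactly one of the three constructed patterns and ignores the other two: the laundering transfers are too large for the fraud band and too slow for the velocity rule, the mule burst is too small per transaction to matter to the AML aggregate, and the single fraudulent transfer never reaches the corridor or the payer count. That separation is what three teams with three tools were built around.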
With cybercrime suddenly rampant, and malware-assisted fraud earning the criminals hundreds of millions, the banks sprang into action. The incentive was never the monetary loss; it was always about maintaining confidence in the newly opened digital channels. That is why banks shifted their attention to online fraud and cybercrime. During large-scale malware campaigns such as ZeuS, Citadel and Dridex, it was all hands on deck as the larger banks were pummeled by thousands of fraud attempts. All of this happened, unsurprisingly, roughly between 2008 and 2014. The banks' focus paid off: teams grew bigger and better, and losses went down dramatically. Today they are a fraction of what they were in the heyday. The banks were victorious.
Slipping through the cracks
But there is crime other than cybercrime, and the last phase of any of it is money laundering. Criminals need to wash their money before they can use it, whether it comes from drugs, arms, prostitution, cybercrime or tax evasion. Attention had shifted to the front line of the attacks, while money laundering is a process in the rear. That shift seems to correlate with the perceived "laxness" of the banks: while they focused on the castle gate, cracks were appearing in the back wall.
This is compounded by another issue. Salespeople are incentivised by targets, so criminals turn to the banks and make themselves look good. An eager bank salesperson sighs with relief when the legal minimum of paperwork arrives. Who can resist a nice big account with all the right credentials?
Banks are money-making machines, and criminals need banks to launder serious money. Electronic currency doesn't cut it, because you still have to convert your coins to dollars in order to spend them. Asking banks to be the gatekeepers while they are incentivised by profit is the same paradox casinos face when they offer anti-addiction programs to the customers who gamble too much.
The wisdom of hindsight
Money laundering, fraud and cybercrime are here to stay. They are different processes and need to be approached differently, and for large organisations such as banks, aligning these complex processes is hard. As InfoSec professionals we tend to have tunnel vision on the technology aspect of attacks. In reality it fits into a holistic process in which money laundering is the last phase of a crime, whether that crime is tax evasion or drugs. Historical context helps us understand the banks' difficulties a bit better; but in the end our financial networks deserve better, to protect us and our societies.