Interview: Pitfalls of BSA/AML Research on the Web

The pressure on financial services organizations of all sizes to comply with federal Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations is steadily increasing. Banks and investment firms are facing stiff regulatory fines, civil penalties, and industry disbarment for compliance violations.

Industry observers point out that many cases resulting in enforcement action follow a common pattern. Often, the entities found in violation neglected to file Suspicious Activity Reports (SARs) about suspicious transactions.

Then, to make matters worse, during a subsequent investigation they also “failed to promptly produce certain documents” as requested by investigators (PDF).

Online Research as BSA/AML Compliance Bottleneck

Research indicates a direct correlation between the negligence of affected financial institutions to sufficiently investigate, report and document suspicious transaction, and the lack of a compliance-friendly and compliance-ready browsing environment at the disposal of their BSA/AML specialists. Check out the Authentic8 white paper Secure AML Research: Cracking the Efficiency Code on this problem and how financial firms are solving it.

For our podcast The Silo Sessions, Authentic8’s Drew Paik sat down with veteran AML investigator and consultant Kevin Sullivan, head of the Anti-Money Laundering Training Academy, to discuss his book, "Anti-Money Laundering in a Nutshell: Awareness and Compliance for Financial Personnel and Business Managers".

Drew Paik: Kevin, I’ll leave it to you introduce yourself and your book.

Kevin Sullivan: Thank you, Drew, I appreciate being here. I’m retired investigator from the New York State Police, where I spent over 22 years working Financial Crimes, anti-terrorism and anti-terrorism financing, detail to the FBI, White-Collar Crimes, and then something called the El Dorado Money Laundering Task Force, which is the largest money laundering task force in the world, based out of Manhattan.

When I retired about seven years ago, I created the Anti-Money Laundering Training Academy, which now goes out all over the world. It will help various financial institutions and governments with Anti-Money Laundering training, whether it’s as an investigator or as a financial institution researcher or investigator, from Hong Kong to the Cayman Islands to Paraguay Brazil, and of course in the United States.

I try to focus on some of the smaller markets in the US. Smaller financial institutions do not have access to go to the big seminars in New York. So I come to [them]. And I wrote this book called Anti-Money Laundering in a Nutshell.

I wanted to make this very simple to read for someone who’s just getting into the field or is new to the field, so it’s not like reading a book – it’s a couple of us hanging out at the bar, having a beer and discussing the stuff.

Drew Paik: Can you tell me more about why we have AML requirements?

Kevin Sullivan: The whole concept of money laundering is taking the illegally gotten gains, profits from a crime. If you’re a drug dealer, the profits that you make from dealing drugs – you can’t just go out spend them willy-nilly. With drug money, they just got to launder it first. You can’t spend it without laundering because that would raise too many red flags.

So we came up with anti-money laundering methods – those things to look out for. And, of course, anything involving terrorism – that’s a whole different level of intensity.

Drew Paik: Can you give us an idea who the parties are that are involved in these AML and anti-fraud efforts?

Kevin Sullivan: In 95 percent of all crimes that are committed, the reason is money. Then if you look at who commits them, 95 percent of those crimes are committed by some form of organized crime. So that’s the bad guys’ side.

On the good guys’ side, it’s law in the United States that all financial institutions must have an anti-money laundering policy. That’s every bank, every money service business, every life insurance company, every casino, other financial institutions….

You have your AML directors, your compliance officers, researchers. You have analysts, investigators, people dedicated to doing customer due diligence, people in the sanctions field looking at the background of individuals for sanctions. So you have all sorts of departments, depending on the size of the institution.

One may be focused on doing negative news research. One will focus on just doing background checks. Another one is focused on looking into the transparency of business connections.

Drew Paik: How much of their work takes place online?

Kevin Sullivan: I’d say a significant portion of their activity is done in front of a computer screen, and that’s not just in-house, but also using external resources.

Drew Paik: What are some of the things the problems that you’ve seen these investigators run up against?

Kevin Sullivan: When I was a government agent, the largest problem I had as an investigator was with social media sites. For an investigator, social media offer a wealth of information. Our IT had numerous problems with social media. It was just too dangerous, and they would shut it down.

They didn’t want us to go there. Which became an issue when during an investigation I needed to look these things up, but now I’m being told I can’t go there. So we have come up with some solutions for that.

I know there’s been a big issue with a Polish bank, where I think the problem was with a site the bank itself was going to, the site of the Polish financial supervisory authority. So anytime the Polish bankers went there, they get infected. [Ed.: Kevin is referring to this 2017 watering hole attack against the banks in Poland]

It’s easier for some IT folks just to say “shut everything down,” and it’s kind of… – if you never drive a car, you’ll never get in an accident. But you’ll never go anyplace either.

I was looking into virtual money laundering, which is money laundering via online gaming. Well, I couldn’t investigate it, unless I went to sites and looked at it and jumped on board and tried to figure it out and play some of the game.

But because it was a two-way connection, IT said “no, no – he can’t do that,” you know, “this is too dangerous.” So it came to the conclusion there that one method to use was a separate computer, not attached to the network whatsoever. The solution can’t be “just don’t investigate that.”

Drew Paik: “Can you give me an example of where these priorities and the AML program requirements came into conflict and how that can be resolved?

Kevin Sullivan: Those come into conflict especially in the area of social media. Social media,for investigators, is a plethora of information. IT needs to do their job. Investigators need to do their job. So how are we going to get there?

Drew Paik: I’ve read that the average Suspicious Activity Report has to collect more than a hundred and twenty data points. That might include screenshots or downloading files and so on. What’s the impact on the time it takes to file and resolve these reports?

Kevin Sullivan: That’s an interesting question. And the more risk you take on… – well, the more chances of bad things happening that could lead to public relations damage. It certainly leads to regulatory fines. There have been serious regulatory fines in the last few years, well into billions of dollar.

Drew Paik: Based on your experience in preparing your book, your time in the field – what would you tell IT professionals on how to protect the AML team from today’s web-based threats?

Kevin Sullivan: I would tell them the same thing that I tell the law enforcement people: to talk to the [AML] people in the bank. If there’s not a specific training session – then at least craft some memos or newsletters or something that goes out. “Hey, look at all these things that have been going on: phishing, spear phishing, harpooning, waterholing…”

I guarantee you, folks have no idea what you’re talking about. You don’t have to sit around and hold hands and sing Kumbaya, but – my goodness – at least communicate with each other.

Drew Paik: I think that’s a great message to enter our chat on, for IT and AML to talk and to share information about their challenges and their priorities. Thanks a lot, Kevin!

*

“Anti-Money Laundering in a Nutshell” by Kevin Sullivan (publisher: a press) is available on Amazon.

The blog version of this interview was slightly edited for clarity.