Cyber laundering threats should put all bankers on alert, FATF warns –4/1/2001

Dear MLA:

I am a compliance officer at a California bank. Our bank is about to launch a new online banking service. We are trying to set up a state-of-the-art anti-money laundering system. Are there are any concerns in the cyberbanking field that we should be especially worried about? What guidance is available?

Virtually Vigilant

Dear Virtually:

Online banking, say the experts, is increasingly vulnerable to cyberlaundering. It has become a major concern for banks whose customers have Internet access to their accounts. Any financial institution that offers services such as direct payments, electronic funds transfers, issuance of checks, securities transactions, opening or closing of accounts has to be especially vigilant of cyber launderers.

Online convenience

That is easier said than done, says the Financial Action Task Force in its Report on Money Laundering Typologies, 2000-2001. Online banking presents a convenient way to do business for all customers of a financial institution, especially those trying to launder crime proceeds that prefer the anonymity of a computer screen.

The Paris-based FATF’s annual report highlights cyberlaundering for the second straight year because its 26 member countries voiced concern about the “vulnerabilities that the Internet might offer for money laundering.” They see this threat expanding as online banking becomes the norm.

The FATF names three particularly acute vulnerabilities:

  • Ease of access to accounts through the Internet
  • Absence of face-to-face transactions between the online bank and the customer
  • The immediacy of electronic transactions. v Click vs. brick

Just like “brick and mortar” banks, those that offer online banking should have procedures, whether it be driven by software, humans or a mix of the two, that verify the identity of the persons who seek to do business with the institution. This can be difficult for online banks that often rely on customers to confirm who they are
through passwords. The FATF says that anyone can access an open account online and that determining the identity of the person may not be possible.

This problem is complicated by the fact that some servers do not use “log files” to trace the origin of the computer through which the transaction is made. Thus, the Internet-protocol number of the server and the date and time of connection are not kept in an electronic file. The roots of the transmissions are effectively kept private and virtually untraceable, says the FATF.

Internet gambling as laundering tool

Money Laundering Alert began writing about cyberlaundering six years ago. Since then, the great value of the Internet has become obvious to everyone, especially money launderers. A growing use of the Internet involves gambling to launder money. It is an excellent method of laundering because transactions are conducted principally through credit or debit cards. The site operators are unregulated offshore firms, which opens the door to laundering and other criminal mischief.

This can affect a bank because the Internet gambling sites often have their accounts in offshore banks that, in turn, use a reputable U.S. correspondent bank. The tracing of the source and ownership of the illegal money that moves through these accounts is difficult or impossible for enforcement and regulatory agencies in the U.S. and elsewhere.

Recent hearings by the U.S. Senate Permanent Subcommittee on Investigations found that correspondent banks at Bank of America and J.P. Morgan Chase Manhattan moved millions of dollars in Internet gambling proceeds (MLA, March 2001).

FATF recommendations

To combat cyberlaundering, the FATF suggests that:

  • Internet service providers establish log files with traffic data providing Internet protocol numbers of subscriber and telephone numbers used for server connection
  • Information collected through the servers be shared with enforcement agencies
  • Information collected be maintained for up to a year
  • Internet service providers keep records, including identification information, on those who transit through their servers.
  • In this virgin field, the best advice is to remain vigilant to vulnerabilities, guidance from regulators, industry findings and new schemes. Utilize or hire skilled analysts to make sense of the data that your systems provide. The FBI’s website, to which a link is provided at has much current information on Internet manipulations by criminals.