The Anti-Money Laundering (AML) agenda far predates even our imagination about the internet. It has been in place for ever since the USA inked the Bank Secrecy Act in 1970. These bills require better record keeping and reporting requirements. The policy goal; to protect the integrity of the financial system and limit abuse. Likewise in the cyber security world, we wish to protect the integrity of our digital systems and limit abuse. Yet in many corporate organisations and policies these considerations remain separate. With cybercrime estimated to cost the global economy $445 billion a year (McAfee 2014), it is now on par with the global drug trade.
In 2015, the Bitlicense was the first bill to be passed in the US that contained considerations of both AML and cyber security. The controversy it caused in the digital currency industry gave it landmark status. Yet, its legacy may be creating a more holistic approach to cyber security and AML.
As more people and devices come online, the amount of economic value transacted online continues to grow. Sadly, abuse is omnipresent. Cyber criminals are usually divided up into economically motivated cyber crime, hacktivism and espionage. Each of these have distinct patterns and geographic centers. Understanding their motivations, capabilities and impact has never been more important. Financial institutions rely on scenarios to identify unusual activity. Defining these scenarios requires an in-depth knowledge of their customers but also of the patterns of crime.
Part of the reason that the AML agenda attracts so much attention can be found in the success of the racketeering legislation in the USA. Organized criminal gangs were now able to be broken up even if the boss never touched a weapon. The trail of money was good enough to link a person with the illegal activity. Proving the economic benefit in court is an essential part of the evidence. Hence, concealing trails of money though electronic payment systems is often the lifeblood of the economically motivated cyber criminals (Europol 2015). Ensuring these payment technologies are not abused is a massive opportunity for innovation compliance stack.
Yet the private sector continues to sit and wait for changes in the polices of governments which continue to not recognize this reality. The recent announcement of the fourth EU AML directive in June makes the EU more aligned with USA’s risk based approach. The risk based approach is technology neutral. Any risk of money laundering should be addressed in the same way regardless of technology. Yet, the assessment of the underlying risks requires a good grasp of the cyber risks themselves. For example, a Hacktivist getting hold of personal records and publishing them on the deep web bears soft costs. Personal damages, service outages and potential money laundering risks in the future as identities are compromised.
The convergence of cyber security and AML policies raises the concern that higher requirements for AML can create a barrier to entry for smaller players. Policymakers and financial institutions have realised that these barriers inflict huge costs in restricting financial inclusion. It is important that compliance tools are available to smaller firms and not just the major players. In Bitcoin, this was made possible due to the openness of the ledger. Tools like Chainalysis are able to provide equal levels of insight to large financial institutions and one man shops. In the current, more fragmented, financial system, information sharing is critical to protect of the system more generally. Never has this been more important.
The future of cyber security and AML need to be imagined together. With increasingly similar objectives, threat actors and challenges; the industries have much to learn from each other. Both industries face the challenge to continue being effective and yet minimize the amount of information they harvest from regular citizens. In doing so, we can protect our fundamental rights and limit the cost of cyber attacks. Many eyes are falling on the regulators and FATF for guidance and yet there is a strong economic argument for the private sector to take a more proactive approach.