
BSA/AML Hot topics: Beware of sanctions evasion through online banking and other digital channels

By Jennifer Morrison, VP, Senior Risk Manager

Technology makes lives easier in many respects, but technological advances continue to pose challenges for compliance professionals. According to an Association of Certified Anti-Money Laundering Specialists (ACAMS) interview with six former officials and senior compliance professionals, Office of Foreign Asset Control (OFAC) sanctions evaders have logged into online accounts and moved funds from countries like Iran and North Korea for years, either directly or by using anonymizing tools to mask their IP addresses, and as a result, their locations, from financial institutions.

However, since at least 2016, financial institutions have been screening clients’ IP addresses more regularly, including against lists of virtual private network (VPN) servers and The Onion Router (Tor) exit nodes, and blocking any matches, according to Jason Rhoades, a former OFAC official. But screening IP addresses, VPN server addresses, and Tor exit nodes is not foolproof. VPNs let Internet users hide their real IP addresses by funneling traffic through a separate, standalone network, so the institution sees the VPN server’s address rather than the user’s. Tor routes traffic through multiple relays in several disparate geographic locations to mask the customer’s location. These addresses change all the time, especially when someone is actively attempting to evade sanctions, which makes identifying sanctions evaders difficult.

Recommendations for your credit union’s OFAC Risk Assessment

If your credit union offers online banking and/or account-opening services, include the cyber threats mentioned above in your OFAC risk assessment. When assessing new account openings, payment products or other services that can be initiated online, the use of VPN server addresses and Tor exit nodes for fraudulent access are among the threats to consider. Measure the threat level across the impact of unauthorized access (including fines and penalties that could be levied along with financial losses, insurance costs, legal and forensic audit expenses), against the likelihood of such an exploitation.

While sanctions are typically international in nature, remember that your “domestic” new member might be spoofing his/her real location. For example, the threat assessment should consider how many new accounts you have opened online in previous years, the trend in that number across the years, and the extent to which you allow a new member to transact before conducting documentary and non-documentary validation.

Your validation efforts are among the set of controls your credit union uses to mitigate risk from this threat, along with IT efforts to block access from known threats. Remember that your credit union’s inherent risk is determined based on impact and likelihood scoring before controls; and with controls in place and tested, you have your credit union’s level of residual risk. Residual risk should be in line with your credit union’s risk tolerance as determined by your board.

Tips for dynamic identification and monitoring

The “know your member” principle faces new challenges in today’s online banking world. It matters where your member lives and what your member does, but for OFAC sanctions compliance, it also matters where your member conducts his/her business. Compliance needs your member due diligence (MDD) effort to be dynamic and ongoing.

MDD is never a one-and-done effort at the time the member joins. The challenge is to find ways to re-engage your member throughout their membership, not only updating their home address when they move, but also periodically making contact to update employer information. Account monitoring must touch your higher-risk members, but do not ignore those members who present less risk. Your branch staff are the “eyes and ears” of your MDD effort. They must be trained to look for changes in member engagement. A few red flags to look for include the following:

  • Your member is traveling to countries that may be located near a sanctioned country. How do you learn this? Perhaps when the member calls about using his/her credit card outside the U.S.
  • Your member stops coming into the branch or starts visiting the branch suddenly with family members or non-family members.
  • Your member is engaging in new transactions without explanation, such as requests to wire money outside the U.S.
  • Your member’s transactions have changed in dollar volume and velocity.
  • Your member asks about using their credit or debit card outside the U.S.

Periodically monitoring accounts that have been open for years can be eye-opening, too. (Remember that aging members are increasingly at risk for elder exploitation and financial abuse.) Make sure to compare accounts belonging to family members and business partners, as well. Disguising the source and use of funds often involves several seemingly disconnected transactions across and through several accounts (useful for tax evasion and for breaking up large amounts of cash, too). Additionally, ensure that you have worked with your IT staff to block access to your banking platform from sanctioned countries, including account-opening features. Block access to your online banking from known high-risk IP addresses, VPN servers, and Tor exit nodes. If your credit union has not yet done this and the credit union is exploited, the regulatory authorities may not look kindly upon this indifference. There are companies that constantly hunt for VPN- and Tor-linked services and make their addresses available to the public on a limited basis or through subscription.
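The IP screening described above (matching a login or account-opening source address against VPN server ranges, Tor exit node lists, and a sanctioned-country geolocation table, and blocking or flagging matches) can be illustrated with the following added example. It is not code from the original article or from any vendor product; the address lists and geolocation table are constructed from RFC 5737 documentation ranges, and the country codes are illustrative placeholders for whatever your OFAC program actually lists.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample feeds (documentation ranges, not real Tor or VPN addresses).
# In production these come from a subscription feed and must be refreshed often,
# because VPN and Tor addresses change all the time.
TOR_EXIT_NODES = {"192.0.2.10", "192.0.2.11"}
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed geo-IP table: prefix -> ISO country code (hypothetical mapping).
GEOIP = {
    ipaddress.ip_network("203.0.113.0/25"): "US",
    ipaddress.ip_network("203.0.113.128/25"): "IR",
}
# Illustrative placeholder set; maintain it from your OFAC risk assessment.
BLOCKED_COUNTRIES = {"IR", "KP"}


@dataclass
class Decision:
    action: str   # "allow", "block", or "review"
    reason: str   # recorded so the institution can show it "knew or should have known"


def lookup_country(ip):
    """Return the country code for ip, or None when the table has no entry."""
    for net, cc in GEOIP.items():
        if ip in net:
            return cc
    return None


def screen_login(ip_str, member_country):
    """Screen one login or account-opening attempt by its source IP address."""
    ip = ipaddress.ip_address(ip_str)
    if str(ip) in TOR_EXIT_NODES:
        return Decision("block", "source is a listed Tor exit node")
    if any(ip in net for net in VPN_RANGES):
        return Decision("block", "source is in a listed VPN server range")
    cc = lookup_country(ip)
    if cc is None:
        # Unknown location is a gap in the control, not proof of safety.
        return Decision("review", "no geolocation for source IP; feed may be stale")
    if cc in BLOCKED_COUNTRIES:
        return Decision("block", f"source geolocates to sanctioned jurisdiction {cc}")
    if cc != member_country:
        # A "domestic" member whose sessions come from abroad warrants MDD follow-up.
        return Decision("review", f"source country {cc} differs from profile {member_country}")
    return Decision("allow", "no IP-based red flag")
```

The decision and reason should be logged with the session so that a later examination can show what the institution knew at the time of access.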

Making sure your MDD procedures are up to date

In a May 5, 2019 advisory, FinCEN specifically identified the use of VPNs and Tor in cryptocurrency as red flags of illicit finance, but since October 2016, FinCEN has instructed financial institutions to incorporate any cyber-related information associated with suspicious transactions they report, meaning your MDD procedures should have been updated for cyber threats almost three years ago. Many automated AML systems are programmed to look for OFAC sanctions red flags, but make sure that you also engage your provider periodically to ensure your programming is updated for new trends and typologies.

As last month’s article on the new OFAC compliance framework reminds us, your credit union can be given credit for the effort even in the event of a failure. The U.S. Treasury is increasingly realistic in its expectations for staying one step ahead of the cyber criminals; it may be nearly impossible 100% of the time. “I think the key to whether there will be enforcement will remain if the institution knew or should have known of access by parties in prohibited jurisdictions,” said Brian O’Toole, a former senior official with OFAC.

In the realm of OFAC sanctions compliance, be aware of the threats to your online banking system and take steps to mitigate your risks to maintain that “culture of compliance” and to get credit for the effort in case something goes wrong!