Tearing Down the Silos

K2 Integrity

When AML compliance and cybersecurity work together, both are more effective

It is no secret that financial institutions have become fat targets for cyber criminals. Stories of spectacular data breaches — of hacking, identity theft, and all manner of suspicious financial transactions — are now as common as they are disconcerting.

Many of these stories involve some form of data intrusion, closely linked to some form of money laundering. To a bank, these two types of crime have traditionally been two separate concerns, each with its own silo. Data intrusions have fallen under cybersecurity, money laundering under AML compliance. Communication between the two silos has generally been minimal.

If financial institutions are to effectively combat these threats, it is clear that the silos need to be torn down. Going forward, every suspicious customer activity should be assumed to involve a data breach, while every data breach should be assumed to be a financial crime in the making.

Cybersecurity and AML, in other words, need to work together. Each group can dramatically enhance the effectiveness of the other, and there is simply too much at stake for them to continue working in isolation.

Different cultures, different mindsets

The gaps in communication between the two groups are hardly surprising. Each has its own personnel and culture. AML is a compliance function, a natural outgrowth of proliferating financial regulation. Cybersecurity is a technology function, a confluence of IT and security interests. The languages, work processes, and mindsets are fundamentally different.

But despite this, both teams now have much to say to each other. As most of the world’s financial information now moves through cyberspace, most financial crime now occurs — at least in part — online.

Where compliance professionals once concerned themselves with check kiting and other quaintly low-tech scams, today’s super-sophisticated global frauds move money in and out of multiple IT systems, literally, at the speed of light. It takes a technology mindset — specifically, cybersecurity expertise — to keep up.

At the same time, cyber crime frequently goes hand-in-hand with suspicious financial transactions. Bank accounts, credit card accounts, and ATMs are illegally accessed via “spear-phishing” emails or other “social engineering” ploys. Often, it takes an anti-money laundering mindset to detect the crime — or even to understand that a crime has been committed.

Two sides of the same coin

With the bad guys now moving at the speed of light, the banks must now do so as well. What is needed is a freer, more streamlined sharing of information between AML and cyber.

There are plenty of opportunities for cross-pollination. The two groups are both now invested in similar big-data technologies — powerful analytical tools that are used by the cyber team to investigate data breaches and by the AML team to scrutinize suspicious transactions. Integrating these into a single fraud information exchange would go a long way toward making sure one hand always knows what the other is doing.

Watching the bad guys monetize

Transaction monitoring is a great place to start this integration. A typical assault on a bank starts with online customer data being stolen. But that data — account numbers, PINs, Social Security numbers, debit and credit card numbers — has no value to the thieves until they can convert it into cash. This is classic money laundering, now playing out online.

The AML team — having set up the rules and triggers that detect fraudulent transactions — can provide the cyber team with vital information about dates, times, dollar amounts, and the frequency of all sorts of anomalous activity. The two groups can then work together to cross-reference this information with any spikes in wire transfers, online purchases, ATM withdrawals, or other vulnerable banking activities. In this way, information flowing from AML to cyber can help detect — and prevent — attempts to monetize stolen data.

Sounding the alarm

Of course, the information needs to go in the other direction as well. Whenever the cyber team detects a breach in the bank’s firewall, the AML team needs to hear the alarm. The sooner they know about the intrusion, the sooner they can raise alert levels and heighten scrutiny of suspicious transactions.

Both teams can then walk back the incident to identify any early indicators. What happened in the preceding days, weeks, or even months? Was money moved into or out of suspect accounts? Are there patterns to the suspicious behaviors? While AML works the transaction information, cyber can track the IP addresses involved in the incident. Working together, the two groups can accomplish what neither could by itself.

A meeting of the mindsets

Successfully bringing the two cultures together is not a given, and may require the help of a third party. An astute consultancy — one thoroughly steeped in both cultures — can add value by bridging the gaps in communication and technology, while providing the big-picture perspective gained from working with a wide range of financial institutions.

However, the task is clear. With or without help, AML and cybersecurity must discover what they have in common, identify mutual strengths and weaknesses, and move toward an effective fusion of functions, processes, and mindsets.

Written by:

K2 Integrity