AML in the Age of Cybersecurity

Compliance in finance is getting complicated. But there is an upside.

The existence of money-laundering hasn’t changed, but the methods have evolved greatly. Now financial enterprises are bracing themselves as the rules, established in 1970, finally get the upgrade they’ve needed.

Almost 50 years after Congress passed the Bank Secrecy Act (BSA)—mandating the reporting of suspected laundering or fraud—the Financial Crimes Enforcement Network (FinCEN) has expanded those anti-money laundering (AML) requirements. The Department of Treasury agency outlined rules for institutions to include “reporting cyber-enabled crime and cyber-events” through their Suspicious Activity Reports (SARs).

This continues to include questionable activity by customers (namely, transactions). But now it also includes suspicious activity on the bank level (i.e. networks and systems). Complexity of rules has already made AML compliance difficult, and according to the FinOps Report, “the majority of alerts generated by transaction monitoring and other systems often end up being false alarms.”

Threats are so multidimensional these days, they require machine learning for detection. “Another challenge found in AML is the fact that it hardly ever signifies as the activity of just one transaction, account, business or person,” writes Cloud Tech. “It is nearly impossible for personnel to investigate all cases in a timely manner.” Analytics-based security would use machine learning to quickly find what existing systems and humans cannot. It would also offer complete-picture precision—the who, what, where, when, and how—that’s essential to SAR filings.

The Office of Compliance Inspections and Examinations at the SEC has announced its intentions to likewise police AML violations, even going so far as to hire former FinCEN employees. And the Financial Industry Regulatory Authority, a non-government organization that regulates brokerage firms, reportedly doled out $176 million in penalties last year (double the amount from 2015). It’s said to be focused on scrutinizing cybersecurity.

On the state level, New York is once again leading the charge. Banking regulator Maria Vullo has, says Bloomberg, “finalized a wide-ranging cybersecurity rule and levied substantial penalties against several major foreign banks for anti-money laundering violations.”

“Other violations pertaining to AML reporting have opened up banks to the risk of criminal prosecution,” opines American Banker, noting the millions banks already invest in BSA compliance. “Will inadequate reporting of cyber threats have the same effect?”

These changes make sense when you think of recent SAR filings such as the one in which FinCEN and the FBI traced a $7 million withdrawal from a U.S. bank to criminals in Russia and the Ukraine, using a botnet virus. Still, translating cyber threats into SARs is a challenge unto itself. A FinOps story cites a large bank, which estimates that new regulations will cost it an additional $9.6 million per year. In reality, SAR requirements will probably impact smaller banks and firms the most, since they’d ostensibly have to hire more security-skilled compliance staff.

There is a solution to this conundrum. While it’s not practical for IT and AML staffs to merge, it is imperative that they find a way to collaborate on compliance. This hurdle can be surmounted by the right security-analytic technology, which functions, holistically, as both threat-detection and business-intel solutions.

When automated, it eliminates the need for specialized labor. And the actionable information it yields—which ties activities to events to extent of damage—would likewise benefit everyone from human-resources to risk-management teams. Once finance gets over the initial shock of AML expansion, they’ll find that they can actually use it to grow stronger.