Federal Financial Regulators Should Provide More Guidance to Stop Terrorists

By Andrew Cochran

As a senior counsel on the U.S. House Financial Services Committee, I participated in the building of the current relationships between the U.S. financial institutions, the federal financial regulators (Treasury and component agencies, FDIC, SEC, and the Federal Reserve Board), and law enforcement to prevent terrorist financing and money laundering. Over the past six years, the parties have quietly worked together to prevent numerous terrorist attacks (I know of six) and to build an infrastructure protection mechanism that is considered the best in American business. But the information flow must undergo continuous improvement as threats change.

This week, I attended the biggest and best conference in America on these issues, sponsored by the American Bankers Association and American Bar Association. From my discussions with government and industry experts there, I've identified three areas in which federal financial regulators should provide new guidance to help financial institutions and law enforcement stop terrorist financing. The regulators should issue the following: (1) regulatory guidance on the issuance and maintenance of stored value cards (also known as prepaid cards) by non-money service businesses (MSBs); (2) a U.S. government list of "Politically Exposed Persons" (PEPs) for use in identifying customers; and (3) the AML examination manual used by the Securities and Exchange Commission to ensure compliance by securities firms with the Bank Secrecy Act, as amended by the Patriot Act.

In all three areas, financial institutions are basically operating in the dark without guidance, and the risk of the unknown is the most fearsome and costly of all in this arena. As arcane as these might sound to those not working in or around the industry, I am confident that these three steps would reduce the risk of terrorist financing through financial institutions, often the first set of eyes and ears in contact with potential terrorists. I can discuss each one in more detail.

(1) Stored value (or prepaid) cards not issued by MSBs

The regulators told conference participants that they want to wait for law enforcement to identify the risks. But law enforcement already did that almost two years ago in the first "U.S. Money Laundering Threat Assessment," released in January 2006 (see my post about it and download a copy). Federal regulations classify stored value cards as services provided by money service businesses (MSBs), which are already subject to BSA/Patriot Act regulation, but numerous non-MSBs are also offering stored value cards as a means of paying for goods and services. Financial institutions provide many of the back-end servicing of the cards.

The industry also already recognizes the risk inherent in their use, as indicated by the increased time in this conference devoted to the issues. Experts working in this area tell stories of boxes of stored value cards uncovered in drug raids in Latin America and the Caribbean. Debra Geister, the Director of Fraud Prevention & Compliance Solutions at LexisNexis, discussed with me the following scenario in which a terrorist could combine the use of stored value cards and mobile payment technology:

1. The terrorist financier purchases a stored value card, and loads it until it holds whatever the maximum amount allowed to be stored, or he reloads it as many times as is necessary.

2. He then purchases a disposable (also known as throwaway) prepaid mobile telephone.

3. Next, he registers with a mobile payments service provider. using his prepaid phone, the stored value card, and an anonymous free e-mail account.

4. Using the mobile telephone, he logs on to his account with the m-payments company, and provides it with the telephone number of his recipient.

5. The m-service payments provider then transmits a message to the recipient's telephone number advising that he is transferring the payment or payments to the recipient, who confirms that they are to go to his own stored value card.

6. The recipient then take the stored value card and withdraws the funds from an automated teller machine (ATM).

7. The cash in hand, both the sender and the recipient destroy their disposable telephones and stored value cards, the only evidence that can tie them to the transaction. There is no audit trail, and no regulatory oversight; the transaction cannot be traced.

8. The cycle begins anew, as the terrorist financier and the recipient then acquire new disposable prepaid mobile telephones and new stored value cards.

The financial institution(s) which could be involved in any phase of stored value card transactions initiated outside their systems need to know what regulators expect of them to comply with the BSA. Such guidance should include a requirement for a non-obtrusive, widely recognized identity verification mechanism, to reduce the risk of identity theft and provide an audit and forensics trail.

There's no reason for the regulators to lag two years behind law enforcement and the industry.

(2) U.S. government list of "Politically Exposed Persons"

In January 2001, federal financial regulators issued "Guidance on Enhanced Scrutiny for Transactions That May Involve the Proceeds of Foreign Official Corruption," which set forth principles for identifying transactions of senior foreign political figures, their immediate family members, and close associates. That broad description has been shortened to "Politically Exposed Persons," or "PEPs," for BSA/Patriot Act purposes. Financial institutions must take reasonable steps to ensure that they do not assist in hiding or moving proceeds of corruption by PEPs. The post-9/11 amendments to the BSA in the Patriot Act mandating customer identification programs and the high number of terrorist designations markedly increased the number of PEPs to be considered. An entire industry has since grown around the assembly and maintenance of PEPs lists. But without a list of PEPs as determined by Treasury, financial institutions have to face the liability and reputational risk of missing one corrupt foreign official or his "close associate."

Industry leaders, former senior federal regulators, and former terrorism investigators now favor the establishment of a minimum PEPs list by federal financial regulators. Proponents who spoke for the record to me incllude John Byrne of Bank of America, one of the premier industry experts on money laundering; William Fox, former Director of FinCEN and now a senior officer with Bank of America; and CTB Contributing Expert Dennis Lormel, who investigated the financing of the 9-11 attacks for the FBI.

The regulators are needlessly fearful that a PEPs list would be too much work and require constant updates. But the industry has years of experience using the current list of Treasury and State Department terrorist designations, which are also updated periodically. At this point, probably 80 percent of all PEPs in all lists in use are identical. It wouldn't be difficult to determine the most commonly cited names in the most commonly used lists. Providing a minimum list would also enable law enforcement to reduce the "false positives" often enountered in an investigation or intelligence-gathering exercise.

One of the leading industry experts, who was previously a widely respected regulatory official, predicted that a PEPs list would come "when hell freezes over." It's time to drop the temperature.

(3) Publication of the SEC's AML examination manual

The Securities and Exchange Commission is the only federal financial regulator which will not release its anti-money laundering examination manual to the public. On August 24, the federal and state banking agencies announced the release of a revised BSA AML Examination Manual, which provides guidance on the "policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing" (quoting from the press release). The agencies have done this several times since the Patriot Act was implemented, each time improving the quality and reliability of the guidance. But for some reason, the SEC refuses to even commit to a timetable within which it will provide that assurance to firms under its jurisdiction. I don't understand that reluctance, and the SEC has no sound justification for it.

All three of these could be addressed through the BSA Advisory Group, which consists of representatives from the Federal regulators, law enforcement agencies, financial institutions, and trade groups and meets to discuss and review the administration of the BSA. Hopefully, Congress will see fit to employ its oversight authority to pursue these issues and enahnce our security.

TrackBack