Kevin Sullivan has a philosophy that he has carried through his two-plus decades in security and law enforcement: All crimes, whether they are digital or physical, are connected at the hip. A former FBI investigator who cut his teeth on financial crimes, he found that most fraud can typically be traced back to some kind of organised group. This particularly holds true for money laundering.
Money laundering is the act of making illegally obtained funds appear to have come from a legitimate source. The criminal must figure out a way to make the cash appear legitimate so as not to alert the authorities to his real occupation and the actual source of the income.
"Money that is laundered is money that taxes would have been paid on if things were done legitimately," he said. "It's money that enables drug lords to buy new guns and new bullets to kill more people. There are a lot of bad things connected to it. People think it's just a non-violent crime. But there is actually a lot of violence that can go on to get that money. By allowing criminals to launder money, it allows them to continue what they are doing."
Sullivan, who is retired from law enforcement, is now owner and director of the AML Training Academy, a consultancy and education organization that counsels businesses about money laundering programs. By law, every U.S. financial institution is required to have such a program.
Sullivan spoke with CSO about the latest tricks money-laundering criminals are using to pull off their schemes.
What's the scope of money laundering right now? Are there any trends you are seeing this year?
The best possible estimate is that it's one-and-a-half trillion dollars a year that gets laundered worldwide. Trends crop up so frequently there could be a trend of the day. Every time the good guys build a ten-foot ladder, the bad guys build an eleven-foot wall. At best, we are trying to keep up with them. They spend a tremendous amount of time and resources trying to get around the latest plug you put in the dyke.
There are hundreds of money-laundering techniques being used. A new trend is virtual-money laundering. There are popular online games like 'Second Life' and 'World of Warcraft.' Criminals can launder money through these now. In the case of the virtual worlds, technically, money can be laundered by creating several online identities. Real currency is exchanged for virtual currency and then moved to other identities and the virtual cash redeemed for real money. It is quite simple in process. However, at this time, the amount of money that can be moved is very low and this method would not classify as one of the better ways to move a lot of money. However, it is a method and money launderers will use any and all methods. If the good guys start to believe that a certain method is not good, then that alone is reason enough for the bad guys to go there and use it, as the feeling is that it might be easier to fly under the radar. Currently, awareness of virtual money laundering should be in every money-laundering investigator's playbook. As the virtual worlds develop, the authorities should re-visit and re-analyze to determine the effectiveness of this method in the future.
Also, mobile phones are opening up new opportunities for laundering. Mobile phone technology has come a long way and we will soon be able to pay bills and wire digital money via our cell phones. Once again, this is some pretty cool stuff. This too was not invented for or by bad guys. However, bad guys love new technologies as it takes quite some time before the good guys catch on as to what the bad guys are doing. With mobile phones, it operates much like a typical money service business - think Western Union. A person can go to a phone center in New York and put real cash down. The cash is then transformed into a digital format, just like a wire transfer, and you can send a text message to your recipient in Los Angeles. He in turn can go to a phone redemption center, provide the code that you sent him, say the secret word and give the secret handshake and: Presto! The center gives him the appropriate amount of cash. Currently, and thankfully, this is not yet big in the U.S., but be forewarned, this will be coming down the pike.
Questions that surround this will be, what type of due diligence will be done by the phone centers that provide this service? Who and what will be responsible for BSA compliance and monitoring? What government agency will regulate and provide oversight?
What about social networking sites? Are these being used?
We have heard rumors that criminals are using many of the IM and virtual aspects of these sites to converse back and forth. They are using these now because they know phones are often wired.
Like I said before, every time there is a new technology, it takes a while to figure out the technology, how it's used and how it can be exploited. Any system a criminal can use will be used until it is stamped out.
Who is most at risk for finding themselves caught in a money-laundering scheme? Are any particular organizations being targeted or used now?
Any type of financial institution is at risk. But any type of business can be at risk because they can be used inadvertently in a money laundering scam. One example I will use is Bell Helicopter, which was used in a scam. Drug lords were buying helicopters and parts. Obviously they didn't call and say 'We need to buy a helicopter.' They did it through cover individuals. 26 different payments from different businesses were used to buy one helicopter.
Government officials who investigated the case claimed Bell Helicopter didn't do their due diligence. You get numerous payments from different businesses to buy one helicopter and no one questions it? It doesn't add up. If you are going to buy a car, you don't use 15 separate checks to do it. The dealer would probably scratch their head. The government claimed the company selling the helicopter should have looked into it. Ultimately, it turns out this company was used inadvertently in a money-laundering scheme. Even though this company didn't go out of its way to sell a helicopter to a drug lord, the press that came out of it was terrible.
Government estimates are that approximately $7 billion a year in Colombian and Mexican drug money is laundered through American corporations via the Black Market Peso Exchange. The BMPE is an underground banking system that allows drug traffickers to exchange American dollars for Pesos. Those dollars, which never actually leave the US, are bought by foreign companies that use them to buy American goods for sale back in their home country. The regulations of the U.S. Patriot Act prohibit nearly all business dealings with individuals and entities that are on the OFAC list. Further, there are limited exceptions for unknowingly entering into prohibited transactions with no intent to violate the law. A U.S. business can commit both civil and criminal money laundering violations that can result in penalties of not less than twice the amount involved up to $1 million per violation, as well as asset freezes and forfeitures. The classic example of the government oversight on this is this case of Bell Helicopter.
How can companies avoid becoming involved?
There are numerous enterprise-level software anti-money laundering packages organizations can use that are readily available and customizable to your particular organization and requirements that can be used to detect some of these anomalous behaviors. Some may provide OFAC assistance, BSA oversight, due diligence and money-laundering red-flag detection.
You train employees at organisations about anti-money laundering techniques. What are the red flags you advise people to look out for?
Whatever particular business you are in, whether you're a financial institution or selling sneakers, there are red flags. The most common is a transaction that makes no sense. The most important thing for any business to do is due diligence. Just accepting someone's word and check isn't good enough. You can get greedy and just take checks. But what if what you've accepted ends up connected to a terrorist event? What kind of mud is going to be on your face if you are the reason that terrorist event was allowed to go through? I don't think anyone wants to be in that position.
Is non-compliance with money laundering laws discovered through audits? Or after an actual criminal event has taken place?
Both. Every financial institution has audits by regulators. Every regulator will come in and audit their client. If they come in and find egregious errors, then there will be serious repercussions.
No one is 100 percent compliant. You can strive for perfection, that's a good thing. But if you don't have a program, or an adequate program, you will be fined. And not only will an organization face a fine, but also reputational damage. If your company is on the front page of the New York Times for having allowed drug dealers to launder money, your stock price is going to take a dip.