Big Data A Twenty First Century Arms Race


BIG DATA

A Twenty-First
Century Arms Race

ISBN: 978-1-61977-428-5.

This report is written and published in accordance with the Atlantic Council Policy on Intellectual Independence. The authors are solely responsible for its analysis and recommendations. The Atlantic Council and its donors do not determine, nor do they necessarily endorse or advocate for, any of this report’s conclusions.

June 2017

About Thomson Reuters

Thomson Reuters is the world’s leading source of news and information for professional markets. Our customers rely on us to deliver the intelligence, technology and expertise they need to find trusted answers. The business has operated in more than 100 countries for more than 100 years. Thomson Reuters shares are listed on the Toronto and New York Stock Exchanges (symbol: TRI). For more information, visit www.thomsonreuters.com.

About the Foresight, Strategy, and Risks Initiative

The Foresight, Strategy, and Risks Initiative (FSR) identifies trends, designs strategies, and analyzes risk to help decision makers navigate toward a more just, peaceful, and prosperous future. Using advanced tools like data analytics, scenario modeling, and simulation exercises, as well as engaging experts and the public, FSR pinpoints the most pertinent signals from the noise that become the driving force in tomorrow’s reality.

BIG DATA: A TWENTY-FIRST CENTURY ARMS RACE

CONTENTS

Foreword

Executive Summary

Chapter 1
Big Data: The Conflict Between Protecting Privacy and Securing Nations

Chapter 2
Big Data: Exposing the Risks from Within

Chapter 3
Big Data: The Latest Tool in Fighting Crime

Chapter 4
Big Data: Tackling Illicit Financial Flows

Chapter 5
Big Data: Mitigating Financial Crime Risk

Authors


FOREWORD

Today’s threat environment is more fast-paced and complex than ever before. Around the globe, increasingly sophisticated state and non-state actors are engaged in harming the political and economic fabric of the United States and its allies and partners. Adversaries are stepping up their use of cyber and other technologies in their attacks. Non-state actors, such as transnational organized criminals, exploit regulatory and supervisory gaps in the global financial architecture to perpetrate money laundering and fraud despite stepped up international efforts to counter them. Terrorist groups leverage cheap, easily assessable technologies to recruit adherents and plan their assaults. Needless to say, law enforcement, intelligence, and financial institutions all have their hands full trying to fend off the growing threats.

Fortunately, the big data revolution—the explosion of data and the ability to analyze them—is providing a new toolkit to help confront such a dynamic and highly unpredictable security landscape. Increasingly ubiquitous web-connected sensors and mobile technologies are creating more data, while advances in machine learning and computational power are allowing this data to be more quickly and efficiently processed. Now, US intelligence and law enforcement agencies as well as global financial institutions can connect disparate information from a variety of sources to provide wider awareness of emerging threats. And they can do it at lightning speed. Big data is not only opening the door for entirely new ways of detecting and mitigating threats, but it is also helping to streamline and accelerate existing processes.

We have seen this work firsthand at the Institute of International Finance, where we have worked to help our firms realize the benefits of the data and analytics revolution for financial institutions. While finance has long been a data-intensive industry, the big data revolution is unlocking new ways to store, access, and analyze information. Our firms are using machine learning–based algorithms to detect complex fraud, while reducing the number of false alerts. Some are using robots to autonomously act on alerts by gathering information from internal databases and systems, Internet-based sources, and social media.

To make full use of new technologies, firms and governments will need to further improve data quality and security, upgrade legacy information technology infrastructures and information sharing mechanisms, and adapt their internal cultures to fast-paced technological change. They also will need to work together to address regulatory obstacles.

In this Atlantic Council report undertaken in partnership with Thomson Reuters, five subject matter experts explore the broader security and financial implications of the big data revolution. They explain how to take advantage of the opportunities, while breaking down the challenges and policy changes that need to be addressed. Stakeholders across the security, finance, and legal communities are investing significant time and money into developing big data capabilities. The security and financial communities must stay aware of the existing analytic capabilities at their disposal and remain committed to adopting new ones to stay one step ahead of today’s threats. If these tools are not properly developed and implemented, we risk becoming overwhelmed by the multitude of threats, putting the United States and the global financial system in peril.

Timothy D. Adams
President and CEO
Institute of International Finance;
Board Director
Atlantic Council
EXECUTIVE SUMMARY

We are living in a world awash in data. Accelerated interconnectivity, driven by the proliferation of Internet-connected devices, has led to an explosion of data—big data. A race is now underway to develop new technologies and implement innovative methods that can handle the volume, variety, velocity, and veracity of big data and apply it smartly to provide decisive advantage and help solve major challenges facing companies and governments.

For policy makers in government, big data and associated technologies like machine learning and artificial intelligence have the potential to drastically improve their decision-making capabilities. The national security community particularly is focused on how insight and analysis gleaned from massive and disparate datasets can help them better identify, prevent, disrupt, and mitigate threats to governments throughout the world. Big data analytics provides an unparalleled opportunity to improve the speed, accuracy, and consistency of decision making. How governments use big data may be a key factor in improved economic performance and national security.

Big data also has its drawbacks. The flood of information—some of it useful, some not—can overwhelm one’s ability to quickly and efficiently process data and take appropriate action. If we fail to create and utilize methodologies and tools for effectively using big data, we may continue to drown in it. In the context of national security, lacking adequate big data tools could have profound, even deadly, consequences. However, there are steps that we can take now—steps that are already being taken in many cases—to ensure that we successfully harness the power of big data.

This publication looks at how big data can maximize the efficiency and effectiveness of government and business, while minimizing modern risks. Five authors explore big data across three cross-cutting issues: security, finance, and law.

From a security standpoint, militaries, law enforcement, and intelligence agencies have been at the forefront of developing and implementing big data capabilities. There are many opportunities for data to help improve security, from better detecting, tracking, and preventing external threats, to identifying insider threats and malicious behavior from within an organization.

The November 2015 Paris bombings renewed European law enforcement’s focus on data and the important role it can play in the fight against terrorism. Before 2015, Europol’s database contained 1.5 million terrorism entries; the investigation into the Paris bombings added 1.1 million entries, which highlights not only advanced collection methods, but the means to sort, filter, and analyze data to uncover leads.¹

Police departments in the United States are also exploring the application of big data and predictive analytics to their law enforcement work. For instance, in 2015, a University of California, Los Angeles–led team of scholars and law enforcement officials used historical crime data and a mathematical model to help the Los Angeles and Kent (United Kingdom) Police Departments predict the times and places where serious crimes routinely occur in the city. The model led to lower crime rates over twenty-one months.² According to The Predictive Policing Company (PredPol), the success of the predictive model used by the Los Angeles Police Department and Kent Police has not only led to its permanent adoption by both departments but also sparked deployment across the United States in over fifty police departments including in Atlanta, Georgia, and Modesto, California.³

In the financial realm, increases in the amount and type of data that can be collected, processed, and analyzed help central banks, private banks, and other financial institutions better ensure compliance, conduct due diligence, and mitigate risk. Whether tracking cybercrime, unravelling a web of terrorist financing, or putting an end to money laundering, big data can offer these institutions new methods for ensuring economic security.

The underlying legal frameworks governing cross-border data flows are also important for helping governments use big data to increase global security. Law enforcement agencies in Europe and the United States need to be able to share threat information to stop terrorist attacks, while banks need to be able to share due diligence information to better know their customers. Working to make legal frameworks that address data more modern, efficient, and compatible is key and just as important to global security as the algorithms designed to identify and stop potential attacks.

While big data offers many opportunities, there are still challenges that must be addressed and overcome. As new technologies and methodologies develop, we will need to work diligently to verify the trustworthiness of the collected data; properly store it and manage its utilization; reconcile divergent legal and regulatory regimes; protect individuals’ privacy; and consider the ethical concerns about possible inadvertent discrimination resulting from the improper analysis and application of data.

In Chapter 1, “Big Data: The Conflict between Protecting Privacy and Securing Nations,” Els De Busser, a senior lecturer and senior researcher at The Hague University’s Centre of Expertise Cyber Security, explains the conflicts between the data privacy and protection laws that apply to law enforcement and intelligence agencies versus those that apply to commercial entities in the private sector. The increasing localization of privacy laws has placed strain on cross-border data flows, both for law enforcement and for economic monitors. Exacerbating the problem are the different legal approaches taken in Europe and the United States, with the former tending to adopt more holistic legal frameworks, while the latter adopts more sector-specific frameworks.

In Chapter 2, “Big Data: Exposing the Risks from Within,” Erica J. Briscoe, a senior research scientist and lab chief scientist at the Georgia Tech Research Institute, explores how institutions can leverage big data to decrease their risk from malicious human behavior, such as insider threats. Dr. Briscoe explores how organizations can use big data techniques, including behavior modeling and anomaly detection, to identify, monitor, and prevent malicious behavior. In addition, she argues that building and maintaining trust between employers and employees is critical to discouraging malicious behavior and insider threats. To create such a trusting environment, Dr. Briscoe recommends protecting personally identifiable information to assuage fears that data could be used to negatively affect employees; monitoring both known threats and user behavior concurrently; and fostering a cybersecurity mindset, attained through a leadership-driven effort that is able to adapt to changing threats. A sidebar exploring the future of trust in an increasingly automated world is also included.

In Chapter 3, “Big Data: The Latest Tool in Fighting Crime,” Benjamin C. Dean, president, Iconoclast Tech, formerly a fellow for cyber-security and Internet governance at Columbia University focuses on how digital technologies and analysis of big data can be used to identify external threats, including the detection and prevention of fraud, money laundering, bribery, terrorism, and other criminal activities. There are a range of big data analytic techniques discussed, ranging from metadata collection and network analysis to data fusion and predictive analytics. A key recommendation is the need to find and invest in people who have the right knowledge, skills, and abilities to effectively and correctly use these analytic techniques. Additionally, at the strategic level, organizations need to understand how big data analytics fit into a wider organizational strategy.

In Chapter 4, “Big Data: Tackling Illicit Financial Flows,” Tatiana Tropina, a senior researcher at the Max Planck Institute for Foreign and International Criminal Law, explores how big data can help tackle the spread of online cybercrime and illicit financial flows—money that is illegally earned, transferred, or used. Digital technologies are facilitating illicit financial flows and the rise of an underground economy where bad actors can finance terrorism, evade taxes, and launder money. Faced with the changing nature of crime, big data promises to provide law enforcement and intelligence agencies the tools needed to detect, trace, and investigate this crime. Additionally, addressing the proper legal frameworks for cross-border criminal investigations is important. To reap the benefits of big data, governments will need to implement appropriate laws and regulations that take into account new digital technologies.

In Chapter 5, “Big Data: Mitigating Financial Crime Risk,” Miren B. Aparicio, counsel and senior consultant, The World Bank Global Practice, reveals how to use big data to reduce financial crime threats. This chapter analyzes best practices and new trends in anti-money laundering laws in the United States and European Union, with a focus on identifying the current gaps exploited by bad actors. Big data tools can be applied to existing risk mitigation efforts, including sanctions screening, customer profiling, and transaction monitoring, to help close existing gaps. The rise of regulation technology (regtech) solutions provides further opportunities for taking advantage of big data to mitigate financial risk. Blockchain ledger technologies and smart contracts are currently being explored by banks and financial institutions to enhance due diligence and compliance.

1 Aline Robert, “Big Data Revolutionises Europe’s Fight Against Terrorism,” Euractiv, June 23, 2016, https://www.euractiv.com/section/digital/news/big-data-revolutionises-europes-fight-against-terrorism/.
2 Stuart Wolpert, “Predictive policing substantially reduces crime in Los Angeles during months-long test,” UCLA Newsroom, October 7, 2015, http://newsroom.ucla.edu/releases/predictive-policing-substantially-reduces-crime-in-los-angeles-during-months-long-test.
3 PredPol, “UCLA Study on Predictive Policing,” November 11, 2015, http://www.predpol.com/ucla-predictive-policing-study/.

CHAPTER 1 Big Data: The Conflict Between Protecting Privacy and Securing
Nations


CHAPTER 1

Big Data: The Conflict Between Protecting Privacy and Securing Nations

Els De Busser
Senior Lecturer, European Criminal Law; Senior Researcher, Centre of Expertise Cyber Security, The Hague University of Applied Sciences

Law enforcement and intelligence agencies need to comply with specific legal frameworks when gathering and processing personal data for the purposes of criminal investigations and national security. Private companies need to comply with specific legal frameworks when gathering and processing personal data for the purpose of commercial activities.

Both law enforcement and intelligence agencies, as well as multinational private companies, engage in cross-border data gathering. This means that two countries’ legal frameworks could be applicable to their activities: one in the territory where the data are gathered and another in the territory where the data are processed—for example, personal data gathered in the European Union (EU) but processed or stored in the United States. Another conflict can arise even amongst laws in the same country—i.e., laws applicable to personal data gathered for the purpose of commercial activities versus laws applicable to personal data processed for the purpose of criminal investigations/intelligence activities.

When two or more legal frameworks contain conflicting provisions or requirements, it can create confusing situations for law enforcement or intelligence agencies and private companies. Two developments have added to the confusion. The first is the continuously increasing digitalization of the way citizens communicate, purchase items, manage finances, and do other common activities, which increases the possibility that law enforcement and intelligence authorities may need this information in the context of an investigation. The second is the growing use by private companies of cloud storage and servers located in other jurisdictions.

The last decade has shown that this dilemma is more than just theoretical. Both territorial and material conflicts have surfaced in the last several years. Fundamentally different data protection legal frameworks, combined with intensive cooperation in criminal and intelligence matters in the EU and United States, have contributed to this dilemma. In the aftermath of the September 11, 2001, attacks on US territory, two types of data transfers were set up between the EU and the United States. First, in 2002, the US Bureau of Customs and Border Protection requested passenger name record data (PNR data) from EU air carriers flying to airports located in the United States. Then, in 2006, journalists revealed that Belgium-based private company SWIFT had transferred financial messaging data—including personal data—to the US Department of the Treasury for the purpose of investigations into the financing of terrorist activities. In both cases, agreements were ultimately signed to offer a legal framework for such transfers. In 2016, a ruling by the US Court of Appeals for the Second Circuit Court drew much attention from the industry when it ruled in favor of Microsoft in a case against the US government challenging a warrant for personal data held on a server located in Ireland.⁴

This paper focuses on these territorial conflicts, the mechanisms for preventing or solving related conflicts of laws, and the implications for relevant stakeholders.

National Laws

Criminal and national security investigations are traditionally regulated on a national level. Data protection and privacy are also typically covered in national and regional laws. Criminal law—especially criminal procedure—is traditionally regulated at the national level due to its inherent connection to the political and historical identity of a country. Hence, EU institutions have only limited competence to regulate criminal law. National security is regulated exclusively on a national level as it relates to the protection of the country and its citizens from national crises.

Data protection and privacy laws tend to be regulated on a national level as well, often in line with a regionally binding legal framework, such as the Council of Europe’s (CoE) Convention 108⁵ and the EU’s legal instruments. Nevertheless, we can see different ways of regulating privacy and data protection. In 1999, Banisar and Davies distinguished four models: comprehensive laws, sector-specific laws, self-regulation, and technologies of privacy.⁶ Whereas in Europe the first model of comprehensive or umbrella laws is clearly the preferred one, the United States uses a combination of the three other models. Apart from binding laws and rules, we should not overlook the importance of non-binding guidelines on privacy and data protection. Both the United Nations (UN) and the Organisation for Economic Co-operation and Development (OECD) have developed such rules. Of these two, the OECD’s “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” is the only set of guidelines that includes a paragraph on conflict of laws.⁷

With regard to the binding legal frameworks on data protection, the aforementioned CoE Convention 108 is the widest in territorial scope as well as the most generally formulated set of standards on data protection that—in spite of the Convention currently going through a modernization—remain valid.⁸

The two most relevant⁹ EU legal instruments based on the CoE standards are Directive 95/46/EC¹⁰ covering data processing in commercial activities, and Framework Decision 2008/977/JHA¹¹ covering data processing for the purpose of criminal investigations and prosecutions. Both are being replaced by two newly adopted legal instruments: 1) the General Data Protection Regulation (GDPR)¹² covering data processing in commercial activities, which will be effective as of May 25, 2018; and 2) the directive on the protection of natural persons “with regard to the processing of personal data by competent authorities for the purposes” of “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties” and on “the free movement of such data” (directive on data protection for law enforcement purposes),¹³ which will be effective as of May 6, 2018.

A significant aspect of the new GDPR is its expanded territorial application. The GDPR applies to companies that have no establishment in the EU but direct their activities at or monitor the behavior of EU citizens. This expanded scope will lengthen the list of companies from countries outside the EU—such as US companies active on the EU market—that will be confronted soon with a set of EU legal provisions with which they need to comply. One legal provision included in the GDPR that gained attention from US companies is the “right to be forgotten,” which really is a right to have personal data removed when it is no longer accurate, adequate, or relevant, or if it is excessive. Thus, it is not an absolute “right to be forgotten” as the catchphrase may make one believe. The right to have inaccurate, inadequate, irrelevant, or excessive data removed has always been a right under European data protection standards, but a 2014 Court of Justice¹⁴ ruling requiring Google to remove links containing personal data inspired a more specific “right to erasure” provision in the GDPR.¹⁵

The reform of the EU legal instruments on data protection also implied an expansion of the territorial scope of the directive on data protection for law enforcement purposes. The first instrument on law enforcement data protection, the 2008 Framework Decision—since expanded—covered only personal data exchanged between the member states; domestically collected data were excluded. The latter was governed only by national law. The scope of the new directive does include domestically gathered data, which means that both data transfers within the EU and data transfers outside the EU are regulated by the same directive.

Unlike the EU, the United States has approximately twenty sector-specific or medium-specific¹⁶ national privacy or data security laws as well as hundreds of such laws among its states and its territories.¹⁷ Examples of national sector-specific privacy and data protection laws include the 1996 Health Insurance Portability and Accountability Act,¹⁸ regulating the processing and disclosure of protected health information, and the 1999 Financial Services Modernization Act,¹⁹ also known as the Gramm-Leach-Bliley Act (GLBA), requiring financial institutions to provide their customers with a privacy notice.

With respect to criminal investigations, the US Fourth Amendment offers privacy safeguards, such as a warrant requirement, when law enforcement and intelligence authorities gather data. However, the warrant requirement, which necessitates a showing of probable cause, can slow things down. Quicker ways of obtaining data outside the scope of Fourth Amendment searches are administrative subpoenas and national security letters (NSLs). For an administrative subpoena, a warrant is not required; rather, it is sufficient for the subpoena to be reasonable and give opportunity for the individual (hereafter, “data subject”) to receive a judicial review of its reasonableness.²⁰ Administrative subpoenas can be used by federal agencies to order an individual to appear or deliver documents or items. The statute granting this power describes the circumstances under which subpoenas may be issued.²¹

Members of the European Parliament vote on the EU Passenger Name Record (PNR) Directive, which would oblige airlines to hand EU countries their passengers’ data in order to help the authorities to fight terrorism and serious crimes. Photo credit: Reuters/Vincent Kessler.

Likewise, the 2001 USA Patriot Act²² expanded the use of NSLs, so that any government agency investigating or analyzing international terrorism can use them.²³ Government agencies responsible for certain foreign intelligence investigations can issue NSLs to obtain customer transaction data from communication providers, banks, and credit agencies for the purpose of national security investigations.²⁴ The 2015 USA Freedom Act²⁵ strengthened judicial review of NSLs and restricted bulk collection of communications or financial records.²⁶

It is the use of NSLs and subpoenas in an extraterritorial manner that has caused conflicts of laws between the EU and the United States.

4 On January 24, 2017, the Second Circuit Court of Appeals denied the US Department of Justice’s petition for a rehearing.
5 Council of Europe, “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the Convention),” January 28, 1981, ETS No. 108, http://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680078b37.
6 Daniel Banisar and Simon Davies, “Global trends in privacy protection: an international survey of privacy, data protection and surveillance laws and developments,” J. Marshall J. Computer & Info. L., 18 (1999): 13-14 and William J. Long and M.P. Quek, “Personal data privacy protection in an age of globalization: the US-EU safe harbor compromise,” Journal of European Public Policy, 9 (2002): 330.
7 OECD, “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” 2013, http://www.oecd.org/sti/ieconomy/privacy.htm.
8 The draft protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) was finalized by the responsible Ad Hoc Committee on Data Protection on June 15-16, 2016, and is awaiting adoption by the CoE Committee of Ministers following consultation of the Parliamentary Assembly. For the full text of the draft protocol, see: CoE, September 2016, “Draft Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data,” https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016806a616c.
9 These legal instruments are considered most relevant because they cover the two widest categories of data processing: processing for commercial purposes and processing for law enforcement purposes. Further legal instruments covering data protection are Regulation (EC) No 45/2001, “On The Protection Of Individuals With Regard To The Processing Of Personal Data By The Community Institutions And Bodies And On The Free Movement Of Such Data,” Official Journal of the European Communities, L 8, January 12, 2001; Directive 2002/58/EC, “Concerning The Processing Of Personal Data And The Protection Of Privacy In The Electronic Communications Sector,” Official Journal of the European Communities, L 201, July 31, 2002, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:201:0037:0047:en:PDF.
10 Directive 95/46/EC, “On the Protection of Individuals with Regard to the Processing of Personal Data and On the Free Movement of Such Data,” Official Journal of the European Communities, L 281, November 23, 1995, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1995:281:0031:0050:EN:PDF.
11 Framework Decision 2008/977/JHA, “On the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters,” Official Journal of the European Union, L350, December 30, 2008, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:350:0060:0071:en:PDF.
12 Regulation (EU) 2016/679, GDPR, Official Journal of the European Union, L 119, May 4, 2016, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL%3A2016%3A119%3ATOC.
13 Directive (EU) 2016/680, Official Journal of the European Union, L 119, May 4, 2016, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL%3A2016%3A119%3ATOC.
14 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, Case C-131/12, May 13, 2014, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131.
15 GDPR, Article 17.
16 Privacy or data security laws focused on a specific medium—for example an electronic medium—rather than a certain industry sector.
17 DLA Piper, “Data Protection Laws of the World,” 2016, 503.
18 Health Insurance Portability And Accountability Act of 1996, Public Law (Pub.L.) 104–191, August 21, 1996, https://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf.
19 Gramm–Leach–Bliley Act, Pub.L. 106–102, November 12, 1999, https://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf.
20 Laura K. Donahue, “Anglo-American Privacy and Surveillance,” J. Crim. L. & Criminology 96 (2006): 1109 (footnote 278). Charles Doyle, Administrative subpoenas in criminal investigations: a sketch, CRS Report for Congress, March 17, 2006, https://fas.org/sgp/crs/intel/RS22407.pdf.
21 Charles Doyle, Administrative subpoenas in criminal investigations.
22 Uniting and Strengthening America By Providing Appropriate Tools Required To Intercept And Obstruct Terrorism (USA Patriot Act) Act Of 2001, Pub.L. 107−56, October 26, 2001, https://www.sec.gov/about/offices/ocie/aml/patriotact2001.pdf.
23 Charles Doyle, National Security Letters in Foreign Intelligence Investigations: Legal Background, CRS Report for Congress, July 30, 2015, https://fas.org/sgp/crs/intel/RL33320.pdf.
24 Ibid.
25 USA Freedom Act, Pub.L. 114-23.
26 Charles Doyle, National Security Letters in Foreign Intelligence Investigations.

This brings us to the main differences facing two entities often involved in cross-border data flows and in the resulting conflict of laws between the EU and the United States. The first difference is the model of data protection legal framework that is used. The EU’s reliance on omnibus legislation stands in stark contrast to the American system of sector- and data-specific laws, self-regulation, and privacy technologies. Secondly, the substance of data protection laws tends to differ between the EU and the United States. That does not mean that one offers higher data protection than the other; it means that protection is differently organized and different elements of protection are prioritized.

These differences make the exchange of personal data between jurisdictions a challenge. Transferring personal data from one country to the other for the purpose of a criminal investigation or a national security investigation heightens the challenge, since such transfers should comply with two sets of data protection laws as well as two sets of criminal laws or national security laws.

Conflicts of Laws

As mentioned above, the EU and US data protection legal frameworks have led to several conflicts between the two systems. A request for EU-based personal data from US authorities would put EU companies in a dilemma. Refusing to comply with the request would trigger consequences in the United States, but complying with it may violate EU data protection laws. This section focuses on the instruments used for requesting personal data and some of the conflicts that have arisen.

Direct Access

Direct access to data is the most intrusive type of instrument for one country to obtain data held by another country, as it touches upon the sovereignty of the country granting access. Additionally, the country granting access wishes to retain some kind of control over the processing of its data by the other country. For these reasons, both countries involved will have to reach a prior agreement on the circumstances under which direct access can be allowed.

Direct access to PNR data, before those passengers board a flight from the EU to any US destination, was the subject of a number of PNR agreements between 2004 and 2012. The reason for the request for direct access was a pre-screening process that used to be conducted by US air carriers. In 2001,27 the Aviation and Transportation Security Act moved the authority to perform a pre-screening process of passengers to the Department of Homeland Security (DHS). When the Aviation and Transportation Security Act was expanded by the 2004 Intelligence Reform and Terrorism Prevention Act,28 an agreement with the EU became necessary due to the requirement that the European Commission (EC) assess the data protection laws of a non-EU country before a transfer of EU personal data can take place. If the EC determines that the data protection law(s) in the recipient country are not adequate, appropriate safeguards must be agreed upon. With respect to PNR data, this led to arduous negotiations between EU and US representatives resulting in several successive agreements,29 with the most recent concluded in 2012.30 The negotiations were complex—the main issues were the types of data included in the pre-screening, the purpose for which they would be used, and the time limits for storing the data. Another key discussion point was direct access. Giving a country direct access to the databases of another country’s air carriers (in this case a region of twenty-eight member states) amounts to a significant sovereignty issue. When compared with a request for data or even a warrant for data, the problem was the unspecified and large amount of data.

One of the data protection standards applicable in the CoE, and thus in the EU, is the purpose limitation principle and the necessity requirement that is inherently connected to it. This means that the gathering of personal data should be done only for a specific and legitimate purpose. Processing for a purpose that is incompatible with the original purpose is not allowed unless the following conditions are met: the processing should be provided for by law, it should be necessary, and it should be proportionate. The necessity requirement includes those cases in which personal data need to be processed for the purpose of the suppression of criminal offenses. This allows, in particular, the use—by law enforcement authorities—of data that were previously gathered in a commercial setting such as data related to the purchase of an airline ticket. The necessity requirement implies, however, that the data are necessary in a specific criminal investigation, and thus mass collection of data is not considered necessary, even if such data could be useful.

27 Aviation and Transportation Security Act, Public Law no. 107-71, November 19, 2001.
28 See Section 7210, Exchange of Terrorist Information and Increased Preinspection at Foreign Airports, Intelligence Reform and Terrorism Prevention Act of 2004, Public Law no. 108-458, December 17, 2004.
29 For an overview, see Els De Busser, EU-US Data Protection Cooperation in Criminal Matters (Antwerp: Maklu, 2009), 358-384.
30 Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security (PNR Agreement), Official Journal, L 215, August 11, 2012, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A22012A0811(01).

The purpose limitation principle is known in the United States as well. It is, however, not a general principle in the American system, but is included in specific laws only; however, while these laws may be specific, they can nonetheless have a relatively wide scope such as the 1974 Privacy Act.

For compliance with the EU data protection standard of purpose limitation, the method of accessing the data—the “push” or “pull” method—is therefore crucial. The push method means that only the data that are necessary for the purposes of a specific investigation are sent by the EU air carriers to the US Department of Homeland Security. The pull method would allow access by DHS to the air carriers’ databases to retrieve the data needed. The pull method is considered the more intrusive method, taking into account that direct access to a database is granted to another country. The difference between the methods can be described as the equivalent of giving the keys to one’s home to another person—the pull method—versus giving another person exactly what is necessary from one’s home—the push method. The 2012 PNR agreement provides that air carriers shall be required to transfer PNR to DHS using the less intrusive push method.31

Subpoenas

US authorities can rely on administrative subpoenas32 for obtaining data from private companies for the purpose of an investigation into international terrorism.33 The conditions under which these subpoenas can be issued are laid down in statutes such as the aforementioned 1996 Health Insurance Portability and Accountability Act or the 1999 Gramm-Leach-Bliley Act (GLBA).34 The latter protects customers’ financial data including account numbers and bank balances. Financial institutions based outside the United States, but offering products or services to US customers, must also comply with the GLBA including by giving citizens a privacy notice explaining how their data would be processed.

In the aftermath of the September 11, 2001, attacks, efforts increased to investigate the financing of terrorism by setting up the Terrorist Finance Tracking Program (TFTP) of the US Treasury Department. Belgium-based SWIFT company is not a bank and does not handle money; however, it handles the financial messaging data instructing banks to transfer a specific amount of money in a specific currency from one account to another. As SWIFT organizes the majority of worldwide money transfers, it was the ideal partner for the US Treasury Department when investigating the financing of terrorism under the TFTP. The targeted data held by SWIFT included personal data. When media coverage revealed that personal data from EU citizens had been transferred from SWIFT’s EU servers in the Netherlands to the US Treasury Department following what was described as “non-individualized mass requests,”35 the European Commission and the Belgian Privacy Commission stepped in. SWIFT had been complying with US subpoenas in order to avoid prosecution in a US court, but this policy had breached Belgian data protection law. This resulted in a procedure before the Belgian Privacy Commission and in a new EU-US agreement, which provided a compromise on the safeguards for data transfers for the purposes of the Terrorist Finance Tracking Program, also known as the TFTP Agreement.36

Warrants

The Fourth Amendment requires probable cause for warrants issued to collect personal data for the purpose of criminal investigations, although exceptions apply.37 Obtaining a warrant is slower in comparison to a subpoena, but offers more protection to the person involved. In the context of private companies supplying data to law enforcement, the 1986 Stored Communications Act (SCA)38 allows the government to obtain a warrant requiring an electronic communication service provider to produce data such as customer information, emails, and other materials provided

31 Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security (PNR Agreement), Article 15.
32 Charles Doyle, Administrative subpoenas in criminal investigations.
33 See, The International Emergency Economic Powers Act (IEEPA), which followed the signing by President George W. Bush of Executive Order 13224, “Blocking Property and Prohibiting Transactions With Persons Who Commit, Threaten to Commit, or Support Terrorism,” 50 USC § 1702, September 23, 2001.
34 Gramm–Leach–Bliley Act, Pub.L. 106–102, November 12, 1999.
35 Belgian Data Protection Commission, Opinion no. 37/2006, Opinion on the transfer of personal data by the CSLR SWIFT by virtue of UST (OFAC) subpoenas, September 27, 2006.
36 Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, Official Journal of the European Union, L 195, July 27, 2010, http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=OJ%3AL%3A2010%3A195%3ATOC.
37 Applicable US legislation is 18 USC Chapter 109 and Rule 41 of the Federal Rules of Criminal Procedure.
38 Required disclosure of customer communications or records, 18 US Code (USC) § 2703, https://www.law.cornell.edu/uscode/text/18/2703.

that probable cause is shown.39 SCA warrants are not typical warrants but have some characteristics of subpoenas and are referred to as “hybrids.” The latter means that the warrant is obtained upon showing probable cause, but it “is executed like a subpoena” since “it is served on the provider and does not involve government agents entering the premises” of the provider “to search its servers and seize the e-mail account in question.”40 The matter raises questions regarding the extraterritoriality of such hybrid warrants.

That was exactly the concern in the recent Microsoft case. In 2014, when Microsoft was served with an SCA warrant for obtaining data on an email account that was located on the company’s server in Ireland, the US District Court denied Microsoft’s attempt to quash the warrant by stating that “even when applied to information that is stored in servers abroad, an SCA Warrant does not violate the presumption against extraterritorial application of American law.”41 Microsoft appealed and received wide support from the industry in the form of several amicus curiae briefs. On July 14, 2016, the Second Circuit Court of Appeals ruled in favor of Microsoft by limiting the SCA warrants to data held within the United States regardless of whether the data pertain to a US citizen or not. It is relevant to point out here that it is unknown whether the data subject is a US citizen or not. However, the Microsoft case is not over yet; on October 13, 2016, the US government filed a petition for a rehearing,42 and the reasons given are of essential importance for the extraterritorial seizing of data. In the appeal ruling, the Second Circuit Court acted on the assumption that providers know exactly where data are stored. The government’s petition clarifies that this is not always the case43 and stresses that due to companies working with changing facilities in different locations worldwide, “critical evidence of crimes now rests entirely outside the reach of any law enforcement anywhere in the world, and the randomness of where within an intricate web of servers the requested content resides at a particular moment determines its accessibility to law enforcement.”44

On January 24, 2017, the appellate court denied the petition in a 4-4 vote, confirming the ruling in favor of Microsoft. Whether the case will be submitted before the Supreme Court is, at this moment, unknown. The only current alternative is a time-consuming mutual legal assistance request—but even this is not always possible due to the limited list of bilateral agreements. Scholars are expecting Congress to pass laws giving extraterritorial applicability to US warrants,45 much like the Belgian law allowing for the extraterritorial collection of data in a criminal investigation with a post factum approval of the target country. Note that the CoE Cybercrime Convention allows for extraterritorial collection of data, provided that consent of the person who has the lawful authority to disclose the data is obtained.46

National Security Letters

Issued by high-ranking officials for the purpose of national security investigations,47 National Security Letters are orders allowing law enforcement and intelligence agencies to obtain data by avoiding the requirements of the Fourth Amendment. Certain US laws allow for the use of NSLs48 to order private companies such as banks, phone companies, and Internet service providers to hand over “non-content information.” What can be produced in response to an NSL are log data including phone numbers or email addresses of senders and receivers, as well as information stored by banks, credit unions, and credit card companies. These disclosures may still

39 Recent cases, “In re Warrant to Search a Certain Email Account Controlled & Maintained by Microsoft Corp., 15 F. Supp. 3d 466 (US District Court New York, 2014),” Harvard Law Review, 128 (2015): 1019.
40 In re Warrant to Search a Certain Email Account Controlled & Maintained by Microsoft Corp., 15 F. Supp. 3d 466 (United States District Court, SDNY, 2014), 25.4.2014, 12, https://casetext.com/case/in-re-of-184.
41 Ibid.
42 US Court of Appeals for the Second Circuit, No. 14-2985, In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation.
43 See also Orin Kerr, “The surprising implications of the Microsoft/Ireland warrant case,” Washington Post, November 29, 2016, https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/11/29/the-surprising-implications-of-the-microsoftireland-warrant-case/?utm_term=.b12c9264b191.
44 US Court of Appeals for the Second Circuit, No. 14-2985, In the Matter of a Warrant to Search.
45 See Jennifer Daskal, “A proposed fix to the Microsoft Ireland Case,” Just Security, January 27, 2017, Microsoft v US, 2nd US Circuit Court of Appeals, No. 14-2985; Jennifer Daskal, “Congress needs to fix our outdated email privacy law,” Slate, January 26, 2017, http://www.slate.com/articles/technology/future_tense/2017/01/the_confusing_court_case_over_microsoft_data_on_servers_in_ireland.html; and Centre for Democracy and Technology, “Latest Microsoft-Ireland case ruling affirms U.S. warrants do not reach data stored outside the U.S.,” January 26, 2017, https://cdt.org/press/latest-microsoft-ireland-case-ruling-affirms-u-s-warrants-do-not-reach-data-stored-outside-the-u-s/.
46 Council of Europe, Cybercrime Convention, ETS No. 185, November 23, 2001, http://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf.
47 50 USC §436, Requests by Authorized Investigative Agencies, and 438, Definitions.
48 The Fair Credit Reporting Act, the Electronic Communication Privacy Act and the Right to Financial Privacy Act.

include personal data that identify or enable the identification of an individual.

From an EU perspective, NSLs are problematic because they do not require probable cause; rather, the data must be relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. Due to the purpose limitation principle and the requirement for necessity and proportionality, the use of an NSL in the EU is highly questionable.

“. . . [C]onflicts of laws create legal uncertainty and confusion for law enforcement and intelligence agencies.”

In addition, the GDPR creates severe difficulties for the use of NSLs by US authorities. US companies will fall within the territorial scope of the GDPR when they offer goods or services to citizens in the EU—regardless of whether payment is required—so even free social media services such as Facebook are included. US companies will also be subject to EU jurisdiction if they monitor the behavior of EU citizens within the EU.49 This will have a number of consequences.

First, NSLs often come with gag orders prohibiting the recipient of the NSL from disclosing their existence. The GDPR, however, introduces higher transparency standards for personal data. Thus, NSLs with a gag order requesting data on EU citizens become difficult due to these transparency rules. Article 14 of the GDPR thus creates a conflict of laws. The article lists the information that the data controller shall provide to the data subject in case personal data are processed that were not obtained directly from the data subject. The information to be provided includes the “purposes of the processing for which the data are intended [and] the legal basis for the processing; the recipients of the data” and, where applicable, that “the controller intends to transfer personal data to a [recipient in a] third country or international” organization.50 Such transparency requirements make gag orders sent by US authorities to EU data subjects infeasible.

Second, Article 23 of the GDPR allows for restrictions to its other provisions. The duty to inform the data subject when the data were accessed for the purpose of criminal or national security investigations can also be restricted. However, such restriction is dependent on the member states or the EU creating a separate legislative measure. In order to protect the secrecy that goes with criminal and national security investigations, we can anticipate that member states will be providing for this exception in their national laws. That means that the scope of the exception, and whether or not this will include foreign law enforcement requests, is left to the member states’ discretion. The relevance for private companies lies in the fines for non-compliance with Article 14 of the GDPR, which requires companies to notify the data subject. Companies that fail to comply with the GDPR risk an administrative fine of up to €20 million or up to 4 percent of the total worldwide annual turnover, whichever is higher. This means that if a US company offering electronic communications in the EU market receives an NSL with a gag order,51 to transfer personal data to a Federal Bureau of Investigation (FBI) field office, the effect of the gag order will depend on the national law of the EU member state in which the US company has its EU headquarters. If such member state’s national law provides for an exception to Article 14 for criminal investigations and national security purposes, the gag order could be upheld. If not, the company would violate the gag order if it informed the data subject to comply with Article 14, thereby facing a fine of up to €20 million or 4 percent of its total worldwide annual turnover.

Implications of Conflicts of Laws

As illustrated above, conflicts of laws create legal uncertainty and confusion for law enforcement and intelligence agencies, whose efforts in collecting cross-border information and intelligence could be blocked. If they proceed, they risk collecting information that would be inadmissible as evidence in a later criminal trial. For those countries that follow the “fruit of the poisonous tree doctrine,”52

49 GDPR, Article 3, §2.
50 Directive (EU) 2016/680, On The Protection Of Natural Persons With Regard To The Processing Of Personal Data By Competent Authorities For The Purposes Of The Prevention, Investigation, Detection Or Prosecution Of Criminal Offences Or The Execution Of Criminal Penalties, And On The Free Movement Of Such Data, And Repealing Council Framework Decision 2008/977/JHA, Official Journal of the European Union, L 119, May 4, 2016.
51 In accordance with 18 USC 2709—which was inserted by the Patriot Act—wire or electronic communications providers have a duty to comply with requests for subscriber information and toll billing records information, or electronic communication transactional records in their custody or possession. These requests can be made by the Director of the FBI as defined by 18 USC 2709. The provision concerns stored data, and not data in transit. This is relevant since the standards for obtaining stored data by the FBI are lower—NSLs do not require judicial review—than they are for data in transit—to be obtained by search warrant.
52 The fruit of the poisonous tree doctrine is a theory on the admissibility of evidence upheld by some EU member states. It means that evidence that infringes on the right to a private life is inadmissible and that all evidence that derived from it is also

all evidence derived from such inadmissible evidence likewise cannot be used in court. This outcome is a waste of time and resources as well as a discouragement for law enforcement and intelligence agencies.

For companies offering goods or services in several countries, conflicting laws may pose an expensive problem. In addition to regulatory fines, which are direct costs, indirect costs include legal expenses and the effect on reputation when the company is taken to court for non-compliance with—for example—a subpoena in one country because it complied with another country’s law. The aforementioned Microsoft case illustrates that such proceedings can take a significant amount of time.

Citizens whose personal data are at the heart of these conflicts might have their data processed in accordance with a law that is contradictory to the law that they know. This can result in unlawful processing from their point of view. In addition, it can be problematic for such individuals to submit a complaint or initiate a proceeding in the country where the unlawful processing took place. For example, the lack of judicial redress for EU citizens under the 1974 US Privacy Act resulted in years of negotiations and ultimately led the US Congress to pass the 2016 Judicial Redress Act.53

Answers to Conflicts of Laws

Ad Hoc Agreements and Adequacy Requirement

Ad hoc agreements, which can resolve conflicts by presenting a hierarchy between conflicting laws and provisions, offer a possible solution. Several agreements were concluded in the past decades between EU and US authorities covering the exchange of personal data, but the EU required the United States to have an adequate level of data protection before any exchange could take place.

After the entry into force of Directive 95/46/EC, any transfer of personal data to a third country had to be preceded by an assessment of the recipient country’s level of data protection. If the level of data protection was not considered adequate, the transfer would not happen unless appropriate safeguards for processing the data were in place.54 Because the US level of data protection was not considered adequate and in order to maintain trade, a compromise was reached consisting of the self-certification system called the Safe Harbor agreement.55 After Safe Harbor’s annulment by the Court of Justice of the EU in 2015,56 the EU-US Privacy Shield replaced it.57

Box 1.1. Is the adequacy requirement a form of extraterritorial application of EU legal provisions on data protection?

In essence, the adequacy requirement attaches a condition to a transfer of personal data in order to protect these data from being processed by a third state’s companies or authorities in a manner that would be considered unlawful under the EU legal framework. Defining extraterritorial application of legal provisions as the interference with another state’s sovereignty, we can state that the adequacy requirement to a certain extent constitutes extraterritorial application. There is an extraterritorial effect since the EU essentially imposes its level of data protection on certain third states. However, the effect is limited; if a third state does not pass the adequacy test, the transfer of data does not happen or appropriate safeguards can be agreed upon. If both parties—the EU member state transferring personal data and the recipient third state that did not pass the adequacy test—agree on such safeguards, there really is no extraterritorial application of EU legal provisions, but rather a bilateral agreement.

Ad hoc agreements can offer a solution for the conflict of laws in the context of a particular transfer of data, but they do not offer general solutions for all data transfers. Examples of ad hoc agreements are the 2012 PNR Agreement58 and the 2010 TFTP Agreement.59 Both these agreements, together

inadmissible. For example if during a house search, a laptop containing criminal information is seized without proper legal authority, this criminal evidence will be inadmissible if the house search was conducted illegally.
53 House Resolution (HR)1428—Judicial Redress Act of 2015, https://www.congress.gov/bill/114th-congress/house-bill/1428.
54 EU Directive, Articles 25 and 26 of Directive 95/46/EC, Data Protection Commissioner, https://www.dataprotection.ie/docs/EU-Directive-95-46-EC-Chapters-3-to-7-Final-Provisions/94.htm.
55 European Commission, Commission Decision, Official Journal, L 215, August 25, 2000.
56 Judgement of the Court (Grand Chamber), Schrems v Data Protection Commissioner, C-362/14, October 6, 2015, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62014CJ0362.
57 Commission Implementing Decision (EU) 2016/1250, On the Adequacy of the Protection Provided by the EU-US Privacy Shield, Official Journal, L 207, August 1, 2016.
58 Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, Official Journal, L 215, August 11, 2012.
59 Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, Official Journal, L 195, July 27, 2010.

A robotic tape library used for mass storage of digital data is pictured at
the Konrad-Zuse Centre for applied
mathematics and computer science (ZIB), in Berlin. Photo credit:
Reuters/Thomas Peter.

with the 2003 EU-US mutual legal assistance agreement,60 the 2002 Europol-US Agreement,61 and the 2006 Eurojust-US Agreement,62 were complemented with the 2016 agreement between the United States and the EU on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offenses.63 This “Umbrella Agreement” offers a “superstructure” to the prior agreements, consisting of a set of safeguards protecting data exchanged under the terms of the agreements. Most importantly, the European Commission made the signing of the Umbrella Agreement dependent on the adoption of the US Judicial Redress Act.64 The latter expands the scope of the 1974 Privacy Act to non-US citizens, allowing them to challenge the processing of their personal data by US authorities via court redress.

Supervision by Courts and Supervisory Authorities

The aforementioned Microsoft case shows that judges, at times, rely on laws that were adopted decades ago, when a global communication infrastructure and cloud service providers were not envisioned by the legislator. Today, judges should interpret such laws and are faced with new questions on the extraterritorial obtaining of data. Supervisory authorities will also continue to play a

60 Official Journal of the European Union, L 181, July 19, 2003.
61 Supplemental Agreement between the Europol Police Office and the United States of America on the exchange of personal data and related information, December 20, 2002 (not published in the Official Journal).
62 Agreement between Eurojust and the United States of America, November 6, 2006 (not published in the Official Journal).
63 Agreement on mutual legal assistance between the European Union and the United States of America, Official Journal of the European Union, L 336, December 10, 2016, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:336:FULL.
64 House Resolution 1428—Judicial Redress Act of 2015, February 1, 2016, https://www.congress.gov/bill/114th-congress/house-bill/1428.

role in how data transfers work in practice under the GDPR. They will continue to advise national parliaments and governments on legislative and administrative measures related to personal data processing, promote awareness of data controllers and processors of their obligations, handle complaints, and ensure consistent application and enforcement of the GDPR.

International Guidelines

The OECD guidelines described earlier are the only non-binding rules that explicitly refer to potential conflicts of data protection and privacy laws. Even though it was of essential importance that the expert group charged with developing the OECD guidelines paid attention to the issue, no detailed solution was offered. Rather, the guidelines recommend that countries work toward their own solutions. Nevertheless, the expert group mentioned a few possible solutions in the explanatory note to the guidelines.65 Two of the solutions suggested by the expert group are highlighted here.

The expert group, first of all, stated that identifying one or more connecting factors that, at best, indicate one applicable law, is one way of approaching the issue. Connecting factors would have to be multiple and precise. Left imprecise, they would not solve the issues described earlier, for example, in the Microsoft case.66

A second indication offered by the expert group is to make a distinct choice for the law offering the best protection of personal data. As much as this could be a morally valuable criterion, the question is: how does one define “best protection”? When considering systems like those of the United States and the EU, where protections take different forms, the criterion of best protection could be defined only by means of general requirements including the presence of supervisory authorities, judicial complaint mechanisms, transparency, etc. Using general requirements for deciding on the most protective system defies the purpose, because both countries will fulfill the requirements—e.g., the presence of supervisory authorities—but with their own version of them.

Mutual Legal Assistance

Why do countries rely on tools involving direct access, extraterritorial subpoenas, and warrants when a request-based cooperation mechanism—based on mutual legal assistance treaties—has been in place for several decades? Mutual legal assistance in criminal matters no longer seems to be part of the narrative. Mutual legal assistance has the reputation of being slow and leaves substantial discretion to the state receiving the request in finding grounds for refusing the request.67 In addition, mutual legal assistance requests are linked to a specific criminal investigation, leaving no chance for a bulk transfer of data.68

Could the solution to these difficulties lie in one expanded mutual legal assistance treaty? The idea is not that far-fetched and was even raised in the aforementioned Microsoft case,69 but it would require significant investments in speeding up the system of mutual legal assistance requests. Investments would be needed in creating new legal provisions on allowing direct and secure communication between authorities from different countries but also in human resources to handle mutual assistance requests. One suggestion that lies along the same line of reasoning is expanding the CoE Cybercrime Convention70 to include more types of criminal offenses.71

Recommendations

As described above, national rather than regional laws are the primary binding legal instruments for data protection and criminal or national security investigations.

Traditionally, ad hoc agreements have been used in an attempt to bridge conflicts of laws, but they have triggered difficult and protracted negotiations, leaving the parties and affected citizens in legal uncertainty for quite some time. Likewise, the existing mutual legal assistance mechanisms are unpopular since they do not bring quick results in a context where fast responses are essential. There are possible alternatives, however, which include the following:

65 OECD, “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” 2013, “Explanatory Memorandum,” http://www.oecd.org/sti/ieconomy/privacy.htm.
66 Data controlled by Microsoft as a US company but sitting on a server located in Ireland have a clear connection with both the United States (data controller) and Ireland (data location). Thus, more precise connecting factors than data control or location are necessary in order to decide on one country’s law.
67 See also Jennifer Daskal, “The Un-Territoriality of Data,” Yale Law Journal, 125 (2015): 393.
68 The latter has been at the heart of PNR data and the TFTP Agreement discussions, due to the EU’s “necessity” and “proportionality” requirements.
69 Brief for Appellant, 16, In re Warrant to Search a certain E-mail Account Controlled & Maintained by Microsoft Corp., No. 14-2985-CV, (2d Circuit, December 8, 2014).
70 Council of Europe, Convention on Cybercrime, Articles 17-18, ETS No. 185, November 23, 2001.
71 Jennifer Daskal, “The Un-Territoriality of Data,” Yale Law Journal, 125 (2015): 394.
• Create a variation to request-based cooperation that functions in a more efficient and effective way. This would mean that responding to requests for personal data from other countries would become more automatic; however, this type of arrangement implies some form of “blind” recognition of other countries’ national security and data protection regimes. The EU mutual recognition system demonstrates that such a system may fail when mutual trust among participating countries is deficient.

• Create international guidelines with a list of criteria for determining which law applies when a conflict of laws emerges. International guidelines seem feasible and attainable using the OECD guidelines as a benchmark. These guidelines should allow personal data located abroad to be obtained fast, efficiently, and most importantly, with due protection for the data subject’s rights.

    ·· Such criteria should be established either at a supranational level—i.e., by an authority that either has the competence to legislate in a manner that legally binds the participating countries—or by means of an agreement that is ratified by countries. In the latter option, countries would commit themselves to complying with these criteria in handling extraterritorial data requests for the purpose of criminal investigations and national security investigations. An example could be taken from Article 32 of the Cybercrime Convention, but the guidance would need to be more specific with respect to consent.

    ·· Given the challenges of supranational fora, such as the EU, for regulating criminal and national security matters, a non-binding set of criteria may be a good option. Drawing on the adequacy decisions under Article 45 of the GDPR, the criteria should include, at a minimum, effective and enforceable data subject rights; effective administrative and judicial redress for data subjects; and one or more independent and effective supervisory authorities.72

Conclusion

The exponentially expanding volume of digital data creates new challenges for criminal and national security investigations. There is a tension between the need for digital data for the purpose of such investigations and the need to respect a country’s sovereignty in order to protect the privacy of its citizens. Any solution to these challenges will also have to take into account the speed with which data are needed for the purpose of a criminal or national security investigation and the fact that the data might be hard to locate.

72 GDPR, Article 45.


CHAPTER 2

Big Data: Exposing the Risks from Within

Erica J. Briscoe
Chief Scientist, ATAS Laboratory, Georgia Tech Research Institute

A critical element in any institution is the existence of a trusting environment, which allows people to interact with one another without fear of adverse effects either on their professional or personal lives. Preservation of trust, however, is challenging. The rising number of threats to cybersecurity, fueled by an increasing reliance on data-driven devices, is coupled with a growing unease about the power that overseers tasked with ensuring that security (both corporate and government) possess as a result of their access. When taken in context with several high-profile cases of espionage, intellectual property (IP) theft, and workplace violence, both the private and public sectors are faced with a common challenge: How can institutions leverage technology to decrease their risks, especially those that involve malicious human behavior (such as insider threats)? This question cannot be answered without a careful consideration of how technology solutions affect those involved. How can these institutions minimize their vulnerability to threats, while maintaining an ethical, legal, and privacy-respecting environment? While there are no easy answers to these questions, recent research and security programs have shed some light on how a balance may be achieved, through a combination of technology and policy-driven solutions. Regardless of the responses devised to suffice today, given our increasingly automated world, institutions and the public will likely need to revisit this question continuously, ideally informed by both shared experiences and evolving research into human behavior.

Trust in Public and Private Sectors


The general concept of trust is not only complex, but its manifestation and characterization depend highly on the participating parties and the specific context in which trust exists. Whether considering individuals, governments, or machines (and all combinations thereof), there are several critical components73 of trust. The first is that trust is made necessary

73 Christel Lane and Reinhard Bachmann, eds., Trust within and between organizations: Conceptual issues and empirical applications (New York: Oxford University Press, 1998).
when one party’s actions are consequential or require cooperation with another. The second is that relationships require risk (e.g., that a vendor will fulfill an order on time), which trust is used to mitigate. The third is that working together requires parties to become vulnerable, where trust ensures that one party does not take advantage of the other’s vulnerability. Though these aspects are usually unavoidable, trust does not mean that an organization or entity must necessarily give their partners unrestricted access to information and sensitive resources; rather, successful institutional trust usually resides in a (sometimes delicate) balance between adequate security controls and acceptable risk. This balance is not static or well-defined, but requires comprehensive approaches that allow an organization to dynamically perform identity management and access controls, as well as flexible governance coupled with education and empowerment.

Though it is widely accepted that organizations require trust, each may engender different types, either intentionally or inadvertently. Lewicki and Bunker74 outline three types of trust that are commonly found in work environments. Deterrence-based trust, as it uses reprisal to deter undesired behavior, is the most explicit and fitting for new institutional relationships or for those in an environment with low levels of information control. This type is often imposed through government agency or corporate policies, where the consequences for violations are clear and able to be imposed.

Knowledge-based trust requires that the involved parties have enough familiarity to be able to predict one another’s behavior. This predictability reinforces the trust over time. Interestingly, even if one party is consistently untrustworthy (e.g., an employee often fails to clock in on time though there is an explicit policy that employees must be on time), the predictability of this behavior substantiates trust (in the belief that he will always be late). This type of trust may be relevant to organizational security in many aspects. Certain violations (such as being late to work) may serve as poor indicators of a person’s malicious character (or lack of trustworthiness) if that behavior is consistently inconsistent (as later discussed relevant to detecting insider threats that behave anomalously). Changes in predictability (where behavior is increasingly anomalous) are a potential red flag for diminishing trustworthiness.

The last type, identification-based trust, involves one party acting as an agent for the other, serving as a substitute for that entity in interpersonal transactions. Trust of this type takes time and effort to build and often results in the most surprising and devastating responses when broken. Something akin to this type of trust is found in the relationships between the federal government and its contractors, who are often seen as acting on behalf of the government; however, rather than having that bond built through time and dedication, the trust is derived from intensive security screens and usually coupled with deterrence-based methods (which are questionably reliable given the recent high-profile security breaches, for example).75

Building a Trusted Environment

Early in 2013, President Barack Obama issued an executive order titled “Improving Critical Infrastructure Cybersecurity”76 describing the need for the development of a voluntary cybersecurity framework to manage cybersecurity risks associated with critical infrastructure services. This order was the federal government’s acknowledgement of the extreme vulnerability of many of the country’s critical systems, as well as a call for organizations to develop and instantiate processes that effectively maximize and maintain trust within and between organizations.

The president’s acknowledgement of cybersecurity risks coincides with a seemingly universal interest in harnessing the power of big data, that is, the ability to derive insights from the huge amount of information generated by the many computing devices that are used every day. Though the threats to information systems take familiar forms, including common criminals, disgruntled employees, terrorists, and dishonest business partners, potential indicators of these threats may be increasingly determined by recent developments in high-performance computing, machine learning, and new analytic techniques that leverage this large-scale data collection. This utilization, in addition to the increasing sophistication of potential threats, is feeding a common realization that traditional reliance on information technology (IT) specialists alone cannot protect an enterprise from malicious behavior. Organizations must focus not only on common technological solutions (such as password change policies), but also on leveraging advances in computationally driven methods that benefit

74 Roy Lewicki and Barbara Bunker, “Developing and maintaining trust in work relationships,” in Roderick Kramer and Tom Tyler, eds., Trust in organizations: Frontiers of theory and research (Newbury Park, CA: SAGE Publications, 1995), 114–139.
75 Ellen Nakashima, Matt Zapotosky, and John Woodrow Cox, “NSA contractor charged with stealing top secret data,” Washington Post, October 5, 2016, https://www.washingtonpost.com/world/national-security/government-contractor-arrested-for-stealing-top-secret-data/2016/10/05/99eeb62a-8b19-11e6-875e-2c1bfe943b66_story.html.
76 White House, “Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091,” February 12, 2013, http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.
Passengers watch a television screen broadcasting news on Edward Snowden, a contractor at the National Security Agency (NSA), on a train in Hong Kong June 14, 2013. Photo credit: Reuters/Bobby Yip.

from the wealth of information that is produced by modern computing systems, both at the individual and network level. Additionally, most security experts agree that a comprehensive approach that integrates best practices across policy, technology, and people while building secure, transparent relationships is a necessary and effective security strategy.

Policies and Privacy

The extent to which an employer may monitor employees is dependent on a number of factors, including the ownership of the information systems, “what the state’s laws and employer’s policies are, what the employee’s objective expectations of privacy are,” where the employee is physically located, and “whether the employer has a legitimate interest in viewing the communication.”77 Protection of employee privacy has become a popular topic, which can be broadly classified into three types: statutes restricting unauthorized access or monitoring of data; health-related information (the Genetic Information Nondiscrimination Act, the Americans with Disabilities Act, the Family and Medical Leave Act, the Health Insurance Portability and Accountability Act); and statutes protecting personally identifiable information (PII), such as identity theft statutes, the Fair and Accurate Credit Transactions Act, and state data breach laws.78 With the blending of work and personal lives (such as on social media) and increasing efforts to improve employee home and work life balance (e.g., by allowing employees to work from home), these issues are becoming more complex and salient.79

77 “The Generation Gap...Tell me about it!” The Creative Network, Inc., accessed April 4, 2017, http://creativenetworkinc.com/blog/blog1.php.
78 Karen McGinnis, “The Ever Expanding Scope of Employee Privacy Protections,” ACC Charlotte Chapter Q4 2014 Newsletter, December 2014, http://www.mvalaw.com/news-publications-373.html.
79 “The Generation Gap...Tell me about it!”.
Table 2.1: Identified Insider Threat Types and Their Associated Behavior and Related Indicators.

Threat Behavior | Associated Activities | Behavioral Indicators
Espionage | Contact with foreigners; Security violations; Mishandling of sensitive information | Email, texting, social media; Unauthorized access attempts, sharing passwords; Unauthorized copying/downloading
Fraud | Theft of financial information; Modification of sensitive information | Unauthorized copying/downloading; Stress indicators, e.g., from financial hardship
Sabotage | Destruction or modification of sensitive information or software that will have detrimental results | Unauthorized access; Communications exhibiting unprofessional behavior or grievances; Stress indicators, such as from anger/resentment
IP Theft | Transmission of sensitive information; Unjustified access to IP | Unauthorized copying/downloading; Unauthorized access attempts; Foreign or competitor contacts
Expectations on the type or level of trust and privacy may be set or influenced by explicitly stated policies (at the government agency or corporate level) and laws (at the state and federal level). Often these policies run up against privacy issues, where data collected on employees meant to ensure cybersecurity, for example, may not coincide with an individual’s expectations of privacy. These issues are becoming more and more relevant as the world sees an explosion of “smart” devices. The prevalence of these devices allows for a much greater ability to see into the lives and behaviors of citizens and employees. At the extreme, the situation has become a case of big brother meeting big data, where, for example, China’s use of the “Sesame Credit” scoring system means that all aspects of a citizen’s life may be evaluated to determine his or her trustworthiness by keeping track of individuals’ financial and consumer data.80 Additionally, formal government agency or corporate policies that require employees to sign consent to monitoring as a condition of employment may set the tone of an environment of mistrust from the beginning of an employee’s tenure at an organization. This impression, along with the anxiety that arises from an employee being aware that he is under constant surveillance, may be a catalyst for subversive and malicious behavior.

Insider Threats

Perhaps the most devastating case of a breakdown in trust occurs when an individual, who is part of an organization, uses his or her access for activities that are detrimental to that organization. These insider threats are often described as current or former employees or trusted partners within an organization that abuse (or have the potential to abuse) their authorized access to the organization’s system.81 As found in a recent survey conducted by CSO magazine, the US Secret Service, PricewaterhouseCoopers, and the Software Engineering Institute CERT, around 30 percent of electronic attacks on both public and private organizations came from the inside.82

80 Celia Hatton, “China ‘social credit,’ Beijing sets up huge system,” BBC News, October 2015, http://www.bbc.com/news/world-asia-china-34592186.
81 Jeffrey Hunker and Christian W. Probst, “Insiders and Insider Threats-An Overview of Definitions and Mitigation Techniques,” Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 2011.
82 Roger Parloff, “Spy Tech That Reads Your Mind,” Fortune, June 30, 2016, fortune.com/insider-threats-email-scout.
Table 2.2: Example of Notable Insider Threat Cases

Insider Threat Case | Incident Type | Case Description | Threat Indicators
Xiang Dong Yu | IP Theft | In 2006, Yu, a product engineer for the Ford Motor Company with access to Ford trade secrets, accepted a new job at a Beijing-based automotive company that was a direct competitor of Ford. Before resigning, Yu copied 4,000 system design documents onto an external hard drive, which he later copied onto his new employer’s computer.a | Email, texting, social media; Unauthorized access attempts, sharing passwords; Unauthorized copying/downloading
Tim Lloyd | Sabotage | In 1996, after being told he was fired, Lloyd planted a software “time bomb” in a server at Omega Engineering’s Bridgeport, NJ, manufacturing plant. “The software destroyed the programs that ran the company’s manufacturing machines, costing Omega more than $10 million in losses.”b | Unauthorized copying/downloading; Stress indicators, e.g., from financial hardship
William Sullivan | Fraud | Discovered in 2007, Sullivan stole 2.3 million bank and credit card records from his employer, Certegy, a check processing company, including names, addresses, phone numbers, birth dates, and bank account information to sell.c | Unauthorized access; Communications exhibiting unprofessional behavior or grievances; Stress indicators, such as from anger/resentment
Edward Snowden | Espionage | Snowden worked as a US National Security Agency contractor who, in 2013, leaked a trove of documents about top-secret surveillance programs. He has been charged “in the United States with theft of government property, unauthorized communication of national defense information, and willful communication of classified [communications] intelligence.”d | Unauthorized copying, downloading
a. US Attorney’s Office, Eastern District of Michigan, “Chinese national sentenced for stealing ford trade secrets,” April 12, 2011, https://archives.fbi.gov/archives/detroit/press-releases/2011/de041211.htm.
b. Sharon Gaudin, “Computer sabotage verdict set aside,” Computer World, July 12, 2000, http://www.computerworld.com/article/2596062/networking/computer-sabotage-verdict-set-aside.html.
c. Reuters, “Guilty plea in fidelity Nat’l data theft case,” November 29, 2007, http://www.reuters.com/article/certegy-theft-idUSN2933291420071129.
d. Peter Finn and Sari Horwitz, “U.S. charges Snowden with espionage,” Washington Post, June 21, 2014, https://www.washingtonpost.com/world/national-security/us-charges-snowden-with-espionage/2013/06/21/507497d8-dab1-11e2-a016-92547bf094cc_story.html.

The difficulties in preventing, detecting, and countering insider threats are an increasingly major task for information security professionals, highlighted most prominently in the United States by Edward Snowden’s actions involved with leaking National Security Agency data. With the collection and analysis of big data, especially through corporate insider threat programs, it is likely that the prevention and detection of malicious activities are much more feasible than previously possible; however, with this potential, there remain many questions and areas for further research.83 Advancement in this area is also met by multiple challenges, many arising from the difficulty in balancing expectations of privacy while maintaining a trust-maximizing environment.

Types of Insider Threats and Behavior

Based on the analysis of historical cases, several descriptive taxonomies have been developed to describe insider malicious activities. For example,

83 Carly L. Huth, David W. Chadwick, William R. Claycomb, and Ilsun You, “Guest
editorial: A brief overview of data leakage and
insider threats,” Information Systems Frontiers 15, 2013.
Phyo and Furnell’s taxonomy84 is based on the level(s) of information systems in which each type of incident may be detected or monitored. Internet-based activities are classified at the network level, while theft of sensitive information occurs at the operating system level. Nefarious interactions between users exist at the application level. This type of breakdown may be useful for creating a security strategy that applies to each level. Table 2.1 presents an overview of the most common types of insider threat behavior and the associated activities and indicators with each.

While much attention has been given to prominent insider threat cases (see table 2.2), these individuals exemplify the rarest type of threat, that which results from intentional, directed malicious behavior. These malicious insiders possess the greatest potential to cause significant harm to an organization, especially because they are likely to try to hide or cover up their behavior, making them more difficult to detect. Exploited insiders are those who may be vulnerable to the influence of outside parties, such as through social engineering (the intentional social manipulation of individuals by adversarial actors to acquire confidential or personal information) or targeted spear phishing campaigns. Careless insiders are irresponsible with regard to security, and their accidental behavior may have detrimental consequences.85

Motivation and Indications for Insider Threats

Careless and exploited insiders are not malicious; rather, their actions result from lack of awareness, naivety, or lax security precautions. Malicious insiders are a much more thoroughly researched group, as they pose the greatest danger to organizations and often have complicated factors contributing to their behavior. Of course, the infrequency of these events makes it difficult to develop scientific studies into the variety of motivations for such behavior; however, case studies86 show that analyzing individual psycho-social motivations and the developmental histories of formerly trusted insiders can lead to better insight into security vulnerabilities and preventative strategies.

Based on historical cases, Shaw et al.87 suggest six personal qualities that may contribute to malicious insider behavior:

• “False sense of entitlement” or a “lack of acknowledgement” causing a “desire for revenge”
• “Personal and social frustrations, anger, alienation, dislike of authority and an inclination for revenge”
• Computer-focused, aggressive loners, intrinsically rewarded by exploring networks, code breaking, and hacking
• “Ethical flexibility lacking moral inhibitions that would normally prevent malicious” behavior
• “Reduced loyalty identifying more with their” job or tasks than with their employer
• “Lack of empathy or inability to appreciate the impact” of behavior on others

The motivations behind insider threat behavior differ according to the specific individuals and their particular circumstances. For example, the motivation for committing fraud may be more commonly due to financial reasons,88 while espionage may be committed for ideological or narcissistic reasons. A common pattern for insider activity is that “attacks are typically preceded by high rates of stressful events including work-related and personal events,” such as following employment suspension or termination.89 Despite known patterns, many insider activities are discovered but never made public, in order for organizations to avoid any detrimental effect on their reputational or perceived security practices.

84 William Cheswick, Steven M. Bellovin, and Aviel D. Rubin, Firewalls and Internet Security: Repelling the Wily Hacker (Boston: Addison-Wesley Longman Publishing Co., 2003).
85 Russell Miller and Merritt Maxim, “I have to Trust someone…Don’t I?,” CA Technologies, 2015.
86 Stephen Band, Dawn M. Cappelli, Lynn F. Fischer, Andrew P. Moore, Eric D. Shaw, and Randall F. Trzeciak, “Comparing insider IT sabotage and espionage: A model-based analysis,” (Pittsburgh, PA: Carnegie Mellon University, 2005).
87 Eric D. Shaw, Jerrold M. Post, and Kevin G. Ruby, “Inside the Mind of the Insider,” Security Management 43, 1999.
88 Adam Cummings, Todd Lewellen, David McIntire, Andrew P. Moore, and Randall Trzeciak, “Insider threat study: Illicit cyber activity involving fraud in the US financial services sector,” (Pittsburgh, PA: Carnegie Mellon University, 2005).
89 Stephen Band, Dawn M. Cappelli, Lynn F. Fischer, Andrew P. Moore, Eric D. Shaw, and Randall F. Trzeciak, “Comparing insider IT sabotage and espionage: A model-based analysis,” No. CMU/SEI-2006-TR-026, Carnegie-Mellon University, Software Engineering Inst, 2006; Andrew P. Moore, Dawn M. Cappelli, and Randall F. Trzeciak, “The “big picture” of insider IT sabotage across US critical infrastructures,” in Insider Attack and Cyber Security (Santa Clara, CA: Springer-Verlag TELOS, 2008), 17-52.
Insider Threat Detection and Prevention

Security measures, such as data-loss prevention software, database activity, and network traffic monitoring programs, as well as security information event management systems, provide organizations with basic defenses, but do not much help to identify and prevent damage from insider threats. Although enterprise-wide defenses are becoming more sophisticated, the human aspect of security remains a weak link. A study of insider threat cases by the Computer Emergency Response Team (CERT) Insider Threat Center, a federally funded research and development entity at Carnegie Mellon University, found that 27 percent of insiders who became threats had drawn the attention of a co-worker because of his/her behavior prior to the incident.90 These reports provide good support for the development of methods and systems that monitor individuals’ behavior to detect and alert security professionals when their behavior first becomes detrimental or otherwise abnormal.

The benefit of focusing on user behavior has recently resulted in the incorporation of user behavior-focused methods as a critical component of many current enterprise systems that work to maximize cybersecurity. This often involves applications that monitor user behavior across multiple networks.91 For example, users’ computers may run an application that collects behavioral traces, which are then batched and sent to a central server to be processed at specified intervals (usually daily). The central server will also correlate and fuse information to create risk scores, which are more easily visualized and communicated to non-expert users, such as the managers who must assess the threat on a personal level.

Technical approaches for the continuous monitoring of insider behavior vary. The most straightforward method involves the direct identification of malicious activity, using what is referred to as rule-based detection, where observed events are matched against known models of threatening behavior. For example, a known threatening behavior may be the activities associated with a user accessing files that are outside of his security clearance level. While these approaches are likely to result in accurate detections, they require precise identification of the behaviors, which means that only previously known types of attacks will be detected.

Another clever approach that is relatively straightforward is through the use of honeypots. A honeypot is some type of digital asset (such as a file) that is put on a network specifically so that it can be monitored. Because the honeypot has been created to test for malicious behavior, no users should have a legitimate use for it (though it is often made to look attractive to would-be threats). This means that any interaction with the honeypot, such as a rogue user accessing it, is, by definition, suspect.

A group of much more computationally sophisticated methods use anomaly detection, which focuses on discovering rare activities within a large corpus of observation data. When considered from the perspective of an organization, the vast majority of user activities are normal and the insider threat actions are outliers.92 Within the outlier set, insider threat activities represent an even smaller set of actions; the task is then identifying this subset of outlier actions.93 At best, a successful insider threat detection capability would result in the identification of the actions that correspond to truly threatening behavior, but given the inherent ambiguity in determining threatening behavior, an intermediate success is the paring down of the dataset so that a human may reasonably comprehend it.94 A successfully implemented system would allow, for example, security personnel to produce a report that would show which employees in the organization were the most anomalous or even disgruntled,95 which may, in turn, provide an opportunity for early intervention or an increase in security measures.

Anomaly detection approaches usually require three components. First, information that represents “normal” behavior must be collected and stored. This could be employees’ daily logs on activity or file accesses, for example. This information becomes the training data on which behavioral norms are modeled using a variety of machine-learning approaches, such as Markov models, support vector machines, or neural networks. Once these models of normal behavior are created (and, ideally, frequently updated), each individual’s regular activity is monitored and compared against the model to determine if significant deviation occurs, which

90 Marisa Randazzo, Michelle Keeney, Eileen Kowalski, Dawn Cappelli, and Andrew Moore, Insider threat study: Illicit cyber activity in the banking and finance sector, No. CMU/SEI-2004-TR-021, Carnegie-Mellon University, Software Engineering Institute, 2005.
91 Splunk, “Machine Learning Reveals Insider Threats,” last accessed March 20, 2017, https://www.splunk.com/en_us/products/premium-solutions/user-behavior-analytics/insider-threats.html.
92 David B. Skillicorn, “Computational approaches to suspicion in adversarial settings,” Information Systems Frontiers 13, 2011.
93 Rudolph L. Mappus and Erica Briscoe, “Layered behavioral trace modeling for threat detection,” International Conference on Intelligence and Security Informatics, 2013.
94 Scott Shane and David E. Sanger, “N.S.A. suspect is a hoarder. But a leaker? Investigators aren’t sure,” New York Times, October 6, 2016, http://www.nytimes.com/2016/10/07/us/politics/nsa-suspect-is-a-hoarder-but-a-leaker-investigators-arent-sure.html.
95 Roger Parloff, “Spy tech that reads your mind.”

Table 2.3: Example Anomaly Detection Methods with Associated Elements

Method Elements                     Method 1                                   Method 2
Method Type                         Cross-sectional                            Temporal
Entity Comparison                   Individual user                            Users
Baseline Population                 All users / groups                         Users
Baseline Feature(s)                 Number of emails per day                   URLs visited each day
Baseline Feature(s) Distribution    Normal (mu, sigma)                         Vector of URL counts
Baseline Time Period                N/A                                        Last six months
Degree of Difference                Number of standard deviations from mean    Vector distance
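
The two methods of Table 2.3, as an added Python example that is not code from the report. The user names, counts, `.example` domains, both thresholds, the leave-one-out peer baseline and the use of cosine distance as the "vector distance" are assumptions made for illustration.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data (not from the report): one day's e-mail counts per user.
EMAILS_PER_DAY = {
    "alice": 42, "bob": 38, "carol": 45, "dave": 40,
    "erin": 41, "frank": 39, "grace": 44, "heidi": 210,
}

# Constructed URL visit counts: six-month baseline vs. the most recent day.
BASELINE_URLS = {
    "alice": Counter({"intranet.example": 300, "mail.example": 250, "wiki.example": 120}),
    "bob": Counter({"intranet.example": 280, "mail.example": 200, "wiki.example": 90}),
}
RECENT_URLS = {
    "alice": Counter({"intranet.example": 12, "mail.example": 11, "wiki.example": 4}),
    "bob": Counter({"intranet.example": 3, "fileshare.example": 40, "jobs.example": 25}),
}


def zscores(feature_by_user, leave_one_out=True):
    """Method 1 (cross-sectional): standard deviations from the peer mean.

    With leave_one_out=True each user is scored against the *other* users, so
    one extreme value cannot inflate the baseline it is compared with.
    """
    scores = {}
    for user, value in feature_by_user.items():
        peers = [v for u, v in feature_by_user.items()
                 if not (leave_one_out and u == user)]
        if not peers:  # a single user has no peers to compare against
            scores[user] = 0.0
            continue
        mu, sigma = mean(peers), pstdev(peers)
        if sigma == 0:  # identical peers: any difference is unbounded
            scores[user] = 0.0 if value == mu else math.copysign(math.inf, value - mu)
        else:
            scores[user] = (value - mu) / sigma
    return scores


def cross_sectional_outliers(feature_by_user, threshold=3.0):
    """Users whose feature lies more than `threshold` sigmas from their peers."""
    return sorted(u for u, z in zscores(feature_by_user).items() if abs(z) > threshold)


def cosine_distance(a, b):
    """1 - cosine similarity between two sparse count vectors (dict-like)."""
    norm_a = math.sqrt(sum(c * c for c in a.values()))
    norm_b = math.sqrt(sum(c * c for c in b.values()))
    if norm_a == 0 or norm_b == 0:
        # Two empty vectors are identical; empty vs. non-empty is maximally different.
        return 0.0 if norm_a == norm_b else 1.0
    dot = sum(count * b.get(url, 0) for url, count in a.items())
    return 1.0 - dot / (norm_a * norm_b)


def temporal_outliers(baseline, recent, threshold=0.5):
    """Method 2 (temporal): each user compared with his or her own history.

    Cosine distance ignores overall volume, so a quiet day with the usual
    mix of sites scores near 0 while a change in *which* sites scores near 1.
    """
    return sorted(
        user for user, past in baseline.items()
        if cosine_distance(past, recent.get(user, {})) > threshold
    )


def review_queue():
    """Users for a human analyst to review, with the method that flagged each."""
    queue = {}
    for user in cross_sectional_outliers(EMAILS_PER_DAY):
        queue.setdefault(user, []).append("email volume vs. peers")
    for user in temporal_outliers(BASELINE_URLS, RECENT_URLS):
        queue.setdefault(user, []).append("URL mix vs. own baseline")
    return queue


if __name__ == "__main__":
    for user, reasons in review_queue().items():
        print(user, reasons)
```

Scoring against all eight users at once gives the heaviest sender a z-score below 3, because that one value inflates the standard deviation; the leave-one-out baseline avoids this masking effect.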

may trigger an alert, for example, to signal a human supervisor for further investigation. Table 2.3 outlines two examples of anomaly detection methods and their distinguishing elements. Method one determines the difference in email volume between an individual user and his or her peers at one point in time compared to their average behavior over the past year. Method two compares the previous Internet activity (by creating lists of websites visited) of each user with more recent activity of that user. The primary difference between the two methods is that method one determines anomalies by comparing users to other users, while method two evaluates how a particular user changes his or her behavior over time. Comprehensive approaches that include this type of variability in methods are necessary for catching the variety of potentially malicious anomalies that may occur.

Though these detection methods usually focus on detecting deviations in normal computer usage activity, early detection methods may also concentrate on finding more subtle changes in user behavior that arise from either personal stress (which may be the motivation for becoming a threat) or the stress associated with a user knowingly committing an illegal act. The variability in a person’s response to stress depends on various factors, including individual differences and the situation in which that response takes place. The effect of stress on performance can be seen as a continuum, ranging from no effect to a significant degradation in performance (e.g., the person makes errors or inadequately slow responses). This resulting change in behavior due to stress is another potential source for anomaly detection methods. Additionally, though most anomaly detection systems currently concentrate on passive detection of these types of indicators or “tells,” new government research is evaluating whether these passive detectors can be combined with active indicators—those that arise from specific, intentional stimuli.96

While corporations are usually limited to user data collected while their employees are on corporate-owned devices, recent government employee insider threat incidents have emphasized the need to incorporate external data sources as well. This need is exacerbated by the potential detrimental effects that these employees can have with their access to highly classified information. While these workers are required to undergo fairly intensive background checks of both their financial and private lives, notable recent cases, such as that of Aaron Alexis, a former Navy reservist and military contractor who killed twelve people at the Washington Navy Yard in 2013, highlight the potential inadequacy of traditional background checks and lack of agency coordination. Former Director of National Intelligence James Clapper told Congress that what is needed is a “system of continuous evaluation where when someone is in the system and they are cleared initially, then we have a way of monitoring their behavior, both their electronic behavior on the job as well as off the job.”97 This type of employee monitoring system might access multiple data sources in an attempt to discover patterns of suspicious behavior not caught by traditional background checks, which may be appropriate given the potential vulnerabilities for national security but seem much too invasive for ordinary citizens and employees. Examples of external sources include “private credit agencies, law enforcement databases and threat lists, military and other government records, licenses, data services

96 GCN Staff, “IARPA preps insider threat monitoring projects,” GCN, March 19, 2015, https://gcn.com/articles/2015/03/19/iarpa-scite-insider-threat.aspx.
97 Stephen Braun, “U.S. intelligence officials to monitor federal employees with security clearances,” PBS News Hour, March 10, 2014, http://www.pbs.org/newshour/rundown/us-intelligence-officials-monitor-federal-employees-security-clearances/.

and public record repositories,”98 and social media, in addition to potential electronic surveillance.

Challenges

Regardless of the type or number of sources used, there are several challenges to using analytic methods to detect insider threats.99 Of course, most malicious insiders do not wish to be detected; therefore, they try to hide their detrimental actions by concealing them within legitimate activity. This concealment makes detection much more difficult even for advanced anomaly detectors. Most algorithmic approaches also require training data, which consist of labeled cases of both known “normal” and nefarious behavior; however, the collection of these sets is difficult due to the rarity of cases and the reluctance of government agencies and companies to share information regarding their identified vulnerabilities. In application, the ratio of “bad” to “good” users in an organization is extremely low, which makes for few opportunities to test the effectiveness of implemented approaches. Given a large number of employees and multiple data sources, reducing a mass amount of information down to simplistic measures, such as risk scores, may still result in too much information for a person to process, making continuous monitoring ineffective.

Preventative Measures

While insider threat detection programs are growing more sophisticated, so should approaches that concentrate on the individual before he or she starts down the criminal path. These techniques probably best address the careless and exploited threat types, but may also deter malicious insiders by increasing the visibility of an organization’s security presence. Increasingly, effort is invested in the development of security awareness and risk communication programs to raise computer users’ awareness about practicing safe habits and recognizing security threats. Communications usually take five forms: warning dialogues, notices, status indicators, training, and corporate policies. These programs may also be informed by massive data analytics, usually through large-scale testing and analysis that helps to pinpoint who the most vulnerable users are.

Because malicious attacks can take many forms, so must preventative training. A growing body of research shows that there are several useful factors to a successful security awareness campaign. As one example, studies show that highly self-referencing messaging, such as those using wording that focuses on the specific individual or their personal data, is more effective than appealing to the community or corporation. A message “Protect your personal data by changing your password every month” is likely to be more effective than “IT policy requires a password change to increase cybersecurity.” Also, research demonstrates that perceived threat severity can have a negative impact on self-efficacy, which is the belief that one is capable of taking effective actions to avoid the threat. These findings suggest that security messages should include references to the user and information to increase self-efficacy beliefs.

Evaluation of the effectiveness of security awareness campaigns often takes the form of mimicked attacks initiated by security management. Subsequent security awareness messages after these “tests” are likely to be particularly effective, as users are immediately made aware of their risky behavior. With precise test construction, it is possible to ascertain exactly what attack methods are likely to result in security breaches.100 This information, along with observed user responses, can then be used to target future messaging, campaigns, and/or training. This is more nuanced than merely understanding what types of threats people are more likely to succumb to, but which characteristics of those threats influence the users’ perceptions and actions. For example, “normal” security indicators, such as a padlock icon, often go unnoticed and, therefore, serve little purpose.

Looking to the Future: Trust in an Increasingly Automated World

Traditional sources of institutional trust are usually found in the relationships that exist between employers and employees or citizens and their government, but as humans become more technology-reliant, socio-technical trust, which results from the complicated interactions between people and technology,101 is a significant aspect in everyday life. Given the recent advances of and attention to autonomous systems, the topic

98 Stephen Braun, “U.S. intelligence officials to monitor federal employees with security clearances.”
99 Amos Azaria, Ariella Richardson, Sarit Kraus, and V. S. Subrahmanian, “Behavioral analysis of insider threat: a survey and bootstrapped prediction in imbalanced data,” IEEE Transactions on Computational Social Systems 1, No. 2, 2014.
100 Ronald C. Dodge, Curtis Carver, and Aaron J. Ferguson, “Phishing for user security awareness,” Computers & Security 26, February 2007.
101 Albert Bandura, “Social cognitive theory: An agentic perspective,” Annual review of psychology 52, 2001.

US Department of Homeland Security employees work in front of US threat level displays inside the National Cybersecurity and Communications Integration Center. Photo credit: Reuters/Kevin Lamarque.

of human-machine trust has risen to prominence in recent years102 and will continue to increase as automation becomes more ubiquitous, requires less human involvement, and is increasingly relied upon throughout society.

Although there is an abundance of research that suggests that trust is the appropriate concept for describing human-machine interaction, there are several notable differences between that and what is understood about human-to-human trust. The most notable is that machines (even with their increasing personalization, e.g., Amazon’s Echo) lack intentionality, which is a necessary component for other trust-inducing characteristics, such as loyalty, benevolence, and value congruence.103 The asymmetry between humans and machines negates typical social cues and expectations, which in turn causes people to trust and react to machines in a dissimilar manner than they do to other humans. The facilitation of trust between humans and machines is currently most focused on the appropriate design of interfaces; however, with the increasing complexity of artificial intelligence, interface design alone is still insufficient to establish the trust that is necessary for humans to put their faith in automation. This is leading to research into how to open up the “black box,” where transparency in the computational reasoning behind a machine’s behavior is expected to increase the human’s trust in it.104 This transparency may be difficult in many cases, especially when the machine’s reasoning mechanisms utilize representations that are not

102 Lee Hutchinson, “Four hundred miles with Tesla’s autopilot forced me to trust the machine,” May 22, 2016, http://arstechnica.com/cars/2016/05/four-hundred-miles-with-teslas-autopilot-forced-me-to-trust-the-machine/.
103 John Lee and Katrina A. See, “Trust in automation: Designing for appropriate reliance,” Human Factors: The Journal of the Human Factors and Ergonomics Society 46, 2004.
104 Davide Castelvecchi, “Can we open the blackbox of AI?,” Nature 538, 2016.

human interpretable (such as deep learning networks).105

As fallible and risky as human behavior is, it is certainly not a given that machines are (or will be) much better. Their risks are similar to those assumed with humans, in that detrimental behavior may arise from both intentional and unintentional actions (where software bugs or hacks may cause a machine to behave unpredictably or maliciously). As technology improves, machines will become “smarter” and more social, able to communicate among themselves (creating the so-called Internet of Things),106 and therefore less likely to require “humans in the loop.” These decentralized systems, those that are not monitored by a single executive function and that have no prior knowledge of one another (but are flexible and scalable), are potentially ripe for malicious behavior. Recent approaches for managing the inherent risk within these types of systems have been inspired by other human-based techniques, such as the use of reputation.107

Research has found that while consumers are aware that their data are being collected on a continuous basis, they do not necessarily understand the specifics or motivations behind that collection. This lack of understanding is a source of anxiety.108 Studies on consumer-based data have found that transparency about the use and protection of consumers’ data reinforces trust, but that this trust varies across the identities of the collectors.109 Internet-based finance firms, such as PayPal, are generally perceived to be the most highly trusted, followed by e-commerce companies, consumer electronics makers, banks and insurance companies, telecommunications carriers, large Internet companies (e.g., Google), and the government. Interestingly, retailers and entertainment-focused companies were the lowest trusted organizations, rated above only social networking sites, such as Facebook. These findings point to the fact that both government and private institutions should aspire to increase their levels of transparency in order to counteract feelings of mistrust and anxiety that may accompany necessary cybersecurity programs.

Recommendations

The following actions are recommended to create a secure yet trust-respecting environment.

• Efforts and policies toward protecting personally identifiable information may assuage some of the fears that collected information could be used to negatively affect employees (a legitimate fear given recent corporate and government data breaches). PII protection policies may include encrypting employee PII, maintaining adequate firewalls and anti-virus software, avoiding use of employee social security numbers as means of employee identification, running an adequate record retention program, and employing measures that ensure business partners who access data also employ similar processes.

• Tools to manage access to data and personal information require the right balance of permissiveness and monitoring, achieved through fostering accountability, continuous training, security procedures (such as user monitoring), and control mechanisms. No matter what the strategy, communicating the intent of both security and privacy-respecting processes will provide people with more confidence in their employers and government. Balanced programs involve monitoring both known threats and user behavior concurrently, so as to quickly inform users to new threats and to augment methods used to assess those threats. This approach will pave the way for a unified approach (both human- and enterprise-focused) to information security.

• Institutions need to foster a cybersecurity mindset that is capable of continually adapting to counter changing threats. This mindset is likely best attained through a leadership-driven cybersecurity culture throughout the enterprise that results in shared “digital trust.” Therefore, the responsibility for maintaining this trust not only lies with those in an organization tasked with monitoring information systems (such as that found in a security operations center—SOC—a group within an organization whose mission is to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents with the aid of both technology and well-defined

105 Yann LeCun, Yoshua Bengio, and Geoffrey Hinton, “Deep learning,” Nature 521, 2015.
106 Jayavardhana Gubbi, Rajkumar Buyya, Slaven Marusic, and Marimuthu Palaniswami, “Internet of Things (IoT): A vision, architectural elements, and future directions,” Future Generation Computer Systems 29, 2013.
107 Euijin Choo, Jianchun Jiang, and Ting Yu, “COMPARS: toward an empirical approach for comparing the resilience of reputation systems,” Proceedings of the 4th ACM conference on Data and application security and privacy, March 3–5, 2014.
108 Timothy Morey, Theodore Theo Forbath, and Allison Schoop, “Customer data: Designing for transparency and trust,” Harvard Business Review 93, 2015, https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust.
109 Ibid.

processes and procedures), but extends from the top leadership to the entire workforce.110

Governments and other organizations that implement insider threat programs should be transparent and make clear to their workforces what types of personnel data and activities they monitor to help identify insider threats with the intent of protecting the workforce, sensitive information, and the viability of the organization itself.

Conclusion

Organizations must place trust in each employee that accesses sensitive data or systems; however, a well-trusting environment does not mean that users have unrestricted access to information or that an institution must accept massive amounts of risk. By analyzing employees’ cyber footprints as well as non-IT–based behavioral indicators, organizations may have a more complete picture of potential risks. To ensure a healthy and trusting environment requires that institutions facilitate a cultural norm around security; one that includes high levels of transparency and standardization and that is capable of adapting to evolving threats, including non-human ones.

110 Pierluigi Paganini, “What Is a SOC (Security Operations Center)?” Security Affairs, May 24, 2016, http://securityaffairs.co/wordpress/47631/breaking-news/soc-security-operations-center.html.


CHAPTER 3

Big Data: The Latest Tool in Fighting Crime

Benjamin C. Dean
President, Iconoclast Tech

A confluence of trends around digital technologies, data collection, and data analysis over the past two decades has brought new opportunities and challenges to public and private organizations alike. Digital technologies and data analysis can be and are increasingly used to identify “bad actors” so as to detect and deter or prevent fraud, money laundering, bribery, terrorism, regulatory non-compliance, and other criminal activities. A variety of techniques are now used including profiling, metadata collection, network analysis, data fusion, and predictive analytics. While powerful when used properly, data and data analysis are still subject to statistical and economic limitations. Organizations require people with new skills and a realistic understanding of what these technologies can and cannot do to be able to effectively deploy these technologies and analytical techniques.

After briefly defining relevant terms and outlining trends that have driven advances in digital technologies, this chapter provides an overview of ways in which organizations are taking advantage of advances in digital technologies and data analysis to profile, track, and mitigate malicious actors. Case studies are provided throughout to illustrate the strengths and weaknesses of each of these methods. The final section provides some recommendations based on the issues raised throughout the chapter.

Definitions
“Bad actors” are defined as those individuals or
entities whose activities
are in contravention of the laws or policies of the
United States and
other authorities. Examples of such actors include
transnational criminal
organizations and human traffickers; those conducting
financial crimes
such as counterfeiting, money laundering, and fraud;
terrorists and terrorist
organizations; and malicious actors in cyberspace,
which encompasses

An illegal diamond dealer from Zimbabwe displays diamonds for sale in Manica,
near the border with
Zimbabwe. Photo credit: Reuters/Goran Tomasevic.

threats emanating from a range of entities—from nation-states to individual actors.111

“Digital technologies” are defined as technologies that “fulfil the function of information processing and communication by electronic means, including transmission and display, or use electronic processing to detect, measure and/or record physical phenomena, or to control a physical process.”112 Data, the plural of datum, are information in binary form that can be digitally transmitted or processed.

Technology Trends

Three technological trends related to digital technologies have dovetailed over the past two decades: Faster and cheaper computing power, commonly referred to as Moore’s Law, has seen the price of a fixed amount of computing power halved approximately every eighteen months.113 Network bandwidth has become faster, doubling every nine months.114 Growing data storage has seen the cost of data storage halved approximately every twelve months.115

These technological advances have the potential to create new opportunities for governments and corporations. The adoption of big data analytics has grown in parallel with these advances and has allowed for increased use and experimentation to help increase tax transparency, decrease corruption, counter terrorism, and reduce fraud.

At the same time, these same technologies are also enabling state and non-state actors to promote

111 Department of Defense, Identity Activities Joint Doctrine, Note 2-16, August 3, 2016, http://www.dtic.mil/doctrine/notes/jdn2_16.pdf.
112 This is an adaptation of the definition from the Organisation for Economic Co-operation and Development Glossary of Statistical Terms (2004) for information and communication technology goods.
113 Ibid.
114 Dan Geer, “Data and Open Source Security,” nominal delivery draft for Recorded Future, October 21, 2014.
115 Ibid.

Table 3.1: DoD Categories of Identity Attributes

Identity Attribute Sub-Elements, by category:

Biographical: Core personal; Addresses; Employment; Educational; Military service; Family; Cohabitants; Aliases
Biological: Individual static; Physical attributes (hair/eye color); Scars, marks, tattoos; Familial; Group; Fingerprints, iris, face, palm print, voice, and DNA
Behavioral: Financial transactions; Law enforcement records; Digital personas; Social affiliations; Commercial transactions; Media consumption/production; Body language (gait, posture, eye movements, hand gestures, typing patterns); Micro-expressions (brief involuntary facial expressions)
Reputational: Judicial judgements; Sworn statements; Public licenses; Financial (historical); Community observations; Employer evaluations

Source: DoD, Identity Activities.

violent ideologies; obtain and transfer illicit funds; recruit and train personnel; arrange transport, arms, and equipment; and sustain operational communications.”116 The impacts of these crimes can be costly for public and private organizations alike.

Opportunities of Data and Digital Technologies

Advances in digital technologies around collection, analysis, and secure storage over the past two decades have thus simultaneously brought immense opportunities and significant challenges. Many organizations are now taking advantage of advances in digital technologies and data analysis to profile, track, and mitigate malicious actors. This section examines some of the ways in which these technologies and data analysis are being used for this purpose.

Profiling

Profiling is the act or process of extrapolating information about known identity attributes (traits and tendencies) pertaining to an individual, organization, or circumstance.117 Identity attributes can be categorized in four ways: biographical, biological, behavioral, and reputational.118 Identity attributes can subsequently be organized into multiple sub-elements to support data collection, analysis, and management. The US Department of Defense (DoD) has developed at least five hundred such data types and sub-types associated with identity attributes (see table 3.1).119

If the attributes commonly associated with a particular category of bad actor can be identified, a “signature” (or “fingerprint”) can be constructed for that actor. Subjects’ profiles can then be compared against this signature to flag potentially undesirable actors and activities.

Box 3.1. The Total Information Awareness Project and Its Ancestors

In 2002, the Information Awareness Office of the Defense Advanced Research Projects Agency (DARPA), led by Dr. John Poindexter, began developing the Total Information Awareness project (later the Terrorism Information Awareness project). The project was premised on the belief that terrorist activity has an information signature.120 It was hoped that by identifying these signatures, patterns of activity or transactions that

116 Department of Defense, Identity Activities.
117 Adapted from the Merriam-Webster Learner’s Dictionary full definition of “profiling.”
118 Department of Defense, Identity Activities.
119 Ibid.
120 John Poindexter remarks, Overview of the Information Awareness Office, DARPATech 2002 Conference, Anaheim, California, August 2, 2002, https://fas.org/irp/agency/dod/poindexter.html.

analysts had predetermined were associated with terrorist attacks could be used to scan through databases (containing phone calls, emails, text messages, rental car reservations, credit card transactions, prescription records, etc.) to investigate past terrorist incidents and preempt potential incidents in the future.121 Profiling by determining which individuals exhibited attributes previously associated with terrorists was considered essential to preempting potential incidents.

Following congressional concerns about the project, linked to privacy issues, the Total Information Awareness project was defunded in 2003.122 Components of the project were later transferred from DARPA to other government agencies including the Advanced Research and Development Activity.123 One of these components was the core architecture, later named Basketball, which was described as a “closed-loop, end-to-end prototype system for early warning and decision-making.”124 Another component was Genoa II, later renamed Topsail, which analyzed domestic call metadata to help analysts and policy makers anticipate and preempt terrorist attacks.125

Today, the ancestors of these elements of the Total Information Awareness project live on in the counterterrorism-related activities of intelligence agencies, law enforcement authorities, and the private companies that develop these services for public authorities. In spite of long-standing issues with regard to the effectiveness of profiling for counterterrorism purposes, both for methodological126 and practical127 reasons, a new generation of machine learning and artificial intelligence techniques is now being applied in the hope of overcoming these prior issues.128

Profiling has been used for many decades. Advances in technologies are making it more practical and cheaper to integrate identity attribute data from many sources into a single or multi-layered profile. However, some forms of profiling—by their nature—create privacy and civil liberty concerns. Ensuring that adequate oversight is in place to avoid infringing upon relevant legislation is essential to the success of profiling activities.

Metadata

At the most basic level, metadata are data that provide information about other data, giving people an understanding of what the data constitute. For instance, statisticians use metadata to help data users understand characteristics of data. For survey data, this might include the sample population, the unit of analysis, and the reference period. For a more practical example, when a phone call is made the data can be considered the content of the call itself. The metadata of the call would include the caller, the recipient, the time of the call, and the location of the call.

Metadata are typically divided into the following categories:129

• Descriptive metadata, which describe a resource for purposes such as discovery and identification, e.g., title, abstract, author, and keywords.

• Structural metadata, which indicate how compound objects are put together, e.g., how pages are ordered to form chapters.

• Administrative metadata, which provide information to help manage a resource, e.g., the origin of data as well as whether and/or how the data may have been altered. There are several subsets of administrative data; two that are sometimes listed as separate metadata types are rights management metadata, which deal with intellectual property rights, and preservation metadata, which contain information needed to archive and preserve a resource.

121 Shane Harris, The Watchers: The Rise of America’s Surveillance State (New York: Penguin Books, 2010).
122 Federation of American Scientists, Congressional Record: September 24, 2003 (House) H8500-H8550, 2003, https://fas.org/sgp/congress/2003/tia.html.
123 Mark Williams Pontin, The Total Information Awareness Project Lives On, MIT Technology Review, 2006, https://www.technologyreview.com/s/405707/the-total-information-awareness-project-lives-on/.
124 Shane Harris, “TIA Lives On,” National Journal, February 23, 2006, https://web.archive.org/web/20110528231531/http://shaneharris.com/magazinestories/tia-lives-on/.
125 Ibid.
126 Jonathan Rae, “Will It Ever Be Possible to Profile the Terrorist?” Journal of Terrorism Research 3, no. 2 (2012): DOI: http://doi.org/10.15664/jtr.380.
127 William Press, “Strong Profiling Is Not Mathematically Optimal for Discovering Rare Malfeasors,” Proceedings of the National Academy of Sciences of the United States of America 106, no. 6 (2008): 1716-1719.
128 Aline Robert, “Big Data Revolutionises Europe’s Fight against Terrorism,” Euroactiv.fr, June 23, 2016, https://www.euractiv.com/section/digital/news/big-data-revolutionises-europes-fight-against-terrorism/.
129 Jenn Riley, Understanding Metadata: What Is Metadata, and What Is It For?, National Information Standards Organization, 2004, http://www.niso.org/publications/press/UnderstandingMetadata.pdf.
CHAPTER 3 Big Data: The Latest Tool in Fighting Crime

Box 3.2. The Panama Papers: Tracking Tax Evasion through Analysis of Large Datasets130

In early 2016, a network of journalistic outlets began releasing stories collectively known as the Panama Papers. The stories centered on a law firm, Mossack Fonseca, which had facilitated tax avoidance or evasion for many decades. An unknown person with access to the firm’s internal communications began leaking this information to a journalist at the Süddeutsche Zeitung. At least 2.6 terabytes of data were leaked.

So overwhelmed was the newspaper that received this enormous amount of data that it enlisted the help of the International Consortium of Journalists, who in turn fed the data to over four hundred other journalists. Entirely new kinds of journalistic teams had to be assembled to secure (e.g., encrypt), scan, index, search, store, order, distribute, edit, and share the data across continents. Making sense out of the data required skills in data visualization and graphics.

Some governments are now using these large databases—and the metadata they contain—to connect the dots and crack down on tax evasion. For instance, Denmark recently paid approximately US$1.3 million for a leaked dataset from the Panama Papers containing information on potential Danish tax evaders.131

Metadata are data about data. The metadata associated with data contained in large datasets can be analyzed, and potentially used as inputs to visualizations, to provide an analyst or audience with a better understanding of the contents of a large dataset.

Network Analysis

The origins of network analysis lie in the mid-1700s with Swiss mathematician Leonhard Euler, whose work led to graph theory.132 In essence, graph theory is concerned with nodes (which could be people, devices, organizations, or other entities) and links between those nodes, which, in sum, represent a network.

Once mapped, a network can be analyzed to determine characteristics of specific nodes, e.g., those that have the most direct connections to other nodes (degree centrality, degree distribution), those that are best connected in the network (betweenness centrality), or those that have best access to the network (closeness centrality). The entire network (or “network topology”) can be characterized by how efficiently information can be exchanged (efficiency), the density of links between nodes in a network (modularity), and many other attributes.133

After many years of theoretical development, network analysis capabilities were greatly enhanced by technological advances surrounding telephony since the 1980s, computing advancements during and since the 1990s, and the emergence of online social networks in the 2000s. These advances provided both the computational capability and data sources necessary to undertake large-scale network analysis.

Box 3.3. Network Analysis and Mapping Out Criminal or Terrorist Organizations

Much has changed since the 1990s, when Harvard University Professor Malcolm Sparrow lamented that “the concepts of network analysis are highly pertinent to many forms of intelligence analysis and are currently being used seldom, if at all.”134 Spurred-on, in particular, by the overhauling of intelligence activities following the attacks on September 11, 2001, network analysis and metadata collection have been increasingly used as tools for mapping out criminal or terrorist networks and organizations, identifying central individuals, and monitoring communications of individuals in these networks.

One publicly available example of network analysis put into practice for such purposes is a 2002 paper by Valdis Krebs entitled “Mapping of Terrorist Cells.”135 Krebs constructed a network graph—based on publicly available information—of those who hijacked flights on September 11, 2001.

Unfortunately, there is limited publicly available information on the workings of terrorism-related work undertaken by government

130 Information primarily taken from Alan Rusbridger, “Panama: The Hidden Trillions,” New York Review of Books, Issue 27, October 2016.
131 Glyn Moody, “Panama Papers: Denmark to Pay $1.3M Plus for Leaked Data to Probe Tax Evasion,” Ars Technica, September 9, 2016, http://arstechnica.com/tech-policy/2016/09/panama-papers-denmark-payout-data-tax-evasion-probe/.
132 Greg Satell, How the NSA Uses Social Network Analysis to Map Terrorist Networks, DigitalTonto, June 12, 2013, http://www.digitaltonto.com/2013/how-the-nsa-uses-social-network-analysis-to-map-terrorist-networks/.
133 Linton C. Freeman, Centrality in Social Networks: Conceptual Clarification, Social Networks 1 (1978/79): 215-239.
134 Malcolm K. Sparrow, “Application of Network Analysis to Criminal Intelligence,” Social Networks 13, no. 3 (September 1991): 251-274.
135 Valdis Krebs, “Mapping Networks of Terrorist Cells,” Connections 24, no. 3 (2001): 43-52.
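
Added example (not part of the original report): the node measures named in the Network Analysis section, degree, betweenness and closeness centrality, computed in plain Python on a small constructed graph. The edge list and node names are made up for illustration, and betweenness is computed with Brandes' algorithm, which the report does not name.

```python
from collections import deque

# Constructed sample: two tightly knit groups (A-D and F-I) joined only via "E".
EDGES = [
    ("A", "B"), ("A", "C"), ("A", "D"), ("B", "C"), ("B", "D"), ("C", "D"),
    ("D", "E"), ("E", "F"),
    ("F", "G"), ("F", "H"), ("F", "I"), ("G", "H"), ("G", "I"), ("H", "I"),
]


def build_graph(edges):
    """Build undirected adjacency sets from (node, node) link records."""
    graph = {}
    for u, v in edges:
        if u == v:
            continue  # self-links carry no structural information
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set()).add(u)
    return graph


def _bfs(graph, source):
    """BFS from source: hop distances, shortest-path counts, predecessors, visit order."""
    dist = {source: 0}
    sigma = {node: 0 for node in graph}   # number of shortest paths from source
    sigma[source] = 1
    preds = {node: [] for node in graph}  # previous hops on shortest paths
    order = []
    queue = deque([source])
    while queue:
        v = queue.popleft()
        order.append(v)
        for w in graph[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
            if dist[w] == dist[v] + 1:
                sigma[w] += sigma[v]
                preds[w].append(v)
    return dist, sigma, preds, order


def degree_centrality(graph):
    """Number of direct links per node."""
    return {node: len(neighbours) for node, neighbours in graph.items()}


def closeness_centrality(graph):
    """Reachable nodes divided by the sum of hop distances to them (0.0 if isolated)."""
    result = {}
    for node in graph:
        dist, _, _, _ = _bfs(graph, node)
        total = sum(dist.values())
        result[node] = (len(dist) - 1) / total if total else 0.0
    return result


def betweenness_centrality(graph):
    """Brandes' algorithm: how many shortest paths between other pairs pass through a node."""
    score = {node: 0.0 for node in graph}
    for source in graph:
        _, sigma, preds, order = _bfs(graph, source)
        delta = {node: 0.0 for node in graph}
        for w in reversed(order):  # farthest nodes first
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != source:
                score[w] += delta[w]
    # Undirected graph: every pair was counted once from each endpoint.
    return {node: value / 2.0 for node, value in score.items()}


def ranked(scores):
    """Node names sorted by descending score, ties broken by name."""
    return sorted(scores, key=lambda node: (-scores[node], node))


if __name__ == "__main__":
    g = build_graph(EDGES)
    for label, metric in (("degree", degree_centrality),
                          ("betweenness", betweenness_centrality),
                          ("closeness", closeness_centrality)):
        scores = metric(g)
        print(label, [(n, round(scores[n], 3)) for n in ranked(scores)[:3]])
```

In this sample the node with the fewest direct links ("E") ranks first on betweenness and closeness, so the three measures can point an analyst at different nodes.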

agencies.136 One instance that is known is the US National Security Agency’s bulk-telephony metadata collection program. This program uses network analysis to identify and link suspect individuals based on metadata collected from their call records.137 Network analysis methods are also used for social media monitoring, which allows analysts to link profiles associated with terrorist-related content to other profiles that have interacted with the original profile.138

The use of metadata and network analysis provides a powerful combination for understanding how entities interact and the emergent behavior of networks of entities. Social networks have created a new source of data, and associated metadata, which are used by intelligence and law enforcement agencies in their counterterrorism activities.

Data Fusion

Data fusion describes the process by which several datasets are brought together from multiple sources to create a new, singular dataset. The Joint Directors of Laboratories, which pioneered a multi-level data fusion model in the early 1990s, defines data fusion as a “multi-level, multifaceted process handling the automatic detection, association, correlation, estimation, and combination of data and information from several sources.”139

The advantages of data fusion mainly involve enhancements in data authenticity or availability.140

The field of data fusion has developed to address four broad challenges associated with data inputs: data imperfection, data correlation, data inconsistency, and disparateness of data form.141 Different algorithms are used to address these varying challenges. No single data fusion algorithm is capable of addressing all of them.

Different combinations of these challenges will arise depending on the use case in question due to the various data inputs being used. It is crucial to identify which of these challenges may be present up-front because, if they are not rectified, any error introduced will be magnified in later output.142

Predictive Analytics and Machine Learning

Predictive analytics uses statistical techniques to derive a probabilistic score for the likelihood an entity will perform a given action in the future. The analysis is typically based on its current and past profile attributes relative to a comparable population.

In the past, regression techniques have been a mainstay of predictive analytics. Regression involves determining a relationship (correlation) between a dependent variable and an independent variable in a given population. There are many regression models (e.g., linear, logistic, probit) that might be used depending on the phenomenon under examination.

In recent years, machine learning techniques have become increasingly popular for predictive analytics. Machine learning involves the application of induction algorithms, which intake specific instances and produce a model that generalizes beyond those instances.143 Rather than program a computer to perform a certain task, machine learning involves inputting data into an algorithm that then leads the computer to change its analysis technique.

There are two broad categories of machine learning algorithms: supervised and unsupervised. The former uses labelled records to sort data inputs into known outputs. The latter does not use labelled records so the outputs are not known ex ante. The algorithm explores data, finds some structure, then uses this to determine the outputs. This is particularly useful for use cases like fraud detection or malicious network activity, where the phenomenon to be detected is too rare or its outward characteristics are unknown. Unsupervised learning algorithms are better at searching for anomalies, which signal significant deviation from some sort of “normal.”

Machine learning and other more advanced analytical techniques have been deployed for many years to assess consumer credit144 and detect credit

136 Steve Ressler, “Social Network Analysis as an Approach to Combat Terrorism: Past, Present, and Future Research,” Homeland Security Affairs 2, Article 8 (July 2006), https://www.hsaj.org/articles/171.
137 “Documents on NSA Efforts to Diagram Social Networks of US Citizens,” New York Times, September 28, 2013, http://www.nytimes.com/interactive/2013/09/29/us/documents-on-nsa-efforts-to-diagram-social-networks-of-us-citizens.html.
138 Ibid.
139 F.E. White, Data Fusion Lexicon, Joint Directors of Laboratories, Technical Panel for C3, Data Fusion Sub-Panel, Naval Ocean Systems Center, San Diego, California, 1991.
140 Bahador Khaleghia, Alaa Khamisa, Fakhreddine O. Karraya, and Saiedeh N. Razavi, “Multisensor Data Fusion: A Review of the State-of-the-Art,” Information Fusion 14, no. 1 (2013): 28-44.
141 Ibid.
142 With thanks to Daniel Meisner, senior director, Platform, head of Open Data and Ecosystems, Thomson Reuters, for pointing this out.
143 Ron Kohavi and Foster Provost, “Glossary of Terms,” Machine Learning 30 (1998): 271–274, http://ai.stanford.edu/~ronnyk/glossary.html.
144 Amir E. Khandani, Adlar J. Kim, and Andrew W. Lo, “Consumer Credit Risk Models via Machine-Learning Algorithms,” MIT

card fraud.145 Such practices, previously also used in matchmaking on online dating sites, are now beginning to find applications in such varied areas as graduate recruitment.146

Box 3.4. Use of Predictive Analytical Techniques to Improve Policing Outcomes

The field of predictive policing seeks to use advances in data collection and analysis to identify instances of increased crime risk and develop/deploy an associated prevention strategy to mitigate and/or reduce those risks.147 Varying levels of success for these initiatives have been observed; the extent of success has been linked in part to the specific use case, the phenomena under examination, and the relative operational capabilities and resources of the law enforcement agency in question.

One study148 used a randomized controlled field trial to evaluate the effectiveness of an Epidemic Type Aftershock Sequence (ETAS) crime forecasting model as compared with the existing best practice used by crime analysts in a district.149 Trials were held with the Los Angeles Police Department (United States), where analysts traditionally used a COMPSTAT (computer statistics) policing model, and with the Kent Police Department (United Kingdom), where analysts traditionally used an intelligence-led policing approach.

Overall, the study found that ETAS models outperformed analysts and their traditional techniques. For instance, in the United Kingdom (UK), the analyst predicted 6.8 percent (Maidstone, England) and 4.0 percent (Sevenoaks, England) of crimes successfully compared with 9.8 percent and 6.8 percent, respectively, by the ETAS model. In the United States, the analyst successfully predicted 2.1 percent of crimes compared with 4.7 percent for the ETAS model. Relative to the amount of patrol time allocated to certain hotspots, ETAS-predicted locations were expected to experience 7.4 percent fewer crimes (on a mean of 58.17 crimes per division) per week in the absence of patrol. Analysts’ use of traditional methods was expected to yield half the reduction (~3.7 percent) at equivalent patrol levels.

Another study150 evaluated the effectiveness of the first version of the Chicago Police Department’s Strategic Subject List (SSL) predictive policing program. The program’s goal was to use social network analysis methods to identify people at risk of gun violence. These people were then to be referred to local police commanders for preventive intervention in the hopes of reducing future crimes linked to gun violence.

The predictive model ended up identifying only 1 percent of the eventual homicide victims (3 out of 405 victims). The program did, however, result in SSL subjects being more likely to be arrested for a shooting.151 This last finding was thought to indicate that the police used the list as a resource to pursue criminals after the fact, rather than in accordance with the intended purpose: to intervene before crimes took place.

The lesson to acknowledge from this case is that the outcomes from using technology, like predictive analysis, will be only as good as the organizational arrangements that allow insights to be acted upon appropriately.

Machine learning techniques have become increasingly popular for predictive analytics. Unsupervised learning algorithms in particular allow for the identification of rare phenomena that may previously have been difficult to identify in large datasets. As with any technology, one key to

Sloan School of Management and Laboratory for Financial Engineering, 2010, https://dspace.mit.edu/openaccess-disseminate/1721.1/66301.
145 Richard J. Bolton and David J. Hand, “Unsupervised Profiling Methods for Fraud Detection,” Imperial College, London, via CiteSeerX, 2001, http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.24.5743.
146 Laura Noonan, “Deutsche Uses Koru’s ‘Dating Site’ Tech to Enhance Match with New Recruits,” Financial Times, September 7, 2016, https://www.ft.com/content/b83108fe-72b4-11e6-bf48-b372cdb1043a.
147 Walter L. Perry, Brian McInnis, Carter C. Price, Susan C. Smith, and John S. Hollywood, Predictive Policing: The Role of Crime Forecasting in Law Enforcement Operations, Rand Corporation, 2013, http://www.rand.org/content/dam/rand/pubs/research_reports/RR200/RR233/RAND_RR233.pdf.
148 G. O. Mohler, M. B. Short, Sean Malinkowski, Mark Johnson, G. E. Tita, Andrea L. Bertozzi, and P. J. Brantingham, “Randomized Controlled Field Trials of Predictive Policing,” Journal of the American Statistical Association (2015): DOI: 10.10.1080/01621459.2015.1077710.
149 ETAS models are analogous to those used for seismic activity. Using an Expectation-Maximization algorithm, as crimes occur in real time, the model adjusts the probabilities of future crime hotspots similar to the way that one might model aftershocks following an earthquake (if one incident occurs in a hotspot, it is more likely that others will follow).
150 Jessica Saunders, Priscilla Hunt, and John S. Hollywood, “Predictions Put into Practice: A Quasi-Experimental Evaluation of Chicago’s Predictive Policing Pilot,” Journal of Experimental Criminology 12, no. 3 (September 2016): 347–371, DOI 10.1007/s11292-016-9272-0.
151 Ibid.

effectively using predictive analytics is having the appropriate organizational measures in place to act upon the insights gleaned from these techniques.

Blockchain

One of the most interesting and groundbreaking technological innovations of the past decade is the blockchain that underpins bitcoin, a digital currency supported by cryptographic methods (a “cryptocurrency”). One of the key technologies that secures bitcoin is a distributed, publicly available, and immutable ledger commonly referred to as a blockchain.

In very simple terms, a blockchain is a shared database with time-stamped entries. The name is derived from the way in which transactions are grouped together (into a block) and added to the ledger sequentially. Each block is linked to the previous block, thereby making a chain (hence, “blockchain”). That the entries form a chain allows anyone to trace back through the history of transactions to see and confirm what transactions took place between whom and at what time. Three broad types of blockchains have emerged—public, private, and a hybrid of the two.152 They are differentiated based on their level of centralization/decentralization, their consensus mechanism, and who has read or write ability.

A blockchain is used in bitcoin to prevent the double-spend problem. Before bitcoin, the issue with a digital currency was that someone could spend the same unit of digital currency in multiple places at the same time. A blockchain solves this problem by providing a shared ledger, which ensures that everyone knows and agrees on how much of the digital currency has transacted among users at any point in time.

It is thought that blockchains might provide an effective tool in detecting and preventing corrupt or fraudulent activities. This thinking is premised on the immutability of a blockchain. The immutability prevents any one party from altering past entries, as one might be able to do with paper or digital records.

Box 3.5. Using Blockchain to Address Fraud and Theft

Everledger is a UK-based company that uses public and private blockchains, along with other technologies, to address a novel problem: diamond theft and associated insurance fraud. This problem stems from two factors. First, there previously was not a dependable way to detect if a diamond had been stolen. Moreover, like other luxury goods, proof of ownership remains on paper documents, which are vulnerable to tampering and loss.153

Everledger creates a unique, digital “thumbprint” of a diamond, which records its individual set of attributes including color, clarity, cut, and carat weight, as well as forty other metadata points, and links these to the laser inscriptions on the girdle of the stone.154 It then places this information on the blockchain to create an immutable entry. If stolen, the diamond’s original owner can be traced using this entry on the blockchain.

As many organizations that are experimenting with blockchain have found out, there are inherent difficulties using a technology designed to track digital currency transactions for other use cases. Attempting to register physical assets using a digital entry on a blockchain requires a trusted third party. However, bitcoin was designed specifically to remove the need for such a trusted third party through a computationally intensive consensus mechanism.155 Trust in Everledger therefore becomes paramount, as opposed to bitcoin, where trust is intentionally factored out by design.

Moreover, placing information on any public blockchain—such as the bitcoin blockchain—necessitates making that information publicly available. This might not be appropriate for some sensitive or private information. To overcome this, Everledger uses a private blockchain, with sensitive data such as police reports and policy information kept on the company’s Eris-run platform.156
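
Added example (not from the report, and not Everledger's or bitcoin's code): a minimal hash-linked ledger in Python showing how linking each time-stamped block to the previous one makes an edit to a past entry detectable, and why a privately operated ledger also needs its latest hash held by an independent party. The attribute values, owner labels, timestamps and function names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first block


def _digest(obj):
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def thumbprint(attributes):
    """Fingerprint of an item's recorded attributes, independent of key order."""
    return _digest(attributes)


def block_hash(block):
    """Hash of everything in the block except the stored hash itself."""
    return _digest({k: v for k, v in block.items() if k != "hash"})


def append_block(chain, timestamp, entries):
    """Add a time-stamped block that commits to the hash of the block before it."""
    block = {
        "index": len(chain),
        "timestamp": timestamp,
        "entries": entries,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain, trusted_head=None):
    """Return (ok, reason). trusted_head is a copy of the latest hash kept elsewhere."""
    prev_hash = GENESIS
    for position, block in enumerate(chain):
        if block["index"] != position or block["prev_hash"] != prev_hash:
            return False, f"block {position}: link to previous block is broken"
        if block_hash(block) != block["hash"]:
            return False, f"block {position}: contents do not match stored hash"
        prev_hash = block["hash"]
    if trusted_head is not None and prev_hash != trusted_head:
        return False, "head hash differs from the independently held copy"
    return True, "ok"


def rehash_from(chain, position):
    """Recompute hashes from `position` on, as the sole operator of a ledger could."""
    prev_hash = chain[position - 1]["hash"] if position else GENESIS
    for block in chain[position:]:
        block["prev_hash"] = prev_hash
        block["hash"] = block_hash(block)
        prev_hash = block["hash"]
    return prev_hash


def ownership_history(chain, item):
    """Trace an item's recorded owners in chain order."""
    return [(b["timestamp"], e["owner"])
            for b in chain for e in b["entries"] if e["item"] == item]


# Constructed sample attributes for one registered item.
STONE = {"carat": "1.02", "clarity": "VS1", "color": "F",
         "cut": "excellent", "inscription": "SAMPLE-0001"}


def build_sample_chain():
    chain = []
    stone = thumbprint(STONE)
    other = thumbprint({"inscription": "SAMPLE-0002"})
    append_block(chain, "2017-01-05T10:00:00Z",
                 [{"item": stone, "owner": "owner-1", "event": "register"}])
    append_block(chain, "2017-02-11T15:30:00Z",
                 [{"item": stone, "owner": "owner-2", "event": "transfer"}])
    append_block(chain, "2017-03-02T09:15:00Z",
                 [{"item": other, "owner": "owner-3", "event": "register"}])
    return chain


if __name__ == "__main__":
    ledger = build_sample_chain()
    print(verify_chain(ledger))
    print(ownership_history(ledger, thumbprint(STONE)))
```

An edited entry fails `verify_chain` at the altered block; a chain whose hashes were all recomputed passes the internal check and is caught only by the `trusted_head` comparison, which is the role consensus or an outside witness plays.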

152 Vitalik Buterin, “On Public and Private Blockchains,” Ethereum Blog, August 7, 2015, https://blog.ethereum.org/2015/08/07/on-public-and-private-blockchains/.
153 Grace Caffyn, “Everledger Brings Blockchain Tech to Fight against Diamond Theft,” CoinDesk, August 1, 2015, http://www.coindesk.com/everledger-blockchain-tech-fight-diamond-theft/.
154 “On Blockchain, Diamonds Are Forever,” Rakuten Today, October 4, 2016, https://rakuten.today/blog/everledger-blockchain-diamonds-forever.html.
155 Steve Wilson, “Blockchain Plain and Simple,” Constellation Research, January 30, 2017, https://www.constellationr.com/blog-news/blockchain-plain-and-simple.
156 Grace Caffyn, “Everledger Brings Blockchain Tech to Fight against Diamond Theft.”

The bitcoin blockchain has inspired numerous new projects that all seek to build on the cryptocurrency’s original success. However, it must be remembered that the bitcoin blockchain was developed to solve one very specific problem: double-spend. As new projects continue to develop, such as Hyperledger and Ethereum, many new possibilities for applications of distributed/shared ledger technology will emerge.157

Shortcomings and Limitations of Data and Digital Technologies

Although the costs of profiling and data fusion are falling due to Moore’s Law and other technological advances, there are important economic, statistical, and practical/operational issues that commonly stand in the way of effective deployment of these technologies. As with any tool, use of big data methods will be effective only if those who wield these tools have the requisite knowledge of their applications and shortcomings.

Privacy Considerations

Strict privacy-related laws have been in place for many decades, in the United States and abroad, to constrain the ability of public and private sector organizations to collect and use personal data. In particular, the European Union’s General Data Protection Regulation, which will come into effect in 2018, has specific clauses related to practices such as profiling.

As some of the case studies throughout this chapter have illustrated, large-scale data collection and analysis can often fall foul of privacy laws.

Part of the issue is that anonymized data can be de-anonymized when several data sources are combined.158 Likewise, non-personally identifiable information can become personally identifiable information—which is treated differently legally—when combined with other data.159

A privacy assessment is therefore essential to any initiative using large-scale data collection and analysis to avoid infringing upon privacy laws and civil liberties.

False Positives and Negatives

An important limitation of any profiling effort across relatively large populations is the occurrence of false positives and false negatives. A false positive can be thought of as a false alarm. According to New York University’s distinguished professor of risk engineering, Nassim Nicholas Taleb, the “tragedy of big data” is that even though one has more data, it also means one has more false information.160 More false information makes it harder, and costlier, to correctly identify the desired targets. Reducing the incidence of false positives or negatives becomes more costly as one attempts to eliminate such errors from the predictive analysis.

This may not be an issue in cases where incorrectly identifying and acting upon an entity that is a false positive does not result in enormously meaningful repercussions.161 However, in instances where there are meaningful repercussions from such an error, the benefits of such predictive profiling may be (substantially) outweighed by the costs.

The Unit of Analysis with Dynamic Profiles in Heterogeneous Populations

The first step in profiling is determining what the unit of analysis should be. In other words, “What do we watch—the farmer, the dog, the chickens, or the coop”?162 The answer to this question may not immediately be obvious. If the correct unit of analysis is not chosen, however, the rest of the profiling exercise—and the output of any subsequent analysis—is moot.

Moreover, profile attributes are dynamic—they are shaped by many inputs over time and as such can shift depending on the changing circumstances. The true rates of bad actors, which are sentient and

157 See “About the Hyperledger Project,” Hyperledger, https://www.hyperledger.org/about and Ethereum, https://www.ethereum.org/, for more information.
158 Latanya Sweeney, “K-anonymity: A Model for Protecting Privacy,” International Journal on Uncertainty, Fuzziness and Knowledge-Based Systems 10, no. 5, (2002): 557-570.
159 Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” UCLA Law Review 57 (2010): 1701.
160 Nassim Nicholas Taleb, Antifragile: Things That Gain from Disorder (New York: Random House, 2012).
161 Daniel Geer, Measuring Security, Tutorial, 2007, v2.1:16x07, http://geer.tinho.net/measuringsecurity.tutorial.pdf.
162 Ibid.
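
Added example (not part of the original report): a pre-release privacy check in Python for the combination risk described under Privacy Considerations. It measures k-anonymity over quasi-identifiers and counts the people a second dataset would single out, before and after generalizing the fields. All records, names, field names and the choice of quasi-identifiers are constructed assumptions.

```python
from collections import Counter

# Assumption: these three fields are the quasi-identifiers shared with other sources.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed "de-identified" release: names removed, quasi-identifiers kept.
RELEASE = [
    {"zip": "02138", "birth_year": 1961, "sex": "F", "flag": "review"},
    {"zip": "02138", "birth_year": 1961, "sex": "F", "flag": "none"},
    {"zip": "02139", "birth_year": 1975, "sex": "M", "flag": "review"},
    {"zip": "02139", "birth_year": 1978, "sex": "M", "flag": "none"},
    {"zip": "02141", "birth_year": 1983, "sex": "F", "flag": "review"},
    {"zip": "02142", "birth_year": 1989, "sex": "F", "flag": "none"},
]

# Constructed second source that carries names plus the same quasi-identifiers.
ROSTER = [
    {"name": "Person 1", "zip": "02139", "birth_year": 1975, "sex": "M"},
    {"name": "Person 2", "zip": "02141", "birth_year": 1983, "sex": "F"},
    {"name": "Person 3", "zip": "02138", "birth_year": 1961, "sex": "F"},
    {"name": "Person 4", "zip": "02140", "birth_year": 1990, "sex": "M"},
]


def qi_key(record, qis=QUASI_IDENTIFIERS):
    """The combination of quasi-identifier values that defines an equivalence class."""
    return tuple(record[q] for q in qis)


def class_sizes(records, qis=QUASI_IDENTIFIERS):
    """How many released records share each quasi-identifier combination."""
    return Counter(qi_key(r, qis) for r in records)


def k_anonymity(records, qis=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k = 1 means someone is unique."""
    sizes = class_sizes(records, qis)
    return min(sizes.values()) if sizes else 0


def uniquely_linkable(release, other_source, qis=QUASI_IDENTIFIERS):
    """Names in the other source that match exactly one released record."""
    sizes = class_sizes(release, qis)
    return [p["name"] for p in other_source if sizes.get(qi_key(p, qis), 0) == 1]


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and decade of birth."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


def assess(release, other_source, qis=QUASI_IDENTIFIERS):
    """Exposure of a release as published and after generalization."""
    coarse_release = [generalize(r) for r in release]
    coarse_other = [generalize(p) for p in other_source]
    return {
        "raw": {"k": k_anonymity(release, qis),
                "singled_out": uniquely_linkable(release, other_source, qis)},
        "generalized": {"k": k_anonymity(coarse_release, qis),
                        "singled_out": uniquely_linkable(coarse_release, coarse_other, qis)},
    }


if __name__ == "__main__":
    print(assess(RELEASE, ROSTER))
```

Removing names alone leaves k = 1 in this sample; coarsening the fields raises k to 2 at the cost of analytical detail, which is the trade-off a privacy assessment has to weigh.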

thus able to adapt, might also change over time. All these elements require data inputs to be continually tracked and updated, which might not be cheap or practical.

Effective Interpretation of Results and Intervention Strategy

While robust and extensive data analysis might be undertaken with cutting-edge predictive analytic methods, this does not imply that the results of such analysis will subsequently be correctly interpreted and acted upon. There are inherent limitations in using these techniques, and not fully understanding them can have consequences. This is particularly the case when attempting to measure or identify a person’s emotions or state of mind.163

Even in cases where the analysis is correctly interpreted and understood, an effective prevention or intervention strategy must be developed and deployed to mitigate the identified risk(s).164 However, the history of predictive policing suggests that developing and deploying these strategies is one of the biggest challenges that initiatives using such data analysis techniques face.

Box 3.6. Gouré, Kellan, and RAND’s Vietnam Motivation and Morale Project165

During the Vietnam War, to understand whether the US-led carpet bombing campaign was reducing the morale of the Vietcong fighters and North Vietnamese citizens, the RAND Corporation extensively interviewed North Vietnamese prisoners and defectors. Starting in 1964, the original leader of the RAND project, Leon Gouré, interpreted from the sixty-one thousand pages of extensive data collection and analysis (the big data of its day) that the bombing campaign was successful (i.e., the Vietcong’s morale was falling). One of his colleagues, Konrad Kellan, later reviewed the interviews in 1965. Kellan postulated a different interpretation, concluding that the opposite (and ultimately correct) outcome was occurring, namely, that the bombing campaign only reinforced the morale of the Vietcong and citizens of North Vietnam.166

Kellan attributed his key insight, which allowed him to correctly interpret the body of data, to one interview with a senior Vietcong captain:

He was asked very early in the interview if he thought the Vietcong could win the war, and he said no. But pages later, he was asked if he thought that the US could win the war, and he said no. The second answer profoundly changes the meaning of the first. He didn’t think in terms of winning or losing at all, which is a very different proposition. An enemy who is indifferent to the outcome of a battle is the most dangerous enemy of all.167

This reality was something that Gouré had overlooked given his own personal history and biases. The lesson here is that while a large body of data might be available, correctly interpreting the data is an entirely different matter. This has not changed in spite of decades of advances in analytical techniques.

Recommendations

A number of lessons on how to successfully deploy digital technologies and data analytics emerge from the various cases covered in this chapter. These lessons form the basis for the recommendations below.

• Invest in people with the skills and knowledge: A broad skill set is required to correctly secure, scan, index, search, store, order, distribute, and edit data as well as visualize/communicate findings from data analysis. Very rarely does any one person possess all of these skills, so multidisciplinary teams must be formed to successfully use digital technologies and data analysis. Organizations should take this into account when considering the adoption and subsequent use of these technologies.

• Ask whether data analysis is appropriate for answering the desired question: Digital technologies and data analysis are relatively better suited to solving some problems, such as optimization, than others, particularly

163 Malcolm Gladwell, “Revisionist History: Saigon, 1965, Podcast Episode 2,” 2016, based on Gladwell, “Viewpoint: Could One Man Have Shortened the Vietnam War?” BBC.com, 2013, http://www.webcitation.org/6I1RnuJsR.
164 Perry, McInnis, Price, Smith, and Hollywood, Predictive Policing; Greg Ridgeway, “Linking Prediction and Prevention,” Criminology and Public Policy 12, no. 3 (2013): 545-550; Saunders, Hunt, and Hollywood, “Predictions Put into Practice.”
165 Gladwell, “Revisionist History: Saigon, 1965, Podcast Episode 2.”
166 Gladwell, “Revisionist History: Saigon, 1965, Podcast Episode 2.” It is also worth noting that during the Vietnam War, US Secretary of Defense Robert McNamara became blinded to the reality in the field due to his overreliance on data collection and interpretation. In particular, his focus on the body count blinded him to the other—more important—indicators that the war was not winnable. See Kenneth Cukier and Viktor Mayer-Schönberger, Big Data: A Revolution That Will Transform How We Live, Work, and Think (Eamon Dolan/Mariner Books: 2013). The same methods that worked well in reducing the costs of Ford motorcar production ended up disastrous for the conduct of full-scale war in Vietnam—another lesson that applying effective techniques from one use case does not mean success will occur for other use cases.
167 Gladwell, “Revisionist History: Saigon, 1965, Podcast Episode 2.”

those involving behavior or emotions. Before embarking on a data analysis exercise to answer a question, organizations first need to consider whether the techniques they intend on using will be able to generate useful answers. This recommendation also applies to blockchains. Organizations need to consider whether an immutable, publicly available database that requires immense computing power to maintain consensus is superior—given the use case—to relatively more simple, long-standing options in the field of distributed databases.

• Place technology use within a larger strategy: Even if data analysis is correctly done and the results are correctly interpreted and then communicated, the exercise becomes moot if there is not robust implementation/operationalization of the results. Organizations need to understand technology use and data analysis not in isolation but as part of a wider organizational strategy.

• When investing in data analysis technologies, consider all available options: Many data analysis technologies and databases or data sources are open source and freely available. However, in some cases, a custom-built “data analysis solution” might be needed to accomplish organizational goals.

• More data do not necessarily equal better data: A common misconception is that collecting and adding more data results in “better” data. The issue is that beyond a certain point, more data tend to create more noise, which results in “worse” data. Organizations need to consider how much data are required to answer the question they have and determine at what point sufficient data have been collected for useful analysis to be undertaken.

Conclusion

Digital technologies and data analysis have advanced greatly over the past two decades. A variety of techniques are now available including profiling, metadata collection, network analysis, data fusion, and predictive analytics. These techniques can be, and increasingly are, used to profile and track bad actors to detect and deter or prevent fraud, money laundering, bribery, terrorism, and regulatory non-compliance. While powerful when used properly, these technologies are most effective when deployed by organizations in which the staff have appropriate skills and a realistic understanding of just what benefits the technologies can provide.
CHAPTER 4 Big Data: Tackling Illicit Financial Flows

CHAPTER 4

Big Data: Tackling Illicit Financial Flows

Tatiana Tropina
Senior Researcher, Max Planck Institute for Foreign and International Criminal Law

The relatively new phenomenon of big data has rapidly become both a promise and a challenge. Big data solutions are praised by some as technologies that will change the world, criticized by others as threats to privacy, acclaimed to be a silver bullet to myriad issues, called a “buzzword tsunami,” and used as a source of inspiration for utopian and dystopian scenarios; big data has quickly become central to many policy debates. Governments, law enforcement agencies, and the private sector are currently trying to grasp the benefits of the huge amounts of data generated and processed daily and exploring how big data can help them perform better in different areas—from healthcare to preventive policing and from targeted advertising to research and innovation, to name but a few. Meanwhile, criminals strive to use big data to their advantage as well.

There is still no agreed-upon definition of big data, though many define it as the rapidly increasing production, storage, and transfer of large amounts of data available from different sources, along with the algorithms and tools needed to process them. However, though its definition is still being debated, big data is already a reality. Despite ongoing debates around the use of big data tools for preventing and controlling crime, there is no question “if” these tools will be employed: the questions are only “how” and “when.” There is also little doubt that, once implemented properly, big data analytics can be revolutionary in tackling illicit financial flows.

This chapter explores both how big data is used by criminals to create illicit profits and how law enforcement and other institutions can use big data to help tackle this problem. It begins with a brief explanation of the concept of illicit financial flows and examination of how digital technologies are changing the face of online and offline profit-driven crime. It also investigates the promises and challenges of using big data to stop illicit financial flows and discusses the balance between law and technology required to address the problem of illegally acquired money. Finally, recommendations highlight the need for long-term approaches to
combat the problem of crime, wherein big data and other technological solutions should be made part of comprehensive strategies.

Digital Technologies and Illicit Financial Flows: State of Play and Possible Developments in the Era of Big Data

In the past few years, use of the term “illicit financial flows” has grown; these illegal flows are now a crosscutting issue on the agenda of governments and international organizations such as the World Bank and Organisation for Economic Co-operation and Development (OECD), amongst others. Despite a lack of consensus regarding the extent to which this term covers grey areas and practices such as tax avoidance, the general understanding is that it refers to money “illegally earned, transferred or used.”168 The notion of illicit financial flows aims to connect seemingly disparate illegal activities under a single umbrella to tackle the whole lifecycle of illicit finance—from earning to utilization—and provide a holistic picture of the issue. The umbrella approach makes even more sense in the digital age, where technology has increasingly become a common enabler. It also makes it possible to adopt harmonized frameworks to trace illegal money, to share best practices between regulatory domains, and, ultimately, to connect previously fragmented efforts.

The legal and technical solutions for tracing crime in a digital environment have never been perfect, and in an age of exponentially increasing data, finding solutions is now akin to finding the proverbial needle in a growing haystack of data. However, big data also makes it easier to trace criminal activity.

Illicit Profits: How Digital Technologies Are Changing the Face of Crime

As information and communications networks have changed the way of doing business and the manner of social interactions, they have also been employed by criminals to both facilitate traditional criminal activities and enable new types of crimes.

Box 4.1. Underground Economy of Cybercrime: Automation and Botnets

Automation plays a vital role in the functioning of the underground economy: without it criminals would have to manually target individual victims and computer systems, thus making attacks and crimes too costly and time consuming. The core of automation and the backbone of the underground economy are the botnets, i.e., networks of compromised computers that can be remotely controlled by the perpetrators and used as “zombies” to launch large-scale denial-of-service attacks on computer systems, disseminate malware, and look for system vulnerabilities.

Trading botnets is a very profitable activity in the “crime as service” business model, which is based on offering services, such as hacking and carding, and tools to commit cybercrime for sale or rent. Botnets are offered at a low cost relative to profit due to the high volume of “customers” and overall turnover: distributed denial-of-service attacks can be purchased for $10 to $1,000 per day.169

The Digital Underground Economy

Cybercrime, which in the last decade has transformed into a complex and thriving digital underground economy, is one of the most direct links between digital technologies and illicit financial flows. This economy is based on the monetary value of data as an illegal commodity,170 which is moved across national borders and traded in underground online marketplaces.171

Technological developments are transforming both the legitimate and illicit economies, in part by decentralizing operations as value chains are being replaced with value networks. The patterns of doing business in criminal ecosystems bear many similarities to legitimate business-to-business models regarding decentralization, product placement, outsourcing, subcontracting, and networking. And, like legitimate businesses, those in the criminal economy strive to profit from the development of new business models based on the use of information, communications technologies,

168 United Nations Economic Commission for Africa, Report of the High Level Panel on Illicit Financial Flows from Africa, 2015, http://www.uneca.org/sites/default/files/PublicationFiles/iff_main_report_26feb_en.pdf; see also “Illicit Financial Flows (IFFs),” World Bank, 2015, http://www.worldbank.org/en/topic/financialmarketintegrity/brief/illicit-financial-flows-iffs.
169 Europol, Threat Assessment: Internet Facilitated Organized Crime, The Internet Organised Crime Threat Assessment, File No.: 2530–264, The Hague, January 7, 2011, https://www.europol.europa.eu/sites/default/files/publications/iocta.pdf; see also Candid Wueest, “Underground Black Market: Thriving Trade in Stolen Data, Malware, and Attack Services,” Symantec Official Blog, November 20, 2015, http://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services.
170 For example, according to SecureWorks, in 2015-2016 the price for stolen credit card credentials varied from $4–$80 per item, the price for stolen online payment account credentials varied from $20 to $149 per item depending on the account balance, and the full packages of identity information were traded for $15–$65. See Dell, SecureWorks, Underground Hacker Markets, Annual Report – April 2016, http://online.wsj.com/public/resources/documents/secureworks_hacker_annualreport.pdf.
171 Hanno Fallmann, Gilbert Wondracek, and Christian Platzer, “Covertly Probing Underground Economy Marketplaces,” Vienna University of Technology Secure Systems Lab, 2010, http://www.iseclab.org/papers/dimva2010_underground.pdf; Europol, The Internet Organized Crime Threat Assessment (iOCTA), 2014, https://www.eurssopol.europa.eu/content/internet-organized-crime-threat-assesment-iocta.

and analysis of digital data. These new models allow money stolen through cybercrime to generate illicit revenues, from the supply of the tools to the commission of the crimes. Highly sophisticated criminal-to-criminal services offer “crime as service” tools, including training tutorials, while making them available for “customer” demand at relatively low prices compared with the potential illicit profits.172

Information Technology as a New Tool for ‘Traditional’ Organized Crime

Criminal organizations carrying out “traditional” illegal activities use digital tools for planning and coordination, communications, networking, and trading illegal goods, including arms, drugs, and counterfeit documents. The Internet merges these activities with those related to cybercrime—such as the trade in botnets and tools to commit digital crimes and trade in stolen personal data—and outsources the commission of digital crimes. These two trends drive the creation of online criminal hubs—hidden online marketplaces—where the trade of traditional illegal goods and services coexists in the “darknet” with the supply of tools to commit cybercrimes.

A trend that is distinct from using the Internet to facilitate the trade of illegal goods, and much more worrisome, is the attempt by traditional organized crime groups to employ the skills of highly qualified cybercriminals to carry out the sophisticated manipulation of computer systems to facilitate illegal operations. One of the first studied cases of such synergy was discovered in June 2013, when law enforcement agencies detected a Netherlands-based drug smuggling ring that collaborated with hackers to penetrate the systems controlling the movement and location of shipping containers and—as a result of data manipulation—was able to collect cargos with drugs before the legitimate carrier was able to get them.173

Terrorist Financing

The Internet is a well-known vehicle for terrorist financing. Terrorist organizations use digital tools and communications technologies to solicit donations and conduct e-commerce schemes for selling books and promotional material to supporters. For example, a group of Islamic State of Iraq and al-Sham militants from Russia has used the very popular digital wallet QIWI to collect money online.174

A growing trend concerns the use of digital currencies for terrorist financing: their relative anonymity, ease of use, accessibility, and the fact that they are decentralized and mostly unregulated make them attractive means of carrying out fundraising campaigns. Some of the anti-money laundering bodies—both nationally and internationally—are discussing potential regulatory responses to the possible use of virtual currencies by terrorists. For example, the Financial Crimes Enforcement Network (FinCEN), an agency of the US Treasury Department, is considering establishing a “meaningful regulatory framework for virtual currencies that intersect with the U.S. financial system.”175 In addition, the intergovernmental Financial Action Task Force monitors emerging regulatory issues arising from terrorist financing risks associated with virtual currencies.176

Meanwhile, there have already been cases of terrorist organization websites requesting donations via bitcoin.177 Social media and crowdfunding—whether being used under false pretensions or not—have also emerged as valuable fundraising tools for terrorists.178 Terrorist organizations and radicalized individuals can also use peer-to-peer lending.179 Since many of these opportunities use payment methods that exist outside of regulatory oversight and anti-terrorist financing compliance procedures, there is a risk that terrorist networks can use

172 Yuval Ben-Itzhak, “The Cybercrime 2.0 Evolution,” ISSA Journal, June 2008, http://professor.unisinos.br/llemes/Aula01/CybercrimeEvolution; Tatiana Tropina, “Organized Crime in Cyberspace” in Heinrich-Böll-Stiftung and Regine Schönenberg (eds.), Transnational Organized Crime: Analyses of a Global Challenge to Democracy, Bielefeld, Transcript Verlag, 2013, 47-60.
173 Europol, iOCTA.
174 Joanna Paraszczuk, “IS Militants Use Popular Russian Web Payment System to Raise Cash,” Radio Free Europe, May 17, 2015, http://www.rferl.org/a/islamic-state-funding-russian-web-payments-qiwi/27021379.html.
175 FinCEN, Statement of Jennifer Shasky Calvery, Director, Financial Crimes Enforcement Network, United States Department of the Treasury, November 19, 2013, https://www.fincen.gov/news/testimony/statement-jennifer-shasky-calvery-director-financial-crimes-enforcement-network.
176 Financial Action Task Force (FATF), Guidance for a Risk-Based Approach: Virtual Currencies, 2015, http://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-Virtual-Currencies.pdf.
177 FATF, Emerging Terrorist Financing Risks, 2015, http://www.fatf-gafi.org/media/fatf/documents/reports/Emerging-Terrorist-Financing-Risks.pdf, 36.
178 Sam Rubenfeld, “Foreign Terror-Fighters Fundraise on Social Media, Crowdfunding Sites,” Wall Street Journal, October 21, 2015, http://blogs.wsj.com/riskandcompliance/2015/10/21/foreign-terror-fighters-fundraise-on-social-media-crowdfunding-sites/; FATF, Emerging Terrorist Financing Risks, 31-32.
179 Such concerns were especially raised after it became known that Syed Rizwan Farook, one of the two shooters responsible for the terrorist attack in San Bernardino, California, on December 2, 2015, was able to get a loan of $28,500 through an online peer-to-peer lending website (see, e.g., Darrell Delamaide “Loan to Terror Couple Challenges Regulators,” USA Today, December 15, 2015, http://www.usatoday.com/story/money/2015/12/15/shooting-terrorism-online-loans-san-bernardino/77358520/).

virtually any such payment and fundraising tool to their benefit.

Box 4.2. Use of Bitcoin for Terrorist Financing: Ibn Taymiyya Media Center

The case of the Ibn Taymiyya Media Center (ITMC)—an online jihadist propaganda unit located in the Gaza Strip—using bitcoin for fundraising was brought by Yaya J. Fanusie, a former counterterrorism analyst for the US Central Intelligence Agency. According to Fanusie, the ITMC used social media tools to carry out the fundraising campaign in bitcoin. This was the first known case of the terrorist group publicly seeking donations in digital currency. The terrorist unit posted the information on Twitter with QR (Quick Response) codes that were linked to a bitcoin address, which received two bitcoin donations in July 2016.180

Tax Fraud, Tax Evasion, and Information Technologies: The Challenges of the Digital Economy

While it is hard to assume that the use of global communications networks has no effect on tax evasion, it is unknown whether there are any specific digital tools employed in this area that help carry out large-scale corporate tax evasion. Undoubtedly, the digital economy and borderless Internet, while enabling operations worldwide, create loopholes in taxation. The possibility that tax bases are becoming severely eroded in the digital economy has prompted international organizations to place this issue on their agendas; the OECD, for example, is currently developing action plans to address the problems associated with taxation in the digital era.181

There is, however, a growing synergy between identity-theft cybercrimes and tax fraud. Stolen identities can be used to file tax returns: such schemes involve reporting inflated amounts of income and taxes, and, therefore, claiming inflated tax refunds. Criminals can further seek to transfer these tax refunds to prepaid debit cards.182

Use of Information Technologies in Illegal Money Transfers and Integration

Digital tools have significantly transformed many components of illicit financial flows, including the transfer and integration of ill-gotten gains. All stages of money laundering—placement, layering, and integration183—are affected by the myriad ways online transactions can be used to distance any type of illicit funds from the source of illegal profit.

Technology does not care about the source of illegal income. The same tools and digital technologies can be used to transfer illicit money of any origin, including from corruption, embezzlement, organized crime, tax evasion, and many other activities. The only difference between online and offline criminal activities for money transfers is that the profits gained from digital crime already exist in the digital environment, so money laundering’s risky placement stage can be avoided.184 The same is true for the illegal trade of goods online in digital currencies: the money is “pre-laundered” because it is placed in mostly unregulated financial institutions.185

The countless opportunities for digital transactions via various electronic payment intermediaries—such as transfers from one intermediary to another, peer-to-peer transactions, and transfers to and from the traditional banking system—are making the ecosystem extremely complex186 and creating obstacles in the identification of suspicious transactions.187 Many electronic payment intermediaries are less regulated than traditional financial institutions or not regulated at all.188 Thus, compliance with anti-money laundering laws and the identification of suspicious transactions are left to the unregulated payment intermediary, many of which lack the incentive to detect suspicious

180 Yaya Fanusie, “The New Frontier in Terror Fundraising: Bitcoin,” The Cipher Brief, August 24, 2016, https://www.thecipherbrief.com/column/private-sector/new-frontier-terror-fundraising-bitcoin-1089.
181 OECD, Addressing the Tax Challenges of the Digital Economy, OECD/G20 Base Erosion and Profit Shifting Project, OECD Publishing, 2014, http://www.oecd.org/ctp/tax-challenges-digital-economy-discussion-draft-march-2014.pdf.
182 Internal Revenue Service, IRS Intensifies Work on Identity Theft and Refund Fraud; Criminal Investigation Enforcement Actions Underway across the Nation, 2014, https://www.irs.gov/uac/newsroom/irs-intensifies-work-on-identity-theft-and-refund-fraud-criminal-investigation-enforcement-actions-underway-across-the-nation.
183 Key definitions: Placement—depositing money into the financial system, layering—distancing money from its source through a series of transactions, and integration—the commingling of money with funds in legal sectors.
184 Wojciech Filipkowski, “Cyber Laundering: An Analysis of Typology and Techniques,” International Journal of Criminal Justice Sciences (IJCJS) 3, no. 1 (2008): 15-27.
185 National Drug Intelligence Center, Money Laundering in Digital Currencies, US Department of Justice, 2008, http://www.justice.gov/archive/ndic/pubs28/28675/28675p.pdf.
186 Tatiana Tropina, “Fighting Money Laundering in the Age of Online Banking, Virtual Currencies and Internet Gambling,” ERA Forum 15, no. 1 (June 2014): 69-84.
187 Council of Europe, Criminal Money Flows on the Internet: Methods, Trends, and Multi-stakeholder Counteraction, Moneyval Research Report, March 2012, http://www.coe.int/t/dghl/monitoring/moneyval/Activities/MONEYVAL(2013)6_Reptyp_flows_en.pdf, 36.
188 FATF, Money Laundering & Terrorist Financing Vulnerabilities of Commercial Websites and Internet Payment Systems, 2008, http://www.fatf-gafi.org/.

A woman looks at a map showing where eight members belonging to a New York-based cell of a global cyber criminal organization withdrew money from ATM machines. The US government charged eight individuals with using data obtained by hacking into two credit card processors in a worldwide scheme that netted some $45 million within hours, a crime prosecutors described as one of the biggest bank heists in history. Photo credit: Reuters/Lucas Jackson.

behavior, especially if their primary goal is to provide bulletproof payment services.

The following tools can be used to facilitate illicit financial flows: online banking189 and mobile banking;190 electronic payment systems via unregulated financial intermediaries;191 cryptocurrencies;192 online services and trading

189 Council of Europe, Criminal Money Flows on the Internet; see also Christine Victoria Thomason, “How Has the Establishment of the Internet Changed the Ways in Which Offenders Launder Their Dirty Money?” Internet Journal of Criminology, July 2009, http://www.internetjournalofcriminology.com/Thomason_Internet_Money_Laundering_July_09.pdf and Stephen J. Weaver, “Modern Day Money Laundering: Does the Solution Exist in an Expansive System of Monitoring and Record Keeping Regulations?” Annual Review of Banking & Financial Law 24, 2005: 443-465.
190 John Villasenor, Christopher Bronk, and Cody Monk, Shadowy Figures: Tracking Illicit Financial Transactions in the Murky World of Digital Currencies, Peer-to-Peer Networks, and Mobile Device Payments, The Brookings Institution and the James A. Baker III Institute for Public Policy, August 29, 2011, http://bakerinstitute.org/media/files/Research/d9048418/ITP-pub-FinancialTransactions-082911.pdf. See also LIRNEasia & UP–NCPAG, Mobile Banking, Mobile Money and Telecommunication Regulations, 2008, http://lirneasia.net/wp-content/uploads/2008/05/Mobile-2.0_Final_Hor_EA.pdf.
191 Jean-Loup Richet, Laundering Money Online: A Review of Cybercriminals Methods: Tools and Resources for Anti-corruption Knowledge, United Nations Office on Drugs and Crime, June 1, 2013, arxiv.org/pdf/1310.2368; see also Giulio Piller and Elvis Zaccariotto, “Cyber-Laundering: The Union between New Electronic Payment Systems and Criminal Organizations,” Transition Studies Review 16, no. 1 (2009): 62-76, and Tropina, “Fighting Money Laundering in the Age of Online Banking.”
192 Danton Bryans, “Bitcoin and Money Laundering: Mining for an Effective Solution,” Indiana Law Journal 89, August 29, 2013, http://ssrn.com/abstract=2317990, 1; Europol, iOCTA, and TRACFIN, Regulating Virtual Currencies, 2014, http://www.economie.gouv.fr/files/regulatingvirtualcurrencies.pdf.

platforms; and online gambling.193 Most of these tools represent legal services and technologies that criminals can abuse because their operations exist outside of regulatory compliance and oversight. Even if some of the payments services, such as Zerocoin and Darkcoin, are known as special niche cryptocurrencies that offer total anonymity and might attract criminals,194 they are also used for legitimate purposes and, therefore, cannot be attributed to only criminal activities.

Big Data: A Big Advantage for Criminals?

Data have always been integral to the execution of digital crime: the trade of data as a valuable illicit commodity drives the whole underground economy of cybercrime. With data becoming an asset “akin to oil in the twentieth century”195 for legitimate businesses, the value of this commodity has also significantly increased for criminals. The more data the industry creates and stores, the more criminals are happy to consume them.196

To enjoy the benefits of big data, businesses tend to aggregate vast amounts of sensitive data from various sources in one place to better analyze them.197 Such centralization also increases the value of the data for criminals and makes companies and their databases more attractive and vulnerable to cyberattacks.198 The trade in consumer data in the legitimate economy also makes that data more vulnerable given criminals can acquire data via legal transactions. For example, in 2013 the leading global consumer credit bureau Experian inadvertently sold sensitive data on US consumers via Court Ventures, a company it acquired in 2012, to a Vietnamese identity theft ring. Data transferred to the criminals included names, addresses, Social Security numbers, birthdays, work history, driver’s license numbers, email addresses, and banking information.199

By exploiting the vulnerabilities of centralized data storage, criminals can develop aggressive and complex techniques to commit crimes. The acquisition of a large volume of sensitive personal data can allow for phishing schemes that target individuals rather than businesses or certain demographic groups and, therefore, are harder to detect.200 Moreover, Europol predicts that in the future organized crime groups will exploit big data “to carry out complex and sophisticated identity frauds [at] previously unprecedented levels.”201 Highly personalized scams can target a particular person on the basis of details from a social networking profile or from financial activity. Further development of biometrics in combination with big data might enable criminals to create false identities that could be used both digitally and in the real world.202 All of these risks have to be taken into account when developing technical and legal responses to both offline and online crime.

193 Filipkowski, “Cyber Laundering.” See also Council of Europe, The Use of Online Gambling for Money Laundering and the Financing of Terrorism Purposes, 2013, http://www.coe.int/t/dghl/monitoring/moneyval/activities/MONEYVAL(2013)9_Onlinegambling.pdf and Ingo Fiedler, Online Gambling as a Game Changer to Money Laundering? Institute of Commercial Law, University of Hamburg, April 30, 2013, http://ssrn.com/abstract=2261266.
194 TRACFIN, Regulating Virtual Currencies; see also Europol, iOCTA.
195 Raymond D. Moss, “Civil Rights Enforcement in the Era of Big Data: Algorithmic Discrimination and the Computer Fraud and Abuse Act,” March 9, 2016, Columbia Human Rights Law Review 48.1, 2016: 1.
196 Marc Goodman, Future Crimes (New York: Knopf Doubleday Publishing Group, 2015), 137.
197 Colin Tankard, “Big Data Security,” Network Security 2012, no. 7 (July 2012): 5–6.
198 Jose Gutierrez, Thomas Anzelde, and Galliane Gobenceaux, Risk and Reward: The Effect of Big Data on Financial Services, Leading Trends in Information Technology, Stanford University, Summer 2014, https://web.stanford.edu/class/msande238/projects/2014/BigDataFinance.pdf, 18; Lidong Wang and Cheryl Ann Alexander, “Big Data in Distributed Analytics, Cybersecurity, Cyber Warfare, and Digital Forensics,” Digital Technologies 1, no. 1 (2015): 22-27, doi: 10.12691/dt-1-1-5, and Tankard, “Big Data Security,” 5-6.
199 Brian Krebs, Experian Sold Consumer Data to ID Theft Service, Krebs on Security, October 20, 2013, https://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service/.
200 Trend Micro, Addressing Big Data Security Challenges: The Right Tools for Smart Protection, 2012, http://www.trendmicro.de/media/wp/addressing-big-data-security-challenges-whitepaper-en.pdf, 4.
201 Europol, Exploring Tomorrow’s Organized Crime, 2015.
202 Ibid.

Illegal Profits and Big Data: New Challenges, New Opportunities?

Prevention, Detection, and Disruption of Illicit Financial Flows

The banking industry and law enforcement agencies employ various tools to investigate crime and comply with regulations, such as the Know Your Customer requirement.203 These tools range from anti-money-laundering software for financial industries to special equipment for digital crime investigations and electronic evidence collection.

Every year, software vendors offer industry and law enforcement agencies cutting-edge technical solutions for fighting financial crime. Some of them, like Egmont Secure Web and FIU.net, are specifically tailored to tackle the problem of illicit financial flows by managing requests for financial intelligence sharing from abroad and providing secure information exchange for this purpose.204 Technology is employed to analyze data from beneficial ownership databases—databases that collect information about companies’ owners and organizational structures and link them together—and to obtain electronic records about transaction trails to detect corruption and tax evasion by connecting seemingly unrelated transactions and activities.205

However, due to the increasing volume of data flows, neither law enforcement nor private companies can continue to monitor suspicious behavior using traditional tools based only on linear data.206 Therefore, big data analytics, which can process and analyze nonlinear datasets and link together seemingly disconnected data, is considered a powerful “weapon of choice.”207 Big data tools have been revolutionary208 in replacing or complementing manual techniques, connecting previously disconnected dots, and enabling quick responses to threats—all of which makes it easier to react before malicious activity has caused significant damage.209 Big data analytics is able to predict security breaches by identifying abnormalities and quickly processing large amounts of linear and nonlinear data from different sources.210 Moreover, big data solutions can not only stop criminal acts, they also play a significant role in predicting them before they occur, thus facilitating new, proactive approaches to fighting illicit financial flows.211

Big data analytics is also addressing the cross-border elements of illegal financial flows. Analytics makes data sharing between law enforcement agencies faster and more efficient and helps transnational crime investigations by identifying patterns.212 Big data tools also help with mapping and visualization213 to provide a broader picture of the illicit financial flows and identify affected geographical areas, industry players, channels, and suspects.214

The benefits of using big data to tackle crime and illicit money transfers have become obvious in recent years. Old investigation tools cannot analyze the ever-growing amounts of unstructured data. Thus, big data tools have been implemented in different areas and used by governments, private industry,

203 Know Your Customer is a process implemented by banks to obtain information about their customers’ identities to ensure that the banking system is not misused. In many countries, anti-money laundering regulations require that banks implement this process.
204 TRACFIN, Annual Analysis and Activity Report 2013, http://www.economie.gouv.fr/files/ra_tracfin_anglais_2013.pdf.
205 Tatiana Tropina, Do Digital Technologies Facilitate Illicit Financial Flows, World Bank, 2016, http://documents.worldbank.org/curated/en/896341468190180202/pdf/102953-WP-Box394845B-PUBLIC-WDR16-BP-Do-Digital-Technologies-Facilitate-Illicit-Financial-Flows-Tropina.pdf.
206 Heather Adams, Fighting Financial Crime with Data, Accenture, 2015, https://www.accenture.com/t20160519T222110w/us-en/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Industries_6/Accenture-Fighting-Financial-Crime-with-Data.pdf, 4.
207 Deloitte, Insight on Financial Crime: Challenges Facing Financial Institutions, 2014, http://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-cm-insight_on_financial_crime.pdf, 5.
208 Europol, Exploring Tomorrow’s Organized Crime, 2015, 43.
209 Executive Office of the President, Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights, United States Government, 2016, https://www.whitehouse.gov/sites/default/files/microsites/ostp/2016_0504_data_discrimination.pdf; Joe Goldberg, “Tackling Unknown Threats,” Network Security 12, 2014: 16-17.
210 Digital Reasoning, Unstructured Data: A Big Deal in Big Data, http://www.digitalreasoning.com/resources/Holistic-Analytics.pdf, 2. See also Wang and Alexander, “Big Data in Distributed Analytics.”
211 Deloitte, Insight on Financial Crime: Challenges Facing Financial Institutions, 2014, http://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-cm-insight_on_financial_crime.pdf; Trend Micro, Addressing Big Data Security Challenges, 5; Wang and Alexander, “Big Data in Distributed Analytics”; and Jill Coster van Voorhout, Tesse Alleblas, and Ting Zhang, Curbing Illicit Financial Flows: The Post-2015 Agenda and International Human Rights Law, The Hague, November 2015, http://www.thehagueinstituteforglobaljustice.org/wp-content/uploads/2015/11/PB8-Illicit-Financial-Flows.pdf, 10.
212 Houses of Parliament, Big Data, Crime, and Security, POSTnote, no. 470 (July 2014), researchbriefings.files.parliament.uk/documents/POST-PN-470/POST-PN-470.pdf, 3.
213 One example of such an infographic can be found at Dawson and Li, Top 20 Countries Losing Money from Illicit Financial Flows, Thomson Reuters Foundation, 2013, http://news.trust.org//item/20131211124740-udist/.
214 Van Voorhout, Alleblas, and Zhang, Curbing Illicit Financial Flows, 10. See also Shaun Hipgrave, “Smarter Fraud Investigations with Big Data Analytics,” Network Security 12, 2013: 8.
nongovernmental organizations, and journalists to detect and investigate illegal transactions.

How Is Big Data Being Used to Tackle Illicit Financial Flows?

Financial Industry

In the age of digital crime, holistic approaches to crime detection have also been embraced by the financial industry, which suffers from increasing vulnerability to fraud and is a vehicle for money laundering. While facing significant financial losses from fraudulent activities, the financial industry also bears the largest burden of regulatory compliance. In most countries, banking regulations require financial intermediaries to share information with regulators and law enforcement about suspicious transactions even if the illegality of the act has not been proven.215

Myriad bank transactions happen every day. Traditional systems that are based on the analysis of structured data, such as credit card transactions, and on small samples of data cannot tackle the problem of detecting complex illegal schemes.216 But, big data analytics can use structured and unstructured raw data from different sources, such as geolocation data and those from mobile devices and social media, to detect fraudulent activities, unearth hidden connections between accounts, and track the relationship between the sources and beneficiary.217 As a result, big data analytics is replacing traditional approaches that rely on “red flag” alerts and linear data analysis with predictive models based on processing large volumes of data, such as transactions history and payment activity patterns, in real time.218

Likewise, regulators are also using big data analytics to carry out predictive analysis of money laundering in the financial industry. Big data analytics are being used by financial institutions to review successful investigations, identify indications of money laundering, and develop automated rules and universal templates for the industry to better fight the practice. Furthermore, big data tools are helping collect more detailed information from the industry and analyze it in more advanced ways.219

Big data analytics are also helping detect the misuse of new types of payments, especially virtual currencies based on blockchain technology. Despite the great degree of anonymity blockchain offers, big data tools can make it possible to track and match information on certain types of transactions, making sure that actions are legitimate and genuine. Given the recent calls to consider options for regulating blockchain,220 big data analytics could be employed not only so regulators and enforcement agencies can detect illicit financial flows via blockchain, but also to encourage the voluntary creation of more secure and trusted digital currencies and payment systems in cases when no effective regulatory frameworks are found.

Trade-Based Money Laundering

Similarly, big data tools help detect trade-based money laundering, which includes over- and under-invoicing, multiple invoicing, over- and under-shipment, and other techniques that allow criminals to move funds across borders in the form of goods. The use of automated text analytics combined with web-analysis and web-crawling is considered to be a revolutionary development to ensure transparency in global trade.221

Governments and the private sector use big data algorithms to analyze both structured and unstructured transactions data. When combined with multiple records from different countries and institutions, big data can uncover suspicious patterns such as mismatches in corresponding documentation, shipment routes, and details; discrepancies between goods descriptions and shipment documents; multiple deposits; and other

215 Stavros Gadinis and Colby Mangels, “Collaborative Gatekeepers,” Wash. & Lee L. Rev. 73, no. 2 (2016), http://scholarlycommons.law.wlu.edu/wlulr/vol73/iss2/6, 802.
216 Gutierrez, Anzelde, and Gobenceaux, Risk and Reward, 10; IBM, Combat Credit Card Fraud with Big Data, 2013, http://www.intel.de/content/dam/www/public/us/en/documents/white-papers/combat-credit-card-fraud-with-big-data-whitepaper.pdf, 2.
217 Bashyam Selvaraj, Combating Fraud and Money Laundering: How the Financial Services Industry Can Leverage Big Data, Tata Consulting Services, 2015, http://www.tcs.com/SiteCollectionDocuments/White-Papers/Combating-Fraud-Money-Laundering-0415-1.pdf, 1-3; Intel, Reduce Money Laundering Risks with Rapid, Predictive Insights, Solution Brief, 2015, http://www.intel.de/content/dam/www/public/emea/xe/en/documents/financial-services/final-aml-solution-brief.pdf, 2.
218 Selvaraj, Combating Fraud and Money Laundering, 3. See also Helena Forest, Evelyn Foo, Donya Rose, and Dmitriy Berenzon, Big Data: How It Can Become a Differentiator, Deutsche Bank, 2015, http://cib.db.com/insights-and-initiatives/flow/35187.htm, 12; Hipgrave, “Smarter Fraud Investigations,” 8, and Daniel Mayo, Assessing the Role of Big Data in Tackling Financial Crime and Compliance Management, OVUM, 2016, http://www.oracle.com/us/industries/financial-services/fs-big-data-fccm-wp-2861557.pdf, 8.
219 Such tools have been employed in the United States by FINSEC. See Holly Gilbert, Treasury Department Using Advanced Analytics to Help Detect, Prevent Money-Laundering, 2013, http://www.predictiveanalyticsworld.com/patimes/treasury-department-using-advanced-analytics-to-help-detect-prevent-money-laundering/1043/.
220 As mentioned earlier in this paper, FinCEN in the United States and FATF have called for monitoring the regulatory issues and possibly creating regulatory frameworks for digital currencies.
221 John A. Cassara and Chip Poncy, Trade-Based Money Laundering: The Next Frontier in International Money Laundering Enforcement, Wiley, 2015, 164.
issues.222 Since the trade finance business relies on paper documents related to specific transactions, big data analytics, especially text analytics, can effectively tackle trade-based money laundering.223

Box 4.3. Big Data to Tackle Trade-Based Money Laundering in Developing Countries

In November 2016, DC-based nonprofit Global Financial Integrity launched a new database tool—GFTrade—that is geared toward helping developing countries. It can analyze prices in real time and measure trade misinvoicing risks for eighty thousand goods categories.224

Terrorist Financing

Tracking terrorist financing is yet another area where big data analytics can be useful. Some of the national and international efforts in this field have already been based on using large volumes of data to track terrorist money. For example, under the European Union-US Terrorist Finance Tracking Program, data on international bank transfers are passed, under the management of Europol, to the US Treasury for further assessment.225 Recently, Danish journalists were able to establish links between terrorism financing and value-added-tax (VAT) refund scams by using big data analytics instruments: different datasets collected from public records were scraped and compiled to identify critical nodes and patterns, which were further verified by journalists.226 The analysis resulted in a documentary, which was broadcast in Denmark, and sparked the launch of a further investigation by the Danish Security and Intelligence Service.227

In the United States, FinCEN uses advanced analytics tools to detect terrorist financing. The data gathered by FinCEN—via special rules that help identify transactions by particular terrorist organizations—generate matches in advanced data analytics systems for review and exploration. The results are passed to law enforcement and the intelligence community for further investigation.228 Furthermore, in 2016 FinCEN proposed a rule that would require crowdfunding portals to enact policies and procedures to prevent money laundering and terrorist financing.229 This rule would extend the application of big data analytics to include monitoring crowdfunding for signs that it is being used to finance terrorism.

Tax Crimes

Governments and international organizations are currently trying to determine how big data can best tackle offshore tax evasion. Successful examples already exist in this field. For instance, the United Kingdom’s tax and customs authority has been effectively using big data analytics to tackle the problem of tax fraud. Likewise, the Internal Revenue Service (IRS) in the United States is using big data analytics—quantitative algorithms and statistical models—to detect fraud and taxpayer identity theft.230 Additionally, the OECD has developed special programs to tackle tax avoidance and base erosion and profit shifting.

Box 4.4. Big Data to Fight Tax Fraud: A United Kingdom Case Study

The United Kingdom’s tax and customs authority (Her Majesty’s Revenue & Customs, or HMRC) employs the big data tool Connect to detect tax evasion and tax fraud. Connect makes it possible to bring together and analyze billions of pieces of HMRC internal data. It performs searches of information, which would otherwise be difficult to find, to elicit patterns and connections that uncover crime. HMRC reported that between April 2013 and April 2014 it was able to recover £2.6 billion by using this technology, with an initial investment of £45 million (including five years of running costs).231

222 PwC, Goods Gone Bad: Addressing Money-Laundering Risk in the Trade Finance System, January 2015, http://www.pwc.com/us/en/risk-assurance-services/publications/assets/pwc-trade-finance-aml.pdf.
223 Ibid., 13.
224 Global Financial Integrity, “GFI Launches Database—GFTrade—to Help Developing Countries Generate Millions in Additional Public Revenue,” November 9, 2016, http://www.gfintegrity.org/press-release/gfi-launches-database-gftrade-to-help-developing-countries-generate-millions-in-additional-public-revenue/.
225 Statewatch, Note on Big Data, Crime, and Security: Civil Liberties, Data Protection, and Privacy Concerns, April 3, 2014, http://www.statewatch.org/analyses/no-242-big-data.pdf, 2.
226 EurActive, Big Data Revolutionizes Europe’s Fight against Terrorism, 2016, https://www.euractiv.com/section/digital/news/big-data-revolutionises-europes-fight-against-terrorism/; see also Global Editors Network, “The VAT Hustlers,” 2016, http://community.globaleditorsnetwork.org/content/vat-hustlers-0.
227 The Local DK, “Terror Suspects Tied to VAT Scam in Denmark,” January 25, 2016, http://www.thelocal.dk/20160125/terror-suspects-tied-to-financial-fraud-in-denmark.
228 FinCEN, Statement of Jennifer Shasky Calvery.
229 C. Todd Gibson, Michael McGrath, and Ken Juster, FinCEN Proposal to Impose AML Obligations on US Funding Portals, K&L Gates, 2016, https://www.fintechlawblog.com/2016/05/fincen-proposal-to-impose-aml-obligations-on-u-s-funding-portals.
230 Charles S. Clark, “IRS and SEC Detect Fraud Patterns in Heaps of Data,” Government Executive, October 16, 2012, http://www.govexec.com/technology/2012/10/irs-and-sec-detect-fraud-patterns-heaps-data/58816/.
231 United Kingdom Houses of Parliament, “Big Data, Crime, and Security,” Postnote, July 2014, 3.
Big data analytics can help law enforcement agencies with criminal investigations, allowing them to deal with large amounts of data to identify connections between seemingly unrelated pieces of information. Photo credit: Reuters/Jonathan Ernst.

Law Enforcement: Crime Prevention and Crime Control

Big data tools equip law enforcement agencies with the powerful analytical processes that improve both proactive and reactive approaches to policing. Such tools are helpful not only in online crime investigations, where law enforcement has to deal with the growing amount of data that need to be analyzed, but also in investigating any complex situations, like organized crime, where it is necessary to identify connections between seemingly unrelated pieces of information. Big data analytics can be used to store, combine, and match all existing information, categorize content, and establish correlations. Furthermore, big data tools are used to identify risks, understand crime patterns, and share information between agencies.232

Big Data and Big Challenges

While the promise of big data analytics has not yet been fully delivered, big data tools are being used successfully. Nevertheless, both governments and the private sector must consider many factors before fully enjoying the benefits that big data tools bring to the prevention, detection, and investigation of crime and illegal money transfers.

Big Data and Human Capacity

While able to bring significant improvements to tackling illicit financial flows, big data tools alone are not the answer; they are just a part of the

232 Justin Heinze, “Fighting Crime with Data: How Law Enforcement Is Leveraging Big Data Analytics to Keep Us Safe,” Better Buys, 2014, https://www.betterbuys.com/bi/fighting-crime-with-data/; “How Big Data Analytics Can Be the Difference for Law Enforcement,” SAS, https://www.sas.com/en_us/insights/articles/risk-fraud/big-data-analytics-for-law-enforcement.html; Abdullahi Muhammed, “A Look into Big Data Applications for Law Enforcement,” Smart Data Collective, 2016, http://www.smartdatacollective.com/oxygenmat/382813/look-big-data-applications-law-enforcement.
response.233 Even the most sophisticated technical solutions require humans to use the results and determine future actions.234 While big data tools enable people to perform analyses that can identify illegal financial flows, they also rely on people to ask better questions, see the broader picture, establish links, find correlations, and, ultimately, make decisions.235

The human factor is especially important given the danger of wrong and misleading data and the possibility of incorrectly interpreting data. It is critical to ensure the quality, authenticity, and integrity of data for big data analytics, but mistakes can occur due to human error.236 Therefore, law enforcement agencies237 and private industry238 must work on capacity building and developing specialized knowledge in advanced data analytics to better ensure that the data being analyzed are sound and that the analysts can interpret results correctly.

Box 4.5. Bitcoin and Money Laundering

In January 2016, the Dutch police arrested ten people in conjunction with an international investigation into a money laundering scheme that used a cryptocurrency—bitcoin—to launder up to twenty million euros from online drug deals. Some of the suspects were operating as bitcoin traders who had acquired the currency through the illegal trade in drugs; others were involved in exchanging the cryptocurrencies for euros to withdraw them from ATMs (automated teller machines). The alarm that led to the investigation and subsequent arrests was raised by the banks, because eventually the criminals combined the use of cryptocurrencies with traditional banking and used their bank accounts to deposit large sums of money to then quickly withdraw from ATMs.239

Big Data Privacy Concerns and Safeguards

The principal challenges for big data solutions are the following: 1) addressing concerns about the vulnerability of databases containing personal data240 and 2) ensuring the legality, necessity, and proportionality of analyzing data to tackle criminal activity.241 Privacy issues are very important for the industry given the increased use of big data analytics to prevent malicious activity. Some industry players have already recognized ethical and privacy risks. According to Deutsche Bank, “one bank removed face recognition algorithms from its set of analytics, because it did not even want to be seen as being able to use it.”242 Nevertheless, there is an ongoing debate about how industry can help alleviate these challenges.

In the age of big data, addressing privacy concerns and maintaining appropriate security safeguards are also of the utmost importance for law enforcement and intelligence agencies. Data processing for the purposes of crime prevention and criminal investigation in many countries is subject to strict safeguards, checks, and balances. For this reason, law enforcement must be cautious when implementing big data solutions to avoid overstepping legal boundaries.

Big Data Tools and Capacity Building in Developing Countries

Illicit financial flows have devastating effects on developing countries. While big data analytics can help tackle the problem more effectively, the lack of regulatory and enforcement instruments in place to control financial crime and tax evasion will not be fixed by technical solutions. Therefore, in addition to technical tools, developing countries need to institute coherent policies, regulatory frameworks, and human capacity building. One of the biggest challenges is ensuring big data solutions can tackle all vulnerabilities in financial systems that enable illicit financial flows in developing countries.

233 Trendmicro, Addressing Big Data Security Challenges: The Right Tools for Smart Protection, White Paper, 2012, http://www.trendmicro.de/media/wp/addressing-big-data-security-challenges-whitepaper-en.pdf; Surfwatch, Big Data, Big Mess, 2.
234 Articol Bănărescu, “Detecting and Preventing Fraud with Data Analytics,” Emerging Markets, Queries in Finance and Business, Procedia Economics and Finance 32, 2015: 1832–1833.
235 Conrad Constantine, “Big Data: An Information Security Context,” Network Security, January 2014, 19. See also Surfwatch, Big Data, Big Mess, 3.
236 Forest, Foo, Rose, and Berenzon, Big Data, 20.
237 Europol, Exploring Tomorrow’s Organized Crime, 43.
238 Forest, Foo, Rose, and Berenzon, Big Data, 21.
239 “Ten Arrested in Netherlands over Bitcoin Money-Laundering Allegation,” Guardian, January 20, 2016, https://www.theguardian.com/technology/2016/jan/20/bitcoin-netherlands-arrests-cars-cash-ecstasy; Daniel Dob, “Dutch Police Arrests 10 Men for Bitcoin Money Laundering,” The Merkle, January 20, 2016, http://themerkle.com/dutch-police-arrests-10-men-for-bitcoin-money-laundering/; and Organized Crime and Corruption Reporting Project, “10 Arrested in Netherlands in Bitcoin Operation,” January 22, 2016, https://www.occrp.org/en/daily/4841-10-arrested-in-netherlands-in-bitcoin-operation.
240 Wang and Alexander, “Big Data in Distributed Analytics”; Neil Richards and Jonathan King, “Three Paradoxes of Big Data,” 66 Stanford Law Review Online 41, September 3, 2013; Forest, Foo, Rose, and Berenzon, Big Data; and Statewatch, “Note on Big Data.”
241 Houses of Parliament, Big Data, Crime and Security, 1.
242 Forest, Foo, Rose, and Berenzon, Big Data, 21.
“Follow the Money”: The Nexus of Digital Technologies and the Law

Big data tools could potentially bridge the technology gap between law enforcement agencies and sophisticated criminals. However, big data solutions do not come in a vacuum. Big data tools may solve technical problems by tracing, reporting, and predicting crime, but there are complex legal problems associated with tackling illegal money that existed long before digital technologies enabled new illicit financial flows.

Digital criminal activities can easily bypass national legal frameworks and borders that national regulators and law enforcement agencies cannot. National regulators and law enforcement agencies can enforce only the laws of the country in which they operate and they can do so only within their own national borders; therefore, they must rely on mutual legal assistance to stop criminal activities. In other words, though technological solutions, even those as promising as big data analytics, can provide powerful crime-fighting equipment, they do not fix—or bridge—all legal gaps. As a result, it will be impossible to fully harness big data’s ability to fight crime and money laundering without concurrently facilitating cross-border data flows, investigations, and the exchange of electronic evidence; harmonizing regulatory and legal frameworks; and developing procedural tools and common digital forensics standards.

Lastly, the existence of thousands of stakeholders in the digital economy calls for public-private cooperation between industry and governmental bodies. While regulated intermediaries, such as entities in the financial industry, can certainly employ big data or other technological tools to better comply with anti-money laundering regulations or to protect themselves from financial fraud, there are thousands of unregulated payment providers and other intermediaries outside the scope of compliance procedures that lack incentives to contribute to the effort of mitigating illicit financial flows. Thus, it is important to find those incentives and promote collaborative voluntary approaches. Good solutions should be multi-faceted and include proper national legal frameworks; mutual legal assistance instruments able to cope with the speed of information transfers; frameworks for self-regulation, public-private cooperation, and raising awareness; and a commitment to the ongoing education of users about how to avoid crimes like identity theft.

Recommendations

• Governments, law enforcement, and private industry should employ big data analytical tools to tackle illicit financial flows; these tools have significant potential to develop solutions that would complement all previously isolated efforts to fight financial crime.

• Since big data analytics requires people to analyze results and determine appropriate actions, governments and private industry should recognize that one of the keys to success is building the human capacity to best use these innovative tools.

• Using big data tools requires governments and industry to address privacy considerations; safeguarding people’s privacy should be an integral part of using big data analytics.

• Big data analytics requires proper legal frameworks that address trans-border criminal investigations, mutual legal/regulatory assistance, and compliance at the national level. To enjoy the benefits of big data, governments must implement proper laws and regulations surrounding its use and be ready to update them in the face of unforeseen technological challenges.

• Given that both governments and industry face the same technical, privacy, and ethical challenges in implementing big data tools for tracing illicit financial flows, there should be an ongoing dialogue and partnership between government and industry to build trust, share information, and develop industry standards.

• Using existing and new big data tools should be considered part of an ongoing process and long-term comprehensive strategy to tackle the problem of illicit financial flows. This multi-faceted strategy should comprise both reactive and proactive approaches and include technical and legal tools, public-private cooperation, and future risks analysis.

Conclusion

No single technical or legal solution, or any combination, will completely solve the problem of illicit financial flows. Illicit profit flows and crime will possibly exist as long as humanity does. However, big data analytics, when implemented correctly, can be a game changer for tackling financial crime and money laundering: technology can empower law enforcement agencies with the tools that enable them to both react to complex crime and money laundering and predict it. Nevertheless, to fully benefit from big data solutions, tools need to be complemented by proper legal frameworks, human capacity building, and working mechanisms to support cross-border crime investigations. Ultimately, any technology, no matter how revolutionary it could be, should be considered one part of a long-term strategy to tackle crime and abuse of the financial system—a strategy that should not only be able to address the current risks, but anticipate future ones.
CHAPTER 5

Big Data: Mitigating Financial Crime Risk

Miren B. Aparicio
Counsel and Senior Consultant, The World Bank Global Practice

The goal of financial crime legislation is to enhance transparency in financial transactions and restrict or prevent criminals from using banks and other non-financial sector entities to launder money. Financial integrity regulations help prevent money laundering, terrorist financing, bribery, and corruption,243 and big data is used in conjunction with regulatory obligations to help fight financial crime.

However, the effectiveness in fighting financial crime is often hindered by the quality and quantity of available data and by financial integrity regulatory asymmetry across jurisdictional boundaries. There are also tensions between the principles that stand behind the rights of transparency and security in financial integrity laws versus data privacy in international data flows.

On the one hand, financial crime legislation requires banks244 to collect information about who is and who controls any customer (Know Your Customer, or KYC, obligations), employee, or vendor at the beginning of a legal relationship and on an ongoing basis. There are even recordkeeping obligations after the relationship has ended. To fulfill their regulatory requirements, banks need to obtain and analyze comprehensive and quality data from their customers and screen them against sanctions lists provided by authorities, for each country in which the bank operates.

On the other hand, data privacy laws could hinder banks’ ability to use big data to fight financial crime. Data privacy laws threaten global banks’ ability to adhere to their duty to know their clients and beneficial owners when operating across borders if they make it more difficult for banks to

243 Anti-money laundering (AML), counter-terrorist financing (CTF), and anti-bribery and anti-corruption laws (ABAC) will be jointly referred to as “financial integrity laws” or “financial crime laws”, with main focus on “AML laws” in this chapter.
244 The term “banks” will be used broadly in this chapter and include financial services firms, such as banks, brokers, or dealers in securities; mutual funds; and futures commission merchants and introducing brokers in commodities.
acquire this information or impede international data flows.245 Data privacy rules are nevertheless important. Anytime an organization collects customer data, it must ensure that it complies with privacy rules, and preserves private data from cyberattacks.

Global data, which are essential to fighting crime and terrorism, cannot be processed without technology. Data analytics tools augment the ability to analyze data, which was previously structured by automated systems. However, technological tools are only as good as the underlying data they analyze, which is why accurate and quality data are essential. Mining big data is a critical component of an effective anti-money laundering program, and involves extracting and analyzing data that are both structured and unstructured and that reside both in-house and externally. As a result, for analytics tools to effectively mitigate financial crime risks, privacy laws should include exemptions for transparency and security purposes, which should be agreed upon at a global level.

This chapter analyzes the international transparency standards by the Financial Action Task Force (FATF) and the Basel Committee of Banking Supervision. It also analyzes the trends in financial crime laws in the United States and the European Union (commonly considered reference legislation), as well as the regulatory gaps that might be exploited by “bad actors.” It then examines the data analytics tools used by the financial sector, its supervisors, and governments to process big data and fight financial crime. Finally, it explores technology innovation (fintech/regtech, smart contracts, and distributed ledgers technologies), and new opportunities for collaboration between the private and public sectors to manage evolving threats.

What Laws and Regulations Are in Place to Help Mitigate Risks?

Criminal activities know no boundaries, so it is important to look beyond the jurisdictional competences of supervisors and law enforcement authorities and promote international cooperation. To make it more difficult for criminals to integrate funds into the financial system, banks are required by national laws to analyze and process data from clients and their transactions that move money across borders. The occasional gaps, which are exploited by criminals, arise from the regulatory asymmetry in the implementation of the FATF 2012 recommendations, and their lack of enforcement at a global level.

International Guidelines

The Financial Action Task Force is the international anti-money laundering (AML) standard-setting body, which was established in response to mounting concern over money laundering by the G7 at the Paris summit in 1989.246 Hosted by the Organisation for Economic Co-operation and Development (OECD), FATF issued its first round of recommendations in 1990. The recommendations are not bulletproof: Not all FATF members (currently thirty-five countries and two international organizations) criminalize money-laundering offenses or specify which crimes can serve as predicates for money laundering prosecutions. Moreover, the recommendations do not have the force of law.247 However, they have become the world’s blueprint for effective national and international controls for combating money laundering and terrorism financing, even more after the events of September 11, 2001.248

The Basel Committee on Banking Supervision, established in 1974 by central bank governors, promotes sound supervisory standards worldwide. In 1988, the Basel Committee set up principles for effective banking supervision and identified deficiencies in a large number of countries.249 Even among countries with well-developed financial markets, the extent to which banks follow Know Your Customer rules and employ effective client due diligence practices varies, as noted in the 2001 reference paper Customer Due Diligence for Banks.250 Banks are expected to identify their customers, monitor their accounts to identify transactions that do not conform to normal activity for that customer, investigate red flags, and report suspicious transactions of money laundering to competent authorities. Additional guidelines since 1988, including the “Sound management of risks related to money laundering and financing of terrorism” in 2016, address the need for global banks to adopt a global approach in fighting financial crime, applying a sound KYC program, and employing an automated transaction monitoring

245 See Customer Due Diligence in section Tools to Mitigate Risk.
246 “What We Do,” FATF, http://www.fatf-gafi.org/about/, accessed January 9, 2017.
247 Financial Action Task Force (FATF), The Forty Recommendations and Interpretative Notes, 2012, http://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html.
248 FATF, International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation: The FATF Recommendations, 2012, updated 2016, 7-9.
249 Basel Committee on Banking Supervision, Prevention of Criminal Use of the Banking System for the Purpose of Money-Laundering, 1988, http://www.bis.org/publ/bcbsc137.pdf.
250 Know Your Customer (KYC) is the term employed by banks to refer to Customer Due Diligence processes. Basel Committee on Banking Supervision, Customer Due Diligence for Banks, October 2001, http://www.bis.org/publ/bcbs85.pdf.
CHAPTER 5 Big Data: Mitigating Financial Crime Risk

system (data analytics tools)251 to both the parent bank (or head office) and all of its branches and subsidiaries worldwide.252 This proposal by the Basel Committee for banks of supervising clients’ activities at a global level employing data analytics tools is a sound risk management goal to prevent financial crime. However, as the Institute of International Finance points out in a recent study, data privacy laws challenge banks’ ability to fulfill this goal and FATF should work to improve the effectiveness of its member states’ information sharing regimes.253

Anti-Money Laundering (AML) Reference Laws

Recent Trends in EU AML Directives

The first European Union (EU) AML Directive of 1991 was confined to drug trafficking, as defined in the 1988 Vienna Convention.254 The fourth AML Directive (4AMLD) was adopted in 2015 and needs to be transposed into AML national laws by June 2017. This directive introduces an explicit requirement for companies to maintain adequate, accurate, and current information on their beneficial ownership records.255 This information must be made readily available to competent authorities, designated entities, and any member of the public who can demonstrate a legitimate interest, upon request. EU member states need to create a central beneficial owners’ registry and show that they have taken appropriate steps to identify, assess, understand, and mitigate AML/Counter Terrorist Financing (CTF) risk, including with respect to beneficial ownership information. This will also be achieved by way of a National Risk Assessment to be conducted by each EU member state.

After the Paris terrorist attacks in 2015, the European Commission presented (on February 2, 2016) an action plan to strengthen the fight against terrorist financing.256 The action plan focuses on two main strands of action: tracing illicit financial flows and preventing terrorists from moving funds or other assets; and disrupting the sources of revenue used by terrorist organizations by targeting their capacity to raise funds.

The action plan listed a number of concrete measures that were immediately put into practice by the European Commission and laid out a path forward to review existing legislation and propose new legislation. As part of the action plan, the European Commission adopted a proposal to amend the 4AMLD (also referred to as “5AMLD” due to the substantial character of the proposed amendments) in July 2016. The revised directive addresses five tasks: (1) ensuring a high level of safeguards for financial flows from high-risk non-EU countries; (2) enhancing the powers of the EU Financial Intelligence Units (FIUs) and facilitating their cooperation; (3) centralizing national bank and payment account registers or central data retrieval systems in all member states; (4) tackling risks linked to anonymous prepaid instruments (e.g., prepaid cards); and (5) addressing terrorist financing risks linked to virtual currencies.

The European Commission proposed expanding the scope of the revised 4AMLD to include virtual currency exchange platforms and custodian wallet providers. FIUs would be able to have direct access to any information held by any obliged entity (even when the reporting entity has not filed a Suspicious Transaction Report). In addition, EU member states will now be obliged to set up a central registry or mechanism to identify the owners of bank and payment accounts on an automatic basis and FIUs will have direct access to these national registers.

Furthermore, the European Commission’s proposal creates a harmonized and enhanced approach across the EU for performing due diligence on high-

251 Basel Committee on Banking Supervision, Sound Management of Risks Related to Money Laundering and Financing of Terrorism, 2016, 6-16.
252 See also, “General Guidelines on Account Opening and Customer Identification,” Basel Committee on Banking Supervision, February 2013, http://www.bis.org/publ/bcbs85annex.htm and Basel Committee on Banking Supervision, Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism, February 2016, http://www.bis.org/bcbs/publ/d353.pdf.
253 Institute of International Finance, Deploying Regtech Against Financial Crime, March 2017, https://www.iif.com/publication/research-note/deploying-regtech-against-financial-crime
254 The EU directives harmonize national AML standards and need to be transposed into laws by EU member states; even if they are not transposed, they have a direct effect. See “The Direct Effect of European Law,” Eur-Lex, January 14, 2015, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=URISERV%3Al14547.
255 Eur-Lex, Directive (EU) 2015/849 on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing, May 20, 2015, http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1476157559137&uri=CELEX:32015L0849, accessed January 9, 2017.
256 European Commission, Anti-Money Laundering and Counter Terrorist Financing: Stronger Rules to Respond to New Threats, 2016, http://ec.europa.eu/justice/criminal/document/files/aml-factsheet_en.pdf.

risk non-EU countries. This harmonized list of actions will set minimum requirements to be applied by all EU member states and will encompass a number of checks, including on customers, the purpose and nature of the business relationship, and the source of funds.

The Council of the European Union adopted its negotiating position on December 19, 2016, and the Parliament followed with its position on February 28, 2017.257 The final text is likely to be agreed to in 2017 by the Council and Parliament, though both institutions have different objectives, with the Parliament focusing on transparency and tax evasion and the Council on terrorist financing.258

Finally, the European Commission proposed a package to measure the EU’s capacity to fight the financing of terrorism and organized crime, delivering on the commitments made in the action plan against terrorist financing from February 2016. The package includes a proposed directive that would establish the criminalization of money laundering for all member states (with the exception of Denmark and Ireland), a proposed regulation that would implement tighter controls on large cash flows, and a proposed regulation to strengthen the mutual recognition of criminal asset freezing and confiscation orders within the European Union.

Recent Trends in US AML Laws

Enacted in 1970, the Bank Secrecy Act (BSA) is the primary US anti-money laundering regulatory statute. It was followed by the world’s first anti-money laundering law, the Money Laundering Control Act of 1986.259 Motivated by the attacks of September 11, 2001, it was amended by the USA Patriot Act.260

In particular, the USA Patriot Act of 2001 AML rules have extraterritorial reach and are especially relevant for correspondent banking relationships. Under Section 311, the Treasury Department has the authority to apply special measures to address primary money laundering concerns related to specific banks in foreign jurisdictions.261 For instance, in 2005, the Treasury designated Banco Delta Asia in Macau as a “primary money laundering concern” and served the bank with a 311 order because it had facilitated a range of illegal activities for North Korea, including counterfeiting $100 bills and money laundering.262 Practically overnight, banks throughout the region stopped doing business with the Banco Delta. A ripple effect around the international banking community led to the freezing, scrutiny, and isolation of North Korea from the banking system. This result was remarkable for several reasons: the United States could not have proposed any trade sanctions, since there was no trade with North Korea at the time; Banco Delta did not have US accounts to be frozen; and North Korea was not the subject of any United Nations (UN) measure or sanction.263 Another recent example is Russia, which would like to see an easing of US sanctions on Western financing for its banks and oil companies, because fewer sanctions could easily boost growth by a percentage point or more by some estimates.264

The US Treasury can compel US banks to apply gradual protective measures, from recordkeeping practices to closing correspondent accounts. US banks have to apply special due diligence measures and respond to questions about any client or foreign bank they deal with, including who its owners are and the nature of its regulatory oversight.265 For any correspondent banking account managed by a US financial institution, the US Treasury can request any

257 EU Council, Proposal for a Directive of the European Parliament and of the Council Amending Directive (EU) 2015/849 on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing and Amending Directive 2009/101/EC, December 19, 2016, http://data.consilium.europa.eu/doc/document/ST-15605-2016-INIT/en/pdf.
258 EU Parliament, Report on the Proposal for a Directive of the European Parliament and of the Council Amending Directive (EU) 2015/849 on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing and Amending Directive 2009/101/EC, March 2017, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A8-2017-0056+0+DOC+XML+V0//EN
259 Federal Financial Institutions Examinations Council, Money Laundering Control Act of 1986, http://www.ffiec.gov/bsa_aml_infobase/documents/regulations/ml_control_1986.pdf.
260 US Department of Justice, The USA Patriot Act: Preserving Life and Liberty, 2001, https://www.justice.gov/archive/ll/what_is_the_patriot_act.pdf.
261 “Special Measures: Overview,” Bank Secrecy Act Anti-Money Laundering Examination Manual, Section 311 of the USA Patriot Act (2001), which amends the Bank Secrecy Act (1970), https://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_031.htm.
262 Bryan Borrough, “In ‘Treasury’s War,’ Missiles for a Financial Battlefield,” New York Times, August 31, 2013, http://www.nytimes.com/2013/09/01/business/in-treasurys-war-missiles-for-a-financial-battlefield.html.
263 Samuel Rubenfeld, “Q&A: Juan Zarate, the author of ‘Treasury’s War,’” Wall Street Journal, September 26, 2013, http://blogs.wsj.com/riskandcompliance/2013/09/26/qa-juan-zarate-author-of-treasurys-war.
264 Neil Buckley, “Buoyant Putin Still Needs Washington to Cut a Deal on Sanctions,” Financial Times, December 19, 2016, https://www.ft.com/content/13cbbdca-c76b-11e6-9043-7e34c07b46ef. See also Max Seldom and Courtney Weaver, “Trump to Call Putin as He Considers Lifting Russia Sanctions,” Financial Times, January 27, 2017, https://www.ft.com/content/581eff4e-e49b-11e6-8405-9e5580d6e5fb.
265 US Department of Justice, The USA Patriot Act, Section 312, http://ithandbook.ffiec.gov/media/resources/3356/con-usa_patriot_act_section_312.pdf.

A woman holds bank notes at Banco Delta Asia in Macau, China. Photo credit: Reuters/Paul Yeung.

records regarding the account, even those located outside of the United States, including the identity of each beneficial owner of the foreign bank, unless the bank is publicly traded.266

Requirements for banks to know their corporate clients’ beneficial owners are also increasing in the United States.267 The USA Patriot Act had already contemplated requiring beneficial ownership information as part of customer due diligence obligations, but the act did not provide a definition of a beneficial owner, so the identification requirements were unclear. However, the Bank Secrecy Act passed in May 2016, which will become effective in 2018, will address this issue for companies when a new account is opened.268 Trusts, on the other hand, do not have beneficial ownership identification requirements under the new legislation.269 This is a significant gap.

266 US Department of Justice, The USA Patriot Act, Section 319(b) and implementing regulations, https://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_027.htm.
267 The final rule (§ 1010.230) released by the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) on May 6, 2016, to obtain and record beneficial ownership information will increase the customer due diligence obligations of covered financial institutions, which will have two years to implement the new requirements on beneficial ownership, as part of their obligations under the Bank Secrecy Act in Title 31.
268 The beneficial ownership definition includes any individual who owns directly or indirectly 25 percent or more of the equity interests of the corporate customer. See Department of the Treasury, Financial Crimes Enforcement Network, Customer Due Diligence Requirements for Financial Institutions, 31 CFR Parts 1010, 1020, 1023, et al., https://www.gpo.gov/fdsys/pkg/FR-2016-05-11/pdf/2016-10567.pdf.
269 Ibid. Covered financial institutions include federal regulated banks and credit unions, mutual funds, brokers and dealers in securities, futures commissions merchants and introducing brokers in commodities.

What Are the Regulatory Gaps?

There is a lack of consistent AML regulations across the global community. The different playing fields of controls internationally, caused by deficient AML laws and often by their lack of enforcement by national authorities, create opportunities for “bad actors” to operate in many jurisdictions; this should be tackled as a global priority. Emerging countries, as recently recommended by the Financial Stability Board (FSB), need stricter bank supervision.270 Currently, FATF members (thirty-five countries) do not fully implement the FATF 2012 recommendations, and many countries do not implement them at all. This regulatory asymmetry creates jurisdictional gaps, which are exploited by bad actors. The exclusion of politically exposed persons (PEPs), beneficial owners, and “gatekeepers” of the financial sector (such as lawyers, real estate professionals, and trusts) from transparency requirements is a regulatory gap that threatens the global community, as revealed by the Panama Papers.271 Virtual currencies and other new businesses can be used by bad actors to move money globally.

Financial Sector Gatekeepers

The FATF recommendations contain AML guidelines for the financial sector’s “gatekeepers,” including trusts and company services providers, lawyers, real estate professionals, casinos, dealers in precious metals and stones, those in the life insurance sector, and money services businesses.272 Many of these businesses remain unregulated internationally, with AML laws addressing only the financial sector. Some examples of vulnerabilities are as follows:

Law Firms. The FATF 2016 December report on the United States has called law firms’ pooled accounts a vulnerability.273 Tens of billions of dollars every year move through opaque bank accounts managed by law firms that create a gap in US money-laundering defenses. US law firms protect the confidentiality of their pooled accounts citing attorney-client privilege.

Real Estate. In 2016, the US Treasury’s Financial Crimes Enforcement Network (FinCEN) issued several Geographic Targeting Orders (GTOs),274 which apply to title companies located in six major metropolitan areas in the United States (New York, Miami, Los Angeles County, San Diego County, the San Francisco area, and the county that includes San Antonio, Texas) and require them to identify the beneficial owners of legal entities, partnerships, or representatives that make all-cash purchases of high-end residential real estate. GTOs275 are valid for 180 days and were renewed on February 24, 2017, for a similar period. FinCEN276 found that about 30 percent of the transactions were related to a beneficial owner with a previous suspicious activity report. The information obtained confirmed the use of shell companies to launder money through the purchase of luxury real estate in “all-cash” transactions and led to enforcement actions. For instance, in June 2016, the Department of Justice seized more than $1 billion in assets from the 1Malaysia Development Berhad fund. The sovereign wealth fund’s embezzled assets were transferred into the United States using shell companies and the client bank accounts of law firms to buy luxury real estate properties in Los Angeles, New York, and London.277

Trusts and Bearer Shares Corporations. The Panama Papers leak in 2016 also revealed a serious need to supervise non-financial sector entities (such as trust services companies and law firms), despite previous country assessments by FATF. Two years prior, in June 2014, FATF identified strategic deficiencies in Panama, which expedited the adoption of an AML legislation package. Panama’s vulnerability to money laundering was that not all financial and non-financial sectors were subjected to AML regulations and supervision. This was addressed in the new legislation and provided the justification, after some technical assistance, to remove Panama

270 Caroline Binham, “Stricter Bank Supervision Needed in Developing Nations, Say Policymakers,” Financial Times, December 19, 2016, https://www.ft.com/content/13cbbdca-c76b-11e6-9043-7e34c07b46ef.
271 “The Panama Papers: A Torrential Leak,” Economist, April 9, 2016, http://www.economist.com/news/international/21696497-huge-trove-documents-has-revealed-secrets-offshore-business-presaging-tougher.
272 FATF, Risk-Based Approach Guidance for Legal Professionals, October 23, 2008, http://www.fatf-gafi.org/publications/fatfrecommendations/documents/riskbasedapproachguidanceforlegalprofessionals.html
273 Rachel Louise Ensign and Serena Ng, “Money Laundering Loophole: Law Firms,” Wall Street Journal, December 27, 2016, A1 and A6.
274 US Department of Treasury, “Treasury Announces Key Regulations and Legislation to Counter Money Laundering and Corruption, Combat Tax Evasion,” Press Release, May 5, 2016, https://www.treasury.gov/press-center/press-releases/Pages/jl0451.aspx.
275 US Department of Treasury, Geographic Targeting Order, February 21, 2017, https://www.fincen.gov/sites/default/files/shared/Real%20Estate%20GTO%20February%202017%20-%20Generic.pdf.
276 US Department of the Treasury, “FinCEN Renews Real Estate ‘Geographic Targeting Orders’ to Identify High-End Cash Buyers in Six Major Metropolitan Areas,” Press Release, February 23, 2017, https://www.fincen.gov/news/news-releases/fincen-renews-real-estate-geographic-targeting-orders-identify-high-end-cash.
277 Louise Story, “US to Expand Tracking of Home Purchases by Shell Companies,” New York Times, July 27, 2016, http://www.nytimes.com/2016/07/28/us/us-expands-program-to-track-secret-buyers-of-luxury-real-estate.html?_r=0.

from the FATF (grey) list of countries with strategic deficiencies in February 2016.278 However, the leak of the law firm Mossack Fonseca shortly after (in April 2016) revealed the continued lack of transparency and extended use of shell companies to launder money and evade trade sanctions.279 It also suggested that FATF international surveillance of AML country frameworks should be strengthened through independent reviews.

A recent US State Department report points to the country’s serious AML deficiencies:

Numerous factors hinder the fight against money laundering, including the existence of bearer share corporations, a lack of collaboration among government agencies, lack of experience with money laundering investigations and prosecutions, inconsistent enforcement of laws and regulations, and a weak judicial system susceptible to corruption and favoritism. Money is laundered via bulk cash and trade by exploiting vulnerabilities at the airport, using commercial cover and free trade zones (FTZs), and exploiting the lack of regulatory monitoring in many sectors of the economy. The protection of client secrecy is often stronger than authorities’ ability to pierce the corporate veil to pursue an investigation.280

Fintech: Crowdfunding, Online Lending Platforms, P2P Lending

Online lending platforms, peer-to-peer (P2P) lending, and equity crowdfunding—the raising of capital by selling unregistered securities to investors or lenders over the Internet—are rapidly growing industries in the United States, United Kingdom (UK), and China, according to Morgan Stanley.281 However, Standard and Poor’s has raised concerns about the online lending platforms’ capacity to comply with key financial regulatory principles and the quality of the data that the platforms keep and on which they base their loan underwriting decisions.

The 2015 FATF report on Emerging Terrorist Financing Risks points to crowdfunding as an alternative way to transfer funds abroad for terrorism finance purposes, citing the FIU of Canada, which has reported several instances “where individuals under investigation for terrorism-related offences, have used crowdfunding websites prior to leaving and/or attempting to leave Canada.”282 Several cases link P2P lending or crowdfunding platforms with terrorism financing. Online lending platforms should screen lenders and investors against designated terrorist and sanctioned entity lists, take steps to detect fake investors, and report suspicious transactions. The questionable due diligence practices of some crowdfunding platforms internationally, combined with regulatory fragmentation, make crowdfunding vulnerable to exploitation by criminals.

In the San Bernardino, California, terrorist attack, in which a married couple killed fourteen people and wounded others, one of the shooters obtained a loan from a peer-to-peer lending site to finance the attack.283 The problem in this case was not the source of funding (which was legitimate), but the clients’ identification and end use of Syed Raheel Farook’s loan, which was not to consolidate loans, as he had alleged, but to purchase guns and munition. P2P lending risk lies in the anonymity of these loans, compared with traditional bank loans to a person who has an account with the bank and whose financial activities can be monitored.

Another potential threat is to cybersecurity and identity theft. In October 2015, US telecommunications giant T-Mobile reported a data breach that affected fifteen million customers. The stolen data could be used to create fake lender or investor profiles to launder money. As an example, fake investors (with stolen T-Mobile identities) could crowdfund a sham company that purports to do charitable work abroad. The investors could transfer funds to the company by purchasing (worthless) equity, and the company could transfer the money abroad under the guise of its business.

278 The Inter-American Development Bank drafted the new AML legislation, and provided technical assistance to Panama to be removed from the FATF grey list. “Panamá prepara nueva ley contra el blanqueo de capitals,” La Estrella De Panamá, August 12, 2014, http://laestrella.com.pa/economia/panama-prepara-nueva-contra-blanqueo-capitales/23795230.
279 “The Lesson of the Panama Papers,” The Economist, April 9, 2016, http://www.economist.com/news/leaders/21696532-more-should-be-done-make-offshore-tax-havens-less-murky-lesson-panama-papers.
280 US Department of State, International Narcotics Control Strategy Report, Vol. II, 2016, http://www.state.gov/j/inl/rls/nrcrpt/2016/vol2/index.htm.
281 By 2020, Morgan Stanley forecasts online lenders will reach $47 billion, or 16 percent of total US small and medium enterprise (SME) approvals, Smittipon Srethapramote et al., Global Marketplace Lending: Disruptive Innovation in Financials, Morgan Stanley, May 19, 2015, http://bebeez.it/wp-content/blogs.dir/5825/files/2015/06/GlobalMarketplaceLending.pdf.
282 FATF, Emerging Terrorist Financing Risks, “Case Study 19: Crowdfunding,” October 2015, http://www.fatf-gafi.org/media/fatf/documents/reports/Emerging-Terrorist-Financing-Risks.pdf, 31-32.
283 Darrell Delamaide, “Loan to Terror Couple Challenges Regulators,” USA Today, December 15, 2015, http://www.usatoday.com/story/money/2015/12/15/shooting-terrorism-online-loans-san-bernardino/77358520/; “FBI Will Investigate San Bernardino Shootings as Terrorist Act,” Federal Bureau of Investigation, December 4, 2015, https://www.fbi.gov/news/stories/fbi-will-investigate-san-bernardino-shootings-as-terrorist-act.

Since 2013, in the United States, crowdfunding platforms have been subject to AML requirements.284 Under Securities and Exchange Commission and Financial Industry Regulatory Authority (FINRA) rules, equity crowdfunding AML programs must comply with Bank Secrecy Act obligations analogous to those applicable to a broker-dealer, including establishing and maintaining effective customer identification on investors; conducting background checks on each officer, director, and holder of 20 percent voting power of the issuer; monitoring and reporting suspicious activity and complying with requests for information from FinCEN and denying access to its services if it believes the issuer or the offering presents a potential for fraud.

Online lending businesses should employ automated tools to detect and prevent AML risks.285 Similar to online banking, platforms should use compliance intelligence tools to prevent crowdfunding project initiators from secretly raising funds for illicit purposes. A December 2016 Harvard Business School white paper proposed automating the regulatory compliance activities for online lending platforms and creating a concrete regulatory action plan, including a limited national charter.286

On December 2, 2016, the Office of the Comptroller of the Currency (OCC) proposed issuing special purpose national bank charters for financial technology (fintech) companies.287 In March 2017, the OCC issued a licensing manual draft supplement or Fintech Charter288 for comments. The OCC will consider applications for special purpose national bank licenses from financial technology companies, which operate one of the core banking activities of “paying checks” (broadly referred to as payment systems) or lending money (including any new form of leasing or discounting). The Fintech Charter would require governance and a risk assessment, including AML, among other regulatory requirements and would subject the firms to OCC supervision. Overall, it would make it possible for fintech companies to provide services across the United States.

Fintech companies would be able to voluntarily apply for a national charter and benefit from uniform (federal) regulation and supervision by the OCC. Chartered fintech companies would need to adopt AML risk-mitigation programs and automated tools similar to banks. As the OCC notes, discounting notes, purchasing bank-permissible debt securities, engaging in lease-financing transactions, and making loans are forms of lending money. Similarly, issuing debit cards or engaging in other means of facilitating payments electronically are the modern equivalent of paying checks. The OCC would consider on a case-by-case basis the permissibility of new activities.

Some EU countries, such as the UK and Spain, have specifically regulated crowdfunding, but it is not regulated at the European level—though some other countries consider crowdfunding as an activity covered under the Markets in Financial Instruments Directive.289 Regarding lending-based crowdfunding, the European Banking Authority recommends that online platforms should, at a minimum, require borrower background checks; have strong AML policies and procedures in place; offer transparent information regarding their directors, stakeholders, and beneficial owners; and have enough technical capacity and expertise to maximize online security.290

The World Bank InfoDev study291 projects that the market value of crowdfunding will be $96 billion by 2025. It also recommends crowdfunding should occur only on portals that are registered with a national regulatory body that oversees securities, or through clearing houses that conduct mandatory background checks for issuers and investors and require auditing and financial disclosures. Very few crowdfunding platforms meet these requirements today globally. In fact, many platforms raise

284 Equity crowdfunding is regulated by the US Jumpstart Our Business Startups Act (“JOBS Act”) Title 301 (“This title may be cited as the “Capital Raising Online While Deterring Fraud and Unethical Non-Disclosure Act of 2012” or the “Crowdfund Act”); Crowdfunding, 78 Fed. Reg. 66428, 66461-65, proposed November 3, 2013, hereinafter “Regulation Crowdfunding.”
285 Zachary Robock, “The Risk of Money Laundering Through Crowdfunding: A Funding Portal’s Guide to Compliance and Crime Fighting,” Michigan Business Entrepreneurial Law Review, Vol. 4, No. 1 (2014), http://repository.law.umich.edu/mbelr/vol4/iss1/4/.
286 Karen Gordon Mills and Brayden McCarthy, The State of Small Business Lending: Innovation and Technology and the Implications for Regulation, Harvard Business School Working Paper 17-042, 2016, http://www.hbs.edu/faculty/Publication Files/17-042_30393d52-3c61-41cb-a78a-ebbe3e040e55.pdf, 73 and Chapter 6.
287 Office of the Comptroller of the Currency, Exploring Special Purpose National Bank Charters for Fintech Companies, 2016, https://www.occ.gov/topics/responsible-innovation/comments/special-purpose-national-bank-charters-for-fintech.pdf.
288 Office of the Comptroller of the Currency, Evaluating Charter Applications from Financial Technology Companies, 2017, https://www.occ.gov/publications/publications-by-type/licensing-manuals/file-pub-lm-fintech-licensing-manual-supplement.pdf.
289 Financial Conduct Authority, A Review of the Regulatory Regime for Crowdfunding and the Promotion of Non-readily Realizable Securities by Other Media, February 2015, https://www.fca.org.uk/publication/thematic-reviews/crowdfunding-review.pdf.
290 European Banking Authority, “EBA recommends convergence of lending-based crowdfunding regulation across the EU,” February 26, 2015, https://www.eba.europa.eu/-/eba-recommends-convergence-of-lending-based-crowdfunding-regulation-across-the-eu.
291 World Bank, Crowdfunding’s Potential for the Developing World, 2013, http://www.infodev.org/infodev-files/infodev_crowdfunding_study_0.pdf.
questions regarding the identity of issuers and investors and the fragmentation
of the regulatory regimes in cross-border sourcing projects.

Remittances and Money Services Businesses

A risk-based approach should guide the regulation of remittance service
providers (RSPs) and money services businesses (such as those that issue
travelers checks and prepaid cards) at the global level.292 At this time, RSPs
are mostly unregulated and have different business models. However, after
September 2001, the FATF Special Recommendations on Terrorist Financing provided
that in order to prevent terrorist financing, informal remittance houses should
be licensed and comply with risk-based AML regulatory standards that apply to
banks.293 The European Parliament acknowledges the difficulty in implementing
FATF recommendations at a global level, as well as the different terminology
employed across jurisdictions (also referred to as “money transfer or money
service businesses” in Anglo-Saxon legal systems). The Consultative Group to
Assist the Poor, housed at the World Bank, recommends a gradual implementation
of AML rules that considers the level of maturity of the monetary industry in
each country.294

RSPs receive cash from their customers that they transfer internationally
through the banking system. Data on who sends and receives these payments in
foreign countries are often untraceable and criminals frequently use this
anonymity to their advantage. For instance, the HSBC Group paid $1.9 billion in
fines to US authorities in 2012 for not supervising its RSP clients, which
laundered money from drug cartels through its Mexican unit for years.295 Mexico
is the top destination for money transfers from the United States, according to
estimates by the World Bank.296 However, according to the 2009 International
Monetary Fund (IMF) country report for Mexico, RSPs are not required to conduct
any customer due diligence except for when transactions exceed $10,000.297

Since the financial crisis, remittance start-ups298 have emerged globally using
disruptive technologies such as blockchain in direct payments to mobile phones
(P2P money transfers) to provide remittance services across borders. While some
of them are not regulated, others are. For instance, Coins.ph is a mobile
blockchain-based platform connecting over three hundred million unbanked people
in Southeast Asia.299 Blockchain helps Coins.ph facilitate remittances from any
country as long as the sender is able to purchase digital currency. Coins.ph is
regulated by the central bank of the Philippines (BSP) as a remittance and
foreign exchange company. Since the amounts are small, KYC requirements for
opening a Coins.ph account are less demanding than opening a bank account. For
low-risk individuals’ identification purposes, a risk-based approach permits
users to take a selfie on their phone while holding a government identity
document. Strategic partnerships with banks also allow Coins.ph customers to use
automated teller machines (ATMs) by sending a code to their phone without the
need to have a bank account or an ATM card.300

Virtual Currency Businesses (Exchanges and E-Wallets)

Bitcoin and other virtual currencies embody a value-transfer system that
operates like a currency or a commodity, with no issuer or central authority.
There are, however, inherent risks that have

292 See Committee on Payment and Settlement Systems and World Bank, General
Principles for International Remittance Services,
January 2007, http://www.bis.org/cpmi/publ/d76.pdf. “The World Bank Migration
Development Brief,” Issue No. 21, October
2013, 29; See also, “Let Them Remit,” The Economist, July 20, 2013,
http://www.economist.com/news/middle-east-and-
africa/21581995-western-worries-about-money-laundering-are-threatening-
economic-lifeline.
293 FATF, Special Recommendations on Terrorist Financing, 2001, reviewed 2008,
http://www.fatf-gafi.org/media/fatf/documents/
reports/FATF%20Standards%20%20IX%20Special%20Recommendations%20and%20IN
%20rc.pdf; see also World Bank,
Guidance Report for the Implementation of the CPSS-World Bank General
Principles for National Remittance Services, Financial
Infrastructure Series, 2007,
http://www.worldbank.org/en/topic/paymentsystemsremittances/publication/guidance-
report-for-
the-implementation-of-the-cpss-wb-general-principles-for-international-
remittances, 24-26.
294 European Parliament, “The Impact of Remittances in Developing Countries”,
p.30 http://www.europarl.europa.eu/meetdocs/2009_2014/documents/deve/dv/remittances_study_/remittances_study_en.pdf
295 Aruna Viswanatha and Brett Wolf, “HSBC to Pay $1.2 Billion US Fine in Money
Laundering Case,” Reuters, December 11, 2012,
http://www.reuters.com/article/us-hsbc-probe-idUSBRE8BA05M20121211.
296 Raúl Herández-Coss, The US–Mexico Remittance Corridor: Lessons on Shifting
from Informal to Formal Transfer System, World
Bank Working Paper No. 47, February 2005,
http://siteresources.worldbank.org/EXTAML/Resources/396511-1146581427871/US-
Mexico_Remittance_Corridor_WP.pdf.
297 International Monetary Fund, Mexico: Detailed Assessment Report on Anti-Money
Laundering and Combating Terrorism, Country
Report, 2009, 130, paragraph 146.
298 Amit, “11 Money Transfer Companies Using Blockchain Technology,” Let’s Talk
Payments, October 23, 2015, https://
letstalkpayments.com/11-money-transfer-companies-using-blockchain-technology-
2/.
299 Kate, “19 Bitcoin Remittance Startups That Won’t Let the Cryptocurrency Die,”
Let’s Talk Payments, February 5, 2016, https://
letstalkpayments.com/19-bitcoin-remittance-startups-that-wont-let-the-
cryptocurrency-die/.
300 Chamber of Digital Commerce, Georgetown University, “Blockchain and Financial
Inclusion White Paper”, March 2017, p. 18-19,
http://finpolicy.georgetown.edu/newsroom/news/center-releases-white-paper-
blockchain-and-financial-inclusion
A chain of block erupters used for Bitcoin mining is pictured at the Plug and
Play Tech Center in Sunnyvale,
California October 28, 2013. A form of electronic money independent of
traditional banking, Bitcoins started
circulating in 2009 and have since become the most prominent of several
fledgling digital currencies.
Photo credit: Reuters/Stephen Lam.
attracted the attention of regulators. Due to the anonymity afforded by these
currencies, criminals are increasingly using virtual currency exchanges and
e-wallets to launder money. For instance, a high percentage of illicit financial
flows from developing countries are now being transferred through trade-based
money-laundering methods to avoid detection. Using virtual currencies in such
international transactions makes them almost untraceable.301

Bitcoin’s protocol, for example, does not verify participants and generates
transactions that are not necessarily associated with a real-world identity. It
therefore offers a level of anonymity beyond traditional credit and debit cards
or online payment systems, such as PayPal. The transactions in blockchain can be
tracked, but mixers can be used to hide the transactions history of any client
so it becomes easier to launder money without being detected.302 Also, the
transaction records may reside with multiple entities located in different
jurisdictions, which makes it difficult for law enforcement to collect
information.

301 Global Financial Integrity, Illicit Financial Flows from Developing
Countries: 2004-2013, December 2015,
http://www.gfintegrity.org/wp-content/uploads/2015/12/IFF-Update_2015-Final-1.pdf.
302 FATF Report, “Virtual Currencies Key Definitions and Potential AML/CFT
Risks”, June 2014, p. 6 , http://www.fatf-gafi.org/media/
fatf/documents/reports/Virtual-currency-key-definitions-and-potential-
aml-cft-risks.pdf. Mixer (laundry service, tumbler) is
a type of anonymiser that obscures the chain of transactions on the
blockchain by linking all transactions in the same bitcoin
address and sending them together in a way that makes them look as if
they were sent from another address. A mixer or
tumbler sends transactions through a complex, semi-random series of dummy
transactions that makes it extremely difficult to
link specific virtual coins (addresses) with a particular transaction.
Mixer services operate by receiving instructions from a user
to send funds to a particular bitcoin address. The mixing service then
“comingles” this transaction with other user transactions,
such that it becomes unclear to whom the user intended the funds to be
directed.
Criminal abuse of the bitcoin currency has already featured prominently in
several high-profile laundering and fraud cases. In 2014, a board member of the
nonprofit Bitcoin Foundation was charged with money laundering for allegedly
conspiring with a bitcoin exchange operator to sell $1 million in bitcoins to
users of the Silk Road black market.303 That same year, Japan-based Mt. Gox,
then the world’s largest bitcoin exchange, announced that hackers had stolen
$500 million in bitcoins from its poorly guarded system.304 Japanese prosecutors
later charged former Mt. Gox Chief Executive Officer Mark Karpeles with
embezzlement, accusing him of stealing $2.66 million from clients.305

The emergence of virtual currency exchanges (VCEs) and other related businesses
poses new risks described by the FATF 2014 paper. Anyone with an Internet
connection can use them to transfer funds across borders, regardless of
jurisdiction, while very few countries have issued regulations surrounding their
use.306 The IMF has pointed out that more could be done to help develop an
effective international framework for the regulation of virtual currencies.307

In the United States, in 2013, FinCEN issued guidance and rulings on when a VCE
must register as a money services business and is subject to anti-money
laundering and KYC regulations. However, what constitutes an exchange can be
unclear. VCEs engage in exchanging virtual currency for “real currency.”
However, this gets more complicated when private users (who are not regulated)
offer on classified websites to sell or buy bitcoins at a premium or a discount,
making the transaction anonymous. A Louisiana chiropractor exchanged more than
$3 million in money orders through his credit card accounts for bitcoins that he
bought on bitcoin exchanges. The reality is that unlicensed bitcoin exchanges308
have been connected with other illegal activity.

Virtual currency exchanges, which are considered money transfer businesses in
the United States, are regulated by states. While some states allow money
transmitters to operate without a license, others require one. In 2015, the New
York Department of Financial Services issued specific regulations for virtual
currency businesses, requiring anyone conducting these activities in New York
State to be licensed (Bitlicense) and to implement customer due diligence
requirements and AML programs.309

Another challenge is supervision. There is no central oversight authority over
the virtual currency exchanges or custodian wallet providers (WPs). In the
United States, since 2013, VCEs and WPs have been subject to AML supervision by
FinCEN at the federal level. In March 2017, the OCC issued a voluntary charter
proposal for financial technology companies (Fintech Charter),310 which would
allow them to operate at the federal level under OCC’s supervision.311

In the European Union, the 5AMLD will aim to harmonize the AML requirements
among EU member states for virtual currency exchanges and custodian wallet
providers and impose strict limits on prepaid cards.312 Under the European
Commission’s proposal to expand the scope of the revised fourth AMLD (or 5AMLD),
VCE platforms and WPs would become “obliged entities” and have to implement
similar preventive measures and report suspicious transactions. The new
directive would also reduce

303 Emily Flitter, “Prominent Bitcoin Entrepreneur Charged with Money
Laundering,” Reuters, January 27, 2014,
http://www.reuters.com/article/us-usa-bitcoin-arrests-idUSBREA0Q15N20140128.
304 Yoshifumi Takemoto and Sophie Knight, “Mt. Gox Files for Bankruptcy, Hit with
Lawsuit,” Reuters, February 28, 2014, http://www.
reuters.com/article/us-bitcoin-mtgox-bankruptcy-idUSBREA1R0FX20140228.
305 Taiga Uranaka, “Prosecutors File Charges against Ex-CEO of Mt. Gox Bitcoin
Exchange,” Reuters Canada, September 12, 2015,
http://ca.reuters.com/article/technologyNews/idCAKCN0RC04620150912.
306 FATF, Money Laundering and Terrorist Financing Vulnerabilities of Commercial
Websites and Internet Payment Systems, June 18, 2008,
http://www.fatf-gafi.org/topics/methodsandtrends/documents/moneylaunderingterroristfinancingvulnerabilitiesofcommercialwebsitesandinternetpaymentsystems.html.
307 Dong He et al., Virtual Currencies and Beyond: Initial Considerations,
International Monetary Fund, January 2016, SDN/16/03, 36.
308 Lester Coleman, “Arrests and Prosecutions Reveal Big Vagaries in Bitcoin
Selling Regulations,” Cryptocoin News, May 23, 2016,
https://www.cryptocoinsnews.com/arrests-and-prosecutions-reveal-big-vagaries-
in-bitcoin-selling-regulations/.
309 New York State Department of Financial Services, New York Codes, Rules, and
Regulations, Title 23, Department of Financial
Services, Chapter I. Regulations of the Superintendent of Financial Services,
Part 200. Virtual Currencies, http://www.dfs.ny.gov/
legal/regulations/adoptions/dfsp200t.pdf.
310 US Department of Treasury, “OCC to Consider Fintech Charter Applications,
Seeks Comment,” Press Release, December 2, 2016,
https://www.occ.treas.gov/news-issuances/news-releases/2016/nr-occ-2016-
152.html.
311 Office of the Comptroller of the Currency, Evaluating Charter Applications
From Financial Technology Companies, Comptroller’s
Licensing Manual Draft Supplement, March 2017,
https://www.occ.gov/publications/publications-by-type/licensing-manuals/file-
pub-lm-fintech-licensing-manual-supplement.pdf.
312 European Commission, Proposal for a Directive of the European Parliament and
of the Council Amending Directive (EU)
2015/849 on the Prevention of the Use of the Financial System for the
purposes of Money Laundering or Terrorist Financing and
Amending Directive 2009/101/EC, July 5, 2016,
http://ec.europa.eu/justice/criminal/document/files/aml-directive_en.pdf; see
also Samantha Sheen, “ACAMS, 4AMLD Part 3: Virtual Currency Exchange
Platforms, E-Wallet Providers and Pre-Paid Cards,”
Advancing Financial Crime Professionals Worldwide, July 20, 2016,
http://www.acams.org/aml-resources/samantha-sheens-blog/
eu-proposals-to-bolster-fight-against-financial-crime/.
the exemption regime for anonymous prepaid cards. In its proposal, the European
Commission suggested deleting the exemption for prepaid cards used online,
lowering the threshold for non-reloadable prepaid cards from $282 (€250) to $169
(€150), and enhancing the powers of FIUs. However, it is still unclear whether
the 5AMLD would require uniform licensing or registration for VCEs and WPs, or
whether each EU member state may opt for either regime. In any event, as the
European Banking Authority’s 2016 opinion pointed out, due to the Internet’s
reach, there are practical difficulties in preventing unlicensed or unregistered
entities from providing digital services across borders.313

This problem also applies at the global level, due to the Internet’s reach,
since the majority of virtual currency businesses remain unregulated. The “big
three” Chinese VCEs314 issued statements in February 2017 disallowing
withdrawals for a month to upgrade infrastructure and include “self-regulated”
anti-money laundering controls, following regulatory pressures from the People’s
Bank of China. Regulation for VCEs and WPs should be addressed globally,
promoting the adoption of AML, cybersecurity, and consumer protection frameworks
and automating the monitoring process.315

Politically Exposed Persons (PEPs)

PEPs represent a high-risk category of customers for banks, and are subject to
enhanced due diligence in many countries. FATF recommendations include the
customer identification of both domestic and foreign PEPs. However, many AML
national laws only include the obligation to identify international PEPs and
often exclude domestic PEPs, which is a significant gap. The United Nations and
the World Bank recommend income and asset disclosure regimes for PEPs to prevent
corruption and money laundering.316 The requirement that public officials
declare their income and assets already exists in the United States for
government employees, General Schedule (GS)-15 and higher.317

The challenge for banks in fulfilling their regulatory obligations to identify
and monitor PEPs transactions is mainly that public data from official sources
are difficult to obtain. Analytical software for client due diligence purposes
often includes PEPs information obtained from private and (when available)
public sources, media, and the Internet. However, the data contained are often
difficult to analyze in cases of a potential name match, since the available
information is frequently incomplete. For instance, the Central Intelligence
Agency’s library database of chiefs of state and cabinet members of foreign
governments provides a public list of names but not dates of birth (which should
be necessary for financial firms to investigate potential “false positives,”
i.e., name matches that do not correspond to the same person).318 In addition,
PEPs have found many ways to avoid detection, such as by opening accounts in the
names of corporations, trusts, or close family members or associates.319 The
Corruption Perceptions Index published by Transparency International, a
nongovernmental organization devoted to combatting corruption, ranks countries
by scores.320 Quality PEPs data should be available as part of the UN Anti-Money
Laundering Information Network, which should consider establishing and
maintaining a global repository of PEPs.321 Disclosure requirements on assets
before and after leaving office should be required globally as a transparency
measure, following the UN’s and World Bank’s recommendations.322

313 The European Banking Authority has issued further recommendations in
its 2016 opinion to adopt a more comprehensive
EU regulatory regime for virtual currencies and set up a wall with the
financial sector. See European Banking Authority,
Opinion of the European Banking Authority on the EU Commission’s Proposal
to Bring Virtual Currencies into the
Scope of Directive (EU) 2015/849 (4AMLD), August 2016,
http://www.eba.europa.eu/documents/10180/1547217/
EBA+Opinion+on+the+Commission
%E2%80%99s+proposal+to+bring+virtual+currency+entities+into+the+scope+of+4AMLD.
314 Samburaj Das, “Bitcoin Withdrawals Postponed, to Resume after
Regulatory Approval: Chinese Exchanges,” Cryptocoin News,
March 8, 2017, https://www.cryptocoinsnews.com/bitcoin-withdrawals-
postponed-resume-regulatory-approval-chinese-
exchanges/.
315 See Transaction Monitoring section. Financial Industry Regulatory
Authority, Anti-Money Laundering, Special NASD Notice to
Members 02-21, April 2002,
http://www.finra.org/sites/default/files/NoticeDocument/p003704.pdf.
316 World Bank, Public Office, Private Interests: Accountability through
Income and Asset Disclosure, 2012, https://star.worldbank.
org/star/sites/star/files/Public%20Office%20Private%20Interests.pdf, 7-
21.
317 The US Ethics in Government Act of 1978 sets the financial disclosure
requirements for members and employees of the
government. See Public Citizen, Personal Financial Disclosure
Requirements for Public Officials, June 2011, https://www.citizen.
org/documents/Personal-Financial-Disclosures-June2011.pdf.
318 CIA Library of Chiefs of State and Cabinet Members of Foreign
Governments, https://www.cia.gov/library/publications/world-
leaders-1/
319 World Bank, The Puppet Masters: How the Corrupt Use Legal Structures
to Hide Stolen Assets and What to Do About It, 2011, 11-16.
320 Transparency International, “Corruption Perceptions Index 2015,” 2015,
http://www.transparency.org/cpi2015.
321 See United Nations International Anti-Money Laundering Information
Network, “Anti-Money Laundering International Database
(AMLID),” www.imolin.org/amlid/index.html.
322 World Bank, The Puppet Masters: How the Corrupt Use Legal Structures to
Hide Stolen Assets and What to Do About It, 2011
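
The name-match problem described in the PEPs discussion above, shown as an added Python example that is not part of the original report: a name hit can only be confirmed or dismissed when both the list entry and the customer record carry a date of birth. The list entries, customers, similarity threshold and status labels are constructed assumptions.

```python
import unicodedata
from collections import Counter
from datetime import date
from difflib import SequenceMatcher
from typing import NamedTuple, Optional


class ListEntry(NamedTuple):
    name: str
    dob: Optional[date]  # public lists often publish names without a date of birth
    source: str


class Customer(NamedTuple):
    customer_id: str
    name: str
    dob: Optional[date]


def normalize(name: str) -> str:
    """Fold accents and case, drop punctuation, sort tokens so word order is ignored."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_accents.lower())
    return " ".join(sorted(cleaned.split()))


def name_similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] between two normalized names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(customer, watchlist, threshold=0.85):
    """Return (entry, score, status) for every list entry whose name is close enough."""
    hits = []
    for entry in watchlist:
        score = name_similarity(customer.name, entry.name)
        if score < threshold:
            continue
        if entry.dob is None or customer.dob is None:
            status = "UNRESOLVED"      # no date of birth to compare: manual review
        elif entry.dob == customer.dob:
            status = "POSSIBLE_MATCH"  # name and date of birth agree: escalate
        else:
            status = "FALSE_POSITIVE"  # same name, different person
        hits.append((entry, round(score, 2), status))
    return hits


def triage(customers, watchlist):
    """Count alert outcomes across a customer base."""
    return dict(Counter(s for c in customers for _, _, s in screen(c, watchlist)))


# Constructed sample data (not real persons or real lists).
SAMPLE_WATCHLIST = [
    ListEntry("María Fernández López", date(1961, 3, 14), "constructed list A"),
    ListEntry("Ivan Petrov", None, "constructed list B, names only"),
]
SAMPLE_CUSTOMERS = [
    Customer("C-1001", "Maria Fernandez Lopez", date(1988, 7, 2)),
    Customer("C-1002", "LOPEZ, Maria Fernandez", date(1961, 3, 14)),
    Customer("C-1003", "Ivan Petrov", date(1975, 11, 30)),
    Customer("C-1004", "Anna Schmidt", date(1990, 1, 5)),
]

if __name__ == "__main__":
    for cust in SAMPLE_CUSTOMERS:
        for entry, score, status in screen(cust, SAMPLE_WATCHLIST):
            print(cust.customer_id, "->", entry.name, score, status)
    print(triage(SAMPLE_CUSTOMERS, SAMPLE_WATCHLIST))
```

The alert against the names-only list stays unresolved however good the name match is, which is the cost of a list published without dates of birth.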
Beneficial Owners

Transparency requirements in AML laws should go beyond the identity of corporate
customers to include their controlling interests or beneficial owners; this
recommendation aligns with those of FATF. In the United States, the final rule
released by FinCEN on May 6, 2016, adds a new obligation for banks to obtain and
record beneficial ownership information on their legal entity clients to ensure
clear identification of their stakeholders and controlling interests.323 The
Bank Secrecy Act’s new beneficial ownership requirements will become effective
in 2018, and will create specific reporting duties with respect to each “legal
entity customer” when a new account is opened. The beneficial owner is any
individual who owns 25 percent of a company or significantly controls, manages,
or directs a customer.324

The European Union’s 4AMLD of 2015, which goes into effect on June 26, 2017,
already follows this FATF recommendation. It sets out specific rules on the
collection, storing, and access to information on the ultimate beneficial owner
of companies.325 The new definition of a beneficial owner is further specified
as a natural person who ultimately has a shareholding, controlling, or ownership
interest with over 25 percent of the shares or voting rights in corporate
entities, land title ownership included.326 Although there are notable
differences in the positions of the Council and the European Parliament, and
depending on the final agreement, the 5AMLD (or revised fourth AMLD) could widen
transparency obligations by lowering the threshold below 25 percent, so that
more beneficial owners would need to be identified by banks.

The 5AMLD aims to reinforce such transparency obligations by also proposing to
create public access by way of compulsory disclosure of certain information on
the beneficial ownership of trusts and other passive non-financial entities such
as foundations. The 5AMLD needs to be adopted by the European Parliament and
Council and negotiators are aiming to agree to it by summer 2017.327 The revised
fourth AMLD is scheduled to be transposed into national law by all EU member
states twelve months after publication in the EU’s Official Journal.

A recent example exemplifies why oversight of beneficial ownership records must
be strengthened. The Financial Conduct Authority and the New York Department of
Financial Services fined Deutsche Bank (DB) in 2016 for failures to pick up the
beneficial owners of a Russian trading scheme used by offshore clients to
launder money in London. The bank shut its investment bank in Russia as a
consequence. The offsetting trades consisted of a series of mirror trades. A
small broker in Russia bought from DB blue chip shares for rubles, while the
same stocks were sold by a British Virgin Island holding company to DB in London
for cash in dollars. An internal audit report found around two thousand similar
transactions that transferred money out of Russia, bypassing AML controls and
involving around $10 billion. The US Department of Justice is examining
potential money laundering and sanctions evasion schemes connected to these
transactions.328 The bank has admitted that “the company has so many different
technology systems that the gaps between them are open to manipulation.”329

Tools to Mitigate Risks

The elaboration of customer risk profiles has been recently called the “fifth”
pillar330 of an AML program, due to the substantial changes introduced by the
new FinCEN legislation in 2016. The other four pillars are policies, training,
compliance, and independent audit functions. A strong customer due diligence
program should include the following information about customers: the full
identification of a customer and its beneficial owners (for legal entities),
development of a “client profile” and transaction activity profiles (or
transaction monitoring) in anticipation of the projected customer’s activity,

323 See US Department of the Treasury, Financial Crimes Enforcement Network,
Customer Due Diligence Requirements
for Financial Institutions, FinCEN Rule § 1010.230, Vol. 81, No. 91, May 11,
2016, https://www.federalregister.gov/
documents/2016/05/11/2016-10567/customer-due-diligence-requirements-for-
financial-institutions.
324 Ibid. Covered financial institutions include federal regulated banks and
credit unions, mutual funds, brokers and dealers in
securities, futures commission merchants and introducing brokers in
commodities.
325 Eur-Lex, Directive (EU) 2015/849.
326 Ibid. See definition of beneficial owner in Eur-Lex, Directive (EU) 2015/849,
Article 3 and Articles 30 and 31.
327 EU Parliament, Report on the Proposal for a Directive of the European
Parliament and of the Council Amending Directive
(EU) 2015/849 on the Prevention of the Use of the Financial System for the
Purposes of Money Laundering or Terrorist
Financing and Amending Directive 2009/101/EC, March 2017,
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//
TEXT+REPORT+A8-2017-0056+0+DOC+XML+V0//EN
328 Karen Freifeld and Arno Schuetze, “Deutsche Fined $630 Million for Failures
over Russian Money-Laundering,” Reuters, Edition
United Kingdom, January 31, 2017, http://uk.reuters.com/article/us-deutsche-
mirrortrade-probe-idUKKBN15E2SP.
329 John O’Donnell, “The ‘Mirror’ Trades That Caught Deutsche in Russian Web,”
Reuters, January 31, 2017, http://www.reuters.com/
article/uk-deutsche-mirrortrade-probe-scheme-idUKKBN15F23D.
330 “FinCEN’s Final Rule to Enhance Customer Due Diligence Requirements for
Financial Institutions,” Davis Polk & Wardwell, May
31, 2016, https://www.davispolk.com/publications/fincen%E2%80%99s-final-rule-
enhance-customer-due-diligence-requirements-
financial-institutions/.
“Data profiling techniques can identify data quality issues; ensure standards
are fulfilled; reconcile differences; and suggest solutions for identified
problems.”

the investigation of unusual customer or account activity (including
documentation of findings), and suspicious transaction reporting. The client
profile refers to the information gathered about a customer at the account
opening that is then used to analyze the customer’s behavior (client monitoring)
and report potential suspicious activities to the competent Financial
Intelligence Unit.

Customer Due Diligence

Banks need to obtain information about potential new corporate customers before
they open an account. In the case of legal entities, this includes basic
information about the company’s directors, shareholders, and beneficial owners.
In May 2016, FinCEN issued final rules under the Bank Secrecy Act outlining new
customer due diligence requirements, which involve developing customer risk
profiles and abiding by Know Your Customer rules, which use customer due
diligence tools to mitigate the risk of fraud.331 Due diligence tools are, in
practice, used equally by private and public sector entities. By establishing a
customer risk management framework, financial institutions can effectively
understand the overall risk posed by their clients. Managing customer data is
key for an anti-money laundering program, even before a contractual relationship
is entered into. The more a bank or a public sector agency knows about its
counterparts or clients, the more likely it is that money-laundering and
reputational risk abuses can be prevented.

Initially, the banks obtain KYC information from prospective customers through a
series of data-gathering interviews and questionnaires before the account is
opened. To determine what type of information should be obtained from clients, a
group of international banks from the United States and Europe met with the
Basel Institute on Governance at the Wolfsberg Group (an association of banks)
in Switzerland in 1999.332 They set up industry standards, known as the
Wolfsberg AML Principles, on how to conduct client questionnaires to gather data
from them and mitigate risk. These principles complement FATF recommendations
with a technical approach to guide banks in customer due diligence rule
implementation.333

Customer Profiling

Understanding the purpose of a customer relationship helps a bank formulate a
risk-based approach to monitoring each customer’s activities and detecting
unusual behavior. To develop a customer risk profile, a bank analyzes data about
the customer’s annual income, net worth, domicile, and principal occupation or
business, as well as the customer’s history of activities with the bank.

Financial institutions continually review data that could update or enhance
established customer identification information. The most common issues with
customer data relate to missing or inaccurate data.334 Not capturing
comprehensive risk-relevant data that form a customer risk profile could lead to
incorrectly evaluating unusual activity. The challenges can be higher in global
organizations where information is not easily shared across jurisdictions or
remains in silos in business units that do not communicate.335

Once data have been collected, the risk posed by the customer needs to be
evaluated. Although the rules do not specifically require a system of risk
rating, this process creates a consistent definition of risk across a business
unit or an institution and eliminates subjective interpretations of risk levels
in processes related to customer due diligence or in transaction monitoring. For
instance, FINRA336 has specifically required that online brokers who do not meet
their clients in person should maximize the use of electronic databases to
verify information about existing or prospective clients and conduct
computerized surveillance on account activity to detect unusual or suspicious
transactions.337

331 Department of the Treasury, Financial Crimes Enforcement
Network, Customer Due Diligence Requirements for Financial
Institutions, 31 CFR Parts 1010, 1020, 1023, et al., May 2016,
https://www.gpo.gov/fdsys/pkg/FR-2016-05-11/pdf/2016-10567.pdf.
332 Gemma Aiolfi and Hans-Peter Bauer, “The Wolfsberg Group,” in Mark
Pieth (ed.), Collective Action: Innovative Strategies to
Prevent Corruption, (Zurich: Dike, 2012), 1-10,
http://www.dike.ch/Collective_Action_Pieth.
333 Wolfsberg Group, “Wolfsberg Principles for Correspondent Banking,”
2002, www.wolfsberg-principles.com/corresp-banking.html.
334 Issues with customer data often include missing data, multiple
names in name lines, names in address lines, inconsistent data
standards, duplicates, lack of additional customer information, and
extract issues.
335 Rita Gemayel, “Understanding Customer Risk,” ACAMS Today,
September-November 2016, Vol. 15, No 4, 64-65.
336 “NASD Provides Guidance to Member Firms Concerning Anti-Money
Laundering Compliance Programs Required by Federal
Law,” Notice to Members, FINRA, 2002,
http://www.finra.org/industry/notices/02-21.
337 Ibid., 7. See FINRA’s guidance to online brokers.

In general, banks use automated programs—which are usually based on a risk-scoring model and data-profiling techniques—to perform AML customer due diligence. Risk-scoring models use numeric values to create client profiles and their associated risk categories (i.e., by product, geographic area, customers who operate online only). The risk categories are then combined to give a composite score. A high-risk assessment may indicate a client needs more scrutiny or enhanced due diligence. Data quality should be addressed at system implementation to avoid creating a massive backlog. Advanced compliance systems offer sophisticated data quality solutions to analyze, cleanse, and de-duplicate customer records. Data profiling techniques can identify data quality issues; ensure standards are fulfilled; reconcile differences; and suggest solutions for identified problems. Building client profiles at the beginning of the client relationship and identifying high-risk customers can later help the bank focus its resources on monitoring transactions more accurately and effectively, based on client risk. For instance, FinCEN found that Eurobank’s338 automated system failed to adequately capture numerous transactions related to the same customer. Also, the automated system did not monitor for suspicious activity based on customer risk profiles, or the type and volume of customer transactions.339

Sanctions Screening

Before a bank starts doing business with a prospective customer, it must check the customer against published lists of known or suspected terrorists to mitigate the regulatory risk of dealing with sanctioned parties and comply with AML laws. This automated process is called sanctions screening and must be periodically undertaken by banks once a client relationship has been established, at least for each new transaction with a customer. The hundreds of names of individuals and businesses that appear in several lists of sanctioned parties issued by the United Nations, the US government (including the Office of Foreign Assets Control or OFAC List) need to be screened against each bank’s customer databases. Global banks should be in a position to simultaneously monitor many sanctions lists issued by several countries, including notably the EU and the UK Treasury consolidated lists.340

Because banks cannot rely on manual controls to detect sanctioned parties from their customers’ databases, good technological tools and quality structured data on each customer profile play important roles in this effort. For instance, a client name may initially match a sanctions list name (e.g., Pablo Escobar) but a check on the client’s date of birth from a passport will reveal that this red flag is just a “false match” or “false positive.” Banks use automated sanctions-screening tools, which aggregate all sanctioned entities and individuals. As FINRA points out, “Given the global nature of online brokerage activity, it is essential that online brokers confirm the customer data and review the OFAC List to ensure that customers are not prohibited persons or entities and are not from embargoed countries or regions.”341

Enterprise risk solutions obtain, analyze, and process data from media, the Internet, and other private and public sources for sanctions-screening purposes. Public sources are necessary to obtain data such as birth certificates or certificates of incorporation from corporate registers. Corporate certificates of incorporation may include the names of directors, stakeholders, and other significant individuals.342 However, public data lack uniformity across jurisdictions and are challenging for banks to collect on a global level. For instance, official identity documents vary from country to country and are nonexistent in many countries in Africa and Asia. This identity information is key to conducting sanctions-screening and customer-identification programs. In other words, access to public and private information sources is a critical component of the matching process and fundamental to reducing false positives in sanctions-screening processes. Ensuring data quality and their accessibility for AML and security purposes must be seen as a partnership between the private and public sectors, each of which is equally important.343
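
The name match followed by a date-of-birth check described under Sanctions Screening above, as an added Python example that is not code from the report or from any screening product. The watchlist entries, customer records, the 0.85 name threshold, the disposition labels and the handling of list entries that publish only a year of birth are all constructed assumptions.

```python
import unicodedata
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import NamedTuple, Optional, Tuple


@dataclass(frozen=True)
class ListEntry:
    source: str                       # which published list the entry came from
    name: str
    aliases: Tuple[str, ...] = ()
    # (year, month, day); None marks a component the list does not publish
    dob: Optional[Tuple[int, Optional[int], Optional[int]]] = None


@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    dob: Optional[date] = None


class Hit(NamedTuple):
    source: str
    listed_name: str
    score: float
    disposition: str


# Constructed entries standing in for several aggregated lists; none is a real listing.
WATCHLIST = [
    ListEntry("LIST-A", "Aleksandr Examplov", ("Alexander Examplov",), (1961, 3, 14)),
    ListEntry("LIST-B", "José Muestra Ejemplo", (), (1975, None, None)),
    ListEntry("LIST-A", "Orion Placeholder Trading LLC"),
]
NAME_THRESHOLD = 0.85   # assumed cut-off; each institution tunes and validates its own


def normalize(name: str) -> str:
    """Strip accents and punctuation, lower-case, sort tokens ("Last, First" == "First Last")."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = "".join(ch if ch.isalnum() else " " for ch in plain.casefold()).split()
    return " ".join(sorted(tokens))


def name_score(a: str, b: str) -> float:
    """Similarity in [0, 1] between two normalized names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def dob_consistent(customer_dob: date, listed) -> bool:
    """Compare only the date components the list actually publishes."""
    year, month, day = listed
    return (customer_dob.year == year
            and month in (None, customer_dob.month)
            and day in (None, customer_dob.day))


def screen(customer, watchlist=WATCHLIST, threshold=NAME_THRESHOLD):
    """Return one Hit per list entry whose name or alias matches the customer."""
    hits = []
    for entry in watchlist:
        score = max(name_score(customer.name, n) for n in (entry.name, *entry.aliases))
        if score < threshold:
            continue
        if customer.dob is None or entry.dob is None:
            disposition = "NEEDS_IDENTIFIERS"   # a name alone can neither clear nor confirm
        elif dob_consistent(customer.dob, entry.dob):
            disposition = "POTENTIAL_MATCH"     # escalate to an analyst
        else:
            disposition = "FALSE_POSITIVE"      # record the contradicting identifier and close
        hits.append(Hit(entry.source, entry.name, round(score, 2), disposition))
    return hits


if __name__ == "__main__":
    for cust in [
        Customer("C-1", "Examplov, Aleksandr", date(1961, 3, 14)),
        Customer("C-2", "Aleksandr Examplov", date(1990, 7, 1)),
        Customer("C-3", "Jose Muestra Ejemplo"),
        Customer("C-4", "Maria Nobody", date(1988, 1, 1)),
    ]:
        print(cust.customer_id, screen(cust))
```

The NEEDS_IDENTIFIERS outcome is where the report's point about data quality bites: without a structured date of birth on the customer record, every name hit has to go to manual review.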

338 FinCEN, Assessment of Civil Money Penalty, in the matter of Eurobank, San Juan, Puerto Rico, US Department of the Treasury, 2010, https://www.fincen.gov/sites/default/files/enforcement_action/AssessmentEurobank.pdf.
339 Ibid., 4; see also Daniel Nathan and Alma Angotti, Securities Regulation & Law Report, 44 SRLR 1410, 07/23/2012, The Bureau of National Affairs, http://www.bna.com.
340 See Office of Foreign Assets Control, Specially Designated Nationals and Blocked Persons List, https://www.treasury.gov/ofac/downloads/sdnlist.pdf; United Nations, Consolidated United Nations Sanctions List, https://scsanctions.un.org/fop/fop?xml=htdocs/resources/xml/en/consolidated.xml&xslt=htdocs/resources/xsl/en/consolidated.xsl; European External Action Service, Consolidated List of Persons, Groups and Entities Subject to EU Financial Sanctions, https://data.europa.eu/euodp/en/data/dataset/consolidated-list-of-persons-groups-and-entities-subject-to-eu-financial-sanctions; UK Treasury, Financial Sanctions: Consolidated List of Targets, https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets.
341 FINRA Notice, http://www.finra.org/sites/default/files/NoticeDocument/p003704.pdf.
342 Wolfsberg Group, Wolfsberg Statement on AML Screening, Monitoring and Searching, 2009, http://www.wolfsberg-principles.com/pdf/standards/Wolfsberg_Monitoring_Screening_Searching_Paper_(2009).pdf, 3.
343 Screening process for PEPs and sanctions requires quality data, including primary name; alias and alternate names; record

KYC Utilities

In correspondent banking relationships, a bank must rely on its foreign bank counterpart’s AML controls to detect unwanted clients and process international trade finance or payment transactions on its behalf. Prior to entering into any correspondent relationships between banks, a thorough review of each counterpart’s AML control framework is required by AML laws in many countries. For instance, under the USA Patriot Act, a US bank needs to apply enhanced due diligence measures to analyze the risk of doing business with each of its foreign correspondent banking counterparts.344 In practice, this has created a glut of AML questionnaires being circulated by banks to each and all counterparts as a means of complying with due diligence requirements.

The Wolfsberg Group, an organization composed of an association of private banks, has been collaborating since 2004 with a third-party, private vendor to set up the first international “due diligence repository” for the collection and storage of data, including relevant due diligence information and documentation among member banks. Data on each financial institution at a group level (including its licenses, beneficial owners, corporate governance, directors, managers, and AML controls) are shared among financial entities upon consent, instead of exchanging standard AML questionnaires.345

Several providers have developed central identity management facilities or “KYC utilities” with the aim of keeping customer due diligence information in a single repository. Although it has obvious benefits for banks and customers, there is no standardized set of information that should be included in KYC utilities, since there is not a uniform definition of customer due diligence in AML laws and identification documents vary from country to country. Also, data privacy, processing, and localization rules impede the use of information in utilities, and may prevent banks from submitting relevant information to utilities. Utilities are working on solutions for these problems, but a dialogue and coordination with regulatory authorities is essential, since ultimately it could facilitate supervision.

Some KYC utilities are using distributed ledger technology, instead of a single repository, to store client due diligence information. As FINRA points out in a recent report, the responsibility ultimately cannot be transferred to the utility: “While broker-dealers may choose to outsource certain functions to a central utility or a third party on the network, firms need to be aware that they may not outsource their responsibility associated with the performance, or lack thereof, of those functions (see, e.g., “Notice to Members 05-48: Outsourcing.”)”346

SWIFT announced in January 2016 that over two thousand financial institutions in over two hundred countries and territories had signed up for their KYC utility, which maintains standardized sets of data—including KYC information for correspondent banks, fund distributors, and custodians—that can be shared among members.347

Supply Chain Management

Automated tools can track vendors and service providers. Due diligence tools help governments and the private sector understand how their supply chains operate and where key suppliers are located. For example, the acquisition of raw materials (e.g., conflict diamonds) can be traced: due diligence tools help provide information on country risk and gaps in transparency by fully mapping supply chains to avoid human trafficking or forced labor. These tools are used by private and public sector entities to comply with public procurement rules, sanctions, or environmental or government export controls regulations.348 As an example, the Department of Defense and many other US agencies, which have strict procurement rules, may use automated tools similar to those used by banks to track vendors that respond to its requests for proposals.

There are many automated screening tools that analyze data related to background checks on prospective and current employees, contractors, and vendors, especially for criminal history. These are in addition to customer due diligence tools for name screening against sanctions lists and negative news. Employee background checks impede bad actors from accessing company information and systems, thereby preventing potential fraud and regulatory and reputational risks. The Federal Deposit Insurance Corporation has provided specific guidance to the financial sector, recommending a risk-focused approach (higher for managerial

type (individual, entity, vessel); gender; date of birth; age; country; address (country, city, address lines); national ID and passport number.
344 See The USA Patriot Act, Section 312, http://ithandbook.ffiec.gov/media/resources/3356/con-usa_patriot_act_section_312.pdf.
345 “International Due Diligence Repository,” Wolfsberg International, http://www.wolfsberg-principles.com/diligence.html.
346 FINRA, Distributed Ledger Technology: Implications of Blockchain for the Securities Industry, January 2017, p. 15, http://www.finra.org/sites/default/files/FINRA_Blockchain_Report.pdf
347 SWIFT, “SWIFT´s KYC Registry Surpasses 2,000 Financial Institutions,” January 19, 2016, https://www.swift.com/insights/press-releases/swift_s-kyc-registry-surpasses-2_000-financial-institutions.
348 US Department of State, Trafficking in Persons Report, Preventing Human Trafficking in Global Supply Chains, 2015, https://www.state.gov/documents/organization/245365.pdf, 13-33.

A taxi passes a company list showing the Mossack Fonseca law firm at the Arango
Orillac Building in Panama
City. The International Consortium of Investigative Journalists released a
database with information on more than
200,000 offshore entities that are part of the Panama Papers investigation. Photo
credit: Reuters/Carlos Jasso.

levels) and several background screenings, including fingerprint checks against a criminal database. Some regulations prohibit any person who has been convicted of a crime involving fraud or money laundering from owning or controlling an institution or participating in managerial functions.349

Transaction Monitoring

The first challenge for a global bank is identifying the unusual or suspicious transactions within the massive amount of data generated by its global transactions. Big data analytics are essential for detecting illicit activities, which are hidden within layers of multibillion dollar transactions, particularly in trade-related businesses and government programs. Data analytics tools are equally applied by banks for the prevention of money laundering and by government agencies in data intensive fraud investigations.

Big data analytics aggregate data from multiple platforms and should be designed to quickly and accurately identify and flag financial transactions that involve individuals or entities included on watch lists and involved in suspicious transactions. Integrating data from multiple sources—such as linking client email and all available financial transaction data, including clients’ financial records, if available—into a single big data platform would increase the accuracy of analytics.

Adopting new cognitive computing systems will increase and enhance the human capacity in the investigation and decision-making process related to clients’ suspicious transactions.350 Intelligent process

349 Federal Deposit Insurance Corporation, Pre-Employment Background Screening. Guidance on Developing an Effective Pre-Employment Background Screening Process, 2005, https://www.fdic.gov/news/news/inactivefinancial/2005/fil4605.pdf.
350 Bryan Bell and Robert A. Goldfinger, “Compliance Solutions: Combining Cognitive Computing with Human Intelligence,” ACAMS Today, September-November 2016, Vol. 15, No. 4, pg. 50-51.

automation (IPA)351 is a set of new technologies that combines robotic process automation and machine learning. IPA can replace human effort in processes that involve analyzing and aggregating data from multiple sources. As an example, IPA technologies can be programmed to monitor clients’ financial activities and learn from such recognized patterns to detect unusual behavior. In doing so, data analytics tools will become more efficient in detecting patterns of suspicious transactions that may be further analyzed by compliance professionals to detect potential illicit activity.352

The Basel Committee’s 2016 report recommends automating the monitoring process for banks that are internationally active. Effective techniques for global bank transaction monitoring should combine all client accounts. Transaction monitoring tools, whether developed internally or acquired from vendors, should scan, filter, and analyze customer account activities and data. Such automated tools “must enable the Bank to undergo trend analysis of transaction activity and to identify unusual business relationships and transactions in order to prevent [money laundering].”353

Since 2002, FINRA has recommended adopting computerized surveillance tools, jointly with a risk-based review and investigation of alerts, for online brokers and other global firms to detect and report suspicious transactions to law enforcement.354 The FinCEN fines imposed on Eurobank and Wachovia suggest it would be difficult for US banks with large transaction volumes or international operations to meet FinCEN regulatory expectations for identifying and reporting suspicious transactions by relying only on manual controls. Eurobank relied mostly on manual processes to monitor transactions for suspicious activity.355 This seemed particularly inadequate to FinCEN, given “the Bank’s customer base, geographic risk and business lines, as well as the volume, scope, and types of transactions conducted at the Bank.”356

Another challenge is setting the appropriate thresholds357 for monitoring purposes, which often depend on the type of business account and client relationship. In transaction monitoring systems, programming is key. The adequacy of a bank’s systems will be tested in an inspection visit or by an independent audit. A review of the number of unusual transactions, the way they are analyzed and documented, and finally the number and quality of suspicious activities filed with FIUs can be very revealing. A very low number of alerts compared with a high number of transactions conducted by a bank may suggest that the setting for the alert programming is wrong, particularly if the business involves high-risk jurisdictions, transactions, or customers. Also, a sound suspicious activity–monitoring program for global banks needs to include all client accounts and transactions across business lines and multiple countries.358 For instance, in the Wachovia case, FinCEN found that “Wachovia’s automated transaction monitoring systems were inadequate to support the volume, scope, and nature of international money transfer transactions conducted by the Bank. . . . The number of alerts or events generated by the Bank’s automated transaction systems was capped to accommodate the number of available compliance personnel.”359

Independent Audits

Compliance reviews and internal audits are independent functions that oversee business units and are the second and third lines of defense of an AML program. As FinCEN in the Wachovia fine noted, there was room for improvement in the independent validation of the audit function as a tool to mitigate risk: “In addition, the monitoring system’s programming, methodology, and effectiveness were not independently validated to ensure that the models were detecting potentially suspicious activity.”360

The volume of regulatory requirements and data involved renders manual compliance inadequate for analyzing customer profiles and account transactions. Data are meaningless unless they are organized in a way that enables people to analyze

351 Albert Bollard, Elixabete Larrea, Alex Singla, and Rohit Sood, The Next-Generation Operating Model for the Digital World, McKinsey & Company, 2017, http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/the-next-generation-operating-model-for-the-digital-world.
352 George Anadiotis, “Big Data versus Money Laundering: Machine Learning, Applications and Regulation in Finance,” ZDNet, http://www.zdnet.com/article/big-data-versus-money-laundering-machine-learning-applications-and-regulation-in-finance/.
353 Basel Committee on Banking Supervision, Sound Management of Risks Related to Money Laundering and Financing of Terrorism, 6.
354 Financial Industry Regulatory Authority, Anti-Money Laundering, Special NASD Notice to Members 02-21.
355 FinCEN, Assessment of Civil Money Penalty, in the matter of Eurobank, San Juan, Puerto Rico.
356 Ibid.
357 Nathan and Angotti, “Broker-Dealer AML Transaction Monitoring: The Devil’s in the Details.”
358 Ibid.
359 US Department of the Treasury, Financial Crimes Enforcement Network, Assessment of Civil Money Penalty, in the matter of Wachovia Bank, No. 2010-1, https://www.fincen.gov/sites/default/files/enforcement_action/100316095447.pdf, 4.
360 Ibid., 4.

them and make decisions based on the results of those analyses. An independent audit can test the sophistication of data analytics tools, as well as their thresholds and the potential biases in algorithms.361 The employment of data analytics tools and the quality and frequency of audits to validate such risk management systems can be revealing about the institution and its management’s commitment to fighting financial crime. Banks have to employ qualified and experienced audit and compliance staff empowered to investigate suspicious transactions and make independent decisions. In addition, high-quality, independent, and frequent external audits are needed to test controls.

Training Programs

Many AML laws around the world require banks to implement mandatory training programs for their employees as a preventive measure. For instance, the USA Patriot Act requires AML programs to include an ongoing employee training program.362 A sound training program for global banks should include a practical course focused on how to avoid money laundering and sanctions risks within the parameters of an employee’s regular job routine. Its content should include applicable legal requirements and references to policies and procedures but also other fundamental aspects, such as how to recognize vulnerabilities and make the right judgements by showing real examples of good and bad control tests; how suspicious transactions activity is recorded and documented; when and how to raise concerns or seek support from financial crime compliance and risk professionals; and a broader and deeper understanding of the financial crime risks within a business context. Such AML programs need to be risk-based and function-specific—business lines must be able to identify and report suspicious transactions for the AML program to be effective.

Additional Tools to Help Governments and Law Enforcement Manage Evolving Threats

Regtech

Regtech (derived from the words regulation and technology) is often used to explain how technology can help banks and regulators fulfill their regulatory compliance reporting obligations and supervisory duties.363 Regtech uses digital technologies (including big data analytics, cloud computing, and machine learning) to automate compliance and risk-management processes, facilitate regulatory reporting, and track regulatory changes worldwide. As an example, regtech makes it possible to identify the “one to many” relationship for the first time (i.e., where one control satisfies many regulations, or where a single regulation requires multiple controls). Different forms of technological innovation can facilitate the automation of data reporting from regulatory filings of suspicious transactions (SARs) or currency transaction reports.364 In particular, they can set up intelligent queries and algorithms to detect SARs. It may also be easier for financial institutions to maintain records for regulators, audits, or inspection visits.365

Big data analytics and data science also have wide applications for the private sector and governments to enhance financial crime supervision, particularly in areas such as trade-based money laundering. Data mining, network analysis, and algorithms designed to assess probabilistic measures of suspicious activity in financial transaction data can help with compliance by mining the data related to clients’ activities and uncover hidden patterns in the flow of the funds. This could help increase transparency in transactions related to the multibillion dollar global trade and finance industry as well as those in the shadow banking industry, which challenge law enforcement authorities. Both types of transactions are highly fragmented, global, interconnected, and governed by multiple regulators.366

Regtech solutions have promising applications to streamline compliance costs and processes.
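
The monitoring design points raised under Transaction Monitoring and Independent Audits above (a composite risk score, customer-level aggregation across all accounts, risk-based thresholds, and a reviewer's check that alerts are neither capped nor implausibly scarce), as an added Python example that is not code from the report or from any bank's system. The weights, tier cut-offs, daily limits, minimum alert rate and transactions are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed weights, cut-offs and limits, constructed for illustration only.
WEIGHTS = {"product": 3, "geography": 4, "channel": 3}   # category scores: 1 (low) to 3 (high)
DAILY_LIMIT = {"LOW": 10_000, "MEDIUM": 5_000, "HIGH": 2_000}


def composite_risk(categories):
    """Combine per-category scores into one composite score (10..30) and a tier."""
    score = sum(WEIGHTS[name] * categories[name] for name in WEIGHTS)
    tier = "HIGH" if score >= 25 else "MEDIUM" if score >= 17 else "LOW"
    return score, tier


@dataclass(frozen=True)
class Txn:
    customer_id: str
    account_id: str
    day: date
    amount: int


def generate_alerts(txns, tiers, limits=DAILY_LIMIT, per_account=False, alert_cap=None):
    """Alert when a daily total exceeds the limit for the customer's risk tier.

    per_account=True reproduces the weak design that views each account in
    isolation; alert_cap reproduces a cap sized to staffing rather than risk.
    Returns (alerts, number_of_alerts_dropped_by_the_cap).
    """
    totals = defaultdict(int)
    for t in txns:
        key = (t.customer_id, t.account_id if per_account else "*", t.day)
        totals[key] += t.amount
    alerts = [
        {"customer": cust, "account": acct, "day": day, "total": total}
        for (cust, acct, day), total in sorted(totals.items())
        if total > limits[tiers[cust]]
    ]
    dropped = 0
    if alert_cap is not None and len(alerts) > alert_cap:
        dropped = len(alerts) - alert_cap
        alerts = alerts[:alert_cap]
    return alerts, dropped


def validate(txns, tiers, alerts, dropped, min_alert_rate=0.01):
    """Checks an independent reviewer could run over the monitoring output."""
    findings = []
    if dropped:
        findings.append(f"{dropped} alert(s) discarded by a volume cap")
    high_risk_txns = sum(1 for t in txns if tiers[t.customer_id] == "HIGH")
    rate = len(alerts) / len(txns) if txns else 0.0
    if high_risk_txns and rate < min_alert_rate:
        findings.append(f"alert rate {rate:.2%} despite {high_risk_txns} high-risk transaction(s)")
    return findings


# Constructed customer profiles and transactions.
PROFILES = {
    "C-100": {"product": 1, "geography": 1, "channel": 1},
    "C-200": {"product": 2, "geography": 3, "channel": 3},   # online-only, high-risk geography
    "C-300": {"product": 2, "geography": 2, "channel": 1},
}
TIERS = {cid: composite_risk(profile)[1] for cid, profile in PROFILES.items()}
D1, D2 = date(2017, 1, 10), date(2017, 1, 11)
TXNS = [
    Txn("C-200", "A1", D1, 900), Txn("C-200", "A2", D1, 800), Txn("C-200", "A3", D1, 700),
    Txn("C-100", "B1", D1, 9_500), Txn("C-100", "B1", D2, 12_000),
    Txn("C-300", "C1", D1, 6_000),
]

if __name__ == "__main__":
    runs = [("per customer", {}), ("per account", {"per_account": True}), ("capped", {"alert_cap": 2})]
    for label, kwargs in runs:
        alerts, dropped = generate_alerts(TXNS, TIERS, **kwargs)
        print(label, [a["customer"] for a in alerts], validate(TXNS, TIERS, alerts, dropped))
```

On the constructed data, the per-account run never alerts on C-200, whose activity only exceeds the high-risk limit once its three accounts are combined.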

361 Kevin Petrasic, Benjamin Saul, James Greig, and Matthew Bornfreund, “Algorithms and Bias: What Lenders Need to Know,” White & Case, January 20, 2017, https://www.whitecase.com/publications/insight/algorithms-and-bias-what-lenders-need-know.
362 See The USA Patriot Act, Section 352.
363 Fintech Circle Innovate CEO Nicole Anderson coined the term “regtech.” See “The FinTech Influencers: FinTech, RegTech, and the Disruption of Banking’s Services,” Harrington Starr, May 26, 2015, http://www.harringtonstarr.com/fintech-influencers-fintech-regtech-disruption-bankings-services.
364 Institute of International Finance, Regtech in Financial Services: Technology Solutions for Compliance and Reporting, March 2016, p. 4, https://www.iif.com/publication/research-note/regtech-financial-services-solutions-compliance-and-reporting.
365 European Securities and Markets Authority, European Banking Authority, and European Insurance and Occupational Pensions Authority, Joint Committee Discussion Paper on the Use of Big Data by Financial Institutions, JC 2016 86, Joint Committee of the European Supervisory Authorities, December 2016, file:///Users/mirenapariciobijuesca/Downloads/jc-2016-86_discussion_paper_big_data.pdf, 27.
366 Caitlin Long, “Why Financial Regulators Are Warming to Blockchains and Rightfully So” in Alt-M Ideas for an Alternative Monetary Future, (April 2016), http://www.alt-m.org/2016/04/26/why-financial-regulators-are-warming-to-blockchains-and-rightfully-so/

Artificial intelligence systems and robotic processes automation have huge potential to complement big data analytics, such as for anti-money laundering and client identification, which are related to compiling and checking data on customers and transactions. A number of regtech providers are developing systems for using blockchain for digital identity purposes.

An example of a new information source to conduct KYC and background checks are web crawlers, which can scan the Internet and deliver their data to big data infrastructures in real time.367 In the future, machine learning could be promising to monitor suspicious transactions on a risk-based customer profile.

Regtech technologies, such as biometric validation for digital identity and KYC purposes—including facial, voice, fingerprint, and iris recognition—are evolving rapidly. Citigroup’s 2017 Digital Disruption Revisited368 report explores regtech as an opportunity for banks to explore the use of artificial intelligence and biometric identification for anti-money laundering and client identification, since “over the longer term, a nationwide [know your customer] utility could be beneficial to the whole society, and many regulators and governments are working towards this ideal.”369

Customer due diligence infrastructure requires analyzing information from private and public sources in different languages and formats, which vary from country to country. Regtech providers can aggregate data worldwide. As an example, identity verification companies provide access to data collected in fifty countries from a variety of sources; data intelligence platforms collect information about financial crimes from media sources.

Regtech innovation can also help governments provide citizens with a digital identity.370 As the US Department of Commerce’s Digital Identity Guidelines define it:

Digital Identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject. In other words, accessing a digital service may not mean that the physical representation of the underlying subject is known. Identity proofing establishes that a subject is actually who they claim to be. Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity.371

Several countries are testing the development of a digital identity, such as the Monetary Authority of Singapore, which is developing a digital proof of identity tool on mobile phones. When approved, it could be leveraged by banks to facilitate KYC processes. Estonia372 is another example of progress in this area. Estonians have a digital identity embedded in a SIM card, which they can use for digital signatures for every legal document and voting.373

Another successful example is Aadhaar, a digital identity program that has been introduced in India and is targeting one billion citizens on a voluntary basis, to be identified and authenticated by the use of biometrics (fingerprints and scan of the iris).374 The Aadhaar digital identity project aims

367 Institute of International Finance, Deploying Regtech Against Financial Crime, March 2017 p 17 ss. https://www.iif.com/system/files/32370132_aml_final_id.pdf
368 “What FinTech VC Investments Tell Us about a Changing Industry,” Citi GPS, January 23, 2017, https://www.privatebank.citibank.com/home/fresh-insight/citi-gps-digital-disruption-revisited.html.
369 Martin Arnold, “Banks’ AI Plans Threaten Thousands of Jobs,” Financial Times, January 25, 2017, https://www.ft.com/content/3da058a0-e268-11e8-8405-9e5580d6e5fb.
370 See the Draft Digital Identity Guidelines, provided by National Institute of Standards and Technology, DRAFT NIST Special Publication 800-63-3 Digital Identity Guidelines, US Department of Commerce, 2017, https://pages.nist.gov/800-63-3/sp800-63-3.html.
371 Ibid.
372 See “Fact,” e-Estonia.com, https://e-estonia.com/facts/.
373 Citigroup Global Perspectives and Solutions, Digital Disruption – Revisited – What FinTech VC Investments Tell Us about a Changing Industry, January 2017, https://ir.citi.com/rc3XP%2FtfuLrOmpDrBN2nNfJpkI7892Pd71h7%2BpDMbIosIS3u8kcgSiJoKWuI6p6RLpMUB0DYajQ%3D, 40.
374 Reserve Bank of India, Committee on Comprehensive Financial Services for Small Businesses and Low Income Households, 2013, via World Bank, http://siteresources.worldbank.org/EXTFINANCIALSECTOR/Resources/282884-1339624653091/8703882-1339624678024/8703850-1368556147234/India-Financial-Inclusion-Report-RBI-CMTE-CFS070114EFL.pdf, 7-21. See also World Bank, Transforming Digital Identity in India, http://www.worldbank.org/en/news/video/2016/01/13/transforming-government-digital-identity-in-india

to avoid fraud with the creation of a centralized database including information on citizens deterred by any government agency. Digital identity can promote financial inclusion. Any potential welfare and healthcare benefits provided by the Indian government can be disbursed through a digital account associated with each citizen’s mobile phone using this system.375

Digital identity uses are promising but also present the technical challenge of cybersecurity: “. . . because this process often involves the proofing of individuals over an open network, and always involves the authentication of individual subjects over an open network to access digital government services. The processes and technologies to establish and use digital identities offer multiple opportunities for impersonation and other attacks.”376

Blockchain, Distributed Ledger Technologies, and Smart Contracts

Financial supervisory agencies are welcoming blockchain as a transparent ledger that will help supervise securities trading and settlements due to the “practical impossibility of a single national regulator collecting sufficient quality data . . . to recreate a real-time ledger of the highly complex, global swaps trading portfolios of all market participants.”377 Digital Asset Holdings’ December 2016 Digital Asset Platform: Non-Technical White Paper defines a distributed ledger technology (DLT) as “a record of transactions or other data which exists across multiple distinct entities in a network.”378 Its application for different uses is evolving rapidly, from transaction registries to other forms of data and encoded business logic. Central banks, exchanges, governments, and financial market participants are starting to use DLTs for several purposes, including issuing digital currencies and creating securities infrastructure with reduced operational risk, data integrity, and increased market transparency while protecting confidentiality.379

Smart contracts were defined by computer scientist Nick Szabo in 1996 as a “set of promises, specified in digital form, including protocols within which the parties perform on these promises.”380 The white paper prepared in December 2016 by the Smart Contracts Alliance, an initiative of the Chamber of Digital Commerce, explores in detail twelve use cases for businesses. Smart contracts are typically deployed on a blockchain, although they can be used on other platforms. Blockchain technology uses encryption messages, which are bundled together in a software-generated container (a block), relating to a particular smart contract. In permissioned (closed) blockchains, an administrator incorporates the encrypted messages into the secured data. The white paper points to promising potential applications of smart contracts for digital identities, company registrations, financial data or land title recordings, supply chains, insurance, mortgages, trade finance, and clinical trials, among other areas.381

Smart contract applications for digital identities (for individuals and companies) could represent a valid alternative for mitigating financial crime risk and streamlining compliance with KYC processes for financial firms. A digital identity for individuals and legal entities could potentially be issued by a regulatory agency that controls the identity’s personal data and is able to securely disclose them to different counterparties (such as banks) in a blockchain, as needed.382 An interesting and innovative public initiative by Delaware (the Delaware initiative), in partnership with a fintech company,

375 World Bank, Digital Identity Toolkit: A Guide for Stakeholders in Africa, June 2014, http://documents.worldbank.org/curated/en/147961468203357928/pdf/912490WP0Digit00Box385330B00PUBLIC0.pdf.
376 National Institute of Standards and Technology, DRAFT NIST Special Publication 800-63-3 Digital Identity Guidelines, US Department of Commerce, 2017, https://pages.nist.gov/800-63-3/sp800-63-3.html.
377 Commodity Futures Trading Commission Commissioner J. Christopher Giancarlo speech before the CATO Institute, “Cryptocurrency: The Policy Challenges of a Decentralized Revolution,” April 2016, US Commodity Futures Trading Commission, http://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-14; see also Mary Jo White, “Opening Remarks at the SEC Fintech Forum” US Securities and Exchange Commission, November 2016, https://www.sec.gov/news/statement/white-opening-remarks-fintech-forum.html.
378 Digital Asset Holdings, The Digital Asset Platform, December 2016, http://hub.digitalasset.com/hubfs/Documents/Digital%20Asset%20Platform%20-%20Non-technical%20White%20Paper.pdf?utm_campaign=whitepaper-non-tech&utm_medium=email&_hsenc=p2ANqtz-9kX1tI0v3HDSL4FBF2JCelw-TrrhFvbkqsrl_lqGfRwSbWk00bu1VqUmQqgK_SSKdlxDAtq05ciM8q-BsommkSxGP3EF-UgkJAhInC9DE4eQx89hI&_hsmi=38825746&utm_content=38825746&utm_source=hs_email&hsCtaTracking=fc1f9260-0c14-472a-967e-c9cb3095f953%7Cba8116ac-3c0b-43f3-a880-d60c4bc1d707, 4.
379 Ibid., 27.
380 See Nick Szabo, “Foreword” in Smart Contracts: 12 Use Cases for Business & Beyond, Chamber of Digital Commerce, December 2016, https://gallery.mailchimp.com/a87f67248663abe55ad9325d6/files/Smart_Contracts_12_Use_Cases_for_Business_Beyond.pdf?utm_source=Chamber+of+Digital+Commerce&utm_campaign=4123b7a006-EMAIL_CAMPAIGN_2016_12_06&utm_medium=email&utm_term=0_e6622a916a-4123b7a006-338085917
381 Smart Contracts: 12 Use Cases for Business & Beyond, Chamber of Digital Commerce, December 2016, https://gallery.mailchimp.com/a87f67248663abe55ad9325d6/files/Smart_Contracts_12_Use_Cases_for_Business_Beyond.pdf?utm_source=Chamber+of+Digital+Commerce&utm_campaign=4123b7a006-EMAIL_CAMPAIGN_2016_12_06&utm_medium=email&utm_term=0_e6622a916a-4123b7a006-338085917.
382 See also Ibid., 6-48.

A bitcoin ATM machine enables the user to convert cash to bitcoins via a QR
code transfer to an application on
their mobile device. Photo credit: Reuters/Mike Blake.

is the development of a new public repository to incorporate companies in 2017—corporations will have the choice of registering either via traditional stock certificates or on a blockchain. Registering companies through blockchain could facilitate performing due diligence, registering beneficial ownership during a corporate lifecycle, and, in the future, issuing digital securities.383

Stricter Bank Supervision in Emerging Nations

Money launderers do not respect borders. Financial Intelligence Units and law enforcement authorities have jurisdictional limitations and often lack resources. As a result, criminals can exploit jurisdictional gaps to circumvent AML national laws.

The Financial Stability Board has recently recommended stricter bank supervision and financial crime law enforcement in developing nations to halt the decline in correspondent banking (“de-risking”). The FSB statement recognizes that many emerging countries have adopted AML laws but do not enforce them or lack capacity to adequately supervise banks. As a consequence, banks in the US and other developed economies, particularly in Europe, as per Bank of International Settlements statistics on July 2016, have increasingly withdrawn from doing business in high-risk jurisdictions.384 As the Comptroller of the Currency stated before the Institute of International Bankers in 2016: “if U.S.-chartered financial institutions have a clear understanding of the risks associated with their

383 Delaware Office of the Governor, “Governor Markell Launches Delaware Blockchain Initiative. Reflects State’s Commitment to innovation and Embracing the New Economy,” Press Release, May 2016, http://www.prnewswire.com/news-releases/governor-markell-launches-delaware-blockchain-initiative-300260672.html; see also Delaware Chancery Court Judge J. Travis Laster speech before the Council of Institutional Investors (Chicago), “The Block Chain Plunger: Using Technology to Clean Up Proxy Plumbing and Take Back the Vote,” Council of Institutional Investors, September 2016, http://www.cii.org/files/09_29_16_laster_remarks.pdf.
384 Binham, “Stricter Bank Supervision Needed in Developing Nations, Say Policymakers.”
correspondent banking clients and the jurisdictions in which they are located, they may be more comfortable providing banking services, even those services that may have historically had higher risk.”385

International Cooperation

Recent successful international anti-corruption cooperation examples among law enforcement authorities include Odebrecht, Braskem, and International Soccer. As the US Justice Department announced in 2016 referring to sharing information among law enforcement authorities under the Foreign Corrupt Practices Act Pilot Program: “an international approach is being taken to combat an international problem.”386

In the US v. Odebrecht case, the US jurisdiction was attracted via the use of US bank accounts by Odebrecht and Braskem in Miami. Odebrecht, a Brazilian conglomerate, engaged in 2001 in a scheme paying bribes to officials in several countries including Brazil, Angola, Argentina, Colombia, the Dominican Republic, Ecuador, Guatemala, Mexico, Mozambique, Panama, Peru, and Venezuela. The Justice Department called “an elaborate, secret financial structure” to pay $778 million in bribes over fifteen years. In exchange, Odebrecht asked politicians on retainer to pass friendly tax legislation and contracts with state-owned oil companies such as Petrobras.387

Braskem, a Brazilian petrochemical company, also participated in the scheme and received several contracts with Petrobras. Both companies pleaded guilty for corrupt payments and profits, which amounted to approximately $3.8 billion. The final penalty388 for Odebrecht was determined to be $2.6 billion in April 2017 (initially estimated at $4.5 billion but negotiated down since Odebrecht admitted it could not pay the fine). Brazil would receive 80 percent of the recovery, with the United States and Switzerland receiving 10 percent each. Braskem pleaded guilty to violating the Foreign Corrupt Practices Act and agreed to pay a criminal penalty of $632 million. Brazil would receive 70 percent of it, with the United States and Switzerland receiving 15 percent each.

International cooperation mechanisms among law enforcement authorities and Financial Intelligence Units and exchange of information should be prioritized and reinforced. Another successful example of international anti-money laundering cooperation between the US Treasury and foreign governments was the US Treasury’s declaration in October 2015 of Banco Continental (Honduras) Group as “specially designated narcotics traffickers,” which allows the freezing of assets in the United States due to money laundering.389 The Honduran authorities cooperated in the investigation and liquidated the Honduran bank, which had been involved in money laundering activities for a decade.

The Egmont Group is composed of a number of FIUs that have been working together since their first meeting in Brussels in 1995, at the Egmont-Arenberg Palace.390 The group provides a forum for FIUs that allows them to share information through memoranda of understanding meant to improve anti-money laundering programs. The exchange of financial intelligence can generate evidence in fighting financial crime and improve FIU expertise.391

At the European level, the European Commission’s recent proposal of 5AMLD would enhance the FIUs’ authority to access information from any covered entity in Europe across national borders by setting up automated centralized mechanisms in the form of (i) a central data registry of holders of banking and payment accounts or (ii) central data retrieval systems.392 The interconnection of central registries would also increase transparency.393 Moreover, the recent proposal to set up a strong independent European Public Prosecutor’s Office with authority over all types of financial crimes affecting the EU

385 Remarks by Thomas J. Curry, Comptroller of the Currency, March 7, 2016, https://www.occ.gov/news-issuances/speeches/2016/pub-speech-2016-25.pdf.
386 US Department of Treasury, “Treasury Announces Key Regulations and Legislation to Counter Money Laundering and Corruption, Combat Tax Evasion,” Press Release, May 5, 2016, https://www.treasury.gov/press-center/press-releases/Pages/jl0451.aspx.
387 Acting Assistant Attorney General Kenneth A. Blanco, “Statement at the American Bar Association National Institute on White Collar Crime” (speech, Miami, FL, March 10, 2017), https://www.justice.gov/opa/speech/acting-assistant-attorney-general-kenneth-blanco-speaks-american-bar-association-national.
388 United States of America v. Odebrecht S.A., Plea Agreement, https://www.justice.gov/opa/press-release/file/919911/download
389 Gustavo Palencia and David Alire Garcia, “Honduran Bank at Center of Money Laundering Case to Be Shut Down,” Reuters, October 11, 2015, http://www.reuters.com/article/honduras-crime-banking-idUSL1N12B0I820151012.
390 Egmont Group, Principles for Information Exchange between Financial Intelligence Units for Money Laundering and Terrorism Financing Cases, June 2011.
391 See Egmont Group, 100 Cases from the Egmont Group, http://www.egmontgroup.org/library/cases.
392 See 5AMLD approved by the EU Council, Proposal for a Directive of the European Parliament and of the Council Amending Directive (EU) 2015/849.
393 See proposed Measures 3 and 4 under the European Commission, “Anti-Money Laundering and Counter Terrorist Financing: Stronger Rules to Respond to New Threats,” 2016, http://ec.europa.eu/justice/criminal/document/files/aml-factsheet_en.pdf, 2-4.
budget could be an important step in preventing financial crime.394

Independent Assessments for High-Risk Jurisdictions

Evaluating the money-laundering risk in several countries and jurisdictions requires looking at different sources. FATF identifies jurisdictions that have strategic AML deficiencies and works with them to address those deficiencies that pose a risk to the international financial system.395 Countries that are often in the media for corruption, drug trafficking, and terrorism generally qualify as high-risk jurisdictions. Most AML laws require banks to conduct enhanced due diligence processes for customers doing business in high-risk countries.

Banks, governments, and private firms use data analytics tools to pool data when evaluating country risk. Country risk analytics tools generally use algorithms to weigh and process data gathered from public and private sources. When choosing data analytic tools, it is important that the data are comprehensive, accurate, and frequently updated. Countries in sanctions lists published by the United Nations, the United States, United Kingdom, and European Union need to be monitored by global banks to avoid regulatory fines. Country reports and evaluations published by international financial institutions, such as the International Monetary Fund and the World Bank, are also useful information sources to assess country risk. A frequent source of information for country risk analysis is the US Department of State’s global annual report on money laundering and financial crime, which provides country evaluations based upon the contributions of numerous US government agencies and international sources.396

In 2010, FATF issued guidance concerning how it would identify certain high-risk countries by describing specific strategic AML deficiencies. The FATF conducts mutual evaluations (peer-to-peer reviews) on member countries’ compliance with respect to its recommendations. In February 2013, FATF developed a methodology for AML country assessments.397

The IMF has endorsed the FATF 2012 recommendations and 2013 methodology. The IMF’s financial integrity reviews apply to selected cases of Article IV consultations (surveillance programs), which are similar to annual audits the IMF holds with each member state, as well as its Financial Sector Assessment Program (FSAP). FSAPs are in-depth examinations of the financial sector, conducted by the IMF (jointly with the World Bank in the case of developing nations), and are associated with an Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) review. The IMF’s 2012 Guidance Note sets out a number of criteria that guide staff in determining whether financial integrity issues should be included in the IMF’s surveillance programs.398 The Guidance Note refers to cases where money laundering, terrorism financing, and related crimes (such as corruption or tax crimes) are serious enough to threaten domestic stability, balance of payments stability, or the effective operation of the international monetary system.399

The IMF’s corruption reviews could be adopted more broadly, as recognized by its managing director, based on good governance principles.400 Ukraine is an example where the endemic corruption has prompted the IMF to work with the authorities to propose anti-corruption measures and agencies, change public procurement rules, dismantle a company, and reform the judicial system. These good governance measures agreed to by the authorities were part of the IMF’s economic recovery plan for Ukraine.401

Increasing transparency requests from stakeholders and donors should make international financial institutions consider promoting financial integrity and good governance for financial assistance

394 See “Anti-Money Laundering, European Public Prosecutor’s Office, Digital Contracts, and Insolvency,” Speech by Commissioner Jourová to the Legal Affairs Committee and EU Affairs Committee in the Bundestag, September 26, 2016, http://europa.eu/rapid/press-release_SPEECH-16-3189_en.htm.
395 FATF, Public Statement, April 2017, http://www.fatf-gafi.org/publications/high-riskandnon-cooperativejurisdictions/documents/public-statement-february-2017.html
396 See US Department of State, Volume II: Money Laundering and Financial Crimes, 2016, http://www.state.gov/j/inl/rls/nrcrpt/2016/vol2/index.htm.
397 FATF, Methodology for Assessing Technical Compliance with the FATF Recommendations and the Effectiveness of AML/CFT Systems, February 2013, http://www.fatf-gafi.org/media/fatf/documents/methodology/FATF%20Methodology%2022%20Feb%202013.pdf.
398 International Monetary Fund, Review of the Fund’s Strategy on Anti-Money Laundering and Combating the Financing of Terrorism, February 2014, https://www.imf.org/external/np/pp/eng/2014/022014a.pdf, 15, Sections 25, 26 and 27.
399 The IMF and the Fight Against Money Laundering and the Financing of Terrorism, May 2017, http://www.imf.org/external/np/exr/facts/aml.htm
400 Remarks by Christine Lagarde, “The Power of Transparency to Increase Economic Resilience,” at the Atlantic Council, February 8, 2017, https://www.youtube.com/watch?v=1ifk0OZMPvo.
401 Ibid.
programs402 based on: (i) the global reach of negative spillover effects of corruption, illicit financial flows, and trade-based money laundering; (ii) the increasingly global reach of virtual currency businesses (such as virtual currency exchanges and e-wallets), and the anonymity risk they represent as potential facilitators of illicit activities; and (iii) the recent recommendations by the Financial Stability Board for developing nations to strengthen bank supervision to halt de-risking in correspondent banking activities.

How To Help Government and Law Enforcement with Oversight Responsibilities

Expand the Use of Regtech, Automated Data Analytics, and Monitoring Systems

The Basel Committee report on sound management of risks related to money laundering and financing terrorism also recommends using automated risk analytics tools at a global level: “For most banks, especially those which are internationally active, effective monitoring is likely to necessitate the automation of the monitoring process. When a bank has the opinion that an IT [information technology] monitoring system is not necessary in its specific situation, it should document its decision and be able to demonstrate to its supervisor or external auditors that it has in place an effective alternative. . . . The IT monitoring system should enable a bank to determine its own criteria for additional monitoring, filing a suspicious transaction report (STR) or taking other steps in order to minimize the risk.”403

The financial sector’s obligation to report suspicious activities to a Financial Intelligence Unit exists in many countries. Technology is helping the financial sector analyze, filter, investigate, and process information on suspicious transactions. This should be complemented with regular training programs for employees. Most global banks have incorporated automated tools to help them comply with STRs and other regulatory or disclosure requirements. Whether they purchase software from vendors or develop their own monitoring programs, the important thing is to get the job done in capturing unusual client behavior patterns. US and EU financial crime enforcement authorities expect to test the technology during inspection visits to determine whether the system appropriately detects suspicious transactions. Given technological advances and the decreased cost of available systems, it would be difficult today for any US bank to claim that it is reasonable to rely on a largely manual system to identify and report suspicious transactions to authorities.404

Multi-stakeholder Processes

Other countries should consider following the UK’s lead in creating task force groups and opening channels of communication with the financial sector.405 Such task force groups leverage intelligence that banks may have when conducting global business, beyond formal STRs reporting. Channels for direct dialogue between the financial sector and governmental agencies can prove mutually beneficial.

Public-private partnership initiatives (PPPIs) are often led by international financial institutions in partnership with international banks, government agencies, and the private sector to boost investments in the energy, water, infrastructure, and transport sectors. As the lead adviser, international financial institutions work with governments on legal and regulatory requirements to build technical capacity. International financial institutions should consider including financial integrity safeguards, similar to environmental and social safeguards, in their design of the PPPI strategies. These are key to fostering transparent bidding processes and good governance and to avoiding corruption. Implementing these safeguards would also have the benefit of raising financial integrity standards for local partners.

402 AML/CFT measures have been incorporated into conditionality under fund-supported programs in Afghanistan, Cyprus, Greece, Kyrgyzstan, São Tomé and Príncipe, and Uganda. See International Monetary Fund, Review of the Fund’s Strategy on Anti-Money Laundering and Combating the Financing of Terrorism, February 2014, https://www.imf.org/external/np/pp/eng/2014/022014a.pdf, 17.
403 Basel Committee on Banking Supervision, “Sound management of risks related to money laundering and financing of terrorism,” (Basel, 2016), 6-16.
404 US Department of the Treasury Financial Crimes Enforcement Network, in re: “Eurobank, San Juan, Puerto Rico,” (No. 2010-2), https://www.fincen.gov/sites/default/files/enforcement_action/AssessmentEurobank.pdf, 4; See also Financial Industry Regulatory Authority, Anti-Money Laundering, Special NASD Notice to Members 02-21.
405 Jonathan Pickworth and Jonah Anderson, “New UK AML Action Plan – The Increased Role of the Private Sector,” White & Case, April 28, 2016, http://www.whitecase.com/publications/alert/new-uk-aml-action-plan-increased-role-private-sector.
Voluntary Standards

The Wolfsberg Group is an example of how collective action from global banks can help promote strong international AML standards. Although the group has been criticized for being too formalistic and relying too much on information based on standard questionnaires, it is also recognized that these questionnaires have simplified the due diligence process for correspondent banking through data repositories. In addition to formal AML policies, the group should consider analyzing the efficiency of the automated controls currently in place to detect and monitor suspicious transactions and clients.

FATF recommendations have not been fully implemented in many countries and global banks face challenges operating in countries with weak financial crime regulations or enforcement. The Financial Stability Board has called on developing nations to adopt stricter banking supervision rules to halt the decline in correspondent banking relationships (de-risking).406 Global correspondent banks can have a positive influence raising local standards to avoid de-risking, and creating incentives for local banks to voluntarily adopt higher AML standards, even if not required by local AML laws. Global asset managers and large pension funds can play a role in raising the corporate governance standards of the companies they invest in at a global level.

Recommendations

The following proposals could help underpin financial integrity if adopted at a global level:

• The Financial Stability Board, FATF, and regulators should work together to ensure that transparency exemptions for risk management and security purposes are addressed in privacy and other relevant laws to enable information-sharing regimes.

• The FSB should promote global regulatory coordination for the improvement of data formats and standardization of financial definitions for risk data aggregation.

• The FSB should develop international standards and best practices addressing cybersecurity.

• The FATF should provide clear definitions of key regulatory concepts and guidelines, such as Know Your Customer regulations or digital client onboarding due diligence.

• Financial regulators should promote the use of data analytics and monitoring tools by banks and their gatekeepers and fintech companies. Banks and supervisors should review rules that may hinder regtech experimentation.

• Emerging countries should reinforce financial supervision and explore technology innovation such as the issuance of digital identities to promote financial inclusion.

• International financial institutions should expand their role in promoting good governance programs and the adoption of FATF recommendations.

• Financial Intelligence Units should reinforce international cooperation and set up public-private task force groups to exchange informal intelligence.

Conclusion

Data analytics tools used by the public and private sectors to fight financial crime need high-quality and accessible data at a global level. Data protection or localization rules create obstacles to accessing data and sharing information across financial groups and lead to “silos” of information, against the Basel Committee’s principles for effective risk data aggregation and reporting.407

As a result, for automated tools to effectively mitigate financial crime risks, privacy laws should include exemptions for data sharing based on transparency and security purposes. For instance, many jurisdictions, including the European Union, which has implemented FATF recommendations, require consent for processing personal data. Such privacy laws pose potential risks to accessibility and data quality, which are necessary to fight financial crime. The Financial Stability Board, FATF, and regulatory authorities should engage in international dialogue to favor certain risk-based exemptions for data sharing, permitting the processing and disclosure of personal data without a data subject’s consent, to prevent fraud and corruption or for money laundering risk control. The Financial Stability Board should also intensify efforts for global regulatory coordination to improve standardization of data formats on financial concepts and definitions. A lack of data harmonization or insufficient detail of definition makes it hard to aggregate risk data across financial groups and jurisdictions on an automated basis.408

406 See Binham, “Stricter Bank Supervision Needed in Developing Nations, Say Policymakers.”
407 Basel Committee on Banking Supervision, Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism, February 2016, http://www.bis.org/bcbs/publ/d353.pdf.
408 Institute of International Finance, Regtech in Financial Services: Technology Solutions for Compliance and Reporting, March 2016, p. 4, https://www.iif.com/publication/research-note/regtech-financial-services-solutions-compliance-and-reporting
The FATF 2012 recommendations have not been enforced, or not fully enforced, in many countries. Such regulatory asymmetry creates gaps, which favor the circumvention of financial crime laws by moving the activities to jurisdictions, to the digital economy, or to unregulated sectors. To mitigate such risks, banks and other relevant players need to effectively use data analytics tools to monitor clients and transactions, and share intelligence with FIUs. Gatekeepers and new digital finance businesses (such as virtual currencies exchanges, money services businesses, and online lending platforms), should use automated data analytics tools, have effective AML frameworks, and report suspicious transactions, even on a voluntary basis. Emerging countries should explore regtech solutions such as digital identity to promote financial inclusion. They should also focus on stricter supervision of banks to avoid “de-risking,” according to FSB. International financial institutions’ role should be more prevalent in promoting good governance and financial integrity, consistent with FATF 2012 and Basel Committee recommendations. Financial Intelligence Units and law enforcement authorities should reinforce cooperation and exchange of information mechanisms at a global level, including public-private partnerships and task force groups.

Technological innovation, such as regtech and smart contracts, has the potential to effectively help banks streamline regulatory compliance processes and facilitate effective supervision by authorities. As an example, the global AML/CTF framework lacks universal definitions of key concepts, such as Know Your Customer or client due diligence requirements. National identification documents also vary from country to country. Placing KYC utilities on a distributed ledger could allow banks to share sensitive consumer data across several entities, facilitating KYC and supervision, without compromising nonpublic personal data (although it would not solve all the issues concerning data sharing). To mitigate the risk of experimenting with new technologies, regulators should set up an open dialogue with banks and start-ups to promote a “safe” environment and experimentation, where both supervisors and firms can work together to analyze how regulations can unintentionally impact automation and innovation, such as through requiring in-person identification instead of allowing digital identity verification methods.409

Fintech and regtech technologies that monitor customer activities may also increase cybersecurity and privacy risks.410 Anytime an organization collects customer data, it must ensure that it preserves data from cyberattacks.411 Regulators should change their supervisory focus as digitization changes the types of risk in the financial sector, shifting to cybersecurity risk. Ultimately, regulators need to set up international standards addressing legitimate privacy and cybersecurity concerns, while at the same time ensuring transparency and financial integrity, through dialogue with the private sector and the creation of new mechanisms to promote coordination among relevant agencies internationally to fight financial crime, protect data privacy, and uphold information security.

409 Institute of International Finance, Deploying Regtech against Financial Crime, March 2017, https://www.iif.com/system/files/32370132_aml_final_id.pdf, 27.
410 Citi Global Perspectives and Solutions, E-Privacy and Data Protection: Who Watches the Watchers? How Regulation Could Alter the Path of Innovation, March 2017, https://ir.citi.com/I%2FDe1TjhFWX1NpgDsXKJmsACj6DaypITsS7sNZ8DtTZvNvVHwHlNTmLogXdvmMMu727lshzkyVo%3D.
411 Kevin Petrasic, Benjamin Saul, and Helen Lee, “Regtech Rising: Automating Regulation for Financial Institutions,” White & Case, September 16, 2016, https://www.whitecase.com/publications/insight/regtech-rising-automating-regulation-financial-institutions.
AUTHORS

Chapter 1
Els De Busser, Senior Lecturer, European Criminal Law; Senior Researcher, Centre of Expertise Cyber Security, The Hague University of Applied Sciences

Els De Busser holds a Ph.D. from Ghent University, Belgium and is currently senior lecturer at the Faculty Public Management, Law & Safety and senior researcher at the Faculty IT & Design, Centre of Expertise Cyber Security of The Hague University of Applied Sciences, the Netherlands. She is guest researcher at Leiden University, Institute of Security and Global Affairs; a member of the Standing Committee of Experts on International Immigration, Refugee and Criminal Law (Meijers Committee); secretary of the Scientific Committee of the International Association of Penal Law (AIDP) and expert for the European Judicial Training Network (EJTN). Her research is focused on European and international cooperation, cyber security, information exchange, and data protection in criminal matters especially in the transatlantic relationship. She is a frequent speaker at international events and guest lecturer on these topics. Her book “Data Protection in EU and US Criminal Cooperation” (Maklu, 2009) was awarded with the 2014 Siracusa Prize for Young Penalists by the Association Internationale de Droit Pénal (AIDP) and the International Institute of Higher Studies in Criminal Sciences (ISISC).

Chapter 2
Erica J. Briscoe, Chief Scientist ATAS Laboratory, Georgia Tech Research Institute

Erica J. Briscoe is a Senior Research Scientist and a Lab Chief Scientist at the Georgia Tech Research Institute (GTRI) in Atlanta, GA. She oversees basic research and development projects focused on behavioral and data science/analytics applications in various problem spaces, including: computational social science, technology emergence and prediction, social network analysis, insider threat detection, terrorism and radicalization, business intelligence, and psychological profiling. Dr. Briscoe received a BS degree in Industrial Engineering from Georgia Tech, an MS degree in Information Systems from Drexel University, and an MS and PhD from Rutgers University in Cognitive Psychology.

Chapter 3
Benjamin C. Dean, President, Iconoclast Tech

Benjamin C. Dean works at the intersection of technology, economics and public policy. He is President of Iconoclast Tech, which advises clients on the economic, political and social implications of waves of technological change. He is also presently a Ford/Media Democracy Fund Technology Exchange Fellow at the Center for Democracy and Technology in Washington DC. Previously he was a fellow for cybersecurity at Columbia University and a policy analyst at the Organisation for Economic Co-operation and Development (OECD). Currently, Mr. Dean contributes to an initiative to develop business digital risk management metrics at the OECD’s Working Party on Security and Privacy in the Digital Economy. He recently contributed a paper to inform the European Parliament on the economic implications of EU-US cooperation in cybersecurity and cybercrime. He also assists re-insurance clients with the development of models to assess the probability and impact of a variety of digital security incidents. Mr. Dean completed an MA International Affairs at Columbia University’s School of International and Public Affairs. He is also a graduate of the University of Sydney with a BA Economics and Social Sciences (Hons.).

Chapter 4
Tatiana Tropina, Senior Researcher, Max Planck Institute for Foreign and International Criminal Law

Tatiana Tropina is a senior researcher at the Max Planck Institute for Foreign and International Criminal Law. Her current areas of research include international standards to fight cybercrime, the comparative analysis of cybercrime legislation, self- and co-regulation, public private partnerships to address cybersecurity issues, cybersecurity and human rights, and the multi-stakeholder approach to fight cybercrime. Tatiana’s background includes both academic and practical experience. She has been conducting cybercrime research for 15 years, starting in Russia in 2002, where she became the first Russian researcher to defend a PhD thesis on cybercrime (2005). From 2002 to 2009, she was responsible for cybercrime projects at the regional subdivision of the Transnational Crime and Corruption Centre (George Mason University, USA) in Vladivostok, Russia. At the same time, from 2003 to 2008, she worked full-time as a lawyer and then as head of the legal departments of a number of telecommunication companies. Since 2009, Tatiana Tropina has been involved in both legal research and various applied cybercrime projects at the international level.

Chapter 5
Miren B. Aparicio, Counsel and Senior Consultant, The World Bank Global Practice

Miren B. Aparicio is a counsel and senior consultant at the World Bank Global Practice and a member of the Chamber of Digital Commerce Smart Contracts Alliance initiative in Washington DC. Ms. Aparicio has advised financial services firms in a wide range of investment banking business sectors. Her practice focuses on Fintech and Regtech, capital markets and financial crime, including policy and regulatory advice for governments. Ms. Aparicio’s financial services experience in Spain includes working at Morgan Stanley (as General Counsel and Head of Compliance), Société Générale Corporate and Investment Banking and BBVA. Ms. Aparicio developed an Anti-Money Laundering and Counter-Terrorism Financing institutional framework, risk mitigation and governance for the Inter-American Development Bank. Her publications include several articles with Thomson Reuters regulatory intelligence (Accelus) about the need to balance Fintech innovation and regulation. Ms. Aparicio is an LL.M. graduate at Columbia University of New York; D.E.A. in International Law at the Graduate Institute of International Studies in Geneva; Certified Anti-Money Laundering Specialist (CAMS).
Atlantic Council Board of Directors

CHAIRMAN
*Jon M. Huntsman, Jr.

CHAIRMAN EMERITUS, INTERNATIONAL ADVISORY BOARD
Brent Scowcroft

PRESIDENT AND CEO
*Frederick Kempe

EXECUTIVE VICE CHAIRS
*Adrienne Arsht; *Stephen J. Hadley

VICE CHAIRS
*Robert J. Abernethy; *Richard W. Edelman; *C. Boyden Gray; *George Lund; *Virginia A. Mulberger; *W. DeVier Pierson; *John J. Studzinski

TREASURER
*Brian C. McK. Henderson

SECRETARY
*Walter B. Slocombe

DIRECTORS
Stéphane Abrial; Odeh Aburdene; *Peter Ackerman; Timothy D. Adams; Bertrand-Marc Allen; John R. Allen; *Michael Andersson; Michael S. Ansari; Richard L. Armitage; David D. Aufhauser; Elizabeth F. Bagley; *Rafic A. Bizri; Dennis C. Blair; *Thomas L. Blair; Philip M. Breedlove; Reuben E. Brigety II; Myron Brilliant; *Esther Brimmer; R. Nicholas Burns; *Richard R. Burt; Michael Calvey; James E. Cartwright; John E. Chapoton; Ahmed Charai; Sandra Charles; Melanie Chen; Michael Chertoff; George Chopivsky; Wesley K. Clark; David W. Craig; *Ralph D. Crosby, Jr.; Nelson W. Cunningham; Ivo H. Daalder; Ankit N. Desai; *Paula J. Dobriansky; Christopher J. Dodd; Conrado Dornier; Thomas J. Egan, Jr.; *Stuart E. Eizenstat; Thomas R. Eldridge; Julie Finley; Lawrence P. Fisher, II; *Alan H. Fleischmann; *Ronald M. Freeman; Laurie S. Fulton; Courtney Geduldig; *Robert S. Gelbard; Thomas H. Glocer; Sherri W. Goodman; Mikael Hagström; Ian Hague; Amir A. Handjani; John D. Harris, II; Frank Haun; Michael V. Hayden; Annette Heuser; Ed Holland; *Karl V. Hopkins; Robert D. Hormats; Miroslav Hornak; *Mary L. Howell; Wolfgang F. Ischinger; Deborah Lee James; Reuben Jeffery, III; Joia M. Johnson; *James L. Jones, Jr.; Lawrence S. Kanarek; Stephen R. Kappes; *Maria Pica Karp; *Zalmay M. Khalilzad; Robert M. Kimmitt; Henry A. Kissinger; Franklin D. Kramer; Richard L. Lawson; *Jan M. Lodal; *Jane Holl Lute; William J. Lynn; Izzat Majeed; Wendy W. Makins; Zaza Mamulaishvili; Mian M. Mansha; Gerardo Mato; William E. Mayer; T. Allan McArtor; John M. McHugh; Eric D.K. Melby; Franklin C. Miller; James N. Miller; Judith A. Miller; *Alexander V. Mirtchev; Susan Molinari; Michael J. Morell; Richard Morningstar; Georgette Mosbacher; Thomas R. Nides; Franco Nuschese; Joseph S. Nye; Hilda Ochoa-Brillembourg; Sean C. O’Keefe; Ahmet M. Oren; Sally A. Painter; *Ana I. Palacio; Carlos Pascual; Alan Pellegrini; David H. Petraeus; Thomas R. Pickering; Daniel B. Poneman; Daniel M. Price; Arnold L. Punaro; Robert Rangel; Thomas J. Ridge; Charles O. Rossotti; Robert O. Rowland; Harry Sachinis; Brent Scowcroft; Rajiv Shah; Stephen Shapiro; Kris Singh; James G. Stavridis; Richard J.A. Steele; Paula Stern; Robert J. Stevens; Robert L. Stout, Jr.; John S. Tanner; *Ellen O. Tauscher; Nathan D. Tibbits; Frances M. Townsend; Clyde C. Tuggle; Paul Twomey; Melanne Verveer; Enzo Viscusi; Charles F. Wald; Michael F. Walsh; Maciej Witucki; Neal S. Wolin; Mary C. Yates; Dov S. Zakheim

HONORARY DIRECTORS
David C. Acheson; Madeleine K. Albright; James A. Baker, III; Harold Brown; Frank C. Carlucci, III; Ashton B. Carter; Robert M. Gates; Michael G. Mullen; Leon E. Panetta; William J. Perry; Colin L. Powell; Condoleezza Rice; Edward L. Rowny; George P. Shultz; Horst Teltschik; John W. Warner; William H. Webster

*Executive Committee Members
List as of June 19, 2017

The Atlantic Council is a nonpartisan organization that promotes constructive US leadership and engagement in international affairs based on the central role of the Atlantic community in meeting today’s global challenges.

© 2017 The Atlantic Council of the United States. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means without permission in writing from the Atlantic Council, except in the case of brief quotations in news articles, critical articles, or reviews. Please direct inquiries to:

Atlantic Council
1030 15th Street, NW, 12th Floor,
Washington, DC 20005
(202) 463-7226, www.AtlanticCouncil.org
