CYBER CRIME
questioned them because the
intended recipients included
personal bank accounts in the
Philippines, which were unlikely to
have a legitimate reason to receive
millions of dollars from
Bangladesh’s central bank. Further,
Deutsche Bank, the routing bank
for one of the transactions to the
Philippines, blocked a transaction
due to money laundering-related
suspicions.
Cyber security benefits from
similar techniques - such as
monitoring a network for
unusually large data uploads or
downloads - and in the banking
business it is not surprising that
the two forms of monitoring
would complement each other.
Tracking anomalous money flows
and data flows may answer similar
questions. Through training and
experience, bankers develop an
AML mindset, and that mindset
can be leveraged to support cyber
security programmes and help
thwart attacks. AML experts
operate on the assumption that
money laundering attempts will
occur, and AML experts learn (and
train others) to detect and
distinguish suspicious activity from
typical, low-risk transactions.
Indeed, it was the money
laundering suspicion raised by
bankers at Deutsche Bank and in
Sri Lanka that allowed bankers to
intercept, and ultimately recover,
millions of dollars before they
reached the hackers’ pockets.
Thus, a strong AML compliance
programme, including robust
transaction monitoring systems
and analysts actively clearing alerts,
may mitigate a breach once
cyber criminals have gained access
to a bank’s systems.
E-Finance & Payments Law & Policy - May 2016
Filling gaps in international AML regulation
While many countries have strong
AML regulations, and financial
institutions spend millions of
dollars on AML compliance,
sophisticated criminals can detect
and exploit the weaknesses that
exist in other countries, as the
Bank of Bangladesh hackers did
with great success. The broad
exemption for casinos in Filipino
law, combined with a readily
available remittance transfer
network, allowed the hackers to
steal tens of millions of dollars and
maintain anonymity. Similarly,
several other countries including
Mexico, Cambodia and India still
exempt casinos from their AML
regulations.
And like the Philippines,
these countries are also
well-serviced by remittance
transfer providers. They therefore
may serve as points of opportunity
for future cyber attacks.
Accordingly, it is worth considering
whether to implement new AML
regulations in these countries. The
Philippines Senate has since
amended the AML law to add
casinos to the list of entities
required to report suspicious
activity to the Anti-Money
Laundering Council, and perhaps
other countries’ legislatures should
follow suit.
Though technology is central
to a strong cyber security
programme, stronger international
AML laws may also help thwart
future cyber attacks.
Michael L. Yaeger Special Counsel
Melissa G.R. Goldstein Associate
Kimberly G. Monty Associate
Schulte Roth & Zabel LLP, New York
michael.yaeger@srz.com
1. SWIFT is an acronym for the Society
for Worldwide Interbank Financial
Telecommunication, a cooperative of
approximately 3,000 financial institutions.
2. Suspicious activity reporting is
required under the Bank Secrecy Act for
any transaction that is conducted or
attempted by, at, or through the bank,
that involves or aggregates at least
$5,000 in funds or other assets, and that
causes the bank to know, suspect, or
have reason to suspect that: ‘(i) The
transaction involves funds derived from
illegal activities or is intended or
conducted in order to hide or disguise
funds or assets derived from illegal
activities (including, without limitation, the
ownership, nature, source, location, or
control of such funds or assets) as part
of a plan to violate or evade any Federal
law or regulation or to avoid any
transaction reporting requirement under
Federal law or regulation; (ii) The
transaction is designed to evade any
requirements of this chapter or of any
other regulations promulgated under the
Bank Secrecy Act; or (iii) The transaction
has no business or apparent lawful
purpose or is not the sort in which the
particular customer would normally be
expected to engage, and the bank
knows of no reasonable explanation for
the transaction after examining the
available facts, including the background
and possible purpose of the transaction.’
31 C.F.R. § 1020.320. The Bank
Secrecy Act and its implementing
regulations require financial institutions to
establish AML programs, which at a
minimum must include: the development
of risk-based internal policies,
procedures and controls; designation of
a compliance officer; an ongoing
employee training program; and an
independent audit function to test
programs. See 31 U.S.C. § 5318(h).