Identity Resolution Daily

Last Thursday, we published a post entitled No One Knows What Know Your Customer Really Means that pointed out potentially dangerous and undoubtedly actionable holes in the Banking Secrecy Act’s mandate to Know Your Customer (KYC.) Keying off a hypothetical bank customer imagined by Alvin D. Lodish over on FinanceTech, in this post we wondered if this fictional

“developer/exotic car aficionado/gambler happens to also be a terrorist financier […] what would happen if a catastrophic terrorist attack succeeds due to funding from this gentleman and the subsequent forensic investigation ties him to the crime? Would the bank be fined for not knowing this customer well enough?”

It just so happens that also on Thursday several federal regulators issued a joint statement,

“setting forth the agencies’ policy for enforcing specific anti-money laundering requirements of the Bank Secrecy Act (BSA). The purpose of the Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements is to provide greater consistency among the agencies in enforcement decisions in BSA matters and to offer insight into the considerations that form the basis of those decisions.”

So thanks to this policy statement, banks now have a clearer understanding of exactly what BSA and KYC compliance means, right? Not really.

We downloaded the PDF so you don’t have to and here’s what the Federal Reserve, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision and the National Credit Union Administration will be enforcing:

“Specifically, under each Agency’s regulations, a BSA Compliance Program must have at minimum, the following elements:

• a system of internal controls to assure ongoing compliance with the BSA;

• independent testing for BSA/AML [Anti-Money Laundering] compliance;

• a designated individual or individuals responsible for coordinating and monitoring BSA/AML compliance; and

• training for appropriate personnel.”

The inter-agency statement then goes on — pay attention here — to specify,

“…A BSA Compliance Program must include a Customer Identification Program with risk-based procedures that enable an institution to form a reasonable belief that it knows the true identity of its customers.”

What is the legal, enforceable definition of a bank’s responsibility to “form a reasonable belief that it knows the true identity of its customers?”

Let’s go back to the example of our hypothetical developer/exotic car aficionado/gambler. If his bank runs a standard background check on this guy, is that reasonable belief? What if they perform enhanced due diligence but his ability to cloak his true identity produces a false negative, is that enough to satisfy reasonable belief? Our original question remains: If this guy’s money funds terror on U.S. soil, will the bank be penalized? Reasonable belief is so subjective that even if the bank did everything in their power to resolve this identity, they could still be scapegoated for allowing a terrorist to succeed.

In response to this updated policy statement, Reps. Barney Frank, D-Mass., Spencer Bachus, R-Ala., and Stephen Lynch, D-Mass., wrote a letter to the Government Accountability Office and according to MarketWatch,

“In their letter to the GAO, the lawmakers said also bank representatives claim the rules for examinations about complying with federal anti-money laundering laws still lack clarity. Bankers also believe examiners aren’t “uniformly interpreting the requirements” of the Bank Secrecy Act, the congressmen said.

“The lawmakers asked GAO to study why the number of suspicious activity reports from banks has spiked in recent years. More than one million such reports were filed in 2006, the lawmakers said, citing the Treasury’s enforcement network. Frank and the others asked the congressional investigator to study to what extent the activity reports are filed “defensively” to avoid potential questions or sanctions from banking regulators.”

It’s really scary that because of the ambiguity surrounding BSA/AML compliance, bankers are forced to play defense against their own government, instead of being on offense against money-launders, drug traffickers and terrorists.

To Reps. Frank, Bachus and Lynchsay we say again what we said last week before this inter-agency statement came out: Congress needs to revisit AML legislation because no one really knows what Know Your Customer really means.

Share This

[Daily Post from Infoglide Software] Employee Screening: An Ounce of Prevention is Worth a Pound of Lobsters

“It’s pretty much impossible to tell if a potential employee is a good or bad person by simply looking at their resume. However, identity resolution software aggregates information from existing data stores, turning up lawsuits, convictions, bad debt, driving histories and the like to form a clear, comprehensive, composite depiction of your employees.”

Reuters: US clarifies anti-money laundering enforcement rules

“Banks and credit unions must have proper internal controls, independent testing of anti-money laundering programs, a program coordinator and a staff training program. A cease-and-desist order could be issued if they fail to establish and maintain a reasonably designed program or correct a previous problem, regulators said.”

Federal Reserve Board: Agencies issue statement on enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements

“The federal financial regulatory agencies on Thursday issued a statement setting forth the agencies’ policy for enforcing specific anti-money laundering requirements of the Bank Secrecy Act (BSA). The purpose of the Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements is to provide greater consistency among the agencies in enforcement decisions in BSA matters and to offer insight into the considerations that form the basis of those decisions.”

Federal Reserve Board: Interagency Statement on Enforcement of Bank Secrecy ACT/Anti-Money Laundering Requirements

PDF: U.S. regulators set forth guidelines to clarify when banks will be issued with cease-and-desist orders for failing to report possible money laundering transactions.

USATODAY: State-run sites not effective vs. terror

“[U.S. Attorney Harvey Eisenberg] said officers at the center do a lot of work on ‘general crime.’ When it comes to ‘putting together those dots’ that might lead to potential terrorists, ‘we need to do better at that.’ Former 9/11 commissioner Bob Kerrey said the government’s inability to share information effectively poses ‘a real risk as well as a missed opportunity.’”

Share This

Employees with initiative and creativity are great for your business, but would you hire this guy?

“An accused lobster thief was trapped by police yesterday after they said he tried to leave a Rte. 9 grocery store with more than $50 worth of lobsters - disguised as a bag of mussels.” See Lobster theft suspect pinched.

Here’s someone else you’d hate to have on your payroll. Did you hear about the jewelry store in San Diego that raised $12,000 for a cancer-stricken employee? This employee was later arrested for stealing $45,000 in merchandise, including one ring valued at $30,000. Her employers also suspected that she didn’t really have cancer.

This costly (and embarrassing) incident might have been prevented, if the jewelry store had had access to the right technology and the right data before hiring this employee. By linking the hiring process to the latest identity resolution software that can aggregate information from multiple internal and external data sources, the store could have learned about the previous incident and avoided a great deal of unneeded publicity and expense.

With an identity resolution system in place, the jewelry store would have discovered that this employee had been sued by another employer for stealing $55,000 from a high school cheerleading program. It’s pretty much impossible to tell if a potential employee is a good or bad person by simply looking at their resume. However, identity resolution software aggregates information from existing data stores, turning up lawsuits, convictions, bad debt, driving histories and the like to form a clear, comprehensive, composite depiction of your employees.

According to an annual survey conducted by the University of Florida, the average retailer loses an estimated 1.5% to 2.0% of their revenue each year due to customer, vendor, and employee fraud with 2006 total losses tagged at $41.6 billion. Employees actually steal more than shoplifters and moreover most are never caught:

“According to the U.S. Department of Commerce, 75 percent of all employee thefts went unnoticed. The average amount taken in retail was estimated at $1,750 per incident, and $3,400 per incident in all other business.” (For more, click here.)

It’s obviously easier not to hire high risk employees than to catch them in the act.

If you’re still relying on old technology to screen employees, here’s a few people you might want to warn HR about:

Lord of the (Shoplifting) Rings
“A man has pleaded guilty to charges in a three-state shoplifting ring that prosecutors say led to Internet sales of more than $400,000 in stolen merchandise.

Blue light bust-up at Kmart
“He punched one employee, tackled another, and struck another. He kept assaulting and threatening them until police arrived; then he struggled with police. [..] They found that he had outstanding warrants for two charges of third-degree theft of property and one charge of second-degree theft of property.”

Man Caught Switching Bar Codes, Three Days in a Row
“The next day, December 16, Ryan said investigators learned that Haneborg switched a price sticker on a Porter-Cable cordless hammer drill in the same manner. Ryan said Haneborg allegedly removed a Makita circular saw out of its box and put it in the box of a cheaper model then checked out.”

Police catch ‘beer bandit’
“The Wal-Mart beer bandit apparently went back for refills, only to be grabbed by several store employees.”

Share This

[Daily Post from Infoglide Software] Privacy vs. Security: New FBI Data-mining Program Sparks Debate

“The United States has struggled with this debate over privacy versus security since its inception. (See our previous post, Finding a perfect balance between individual privacy and national security.) One thing that is clear about this 200-yr-plus debate is that the opinions and actions of both the defenders of privacy and security must remain engaged and unbending, watchful and most importantly — true to their beliefs to maintain a proper balance.”

Scientific American: Privacy Isn’t Dead, or At Least It Shouldn’t Be: A Q&A with Latanya Sweeney

“In a post-9/11 world, where security demands are high, personal privacy does not have to be sacrificed, says computer scientist Latanya Sweeney, who discusses a few ways to save it.”

Chronicles of Dissent: The 110th Congress and Privacy: Week 28 (July 16 - July 20)

“A number of privacy-related bills [5] were introduced in Congress during this week. The following have all been entered in this site’s Proposed Legislation page on this site for future tracking…”

AP: Outdated Sanctions Harm Terrorism Fight

“The United Nations has not kept an up-to-date list of al-Qaida and Taliban leaders targeted by international sanctions, harming both the fight against terrorism and efforts to stabilize Afghanistan, a key U.N. counterterror official said Friday. Several dozen important al-Qaida and Taliban figures have not been placed on a list of 490 people and businesses subject to a U.N. travel ban, arms embargo and assets freeze put in place after the Sept. 11, 2001 attacks, said Richard Barrett, coordinator of the monitoring team for the U.N.’s Al-Qaida and Taliban Sanctions Committee.”

Share This

Last week, the FBI’s Foreign Terrorist Tracking Task Force reported to Congress on its System to Assess Risk, or STAR, the agency’s latest data-mining efforts to profile possible terrorists. Before being rolled out, the FBI asserts that the STAR system would undergo a privacy-impact assessment. And when it does go live, FBI officials promise that

• all the data would be obtained lawfully
• all the data will be contained within the agency
• access to the new system would be limited to trained users
• possible suspects will be assigned risk scores

Despite these assurances, privacy advocates had a strong reaction.

Here’s a sampling of some of the discussion surrounding STAR:

From the FBI report: “STAR does not label anyone a terrorist. Only individuals considered emergent foreign threats (as opposed to other criminal activity such as U.S. bank robbery threats) will be analyzed.”

From ComputerWorld: “Each initiative is designed to supplement, not replace, traditional investigative methods. No action is taken based solely on the analytic products produced by these data mining initiatives,” the DOJ said. As such, they are governed by a slew of laws such as the Privacy Act of 1974 and the Federal Information Security Management Act of 2007.

ACLU senior legislative counsel Tim Sparapani: “When you put bad information into a system and you don’t have any mechanism of ensuring the information is of high quality, you’re certain to get bad information spit out on the back end. And that has profoundly negative consequences for the individuals who are wrongly identified as potential terrorists.”

EFF privacy expert David Sobel: “If we can’t assess the accuracy of the information being fed into the system, it’s very hard to assess the effectiveness of the system.”

Mr. Sobel’s concern has merit. And preservation of our democracy depends on the concerns of eternally vigilant citizen watchdogs like the EFF and the ACLU.

The United States has struggled with this debate over privacy versus security since its inception. (See our previous post, Finding a perfect balance between individual privacy and national security.) One thing that is clear about this 200-yr-plus debate is that the opinions and actions of both the defenders of privacy and security must remain engaged and unbending, watchful and most importantly — true to their beliefs to maintain a proper balance.

Share This

[Daily Post from Infoglide Software] No One Knows what Know Your Customer Really Means

“To truly root out money laundering, identity theft, fraud and terrorist financing, banks must go beyond the Know Your Customer (KYC) edict, as mandated by the Banking Secrecy Act of 1970.”

Entrepreneur.com: Preventing Retail Theft

“In retail, you want your products to fly off the shelves and out the door–but only after they’ve been paid for. Theft–both by customers and employees–costs American retailers more than $33 billion per year. Entire retail chains have gone out of business due to their inability to control losses from theft. “

New York Times: U.S. Will Allow Most Types of Lighters on Planes

“Security officers have been collecting some 22,000 lighters a day nationwide, slowing down lines at check points. Even so, many smokers had found ways to sneak lighters through checkpoints, often by placing more than one in a carry-on bag. Disposing of the seized lighters has cost about $4 million a year.”

Newsweek Terror Watch:Terror: The Flip Side of the NIE

“[German] investigators are particularly disturbed that suspects in the investigation seem to know that the authorities are onto them but appear to be going ahead with their attack plans anyway. Authorities have so far been unable to collect enough evidence to bring criminal charges—which could help get the suspects off the street.”

Share This

Remember Riggs Bank, the Washington, DC-based bank that was fined $25 million dollars in May of 2004 for helping former General Pinochet launder his money? With tighter Anti-Money Laundering (AML) regulations enforced by the Bank Secrecy Act and the USA Patriot Act, a scandal like this one could never happen again, right?

Think again.

To fight money laundering activities, U.S. banks have increased spending on AML programs by 71 percent over the last three years, according to recent KPMG press release. Despite the increased spend, it’s still not enough. KPMG’s Teresa A. Pesce, is quoted in the July 9th release as saying:

“‘Many AML executives may have a view that they have invested so heavily in IT systems and hiring experienced professionals that they do not need to focus on tactical and relevant strategic compliance and monitoring issues.’ […] She cautioned, however, that AML remains a very critical issue, particularly since 7 percent of North American bank executives reported their institutions were not in compliance with U.S. Patriot Act testing requirements.”

Note that 7 percent “reported” their non-compliance. Odds are high that many more banks are not in compliance — they just didn’t tell KPMG about it for fear of doing anything that might trigger an investigation.

To truly root out money laundering, identity theft, fraud and terrorist financing, banks must go beyond the Know Your Customer (KYC) edict, as mandated by the Banking Secrecy Act of 1970. Before 9/11, banks were encouraged to file Suspicious Activity Reports (SAR) with the federal government and to establish procedures to identify money laundering schemes. Post 9/11, all of this is now required but exactly what a bank can be held accountable for has never been spelled out. Know Your Customer requirements, as they stand now, are loosely interpreted and rarely enforced.

Here’s a scenario put forth by Alvin D. Lodish in FinanceTech:

“‘Know Your Customer’” does not mean the bank is responsible for evaluating how an account holder, corporate or otherwise, chooses to spend its money. However, what a jury or even a Judge may believe a bank’s duty is, particularly in light of broad based ‘Know Your Customer’ policies, is not clear. For example, let’s assume a corporate account holder is in the business of developing property and raises money from investors for that purpose and the investor’s funds are deposited in the corporate operating account. Let’s assume some of the money is used to buy dozens of exotic cars or is sent to casino/hotels, does the bank have an obligation under the ‘Know Your Customer’ policy to question those transactions? (Given that whatever payments were made were done by an authorized signatory and there were sufficient funds in the account.)”

Now let’s assume that this hypothetical developer/exotic car aficionado/gambler happens to also be a terrorist financier, though that can’t be found on his resume. Now what would happen if a catastrophic terrorist attack succeeds due to funding from this gentleman and the subsequent forensic investigation ties him to the crime? Would the bank be fined for not knowing this customer well enough?

Congress needs to revisit AML legislation because no one really knows what Know Your Customer really means.

Share This

[Daily Post from Infoglide Software] Knowledge Center: Barry Graubart on Complexity of Identity Resolution and Anti-Money Laundering

“The importance of having an effective identity resolution solution in place that can resolve all these complexities is vitally important because the consequences of failing to detect a money launderer are much, much higher than when a shoplifter lifts a pair of pants.”

The Terror Finance Blog: The Digital age of Funding Crime and Terrorism

“Moving funds from one criminal/terrorist to another can work like this: A criminal/terrorist using fake IDs opens a virtual account in an online game. He then deposits real money via an ATM into his virtual account. With his virtual currency he buys virtual real estate from his co-conspirator and transfers virtual payment for the property to the seller’s virtual account. The seller then converts the virtual currency into real money and withdraws it from an ATM.”

Federation of American Scientists: Data Mining and Homeland Security: An Overview

[PDF] “As with other aspects of data mining, while technological capabilities are important, there are other implementation and oversight issues that can influence the success of a project’s outcome. One issue is data quality, which refers to the accuracy and completeness of the data being analyzed. A second issue is the interoperability of the data mining software and databases being used by different agencies. A third issue is mission creep, or the use of data for purposes other than for which the data were originally collected. A fourth issue is privacy.”

RetailBulletin: Loss Prevention - Tackling Retail Shrinkage to Accelerate Business Performance

“Defined as ’stock loss from crime or wastage’, shrinkage is normally measured as a percentage of retail revenue. The ‘European Retail Theft Barometer’ from the Centre for Retail Research segments it into the following types: customer theft, staff theft, supplier theft, and internal error. In 2006, it found that 85.7 per cent of shrinkage in the UK was attributable to theft. More shockingly, this is equivalent to anywhere between 20-40 per cent of profits.”

Wired: We’re All Terrorists! Watch List Makes 20k ‘Matches’ in ‘06

“They may never know it, but U.S. air travelers and others set off silent terrorist warning alarms nearly 20,000 times in 2006 when their names matched against the government’s centralized terrorist watch list, according to a statistic buried in a Department of Justice document. The number represents a 27 percent jump over 2005, and points to the growth in the federal Terrorist Screening Center, a joint FBI and DHS operation that controls the government’s master list of suspected terrorists.”

Share This

By Barry Graubart, VP of product management, Alacra

In the retail world, identity resolution and data cleaning applications (such as fraud detection) have the luxury of fairly comprehensive data. Right there in your customer and employee databases you have name, address, phone, SSN, date of birth and many other values to match against.

However, when comparing customer records to Anti-Money Laundering (AML) or Terrorism watch lists, banks and other financial institutions frequently have very limited access to information (on the watch list side). Terrorists, money launderers and drug traffickers don’t often provide a SSN or a street address. Instead, AML pros are limited to matching a name and, at best, city or country. Further complicating matters is the fact that to Westerners the cultural variations in name spelling make matching difficult, particularly with Asian and Middle Eastern names.

As an example, the Libyan head of state’s name can be spelled the following
ways:

Muammar al-Qaddafi
Moamar El Kadhaafi
Mu’ammar Al Qathafi
Mu’ammar Al Qathafi
Mo’ammar Gadhafi
Moammar Khadafy

Resolving identities, when you factor in that each of these spellings is correct, grows exponentially more complicated. Toss in accidental error and intentional attempts to deceive and you begin to see how tricky AML compliance can be and why costs to North American institutions have risen 70% in the last three years.

Due to cultural differences, data entry errors or deliberate data manipulations by money launderers, finding matches within your data is often problematic or impossible with common search techniques. Many methodologies used to identify individuals depend on finding matches within databases. This works fine in theory, but in reality, unless the data matches perfectly, these methodologies are ineffective and increase the rate of false negatives or incorrectly discarded records.

To catch a sophisticated criminal, you need to implement sophisticated similarity search techniques to resolve multiple identities into one unified view.

The importance of having an effective identity resolution solution in place that can resolve all these complexities is vitally important because the consequences of failing to detect a money launderer are much, much higher than when a shoplifter lifts a pair of pants. In More Data is Better, Proceed With Caution, Jeff Jonas eloquently writes:

“The opportunity cost or consequence related to situational awareness is proportional to the size of the organization – bad decisions in the case of the manager of the barber shop produces one worst case outcome, bad decisions at Enron another, a country another, and mankind yet another, each with increasing consequences.”

Share This

[Daily Post from Infoglide Software] Knowledge Center: Barry Graubart, Alacra’s VP of Product Management

“Last week, we launched our Knowledge Center series with Loss Prevention—Then vs. Now by guest blogger, Jeff Stein. This week, we’re proud to feature a post by Barry Graubart, Alacra’s vice president of product management.”

CQ Today: House Budget Told Spending Can Prevent Fraud, Save Billions

“HHS Secretary Leavitt told the panel that every additional dollar spent on Medicare and Medicaid fraud investigations yields 13 to 15 times the amount invested.”

PC World: U.S. Data Mining Goes Beyond Terrorist Hunt

“The DOJ report, which is required under the Patriot Improvement and Reauthorization Act of 2005, details six pattern-based data mining initiatives currently under way or planned by the department and its components. “Each of these initiatives is extremely valuable for investigators, allowing them to analyze and process lawfully acquired information more effectively in order to detect potential criminal activity and focus resources appropriately,” a DOJ spokesman said in an e-mailed statement.”

WWAY NewsChannel 3: Retail theft causes price increase

“A new crime-wave is hitting closer to home and this one will affect your pocketbook. Retail theft and fraud are on the rise. When losses are factored into retail prices that means you end up paying more for goods and services. From malls to Wal-Mart, shoppers to employees, shoplifting is on the rise.”

Share This