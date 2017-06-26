COLUMBUS, Ohio, April 6 (Thomson Reuters Regulatory Intelligence) - As the Islamic State (IS) loses its position in Mosul, Iraq, as well as egress points in Syria, so too begins the strategic withdrawal of Sunni militants and financial assets from the area, which presents a major new challenge to anti-money laundering officers.

IS fighters will retreat through human smuggling networks to other countries. The group's illicit proceeds, which total tens of billions of dollars, are derived from plundering banks, siphoning and trafficking of black market oil, kidnapping for ransom, human trafficking, organ trafficking, and stolen antiquities, according to Western governments and analysts.

Financial institutions that aid, abet, or help facilitate the strategic withdrawal of assets and IS fighters will find themselves at risk of incurring historically large U.S. and European regulatory enforcement actions.

Intercepting and reporting these activities will be the most significant counterterrorism priorities for global banking compliance, anti-money laundering (AML), and sanctions-screening programs in the second half of 2017 and 2018.

Background

The Islamic State's rise to power was fueled by a confluence of events in Iraq and Syria that resulted in extreme sectarian violence and a breakdown in governance in large parts of both states. The Arab Spring movement, which saw popular uprisings overthrow authoritarian rulers in Tunisia, Libya, and Egypt, also played a role by inspiring a similar revolt in Syria. The Syrian uprising, however, triggered a full-scale civil war whose chaos and influx of heavy weapons permitted the explosive resurgence of al Qaeda in Iraq (AQI), which later rebranded itself as the Islamic State. The group is designated by the U.S. State Department as a terrorist organization.

Strategic Withdrawal of Islamic State Fighters

In addition to the movement of financial assets, financial institutions must also be aware that IS's pending collapse will trigger the physical movement of thousands of Islamic State fighters through a complex series of human smuggling networks, ultimately leading to Yemen, Pakistan, Afghanistan, Algeria, Sudan, and Mali, among others. The vast majority of former IS members will likely defect to al Qaeda, as the perceived "winner" of modern Sunni militant groups. Most will likely join the Yemen-based affiliate known as al Qaeda in the Arabian Peninsula (AQAP), as well as the West-African counterpart called al Qaeda in the Lands of the Islamic Maghreb (AQIM).

The next sectarian Islamist battlefront is likely Yemen, which possesses significant geostrategic importance. AQAP has recently strengthened its position in Yemen, which in 2014 was plunged into chaos when Iranian-backed Houthi rebels deposed the country's Sunni-led regime, prompting a highly destructive and destabilizing Saudi-led bombing campaign a year later. Iran is concerned that AQAP's growing strength in Yemen could invite a Western invasion that would give U.S. forces control over both sides of the Gulf of Aden, thereby allowing it to choke off Iran's trade in energy and weapons.

Another group of IS militants likely intends to return to their homelands in Europe and the Caucasus region. These are hardcore IS loyalists who intend to carry out mass-casualty attacks on the West.

New Terrorism Finance Paradigm

AML compliance specialists should renew their thinking around modern terrorism financing. In 2017, militant organizations are not predominantly financed by third parties (apart from Hezbollah receiving funds from Iran). Instead, they are self-financed through their own criminal enterprises, and IS is no exception.

Senior IS leaders are highly educated and will launder illicit assets through outside individuals with legal, compliance, and accounting backgrounds. These individuals will likely understand the regulatory environment and know how to subvert conventional AML optimization strategy based on broad transaction actions and limited Know Your Customer (KYC) collection data-points. They may take advantage of the lack of integration between KYC and transaction-monitoring within banking compliance programs. Additionally, these facilitators will likely be well-versed in sanctions-screening evasion tactics. Expect significant use of real passports with fake names, which were purchased through bribery of corrupt officials in various diplomatic consulates.

The laundering process will include shell, shelf, and seemingly legitimate front companies. Known IS leaders already named on the U.S Treasury Department's Specially Designated Nationals and Blocked Persons List and other sanctions databases will likely not be listed on any accounts. Those names should, however, remain a high-risk concern with respect to beneficial ownership in KYC compliance programs.

Numerous banking products, from global to retail, will be affected by IS's likely strategic withdrawal. Financial institutions can minimize risk and focus on IS's financial outflow by mobilizing an optimization, rule-tuning, and development program that specifically targets emergent terrorism channels and typologies in their risk assessment, global threat landscape analysis, transaction-monitoring detection, and sanctions-screening methodology.

MOVEMENT STAGE 1: CASH TO CURRENCY EXCHANGE TO GLOBAL WIRES

Initially, IS can be expected to execute bulk cash-smuggling through its elaborate Hawala informal money-transfer network, utilizing numerous couriers supported by expert smugglers along human smuggling networks. The cash will likely transit through currency exchanges in the United Arab Emirates and Lebanon, followed by channels of international wire transfers that make extensive use of free-trade zones.

Middle East and free-trade zone banks and currency exchanges with "check-the-box" compliance frameworks, as well as other firms with no interest in escalating illicit activity to regulatory agencies, could facilitate these transactions through willful ignorance or direct corrupt involvement.

Banks and money transmitters in countries including Turkey, Bulgaria, Cyprus, Lebanon, Egypt, Azerbaijan, Bosnia and Herzegovina, Belgium, Germany, and Sweden, among others, should be of particular concern.

Movement Stage 2: Retail Banking

Moving from global wires and currency exchanges to retail bank accounts, IS will likely make significant use of Western retail institutions, distributing wealth among major banks, credit unions, community banks, and credit card companies alike. Retail money laundering tradecraft could include false invoicing of products through online services, such as eBay or PayPal, and money transmitters, such as Western Union and MoneyGram.

Of additional concern is purchase activity related to precious metals, digital or blockchain currency, such as bitcoin, and of great significance: mobile applications. IS is staffed by many young, tech-savvy men who are well-versed in mobile technology and could make use of Facebook Payments, the "Cash" application, and others.

The general retail channels of movement by echelon, as with any global threat organization, will likely include movement from business checking to tactical-level checking, and then credit card accounts. Those accounts may be used to load open-loop, general-purpose reloadable (GPR) prepaid cards through the use of manufactured spending and subversion of third-party payment processor (TPPP) reporting.

For example, CheckFree, a payment processor, cannot issue a suspicious activity report (SAR) for transactions under $2,000, and it does not require identification under $2,500. Their AML policies and procedures are posted online through open sources. Threat actors could use this information by executing transactions just under $2,000. Once prepaid cards are loaded, operatives could "bust-out" to cash anonymously in their new homeland.

Individual Anonymity Tradecraft

Banking compliance programs are greatly concerned when the source of funds in a bank account is unknown, as the source could be derived from illicit proceeds. Compliance programs should be even more concerned about patterns of activity that provide anonymity to the physical individual or company.

Some typologies that indicate "hiding in plain sight" feature KYC information with incorrect email addresses, use of P.O. boxes, and inoperable phone numbers. With respect to telecommunications, compliance staff should look for purchases of "burner" phones from prepaid phone providers, as well as searching the client's phone number against instant-messaging platforms, such as "WhatsApp," which provides encrypted communication used frequently by terrorists and drug traffickers.

Transactions related to private browsing, encryption, and online video games, such as World of Warcraft, provide unconventional cover for covert communications. Expect to see these purchases on retail prepaid, credit, or checking accounts.

Other transactions potentially designed to provide personal anonymity include cash-intensive ATM deposits and withdrawals, the loading of open-loop, general-purpose reloadable (GPR) prepaid cards, cyclical manufactured spending, technology purchases, and inter-state or international travel. Look for rental car transactions, as police officers cannot identify the individual by running the license plate of the vehicle.

Pay special attention to false personal identification information, such as the "stacking" of Arabic titles in lieu of actual Arabic naming nomenclature. For example, a name that in English reads as "Son of Doctor Pastor Community Leader" would not look right, and it looks wrong in Arabic, as well. Arabic naming nomenclature includes stacked titles, but naming nomenclature must be present to be valid.

Look for individual or entity accounts linked to IS hotspots that are owned by a female, but with male names listed as beneficiaries. In many orthodox Sunni Islamic countries, women generally do not own bank accounts. A cultural awareness of Islamic societal norms in certain places is helpful in sorting anomalies from conventional practices.

Also look for Arabic-language naming nomenclature in places where ethnic Arab representation is demographically uncommon. This type of data point has been relevant in identifying other militant groups, such as Hezbollah. For example, Shiite-specific Arabic naming nomenclature associated with accounts belonging to business types known as high-risk for affiliation with the Iranian Ministry of Intelligence and Security (MOIS), Islamic Revolutionary Guard Corps (IRGC), and Hezbollah have appeared in places like Venezuela and Paraguay, whose populations overwhelmingly carry Hispanic names.

From KYC and OFAC sanctions-screening perspectives, staff should pay special attention to "real-but-fraudulent" passports, with fake names, derived from corrupt government personnel that profit from the sale of passports. For IS fighters retreating from territories formerly under their control, passports are as important as weapons. In addition to genuine passports obtained through bribery, expect IS fighters to use counterfeit Belgian and French passports, which are relatively easy to fake, to facilitate travel throughout the Western world.

Hybrid Threat Finance (Htf) Detection

In terms of typologies, the current and future flow of IS funds will include hundreds of combinations of geographic-nexus wire channels (e.g. originating entity, originating bank, beneficiary bank, beneficiary entity), in tandem with complicated transaction-monitoring typology sets. It is critically important to understand and target these channels, typologies, financial-institution facilitators, and front-companies of concern.

Al Qaeda prefers to use non-profits and shell- or shelf companies, unlike Shiite militant group Hezbollah, which uses a trade-based money laundering (TBML) system employing seemingly legitimate front companies. Expect IS to have adapted its laundering tactics to accommodate both approaches.

Detection scenarios should be created under the hybrid threat finance (HTF) targeting doctrine. The term "hybrid threat" is an intelligence and warfare targeting doctrinal concept that recognizes the intersection of hostile nation-state and non-nation state threat typologies.

The HTF doctrine isolates the movement of illicit funds through detection strategies based on threat typologies, organizations, and actual threat actors. This is in sharp contrast to conventional detection strategies that use red-flagging scenarios based on broad actions like ATM withdrawals, structuring, and flow-through-of-funds, which generate excessive false-positives. Threat organizations do not operate within the confines of broad actions.

Additionally, firms should be wary of providers attempting to sell unsupervised machine-learning (UML) and artificial intelligence (AI) platforms that promise to identify threat-actors through abnormalities. Global threat organizations are skilled money launderers who layer proceeds in ways that often appear as normal business activity to the untrained eye. Such software is built by technology experts who may be unqualified on issues such as terrorism. Even so-called subject-matter experts (SMEs) who support the developers may lack the requisite background to identify the tradecraft of threat organizations.

Many AML program components can and should use UML/AI automation, but the detection of evolving and dynamic threat finance tactics, techniques, and procedures (TTP) is a complicated process that should be addressed by experienced intelligence professionals. There is no automated "magic bullet" that can detect terrorists through transaction-monitoring and risk assessments. Additionally, detection strategies must be custom-built to the global geographic nexus and product offerings of each specific financial institution.

Conclusion

Financial institutions must ensure they do not facilitate the withdrawal of IS fighters and financial assets. Successful implementation of an "actor-centric" hybrid threat finance (HTF) detection strategy will help prevent regulatory enforcement, negative media, and the proliferation of Sunni fighters to the next battlefront.

[Editor's note: This article was updated to reflect the corrected name of "Islamic Revolutionary Guard Corps (IRGC)".]

(Joshua Fruth is the director of AML advisory at Matrix-IFS, and an AML manager for HTF Solutions, LLC. Mr. Fruth is a Van Deman distinguished-honor graduate of the U.S. Army Intelligence Center of Excellence, and a graduate of the Ohio OPOTA Police Academy. Mr. Fruth maintains an active commission as a US Army Intelligence Officer and two active commissions as a Police Officer in the state of Ohio. The views expressed are his own)