What Banks Can Learn From Antivirus Companies About Fighting Financial Crime

As lawmakers fight back against crime, terrorism, and weapons proliferation, they’re coming down hard on banks. Banks that get involved in transactions related to criminals or known terrorist organizations face millions of dollars in fines.

It’s fair for government agencies to ask banks to help fight financial crime, but government sometimes makes compliance difficult. Global banks have to comply with laws from multiple countries, deal with old and sometimes obsolete regulations, and change tactics every time the government has a new political villain.

Currently, banks juggle at least 30 lists containing the names of 30,000 sanctioned people and organizations. If they don’t catch transactions from entities on the list — including transactions containing misspellings of the entities’ names — they face severe financial penalties from government agencies hungry to punish someone for financial crime.

Today’s banks need to learn a lesson from the information security industry: there’s a time to compete against one another and a time to work together.

Co-opetition: The Antivirus Industry

Banks continue trying to fight financial crime on their own, but juggling disparate lists of criminals and sanctioned organizations is more than any financial institution can handle alone. Antivirus companies learned a long time ago that sharing information benefited everyone. Banks could protect themselves from government penalties by following a similar model.

Antivirus companies started doing big data long before it became a buzzword. To catch malware before it spreads, they’ve utilized several different methods:

  • Honeypots are servers and email addresses designed to attract attacks. By setting up honeypots, antivirus companies discover previously unknown malware, and they collect information about attackers and how they probe for vulnerabilities.
  • Databases like MITRE Corporation’s Common Vulnerabilities and Exposures (CVE) database serve as standardized catalogs for known bugs and malware. Security companies catalog their discoveries with CVE so that other companies can have the information.
  • Undercover work. Antivirus researchers often go undercover in hacker forums and malware writer communities, hoping to catch glimpses of new malware in the making.
  • Spam filters. Many spam emails contain attachments or links that are infected with malware. Antivirus companies can analyze the spam emails caught by filters and uncover new malware.
  • User submissions. In communities like VirusTotal, end users can submit suspicious files and URLs for analysis. When communities detect new malware, security companies get notified.

In addition to gathering and sharing information about existing vulnerabilities, antivirus companies think one step ahead of online attackers. They envision potential attack scenarios and develop proof-of-concept (PoC) attacks. PoC allows software developers and hardware manufacturers to patch their systems by uncovering the vulnerabilities no one has thought of yet.

Like banks, they maintain lists of undesirables, and they keep an eye out for suspicious events. Unlike banks, they anticipate disaster scenarios and share information with one another. They’ve been doing this since the 1980s, when the first computer viruses and worms appeared.

The information security industry understands that no single antivirus company could prevail in a marketplace where customers relied on one company to eradicate a certain virus and a different company for other viruses. So, according to Stephen Cobb, a researcher at ESET, they built the “co-opetition” model. Antivirus companies may compete fiercely for customers, and they may try to outpace one another in product innovations. However, behind the scenes they share information about malware, software vulnerabilities, and malicious IP addresses and websites.

Fighting Financial Crime With Co-opetition

Banks have to monitor not only their own customers but also their customers’ counterparties and correspondents. Within the SWIFT network alone, 7,000 banks maintain 1.3 million distinct correspondent relationships. When they’re constantly sending data back and forth, they create redundancies that make it tough to sift through information. They also create so many logs that banks can’t possibly review them all. Within their own systems, banks try to create multiple alerts — e.g., spelling “Qaddafi” in as many ways as they can think of — but those alerts generate many false positives.

Staying compliant with financial regulations offers no competitive advantages for banks. Compliance is a must-do for any financial institution, not something that gives one bank a competitive edge. Luc Meurant of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) argues that banks already share tools like automated clearinghouse (ACH). In the same way, they need to start sharing information about financial crime.

Meurant envisions a unified system that would gather financial crime data in a central clearinghouse. The names of sanctioned individuals and groups, and all the variations thereof, would be maintained and standardized within a central database. In many ways, his vision sounds like the CVE database, where antivirus companies log known vulnerabilities in a searchable format. Banks could share sanitized data about bad players in the financial system without hurting their individual competitiveness.

Instead of each bank pouring money into reinventing the wheel, banks could create economies of scale. Also, instead of using their own personnel to review alerts and logs, they could rely on the central database to prioritize investigations. Banks could redeploy people where they could do more to help the bank’s bottom line. They could stop criminals and lessen government penalties, lowering their operating costs in the process.

The Challenge of Too Many Regulations

Governments have shifting priorities when dealing with financial crime. The obsession with the Mafia, prominent in the early 20th century, has shifted to preoccupation with global terrorist financing, weapons trafficking, and cybercrime. Even though policy priorities have changed, old Mafia-era regulations remain on the books. Governments layer new burdens onto financial institutions without stripping away the old ones.

Banks aren’t just dealing with one government’s priorities; they’re dealing with regulations from 196 different countries and multiple smaller jurisdictions. Fixing the problem starts with deciding which regulations are relevant for today’s villains. Then, by adopting the co-opetition model pioneered by antivirus companies, banks actually have the chance to fight financial crime. They can start by sharing information about known bad financial market players so that everyone can stop fraudulent transactions. Co-opetition isn’t just in the public interest; it’s in the interest of every bank.