Did banks’ KYC controls fail in Russian efforts to swing election?
WASHINGTON — The alleged use of fraudulent financial accounts by Russian internet trolls, who authorities say were trying to tip the 2016 election, reveals yet another fault line in banks' efforts to truly "know" their customers.
The indictments announced Friday in the Russia special counsel's investigation illustrate how banks can be exploited by bad actors, but once again the key questions are: What did banks know, and how could they have stopped it?
“If these individuals were doing activities that were disproportionate to an everyday checking account, then banks should have been more on top of that. But ... it is hard to tell from the press accounts,” said John Byrne, vice chairman of AMLRightSource and special adviser to ACAMS Advisory Board.
Russian operatives through an entity called the Internet Research Agency and other affiliated companies used stolen identities to buy social media ads via PayPal, according to media reports and the indictments. A separate indictment named Richard Pinedo, a 28-year-old California computer science major who authorities say sold bank accounts opened in his name — or purchased from people online — for profit. According to reports, that included selling accounts to Russians trying to influence the election.
The case casts yet another light on "know-your-customer" regulations, which generally require banks to take steps to validate the true person behind an account in order to detect money-laundering or an account being used to fund illicit criminal activity.
The indictments present "a fundamental Know-Your-Customer-type issue,” said Dan Stipano, a partner at Buckley Sandler, of the reports of Russian nationals purchasing U.S. bank accounts that were sometimes used to set up PayPal accounts.
“Banks are expected and required at the outset of any customer relationship to know the nature and purpose of the account they are opening and they are supposed to collect information so they know who they are doing business with and how the account is being used and I don’t think this is any different.”
However, Stipano also noted that there are still a lot of unknowns and added that some of the activity might have been outside of the normal banking system “so banks may not have had a role in it.”
Still, the case has furthered attention on how financial institutions monitor account usage for potential wrongdoing.
“I am deeply troubled that the Putin-controlled Internet Research Agency was able to use false information to open accounts at U.S. financial institutions, and then use those accounts to carry out their illegal operations to interfere with the U.S. elections — all without being caught by the U.S. financial institutions," said Rep. Carolyn Maloney, D-N.Y., in a statement emailed through a spokeswoman. "This is another reason why we need to look into strengthening our Know Your Customer requirements."
Experts say financial institutions may have been ill-equipped to detect fraudulent account activity by alleged Russian trolls since such political disinformation activities present a relatively new threat — compared to more egregious crimes such as drug trafficking or terrorism financing — and it is nearly impossible to identify true account backers when they have stolen others' identities.
“This is unclear from the press accounts. If this was a case of identity theft, I don’t think the banks have any initial liability," said Byrne. But he added that such cases do not automatically let banks off the hook if there were other alarm bells that should have raised an institution's suspicions. “What we don’t know is whether banks thought that their customer lived in New Jersey or Connecticut but they saw money wired in from Russia. They should have been able to pick up on that,” he said.
Pinedo reportedly opened some of the bank accounts in his own name. In those cases, it could be difficult for banks to flag an account as fraudulent initially, others said.
“Assuming that [Pinedo] was just your average account opener … there is really no call of duty beyond risk-based screening of his name and assuming nothing came back — approving his checking account or small merchant account,” said Brandon Lee, associate managing director at the corporate investigations and regulatory compliance company K2 Intelligence.
But Lee added that the name of Pinedo's business through which he sold the bank accounts, Auction Essistance, could "have raised an amber flag."
The word "auction" is considered a hot word, said Lee, noting that it is a type of business that poses higher risk from a money laundering and KYC perspective. However, Lee added that “without having an aerial view of what is happening across these financial institutions" that Pinedo used, "there is no way to connect the dots in chronological order as the sequence of events are unfolding.”
Many said it is likely that the indictments will alert anti-money-laundering officers at banks and regulators to strengthen efforts to detect outside fraudulent activity used to sow internal political discord, as well as how different banks share information on risks they are seeing.
“Fraud prevention officers are looking at these reports and asking: ‘Is there anything more we should be doing?’” said Byrne. “It is yet another thing you have to pay attention to and ask: Are there any indicators? These are new ways to abuse the financial sector to commit crimes.”