The fight against terrorist financing took a fascinating turn last week as several international hacking groups announced plans to target banks, countries and individuals who had helped to finance the Islamic State, also known as ISIS or ISIL, and other terrorist organizations.
The plan, dubbed #OpCharlieHebdo, was formed by groups including Anonymous and Ghost Security in response to the Charlie Hebdo attacks in Paris. It is intriguing and somewhat unsettling that hackers would make decisions about financial institutions' compliance with counter-terrorism measures. But their efforts underscore the need for governments, banks and regulators to work harder at rooting out the sources of ISIS's funding.
Experts agree that ISIS is funded primarily by external transactions such as black market oil sales and ransom payments, as well as internal transactions such as tax collection, human trafficking and bank takeovers. When external transactions are completed in cash, they have ties to the formal banking system. For example, ransom payments originate from bank accounts of insurance companies and government agencies in the European Union, which use brokers to make cash payments to terrorists. And, as Notre Dame law professor and former Treasury under secretary for enforcement Jimmy Gurulé testified before the House Committee on Financial Services in November, "If ISIS is generating $1 to $2 million dollars a day from the illicit sale of oil, it is difficult to imagine that banks are not being used to transfer such large sums of money to entities controlled by ISIS."
This concern was echoed by David S. Cohen, the Treasury under secretary for terrorism and financial intelligence, in an October speech. He said:
ISIL's ability to make the most effective use of money that it raises depends on its access to the banking system in Syria, Iraq, and internationally. Operating entirely in cash is both cumbersome and risky cash is bulky, vulnerable to theft, and requires complicated logistics to transport. Moreover, ISIL will have a hard time funding external operations, including facilitating the movement of foreign fighters, without access to the international financial system.
"Scores of bank branches are located in territories where ISIL operates," Cohen continued, vowing to prevent the terrorist group from using those branches. "The private sector is playing a key role in provid[ing] valuable insight into financial activity in areas where ISIL operates."
It's clear that counter-terrorist financing measures are necessary to defeat ISIS. Unfortunately, it is equally clear that the measures implemented thus far have left much to be desired.
For one thing, the Financial Action Task Force's evaluations of different countries' anti-money laundering and counter-terrorist financing standards often miss the mark. Macau is a case in point: the money laundering capital of Asia received a glowing evaluation.
Many financial institutions also tend to pay negligible attention to counter-terrorist financing law. Thousands of compliance officers are experts in complying with the law rather than interpreting it. This is not necessarily their fault: we should not be tasking compliance officers with interpreting the law if they are not lawyers.
Moreover, the U.S. devotes enormous resources to enforcing AML compliance but fails to take the same measures in the higher-risk area of counter-terrorist financing compliance. As Gurulé noted in his testimony, the Financial Crimes Enforcement Network has brought only two major cases against banks charged with violating the anti-terrorist financing provisions of the Bank Secrecy Act in the last decade. Our priorities ought to be the reverse. Terrorist financing kills people and directly threatens democracy. Money laundering does not.
If counter-terrorist financing laws had been effectively enforced, ISIS would never have risen to power, occupying an area the size of the United Kingdom. Nor would it have had the financial capacity to start and continue its horrific reign of terror.
These failures have not been lost on Anonymous and their colleagues. They are fighting ISIS in the digital shadows precisely because we have not been able to prevent ISIS from thriving financially.
If you are a director or officer of a global financial institution, fund, online payment processor or money services business, the idea that hackers are engaged in counter-terrorist financing efforts should be frightening. Banks are now answerable to people who are not only anonymous, but who can with a few clicks take the bank offline and download data on any client, transaction, or executive. Moreover, they aim to make banks answerable in the court of public opinion for unwittingly funding terrorism.
So far, #OpCharlieHebdo has taken down the websites of government agencies in Yemen, Syria, Afghanistan, Pakistan and Turkey as well as about 80 websites believed to be controlled by ISIS that publish terrorist propaganda. And while the hacking groups haven't taken down any banks yet, they have given notice to banks in Saudi Arabia that they will be targeted. That could well apply to Western banks in Saudi Arabia, including HSBC, Deutsche Bank and JPMorgan Chase.
Some people reading this likely applaud hackers' efforts to shut down ISIS websites and debilitate them. Everyone, including Wall Street bankers, can love an anti-hero.
But vigilante justice will lose its allure if hackers infiltrate our financial institutions and without the benefit of experience in counter-terrorism law make judgment calls about the culpability of banks and their executives. Such judgments cannot be fairly made in the absence of the rule of law.
In order for democracy to work, we must all subscribe to its ideals. Hackers must play by the rules. And banks and regulators must crack down on compliance in order to mitigate terrorist financing.
Clearly, we are at a point in history where banks must be exceedingly vigilant. Anonymous is indeed watching.
Christine Duhaime is a lawyer based in Canada with a specialized practice in counter-terrorism and anti-money laundering law. Follow her on Twitter at @cduhaime.