4th March 2021

Cybercrime in Southeast Asia; Compliance in Europe; Crypto in the US

A report highlights Dark Web cybercrime in Southeast Asia, banks’ financial crime investments bear fruit in Europe, and New York State takes a tough line on crypto.  

We share our financial crime regulatory highlights from the week of March 1, 2021.

UN Reveals Cybercrime Growth in Southeast Asia

At the end of February, the United Nations Drugs and Crime agency (UNODC) issued a new report reviewing the scale and character of Dark Web-linked cybercrime in Southeast Asia. “Darknet Cybercrime Threats to Southeast Asia”, the agency’s first such analysis, stresses that although information on the threat remains limited, all available evidence suggests that it is growing rapidly. 

As the report notes, the Dark Web has become a significant source of illicit trading in the region in recent years, partly driven by growing consumer use of ‘Tor’ router technology, and concerted efforts by serious organized criminality to exploit a relatively unpoliced digital space. 

UNODC assesses that the region’s major Dark Web markets, much like the rest of the world, remain in drugs; in 2019, the combined total of items on sale in the four main marketplaces was around 140,000, of which 95,000 – 68% of the total – were drugs or drugs-related. The most commonly available drugs were amphetamines, MDMA, cannabis, cocaine, heroin, opioids, psychedelics, and prescription drugs, although precursor chemicals used to produce synthetic drugs such as Fentanyl also featured. 

Alongside drugs, the report notes that other trades have thrived in the region via Dark Web marketplaces, including cybercrime toolkits, fake passports, counterfeit currency, stolen credit card details, and online child sexual exploitation material. 

Importantly for those operating as Virtual Assets Service Providers (VASPs) in the region, UNODC identifies cryptocurrencies as ‘the payment method of choice’, with crypto-tumblers services used to mix funds and obfuscate criminal links. Bitcoin is still the primary cryptocurrency, but the use of ‘privacy’ coins such as Monero and Litecoin, the encryption protocols of which allow greater levels of anonymity, is also thought to be growing. 

The report notes that the regional trend in Dark Web cybercrime has been rising for some time; however, it also emphasizes the particular impact that the COVID-19 pandemic and social restrictions have had in the last twelve months. This has included new consumers accessing marketplaces, expanded activity by established organized crime groups, and also a growing number of cybercrime ‘novices’ with no previous experience entering the space. In addition, COVID-19 has created new markets directly related to the needs of the crisis. UNODC’s Chief of the Cybercrime and Anti-Money Laundering Section, Neil J. Walsh, commented that some marketplaces “normally dedicated to narcotics” had repurposed themselves to offer “COVID-19-related merchandise including fraudulent COVID-19 vaccines, hydroxychloroquine, and personal protective equipment.”

The report notes some relatively recent regional law enforcement successes against illicit marketplaces, such as the takedown of the Thailand-based AlphaBay in 2017. Nonetheless, it makes clear that Dark Web-linked cybercrime is still seen as a rich area of opportunity for criminals, who “perceive the region as a low-risk/high-gain operational environment where the likelihood of detection is relatively low.” 

According to UNODC, local law enforcement is poorly equipped to mount operations against cybercrime, with most successful investigations originating from outside the region. According to Jeremy Douglas, UNODC Regional Representative for Southeast Asia and the Pacific, the report points to the need for “a regional counter-darknet cybercrime strategy…that improves cross-border cooperation, law enforcement capacity and results.” He further highlighted the important role that the Association of Southeast Asian Nations (ASEAN) would need to play in the effort.  

Overall, therefore, the report paints a concerning picture for the region about the growth of cybercrime on the Dark Web, and specific causes for concern for businesses dealing in cryptocurrencies. With risks growing, and regulators demonstrating increased focus on the risks around crypto (see our Regulatory Highlights of January 11, 2021), it is vital that those operating in crypto – and VASPs more generally – focus on what they can do – and must legally do – to ensure the risks are mitigated. 

With law enforcement agencies still coming to terms with the threat, businesses in the region need to recognize their position as the first line of defense. The core part of the task is the implementation of flexible and intelligent Anti-Money Laundering and Countering the Finance of Terrorism (AML/CFT) controls, a vital step that closes the door on cybercriminals but also underpins the resilience and reputation of the VASP sector.     

European Banks Benefit from AML/CFT Compliance

A recently published academic research paper has argued that the introduction of the European Union’s (EU) Fourth Anti-Money Laundering Directive (4AMLD) has had a significant and positive effect on the valuation of European banks subject to the regulation. The report, co-authored by Arjan Premti, Mohammad Jafarinejad, and Henry Balani, appears in the most recent edition of the journal Research in International Business and Finance

The EU currently implements AML/CFT regulations via a directive, the most recent of which – 6AMLD – was scheduled to be transposed into member states’ national laws and regulations by December 3, 2020. 4AMLD, which was introduced in 2015 and scheduled to be transposed into EU states’ laws by June 26, 2017, has been amongst one of the most consequential of the recent revisions of the directive. 

Key elements of 4AMLD included the need for obligated entities, including Financial Institutions (FIs), to take a more Risk-Based Approach (RBA) to the application of AML/CFT controls, and to ensure that where higher inherent risks were identified, appropriate Enhanced Due Diligence (EDD) occurred. The directive also increased potential punishments for businesses and individuals who did not meet its requirements, with a maximum fine of at least twice the amount of the benefit derived from the breach, or at least €1 million.

Within the AML/CFT compliance industry, the expansion of compliance obligations has often led to criticism that rising costs for FIs have generated limited benefits either in terms of fighting financial crime or aiding the reputation of the obligated entities themselves. As a result, compliance has often been painted as a ‘deadweight’ cost, encouraging firms to focus on a tick-box approach to please regulators. 

However, what this recent research paper suggests is that in strategic and commercial terms, more rigorous AML/CFT regulation can be good for FIs. The paper found that, as a direct consequence of the implementation of 4AMLD, stock valuations across the EU’s banks sector increased and that levels of total risk declined. This effect appeared to be accentuated in larger and more profitable FIs in richer jurisdictions, which had been able to invest more readily to meet AML/CFT requirements. 

The authors of the report have said that their analysis indicates that in a broad sense, the benefits to FIs of regulations outweigh the costs of implementation. Talking to the FinTech Times, Balani said, “it is often wrongly thought that these regulations use up too much valuable time and resources when it comes to compliance, making them cost more than they are worth. This research suggests that, actually, the opposite is true. [They are]…essential to protecting consumers from criminal activities, whilst also positively benefitting the valuation of banks.”

The report comes at the same time as a statement from Lisa Osofsky, the Director of the UK’s Serious Fraud Office (SFO), on the importance of private sector compliance in fighting economic crime. Talking at the Society of Corporate Compliance & Ethics Conference, Ms. Osofosky said that strong compliance programs were invaluable protection, and their absence was a matter of prime concern for her agency. She told her audience that businesses needed to ask whether compliance frameworks are “part of the company’s DNA,” or nothing more than “window-dressing.” The message from Ms. Osofsky emphasized the importance of businesses making well-considered investments, including in technology, to meet their obligations. 

Taken together, these two recent stories underline how important it is for businesses to get AML/CFT compliance right. If done with a focus on well-calibrated risk-based processes and controls, compliance can not only help fight financial crime and protect the business and its clients but also help businesses grow. Despite some widespread industry assumptions to the contrary, the evidence suggests that self-interest and social responsibility can go hand-in-hand.

The New York Attorney General Targets Crypto

The office of Letitia James, the Attorney General (AG) for the state of New York, has recently completed a settlement agreement worth $18.5 million with iFinex Inc., a Hong Kong-based VASP which operates the Bitfinex cryptocurrency exchange and the stablecoin, Tether. The settlement follows a nearly two-year investigation into the corporate practices of iFinex by the AG’s office. Alongside the settlement, the companies will discontinue trading activity with New York state residents.

The investigation into iFinex began in April 2019, when New York state authorities discovered that it had shifted $700 million out of its reserves at Tether Ltd. to augment Bitfinex’s balance sheet. The transfer was executed to support Bitfinex after it lost access to $850 million of clients’ funds that were held by third-party payments processor, Crypto Capital. Crypto Capital is currently under a separate investigation by the US Department of Justice (DoJ). 

The attorney general’s office said iFinex had failed to disclose these financial movements and had made several public misrepresentations of their accounts. This has led to an additional obligation in the requirement that Tether provides quarterly reports on its reserves for the AG’s office for the next two years, which the company has said that it will release publicly. 

On a more positive note for the companies, it was noted by market observers that the AG’s office did not make any comment on historic allegations that Tether had been used in market manipulation. As a stablecoin, Tether is supposed to be linked to an outside asset – in this case, the US dollar – but there have been accusations that the currency was issued without adequate dollar backing. Talking to the Wall Street Journal, Jason Weinstein, a partner at the law firm Steptoe & Johnson, which represented the iFinex companies, stated that “contrary to online speculation, there was no finding that Tether ever issued tethers without backing, or to manipulate crypto prices.” 

The iFinex settlement also comes in the context of a broader range of crypto-related action by the AG’s office. Several weeks ago, the AG filed a lawsuit against Coinseed, an automated crypto investment platform, for failing to register as a virtual currency trading business. Moreover, in a recent public statement, Ms. James has taken a strong rhetorical stance on the need for all VASPs to operate within the boundaries of law and regulation.  “We’re sending a clear message to the entire industry that you either play by the rules or we will shut you down”, she said. “We will not hesitate to take action against anyone who violates the law.”

So far, these recent actions have targeted broad compliance issues in VASPs, but the AG’s office is known to have wider concerns about the potential financial crime risks that affect the Virtual Assets industry. In 2018, the AG’s office – prior to Ms. James’s tenure – conducted a wide-ranging investigation into the cryptocurrency exchanges that looked into the levels of consumer protection and AML/CFT compliance. 

The developments in New York also come against a wider canvas of uncertainty for cryptocurrencies in the US. In the markets, Bitcoin is currently performing extremely well, driven in part by large purchases of the asset by Tesla in February this year, and the recent announcement by Mastercard that it would soon support Bitcoin payments. 

At the same time, however, the Biden administration has taken a cautious early approach to cryptocurrencies, with Treasury Secretary Janet Yellen making a series of carefully crafted remarks on the potential financial crime risks posed. The US House of Representatives’ Financial Services Committee has also held recent hearings on the funding of the insurrection at the Capitol building on 6 January which has focused on the role played by cryptocurrency donations from overseas.  

Some within the Virtual Assets industry have pushed back hard against criticisms, citing recent industry surveys showing the relatively small scale of crypto-linked criminality. Nonetheless, it remains true that any unregulated financial activity remains vulnerable to illicit actors over time, and for those who want to see a resilient and growing industry, managing financial crime risks through effective AML/CFT compliance is likely to be a better longer-term option. As our article above on the long-term impact of EU AML/CFT regulations suggests, compliance not only manages risks but can strengthen a business as well.