Thank you to the New York State Society of CPAs’ Anti-Money Laundering & Counter Terrorist Finance Committee for organizing this wonderful annual conference. And thank you to Sean O’Malley, Senior Vice President at the New York Fed, for inviting me.
Sean asked me to speak today about some of the recurring challenges in my office’s work to fight financial and cyber crime and other cross-border threats.
I’ll speak about three of those challenges today, recognizing that each of these three challenges is common in your work as well. And I look forward to learning during our Q&A the steps that your institutions are taking to confront these challenges.
Challenge 1: Incorporation transparency, or lack thereof, and the need for legislation to identify beneficial owners.
Challenge 2: Cryptocurrency, the rise of crypto-related crimes, and the need for more robust licensing regulations.
Challenge 3: Cyber threat information-sharing and the need for new tools and partnerships to prevent cybercrimes before they happen.
I was very glad to hear that incorporation transparency was discussed at today’s conference. The U.S. is one of the easiest places in the world for criminals to open anonymous companies to launder money with impunity.
And so my Office, going back more than a decade now, has been at the forefront of efforts to require greater incorporation transparency, and I have testified before Congress on this urgent need. We’ve spoken out against powerful interests on this issue and will continue to do so before the new Democratic House in January.
Why? Because in any type of white-collar investigation, it is essential to follow the money, as the saying goes. In most cases that means issuing subpoenas for records from financial institutions, and pursing the leads those records provide. But too often, those records lead nowhere, and our investigators have eaten up days, weeks, or months, only to hit a wall.
On a near-daily basis in my Office, we encounter a company or network of companies involved in suspicious activity, but we are unable to glean who is actually controlling and benefiting from those entities, and from their illicit activity. In other words, we can’t identify the criminal.
This is not because the entities are incorporated in an offshore tax haven like the Cayman Islands. That country actually collects beneficial ownership information. Often, that entity is incorporated in the United States – precisely because we don’t. In this important way, a prosecutor sitting in the Cayman Islands is better positioned to root out financial crime in her own markets than I am in ours.
All too frequently, an anonymous incorporation record spells the end of the road for our investigations. And when we are able, with much time and effort, to overcome that obstacle, we often find that the perpetrators have purposefully relied on our lax incorporation requirements, knowing that we wouldn’t be able to catch them fast enough.
In our Office, we routinely collaborate with foreign law enforcement agencies to shut down cross-border threats. It is detrimental to these partnerships, and frankly embarrassing, when we have to tell international law enforcement that we can’t assist them in taking down U.S.-incorporated criminal enterprises, because information about the owners of entities formed in our states is beyond our reach.
There have been recent efforts in certain states and sectors to require disclosure of some beneficial owners and those who have a controlling interest in a country. But only federal regulation can address the problem as it exists in every sector, and only federal regulation can head off a “race to the bottom” among states.
The U.S. needs a simple, federal law that requires beneficial owners to be identified on state incorporation forms. This simple solution would vastly improve our capacity to attack financial crime and terrorism finance, and to disrupt plots before they happen.
There are currently two such pieces of bipartisan legislation that my Office would strongly support if reintroduced in the next Congress – one is the Corporate Transparency Act, and the other is the “TITLE” Act. Both would require entities that form corporations and LLCs to disclose information about the company’s beneficial owners.
- The Corporate Transparency Act is sponsored by two New York congress members – Carolyn Maloney, a Democrat from Manhattan, and Peter King, a Republican from Long Island. It’s sponsored in the Senate by Senators Wyden and Rubio. Under this Act, if your state does not require disclosure of beneficial owners upon incorporation, then you have to file beneficial owner information with FinCen. It’s a great idea.
- The TITLE Act – which stands for True Incorporation Transparency for Law Enforcement Act – was introduced in the Senate only this year, by Senators Whitehouse and Grassley. Under the TITLE Act, any state that receives DOJ grant money (under the Edward Byrne Memorial Justice Assistance Grant program) would now have to require entities to disclose beneficial owners when forming a company. It’s another great idea.
We’ll continue making the law enforcement case for incorporation transparency, and I hope you all continue making the business case. Your institutions want to know the ultimate owner of the entities with which you do business. This helps you meet due diligence and anti-fraud and corruption requirements, and it helps you as AML and CTF professionals strengthen the integrity of the financial system at large.
Let’s say 2019 is our year and we’re finally able to get incorporation transparency achieved through federal legislation. The question then becomes, what other trends are obscuring illicit money movement, and the identities of people moving money? I fear we could be closing a door but leaving open a giant window, with the explosive rise in the use of cryptocurrencies.
I’ve yet to hear a good reason why digital currency should not be treated and regulated as currency, with platforms having to adhere to similar diligence and AML standards as your institutions.
In New York, we’re seeing more and more cybercriminals leveraging these new types of digital capital and taking advantage of unregulated, emerging financial marketplaces.
But outside of this room, what many fail to recognize is that when it comes to cryptocurrency, there’s no virtually oversight, unlike in existing, established markets where bad behavior is regulated and punished.
Instead, bad actors are often able to act with impunity, and the use of cryptocurrency in the commission of crimes has prompted us to think about how we in law enforcement go about tracking something that is, at its core, very difficult to track. There are currently over 1,000 different types of digital currencies, many of which are designed to be untraceable.
We’re also seeing a rise in criminal conduct involving cryptocurrency. A couple of years ago, my Office had fewer than three investigations involving digital currency; today, we have more than 25 active and pending investigations.
Due to payor anonymity, digital currencies can be used to pay for contraband and purchase criminal services. In one ongoing investigation, we discovered evidence of a company that may have been using cryptocurrency to facilitate the illicit sale and purchase of steroids and other drugs.
In an unregulated crypto market, once a payment is sent, most consumers do not realize that money is often gone for good, with no possibility of recovery. We are seeing online scams where sellers request payment in digital currency, and once the payment is received they never send the purchaser the item. The would-be purchasers are often shocked that they can’t reverse the transaction. And depending upon the digital currency used, we cannot track where the digital currency went or review identifying data of the individuals involved in the transaction – all steps that the existing fiat currency structures allow law enforcement and regulators to take.
This is what makes it so difficult for investigators and regulators to follow the money, as the saying still goes.
And the crimes in which we need to follow that money are increasingly diverse. It used to be that demands for ransomware bounties were made in dollars. Now, attackers are demanding that ransom fees be paid in cryptocurrencies, the varying values of which have plummeted and soared with shocking swiftness.
In fact, the very promise of turning a modest investment into an overnight windfall is the honey trap that many scammers use to lure in victims of elaborate schemes involving Initial Coin Offerings and other types of fraud.
In one of our cases, investors who were led to believe they were funding the development of a new type of cryptocurrency lost more than $50,000 after it was revealed that their money was simply being used to prop up a classic Ponzi scheme.
And investors aren’t the only ones carefully tracking the fluctuating values of digital currencies. Everyone from sophisticated cybercriminals to old-fashioned stickup artists are keeping a close eye, too.
In another case of ours, at the height of the cryptocurrency bubble, multiple defendants worked together to plan and carry out the kidnapping, armed robbery, and theft of more than $1.8 million in “Ether” cryptocurrency in a violent attack that really demonstrates the vanishing line between violent crime and cybercrime.
Thanks to the work of prosecutors in my Office’s Cybercrime and Identity Theft Bureau, we were able to pursue this case and obtain a landmark conviction in an underdeveloped area of the law.
But it’s clear that cryptocurrency isn’t going anywhere, and we need to support efforts like New York State’s bitLicensing scheme at larger scale.
This is another challenge where I think your institutions any my Office share a common goal and should be advocating together for robust, 21st-century regulations.
Cyber Threat Info-Sharing and GCA
The third challenge I’ll speak about today is cybercrime and specifically, the need to share cyber threat data and prevention tools between your institutions, between the financial services sector and other sectors, and ultimately between governments.
When I was a rookie Assistant D.A. in the 1980s, “hacking” meant legally operating a taxi cab. “Computer crime” usually meant you stole a whole computer. And “cybercrime” did not even exist as a word in our vocabulary.
Today, modern cybercrime is diffuse, aggressive, and unremitting in nature. Despite the way that attacks are sometimes portrayed – highlighting a lone instance of a data breach or a single organization as the victim – the attacks are rarely one-offs. They are constant, and they are coming from all sides.
This is especially apparent in New York, where many major institutions are headquartered. It is undeniable that we host a high number of primary targets.
So when I came into office in 2010, I knew that the Manhattan DA’s Office – by virtue of its jurisdiction – needed to be able to punch back, and help New York companies and residents prevent cybercrime in the first place.
My Office today devotes approximately 75 full-time staff members to cybercrime investigations and prosecutions. The rising number of cyber threats is also borne out in a growing number of felony cases that involve a digital component.
In response, we built a dedicated cyber lab and focused our resources on taking down complex cybercrime rings that claimed victims not just in New York, but around the world.
Because as we all know by now, crippling cyber-attacks can be launched from anywhere in the world on any number of targets, from the biggest city in the U.S. to the smallest, and very often both at the same time.
Manhattan is unique, but the challenges that we face are the same as elsewhere: these attacks increasingly threaten the integrity and security of our government, our professional livelihoods, and our private lives.
Moreover, cybercrime’s cross-border, mass-victim impact makes it particularly difficult to curb through criminal prosecutions alone – so prevention is just as important, if not more important, than prosecution.
Prosecuting cyber cases, even the big ones, isn’t going to reverse an escalating global trend. Instead, focusing on reducing vulnerability and preventing crime proactively may be more important when it comes to bending the curve in a meaningful and positive way.
At the international level, the pervasive and shared threat of cybercrime is one of the reasons why my Office, together with the City of London Police and the Center for Internet Security, formed the Global Cyber Alliance, a coalition of organizations focused on addressing worldwide cyber threats.
Working with our partners, it wasn’t long before we realized that the same people who were victimizing New York residents were also victimizing residents of London, Paris, and Singapore. And that list goes on.
All institutions and individuals are at risk, but not everyone has the resources to cope with these threats, which is where GCA comes in.
GCA began as a commitment by my Office and our partners in law enforcement to reduce digital vulnerability worldwide. Our aim was to invest the resources necessary to develop practical tools to combat the most malicious cyber threats, and get those tools out there, in the hands of organizations of all types.
In fact, GCA has already released two targeted tools designed to prevent cyberattacks. They include:
- a DNS tool (“Domain Name System”) designed to leverage shared threat intelligence to prevent access to malicious websites,
- a DMARC tool (“Domain-based Message Authentication, Reporting and Conformance”) designed to combat phishing and email spoofing,
- and QUAD9, a platform designed to prevent access to compromised sites.
These tools work: In 2017, when Her Majesty’s Revenue and Customs implemented the DMARC tool, within one year, DMARC stopped 300 million phishing emails that were fraudulently using their email address. In 2018, a law enforcement agency implemented DMARC at the highest level, and after a few months, DMARC blocked a spam campaign that sent 43,000 “malicious” emails to citizens using the law enforcement agency’s domain name.
Here’s a direct quote from Ed Tucker, Head of Cyber Security at Her Majesty’s Revenue and Customs: “In one year we’ve stopped 300 million phishing emails that were fraudulently using our email address. If we can do it, anyone can! GCA is doing a great job helping organisations with practical solutions to loading DMARC.”
Not only are the tools incredibly powerful, but they’re free and available to individuals and organizations of any size. The goal here is not to husband resources. In fact, the goal is very much the opposite, and GCA’s overarching mission is to make these tools and technologies available to as many as possible.
Since its formation, GCA has grown to include more than 235 global partners in 26 countries and 18 sectors. Solving cyber challenges must be a collaborative effort, not an isolated burden that falls to any one organization, industry, or city alone.
Our overall mission is to build an international community to confront the serious cyber risks we all face. Membership is entirely voluntary, but we only stand to gain from increased collaboration across institutions, sectors, and borders.
So I hope you will learn more at Global Cyber Alliance dot org, and encourage your institutions to sign up, if they haven’t already.
Thanks for listening and I look forward to your questions.