FINTRAC—How Canada Fights Against Money Laundering and Counters Terrorist Financing.

FINTRAC—How Canada Fights Against Money Laundering and Counters Terrorist Financing.

One of the rarer criminology angles that is explored has to do with the specifics of money laundering and the intersectionality of the issue with other parts of Canada’s society.  As someone who has been trained and certified in FINTRAC’s Anti-Money Laundering and Counter Terrorism Financing (an annual requirement for anyone who works in the financial services sector and with financial instruments) the takeaway from that experience was that the manner that financial instruments are leveraged for criminal purposes sees them act as the lifeblood and heartbeat of criminal enterprises.  Some people may recognize the name “FINTRAC” as being one of the most important forces in leading the fight against money laundering and terrorist financing, but that might be the extent of their familiarity.

What is FINTRAC?

The Financial Transactions and Reports Analysis Centre of Canada, more commonly referred to as FINTRAC, is the national financial intelligence agency of Canada, and it was established in 2000 in the Proceeds of Crime Act.  FINTRAC assists businesses in being compliant with their obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act) and associated Regulations.  Those obligations include things like identifying clients, keeping records, and reporting certain types of financial transactions to FINTRAC, including large cash transactions, large virtual currency transactions, or other suspicious transactions which have no monetary threshold for reporting.  As such, approximately 90% of the reporting that FINTRAC receives every year comes by a way of these businesses.

FINTRAC has a unique approach when working with Canada’s big banks, meeting on a quarterly basis, at a minimum, to monitor the ongoing state of their anti-money laundering and anti-terrorist financing program, as well as what they are doing to identify and address risks to the financial system including risk exposure, assessment of the effectiveness of policies, procedures, and controls in place to account for money laundering and terrorist financing.  Surprisingly, however, FINTRAC has no control over which technologies different banks use, nor any other business that falls under its umbrella of oversight.

FINTRAC’s Director and CEO, Sarah Paquet, has announced that there is a modernization strategy underway, calling it “FINTRAC in Real-Time”.  This modernization process was described as harnessing modern skills, tools, and technologies, including artificial intelligence, to be able to better identify, assess, and communicate risks in real-time; to conduct analyses in real-time; and to generate financial intelligence for public safety stakeholders in real-time, or as close to it as possible.  In addition, Canada is one of the more active members of the Egmont Group of Financial Intelligence Units, an international organization headquartered in Ottawa that facilitates cooperation and intelligence sharing between national financial intelligence units in the fight against money laundering and terrorist financing, and contributing to a wide range of projects and initiatives that leverage the use of data and technology to better address emerging and evolving threats.

Perhaps one of the reason’s Canadians do not hear much about FINTRAC in the news has to do with it being prohibited from disclosing information on the compliance history of individual entities, as well as on compliance actions that are ongoing or planned in relation to a specific business except in the case of a monetary penalty being imposed.  How assessments are conducted includes observation letters to highlight improvements or program gaps and compliance assessment reports to assess progress in implementing a compliance program.  However, the lack of publicity around FINTRAC should not be taken to mean that nothing is being done, as a significant portion of its resources goes towards business that presents a higher risk of being exploited by money launderers or terrorist financiers.

Can we legislate our way out from under some of FINTRAC’s vulnerabilities?

During my FINTRAC training in the mid-2010s, it had elements to it that might constitute as being potential vulnerabilities, but they were nothing compared to the vulnerabilities with regulated cryptocurrency exchanges.

First, the same overreliance on frontline staff to report suspicious activity that fell just short of FINTRAC’s threshold and frontline staff being able to see accounts that were flagged by FINTRAC and under investigation that existed back in 2016, 2017 and 2018, seems to still exist. Despite one of the requirements for obtaining certification was ensuring the privacy of individuals, as well as the confidentiality of accounts that were flagged and under investigation, there continue to be instances that make headlines where bank tellers are co-opted by criminals to provide otherwise inaccessible information.  Although not all those incidents have to do with FINTRAC-related matters, they demonstrate the concern about asking individuals who are hired with only simple background checks, who may be incapable of uncovering potential red flags in candidates, to ensure that such information remains confidential.  Just imagine, if criminal enterprises are as organized as public safety stakeholders tell us that they are, then how difficult is it for them to find someone on the inside to tip them off if they pull up their account during a transaction and if the account is flagged by FINTRAC?

Second, regulated cryptocurrency exchanges do not have brick and mortar locations and the manner in which they authenticate their customers is through users taking photos of their documents and requiring them to take selfies, sometimes even asking that they throw up the “peace” sign.  It sounds like a funny ask, but that is how it is being done. But the security perks of doing all-things related to finance through brick-and-mortar locations, like robust crime detection tools, do not exist with verifications done over digital devices.  Just imagine, if criminal enterprises are as organized as public safety stakeholders tell us they are, then how difficult is it for them to obtain stolen documents or fake duplicated IDs and have a person stand-in for the photo requirement and successfully bypass the authentication systems put in place by regulated cryptocurrency exchanges?

What if these vulnerabilities are the tip of the iceberg? What if the submersed part of the iceberg represents a world of new ways to mask transactions and create an appearance of legitimate transactions where money paying for something over the internet actually serves as a way to launder money, finance terrorism, pay human traffickers, or evade policing agencies? Well, that world very well might be here, and it is not like anything people can imagine.

The vulnerabilities of e-commerce platforms like eBay and Etsy via “digital store fronts”.

At first glance, e-commerce platforms serve to connect individuals to a global marketplace accessible by anyone with an internet connection.  Online shopping is now an integral part of life for many people around the world, and it is also one of the reasons why “digital store fronts” have overtaken traditional brick-and-mortar locations. But there are major differences between the two.

When people “window shop”, they can see what is behind the glass and products on display, and they can enter the store and look around.  On the other hand, “online browsing” provides nothing tangible and only allows one to view images or videos, with little promise of things being “as described”. However, during a person’s scrolling on platforms like eBay and Etsy, the items that might get overlooked behind the displayed image might be a digital store front that is being leveraged to money launder, finance terrorism, and pay human traffickers.

The way it works is that any person from anywhere in the world can create an account on any e-commerce platform and set up their own digital store front and post photos of different products.  But guess what, those digital store owners can post random images of things they do not even own, for whatever price they want, and they can carry out pre-arranged purchases over these e-commerce platforms where the funds look like they are paid for an item, but nothing ever gets bought.  This is one of the newer ways that are being leveraged to launder money, finance terrorism, and even pay human traffickers.

There is no way for e-commerce sites to pick up on the fake transactions because they are legitimate transactions by every measure and the buyers are not complaining either.  It is a problem plaguing the world’s top policing agencies.  Some may argue that the user information collected during transactions over an e-commerce platform can be useful, it only is if those individuals are on police radar.  More often than not, however, that is not the case.

A peek into parts of the digital world where the sun does not shine.

As someone who has an appreciation for the complexities of today’s cyber world, given that I grew up during the dial-up internet era and Wild West days of websites and social media platforms, it is no longer possible to know everything you need to know about programming, coding, and cybersecurity like it once was by reading four books.  Yet, to this day, some people still manage to crack the DaVinci Code that is cybersecurity, sometimes for ethical purposes but more often for criminal purposes.

One glimpse into the dark web and the dark arts of hacking is provided courtesy of Jack Rhysider’s podcast, Darknet Diaries, which is centered around hacking and cybersecurity, and documents some of the most unimaginable hacks ever.  Rhysider is a veteran to the security world and has gained his professional knowledge having worked in security operations for a Fortune 500 company and with clients ranging from school and governments to banks and commercial organizations.  Otherwise, a quick YouTube search will load thousands of videos of hackers that have been rehabilitated and now go after phone scammers that try to get access to people’s computers, and there are even stories of the notorious ZachXBT who exposes crypto scammers too.

Not to be outdone by anyone, and an enigma of a person, is Ryan Montegomery, whose life’s story resembles a thriller movie plot.  To start, Montegomery dropped out of high school after grade nine and has no formal or college education in cybersecurity or hacking, so he is entirely self-taught, and he says that “hacking” is the best decision he has ever made in his life.  His social media nickname is“0day”, which is codename for a discovered cybersecurity vulnerability that has zero days to get fixed, while his LinkedIn handle is “rapper”.  But do not be fooled by the social media fun, as he has dedicated his life to cybersecurity and going after child predators and human traffickers, and he is doing so on par with policing agencies, sometimes uncovering the details before they can.

In the grand scheme of money laundering and terrorist financing, accountants and lawyers have been described by experts in policing as being the biggest enablers of money laundering crimes, but the time has come to add technologists to that mix too.  For the purposes of policy, regulations, and legislation, they all fall outside the purview of any legal obligations, sometimes with just enough grey area for them to wiggle out of it.

So what can be done?  I hope to soon bring you an interview with some cybersecurity experts and ethical hackers, including advice for our readers on how they too can follow in the white- hatted footsteps.