News

Global financial institutions have intensified their scrutiny of access to their digital services in recent years but still struggle to pinpoint and prevent parties in blacklisted jurisdictions from transacting online, sources said.

Sanctions evaders for years have logged into online accounts and moved funds from countries like Iran and North Korea directly or by using anonymizing tools to mask their IP addresses, and therefore their locations, from financial institutions, six former officials and senior compliance professionals told ACAMS moneylaundering.com.

Since at least 2016, however, lenders have begun screening clients’ IP addresses more regularly—including against lists of virtual private networks, or VPNs, and Tor exit points—and blocking any matches, said Jason Rhoades, a former official with the Treasury Department’s Office of Foreign Assets Control, or OFAC.

“It’s better than nothing, but certainly not foolproof,” Rhoades, now counsel with Alston & Bird in Washington, D.C., said. “It’s a difficult thing to keep up with, because VPN server addresses and Tor exit nodes change all the time.”

VPNs enable internet users to scramble their IP addresses by funneling their traffic through a distinct, standalone network. Tor, an acronym for The Onion Router, routs traffic through multiple servers in several, disparate geographic locations to mask the customer.

Individuals and entities conducting business and related transactions from or with countries targeted by U.S. sanctions can easily deploy one or the other method to conceal the true nature of their activities from their financial institutions, said Daniel Wager, former director of the New York High Intensity Financial Crime Area.

OFAC currently administers four such sanctions programs: against Iran, North Korea, Syria and Cuba.

Hypothetically, a citizen of a low-risk jurisdiction such as Canada or Germany may own a seemingly legitimate firm that covertly engages in prohibited trade with Iran, and, to that end, may visit the Islamic Republic or neighboring countries such as the UAE and Turkey.

From there, he or she could access online banking through a VPN or Tor.

“For most institutions, I would be able to hide that I am in a place where conducting business is prohibited,” said Wager, now vice president of global financial-crime compliance at LexisNexis Risk Solutions. “Or even just avoid letting my institution know I am visiting a country considered medium-to-high risk for its proximity to a blacklisted jurisdiction.”

Failing to prevent transactions openly initiated from blacklisted jurisdictions can result in massive outlays, but whether or not an institution could incur regulatory or legal penalties for Tor- or VPN-enabled transactions remains unclear.

In April, U.K. and U.S. authorities fined Standard Chartered more than $1 billion for allowing more than 100 individuals and entities in Iran, Myanmar, Sudan, Syria and Cuba to move hundreds of millions of dollars through two of its online banking platforms from 2008 to 2014.

“Not blocking access from sanctioned countries makes it easier for clients to open an account posing as being based in one country when they are really based in another,” a senior U.S. compliance officer told his U.K. counterparts in an October 2012 email.

The London-based lender failed to deny services to online clients who took no steps to mask their locations in Iran and other blacklisted jurisdictions, let alone those that may have disguised themselves through anonymizers.

“I think the key to whether there will be enforcement will remain if the institution knew or should have known of access by parties in prohibited jurisdictions,” said Brian O’Toole, a former senior official with OFAC.

A handful of firms now in the market constantly hunt for VPN- or Tor-linked servers, then make their addresses available to the public on a limited basis or to clients by subscription.

According to Rhoades, the former OFAC sanctions compliance and evaluation officer, lenders began monitoring such lists more closely following the issuance of guidance by the Treasury Department’s Financial Crimes Enforcement Network in late-2016.

In October 2016, the bureau instructed financial institutions to incorporate any cyber-related information associated with suspicious transactions they report.

“That was a big eye opener,” Rhoades said. “It showed that regulators knew what was going on and got banks to take action.”

In a May 5 advisory, FinCEN specifically identified the use of VPNs and Tor in cryptocurrency transactions as red flags of illicit finance.

The bureau separately warned financial institutions to watch out for cryptocurrency transactions from IP addresses in blacklisted nations, as well as transactions from atypical addresses.

Contact Valentina Pasquali at vpasquali@acams.org