A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time | Digital Guardian


The first known attack was initiated in 1989 by Joseph Popp, PhD, an AIDS researcher, who carried out the attack by distributing 20,000 floppy disks to AIDS researchers spanning more than 90 countries, claiming that the disks contained a program that analyzed an individual’s risk of acquiring AIDS through the use of a questionnaire. However, the disk also contained a malware program that initially remained dormant in computers, only activating after a computer was powered on 90 times. After the 90-start threshold was reached, the malware displayed a message demanding a payment of $189 and another $378 for a software lease. This ransomware attack became known as the AIDS Trojan, or the PC Cyborg.

From A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time | Digital Guardian:


To regain access, the users would have to send $189 to PC Cyborg Corporation at a PO box in Panama.

From AIDS Trojan | PC Cyborg | Original Ransomware | KnowBe4:


Popp was eventually discovered by the British anti-virus industry and named on a New Scotland Yard arrest warrant. He was detained in Brixton Prison. Though charged with eleven counts of blackmail and clearly tied to the AIDS trojan, Popp defended himself by saying money going to the PC Cyborg Corporation was to go to AIDS research.

From AIDS (Trojan horse) – Wikipedia:


As Alina Simone puts it,

Six years after the AIDS Trojan was first unleashed, two pioneering cryptographers — Adam L. Young and Moti M. Yung — patched the holes in Popp’s leaky programming by developing a class of algorithms known as public-key cryptography.
This innovation basically did for ransomware what the Bessemer process did for steel.

From The Strange History of Ransomware | by Alina Simone | Medium:


Governments could help by changing financial rules. “Would tighter regulation of cryptocurrency transactions help?” asks Ciaran Martin, the founding CEO of the U.K.’s National Cyber Security Centre. “What about mandatory disclosure of payments? At the moment, the business model works for the criminals, not for our societies.”

From Worried About Cyberhacks? Say Now You’ll Never Pay Ransom – WSJ:


Ban Cryptocurrency to Fight Ransomware – WSJ

Lee Reiners, writing in the Wall Street Journal, says that there are no obvious benefits to cryptocurrencies “beyond the chance to make a quick buck”. He goes on to say that “I have yet to identify a single task or process that crypto makes easier, better, cheaper or faster”, but I think that this misses the key point that (eg) Bitcoin was never designed to be easier, better, cheaper or faster. It was designed to be censorship-resistant, which it is, which is why the government of Iran is mining Bitcoins to export because it can’t export oil.

Public and Private Money Can Coexist in the Digital Age | Cato Institute


First, a central bank digital currency may be designed to encourage the private sector to innovate on top of it, much like app designers bring enticing functionality to phones and their operating systems. By accessing an open set of commands (“application programming interfaces”), a thriving developer community could expand the usability of central bank digital currencies beyond offering plain e‐​wallet services. For instance, they could make it easy to automate payments, so that a shipment of goods is paid once it has been received, or they could build a look‐​up function so money can be sent to a friend on the basis of her phone number alone. The trick will be vetting these add‐​on services so they are perfectly safe.

From Public and Private Money Can Coexist in the Digital Age | Cato Institute:


Public and Private Money Can Coexist in the Digital Age | Cato Institute


the option of redemption into central bank money is essential for stability, interoperability, innovation, and diversity of privately issued money, be it a bank account or other form of money

From Public and Private Money Can Coexist in the Digital Age | Cato Institute:


Do we need ‘public money’? – speech by Jon Cunliffe | Bank of England


The current mix of public and private money in the UK is the result of history rather than some informed policy decision and some might argue, generally available public money is becoming an anachronism.

From Do we need ‘public money’? – speech by Jon Cunliffe | Bank of England.


Millions of Low-Income People Are Locked Out of The Financial System. More Big Tech Monopoly Power Is Not The Answer. – The Appeal


Financial exclusion is not a problem born of inadequate technology; it is a public policy problem ultimately rooted in the unequal distribution of wealth and power in our society. Commercial banks, while subsidized and regulated by the federal government, are driven by profit considerations and have little incentive to provide services to low-income individuals.

From Millions of Low-Income People Are Locked Out of The Financial System. More Big Tech Monopoly Power Is Not The Answer. – The Appeal:


Central banks aren’t running scared of bitcoin but they want to keep control, says former Bank of England digital guru | Currency News | Financial and Business News | Markets Insider


Another common argument is that Western central banks are racing to keep up with China’s advanced CBDC project, which they say could threaten the dollar’s dominance.

But van Steenis is skeptical. “I just don’t see the geopolitical angle is what’s driving it,” he says. “If you ask the Swedes what’s driving the e-krona, it’s much more about a reduction in cash and inclusion and their responsibility to provide to society, than it is because they’re trying to keep up with friends around the world.”

From Central banks aren’t running scared of bitcoin but they want to keep control, says former Bank of England digital guru | Currency News | Financial and Business News | Markets Insider:


POST AML as competitive edge

When it comes to complaining about the cost-benefit analysis around AML regulation (ie, costs but no benefits), I am first in the queue. But it is interesting to reflect on what mechanisms there might be available to institutions to take some of that cost and use it to obtain organisational benefits, part of what I’ve taken to calling the Digital Due Diligence (DDD) replacement for the current analogue/digital mishmash of Customer Due Diligence (CDD).

The good people at Banking Circle published a white paper about this in May. The paper “Better By Design? Rethinking AML for a Digital Age” looks at a variety of means to make AML not only more efficient but also an element of competitive strategy for financial institutions. I strongly agree with what their CEO, Anders la Cour, writes in his introduction: “Indeed, far from being a burden, the right approach to AML can be an enabler – driving efficiencies and leaner processes, and in turn helping to create the mindset for urgent digital transformation initiatives”. What I think this means in practice is a focus on collecting vastly more data to support decisions and using artificial intelligence and machine learning to make sense of that data, technologies and activities that have wider benefits to an organisation if not confined to compliance.

That’s a good point, and it is an interesting report for many reasons, but what really stood out to me was a comment from Professor Brigitte Unger, Chair in Public Sector Economics at Utrecht University and the principal author of the European Parliament’s report on money laundering. Prof. Unger argues that previous policy approaches to AML cannot prove that they have had any positive effect. Not “some” positive effect or a “limited” positive effect but “any” positive effect at all. Any. She says that there is “no solid evidence that these approaches have achieved anything”, going on to observe that “AML regulation has a big legitimacy problem. Regulators and politicians must do more to prove their effectiveness.”

Well, indeed.

I took part in an educational and enjoyable discussion about the future of compliance earlier in the year and I remember that one of the speakers said that it was difficult to construct efficient compliance systems when no one knows where the goal posts are. I think the situation is actually slightly worse than that, because the sixth anti-money laundering directive (6AMLD) is expanding and homogenising the list of “predicate offences” across the EU without helping anyone to figure out how to prevent (or even detect) the flows of funds.

Whether we can see the goals or not, we are clearly not winning at the moment since, as I pointed out in Forbes recently, the colossal expenditures on compliance do not seem to have resulted in an increase in the amount of criminal funds uncovered. The Economist say that the numbers tell of a war “being lost”, referring to a report from John Cusack, an ex-chair of the Wolfsberg Group, an association of banks that helps develop AML standards. The report estimates there was some six trillion dollars of financial crime perpetrated in 2018, almost 7% of global GDP, and while statistics on how much is intercepted by authorities are patchy, a decade-old estimate by the United Nations Office on Drugs and Crime put it at just 0.2% of the total. I’d be surprised if it is that high.

It isn’t only financial institutions being forced to shell out for 6AMLD, because it expands on the number of crimes that are categorised as money laundering. It attempts, in particular, to target the use of property transactions to facilitate money laundering and “aiding and abetting, inciting and attempting” now falls under the money laundering bracket and enforces the same criminal punishment as money laundering. 

Is it really worth spending all of that money in order to recover so little (i.e. zero to all intents and purposes) when the money could be spent on developing new products and services to improve the overall financial health of the nation? I think not, which is why Anders’ comments caught my eye. Making the new technologies part of a digital transformation strategy that delivers more cost-effective compliance almost as a byproduct, rather than as a compliance function with no return on investment beyond reduced fines from regulators, has to be a better way forward.

Right now, I am hearing estimates that British banks are trying to shed something like a quarter of their compliance staff and boost their IT spending to cover for them. Perhaps this is a real opportunity for change. UKplc as a jurisdiction should rethink compliance for competitive advantage. As part of a post-Brexit project to boost British invisibles, we should take jurisdictional competition seriously and create a compliance regime built on this new technology rather than an industrial age mishmash of shaky identification documentation and millions of false positive suspicious transaction reports.
