“We only catch the dumb ones,” – that is what the risk manager of a major bank tells me when I ask about banks’ ability to detect illicit financial transactions. Detecting proliferation-relevant illicit financing is even harder than detecting money laundering or terrorism financing. Governments and financial institutions around the world have been dealing with money laundering and terrorism financing for decades. They have developed typologies, “red flags,” and standard operating procedures to minimize exposure to money laundering or terrorism financing. Compared to money laundering and terrorism financing, proliferation financing is a relatively recent and less understood challenge.1
The risks posed by weapons of mass destruction (WMD) stem not only from ready-made bombs, nuclear, chemical, or radiological material, but from dual-use goods and technology that are traded, shipped, and used globally. Laptops, transistors, instant coffee – almost every single moment, no matter where you find yourself in the world, you are surrounded by products that rely on the same technology and material as weapons of mass destruction. Semi-conductor material that is indispensable for laptops and transistors can be used in military equipment. Production of instant coffee, as well as of dry ice-cream for astronauts, relies on freeze-drying technology that can be used in bio-warfare research. Components for nuclear power reactors that generate electricity rely on dual-use components and technology that can be used in a nuclear weapons program.
To date, proliferation financing controls have mostly been seen as an ‘add-on’ to anti-money laundering and counter-terrorism financing measures. Looking at proliferation financing challenges as related to export control efforts can significantly improve the overall national capacity of a given country to minimize proliferation financing risks. In this article, proliferation financing controls refer to measures designed to prevent financing of WMD-related activities.2
UN SECURITY COUNCIL COUNTRY-SPECIFIC SANCTIONS VERSUS BROADER PROLIFERATION CONCERNS3
A common perception within the private financial sector is that proliferation financing controls refer to the implementation of country-specific sanctions, for example, those designed to prevent North Korea (DPRK) and Iran from tapping into the global financial system for proliferation activities. However, country-specific sanctions should be seen as integral but not the only part of proliferation financing controls.
Financial institutions struggle with implementing both country-specific sanctions and the broader proliferation financing controls. The difference is that financial institutions understand better and internalize more easily country-specific sanctions, while broader proliferation risks appear more abstract to these institutions and they find themselves ill-equipped to address those risks.
There follows a description of specific challenges that financial institutions face when implementing country-specific sanctions and broader proliferation financing controls.
Challenges with Implementing UN Country-Specific Sanctions
Resolutions adopted by the UN Security Council (UNSC) under Chapter VII of the UN Charter impose obligations on all UN member-states to implement UN sanctions. Financial institutions are aware of UN Security Council resolutions though they are not always well-equipped to implement country-specific ones. In the proliferation realm, Iran- and DPRK-specific sanctions are especially relevant.4
In the wake of the 2015 Joint Comprehensive Plan of Action (JCPOA or Iran Nuclear Deal), the UN Security Council rolled back UN nuclear sanctions. Previously, financial institutions were prohibited from conducting business with entities and individuals designated by the UN Security Council. Financial institutions were banned from providing their services for prohibited activities (e.g., activities that could contribute to Iran’s enrichment-related, reprocessing, or heavy water-related activities, or to the development of nuclear weapon delivery systems). Iranian banks could not open a new business in other countries if the business was connected with prohibited activities. The UN Security Council imposed a broad requirement on countries to exercise vigilance over business potentially connected with prohibited activities.5
Following the Iran Nuclear Deal, the UN Security Council reduced the list of designated entities and individuals. The UN Security Council obligates countries to seek its approval for financing of UNSC-approved procurement by Iran. It dropped the broad requirement on countries to exercise vigilance over business potentially connected with prohibited activities.6
In contrast to its rollback of sanctions related to Iran’s nuclear program, the UN Security Council continued to expand sanctions against the DPRK in response to its audacious WMD program.
The financial provisions of DPRK sanctions are broad. For example, the UNSCR 2270 (2016) introduces activity-based and category-based targeted financial sanctions. It requires countries to prevent financial transactions related to DPRK’s nuclear or ballistic missile programs or other prohibited activities. The same resolution bans the opening and operation of branches and subsidiaries of DPRK banks; bans public and private financial support for DPRK’s prohibited activities; and requires the freezing of assets and economic resources, which include transportation vessels. UNSC Resolution 2371 (2017) prohibited new or expanded joint ventures and cooperative commercial entities with the DPRK. The UNSC Resolution 2375 (2017) went further and prohibited all joint ventures, cooperative entities, and expansion of existing joint ventures with DPRK entities and individuals.7
Below are five examples of challenges that financial institutions face with implementing country-specific sanctions.
First, domestic legislation in many countries around the world does not fully internalize UN sanctions. That means some countries lack the legal basis to deal efficiently with implementing the sanctions because their institutions are not authorized to take relevant actions – e.g., denying financing, freezing assets, or punishing violators.
The second and related challenge is an inefficient process for updating domestic regulations and informing private sector promptly to match changes in UN designations of entities and individuals. For example, if the UN Security Council designated new entities or individuals as proliferators, but a given country failed to update its lists, financial institutions might continue conducting business with those entities and individuals during this lag time.
The third challenge pertains to practicalities. Financial institutions use software that screens transactions against the lists of UN-designated entities and individuals. In practice, such screening system returns a high number of false positives, often thanks to similar or similar-sounding names. Screening results that return 95% false positives are not unusual. Risk managers spend a lot of time dealing with false positives and writing up reports on each case; time and effort that could be spent on more efficient risk-management procedures.
The fourth challenge for financial institutions is the difficulty with identifying sanctioned countries, entities, and individuals or their middlemen behind transactions. Since the list-based scanning is not fool-proof, financial institutions have to find other ways to make sure they are not servicing sanctioned countries, companies, people or the front companies that work on these countries’ behalf. This is difficult to do because of proliferators’ deceptive practices.
The DPRK represents the most notorious example of challenges. North Korea has perfected the art of disguise and employs various tricks to hide its identity when interacting with the global financial institutions. The Kim Jong-un regime relies on the help of DPRK procurement managers who reside in third countries or middlemen from these countries who act on behalf of the DPRK. These middlemen acting on the DPRK’s behalf use multiple bank accounts under different names and pay for goods in several installments to muddy transactions.8 In one of the numerous examples that has come to light, a representative of the designated DPRK Daedong Bank opened several accounts in mainland China and Hong Kong, both in his name and in the name of front companies, and used those accounts to carry out transactions worth millions of U.S. dollars.9
Because of such deceptive practices, the DPRK does not feature on the documentation that financial institutions receive. As a result, often financial institutions do not know who they are dealing with.
Finally, the underlying challenge to sanctions implementation is the limited capacity of financial institutions to distinguish proliferation activity. DPRK sanctions require activity-based controls which means that financial institutions are supposed to prevent transactions related to prohibited activities but banks, in general, are not in the best position to identify such transactions. Financial institutions see only a small part of data related to a given transaction, and they do not have the technical expertise to distinguish what is proliferation-relevant and what is not.
To put it in perspective, even customs officers who deal with actual goods on an everyday basis often struggle to distinguish dual-use items. However, in contrast to financial institutions, customs officers have access to more information on any transaction, specifically related to the goods involved, and officers can physically inspect the items. There are also procedures in place for customs officers to seek technical expertise from relevant authorities when needed to determine the nature of goods.
Compared to government agencies who deal with controlled goods on a regular basis, such as customs or export licensing authorities, financial institutions will unlikely ever be fully equipped to determine the nature of a transaction – whether it is related to prohibited activities or not – without external help.
Having said this, financial institutions cannot afford to recuse themselves from carrying their share of responsibility. They should be concerned with doing better both for the common good (international security) and for self-serving reasons (to avoid reputational risks and punishment).
On this last point, the role of the United States in relation to non-U.S. banks is especially relevant. Foreign banks rely on the U.S. financial system to clear transactions in U.S. dollars. Losing access to the U.S. financial system carries serious repercussions for foreign banks.
The U.S. government has shown readiness to hit foreign banks for proliferation-related activities. In one example, in 2017, under the USA Patriot Act, the U.S. Treasury labeled China’s Dandong Bank an ‘institution of primary money laundering concern’ for carrying out transactions on behalf of North Korea, effectively cutting it from the U.S. financial system.10 In another recent example, Trump administration issued an executive order that allows the U.S. Department of Treasury to impose sanctions on foreign banks that ‘knowingly conducted or facilitated any significant transaction in connection with trade with North Korea.’11
While the limitations for financial institutions with identifying transactions of proliferation concern cannot be fully eliminated, they can be mitigated. Guidance provided by governments and the Financial Action Task Force (FATF),12 employment of ‘red flags,’ and proliferation finance typologies13are of great value and should be incorporated into risk management practices of financial institutions.
Moreover, education of compliance officers, including on how to access relevant information from non-government sources, would further help to sensitize them to proliferation finance risks. Academic institutions and think-tanks, such as Royal United Services Institute (RUSI), James Martin Center for Nonproliferation Studies, Alpha Project at King’s College London, Center for New American Security (CNAS) to name but a few, offer timely analysis of proliferation trends and provide practical suggestions to financial institutions on how to strengthen proliferation financing controls.14
On the opposite side of the spectrum, there are certain potentially negative implications associated with over-compliance and de-risking when it comes to country-specific sanctions. For example, some financial institutions avoid doing any Iran-related business altogether, despite the lifting of nuclear sanctions in the aftermath of the Iran Nuclear Deal. Over-compliance and de-risking can negate the effectiveness of sanctions and bring unintended consequences. In the case of Iran, the reluctance of global financial institutions to engage can reduce political support for the deal within the country.
CHALLENGES OF IMPLEMENTATION – BROADER PROLIFERATION CONTEXT
Proliferation financing controls cannot be tied solely to country-specific sanctions implementation. Proliferation risks expand further than just those emanating from specific countries, such as the DPRK or Iran. New proliferator countries can appear on the horizon, or non-state actors, such as terrorist organizations, can attempt to obtain proliferation-sensitive goods. Our reliance on dual-use goods and technology in daily life means that every day and in every part of the world goods that can be misused for weapons purposes are easily available. Determined proliferators can abuse legitimate trade and financial systems to achieve their aims.
To counter this risk, the UN Security Council passed a resolution in 2004 that obligated all UN member-states to implement proliferation controls that would prevent non-state actors from acquiring WMD. UNSCR 1540 (2004) includes provisions that cal onl UN member states to adopt and enforce laws which would prevent financing of WMD-related activities by non-state actors and enact export controls related to financing the movement of sensitive goods.15 More recently, UNSCR 2325 (2016) called on countries to pay more attention to proliferation finance measures.16
Financial institutions are typically not well attuned to broader proliferation trends, risks, and states’ responsibilities under broader proliferation-relevant UN Security Council Resolutions. So far, the author has not encountered representatives of financial institutions who are aware of the UNSCR 1540.
Even though financial institutions face challenges when implementing sanctions, compared to broader proliferation financing controls, the implementation of country-specific sanctions is more structured, is associated with more concrete measures, and guidance is more explicit, especially when it comes to targeted financial sanctions aimed at designated entities and individuals. UNSCR 1540, by design, leaves the interpretation of national compliance relatively broad, without setting firm benchmarks.
Broader proliferation risks are harder for financial institutions to grasp and even harder for them to address. The majority of countries around the world have limited awareness of proliferation and proliferation trends. Many decision-makers mistakenly think that WMD proliferation refers to the spread of actual weapons of mass destruction and their components, without realizing that strategic goods and technology are directly relevant to WMD risks. Moreover, many developing countries do not think WMD proliferation poses risks to their security and prefer to use their limited resources on pursuing other national priorities.
Not surprisingly, many countries lack legal and regulatory frameworks for implementing proliferation financing controls, which is a more advanced component of WMD nonproliferation policy. As a result, financial institutions are not usually familiar with the concept of dual-use goods and technology and struggle to internalize what proliferation entails.
On a more practical level, when attempting to identify transactions involving proliferation-relevant goods, financial institutions encounter the following challenges.
Even if financial institutions run checks against HS codes that are associated with sensitive goods, they cannot be certain they catch potentially dangerous transactions. Proliferators can misrepresent product descriptions and use incorrect HS codes in their paperwork. Proliferators can also seek goods that are below the ‘controlled goods’ threshold – for example, goods with technical characteristics that are slightly lower than of controlled equipment. There is also a big question mark whether information that financial institutions receive (through SWIFT or trade finance documentation) is sufficient to check against lists of controlled goods.
The fact that financial institutions often do not have access to full end use and end-user information is another practical challenge. Who is the final beneficiary? And what is the real purpose of a transaction? These are the kind of questions that financial institutions struggle to answer. Moreover, because financial institutions have not internalized proliferation concerns, the know-your-customer and due diligence procedures do not incorporate checks against proliferation-relevant risks.
Financial institutions also face industry-specific challenges, for example, with data-sharing due to liability and confidentiality rules. Financial institutions can submit suspicious activity reports (SARs) when they suspect illicit behavior, but they cannot easily share information on suspicious transactions and customers, even with their branches located in other countries. This means that data that could point to proliferation networks are fragmented and not available in its entirety for analysis.
Another fundamental weakness with implementing proliferation financing controls lies in the isolation of financial institutions from other relevant national actors. It is not general practice for financial institutions to interact with export control agencies, customs, border control, and intelligence authorities. Often, interaction and information flow with law enforcement and intelligence authorities, including financial intelligence units, is one-way. Financial institutions submit SARs to financial intelligence units, but they do not receive feedback on whether and how that data fits into uncovering financial crimes or sanctions violations.
Financial institutions also provide relevant data to law enforcement authorities on demand on specific cases under investigation. This means that opportunities for information exchange that could be mutually helpful to all actors are not fully utilized.17
A strong case can be made for connecting efforts to counter proliferation financing with export controls.18 Export control licensing authorities have expertise in dual-use goods, and they deal with companies involved in strategic trade. They have information on export license approvals and denials, ‘blacklists’ of violators, and other pieces of valuable data. Similar to licensing authorities, customs have more information on products that are traded and shipped across borders than banks ever will. Customs and border control agencies sit on enforcement data that add another dimension to a broader picture of attempts to move goods illegally. Intelligence agencies collect and analyze data not readily available to any other government actors.
Financial institutions also have something to offer to government agencies. Financial institutions cannot disclose proprietary information, but they can share their observations on trends of illicit activities in the financial realm that can add a valuable missing piece to the puzzle of how proliferation networks operate.
In the last few years, several countries established private-public partnerships to deal with financial crimes. In 2016, the United Kingdom launched the Joint Money Laundering Intelligence Taskforce (JMLIT). The Taskforce analyzes data supplied by the public and private sectors to better understand how money launderers and terrorists exploit British financial sector.19 In 2017, Australia launched Fintel Alliance to combat money laundering and terrorism financing, Hong Kong launched a 12-month pilot project named Fraud and Money Laundering Intelligence Taskforce (FMLIT), Singapore launched the Anti-Money Laundering and Countering the Financing of Terrorism Industry Partnership (ACIP).20
Currently, these private-public partnerships do not focus on proliferation financing. However, proliferation financing controls can be integrated into the agenda of a public-private taskforce that deals with anti-money laundering and terrorism financing. Alternatively, a similar public-private partnership model that includes export control and counter-proliferation authorities can be used to deal with proliferation prevention. In its Guidance on Private Sector Information Sharing (2017), FATF explicitly mentions existing public-private partnerships as valuable platforms for information-sharing.21 A recently released FATF Guidance on Counter Proliferation Financing (2018) calls for information sharing among public authorities and for government authorities to have a coordinated approach in communicating with the private sector.22
Creating opportunities for relevant government actors and the private sector to meet regularly and exchange information would allow all participants to have a more holistic picture of proliferation trends and risks. The overall objective should be avoidance of stove-piping the responsibilities that each actor carries in preventing proliferation.
THE WAY FORWARD
How can the challenges in implementing proliferation financing controls described above be addressed?
They can be addressed at two levels: the internal level for financial institutions and the external level of collaboration between financial institutions and other actors.
At the internal level, financial institutions would benefit from investing in three key areas – risk-management practices, education of compliance officers, and technical solutions. Risk-management practices should incorporate proliferation risk indicators, similar to anti-money laundering and counter-terrorism financing components. Financial institutions should look out for potential proliferation risks during know-your-customer and due diligence procedures, keeping in mind that proliferators use deception techniques.
Financial institutions should create opportunities for their compliance officers to address a broader context of proliferation trends and encourage them to fully utilize resources offered by both government and non-government players (national authorities, FATF, academic institutions, and think-tanks).
On the technical level, financial institutions would benefit from moving towards more intuitive electronic platforms that go beyond mechanical list-based screening for designated entities and individuals. Some private sector actors have already started developing advanced software that utilizes network analysis and artificial intelligence. Incorporating data from sources beyond the financial sector (e.g., export control authorities, law enforcement, and intelligence) would allow financial crimes to be spotted more efficiently.
The most promising path forward lies at the collaborative level. There is a significant untapped potential in public-private partnerships based on the models described above (JMLIT and others). A public-private partnership focused on proliferation finance controls can be a taskforce consisting of representatives of major financial institutions, financial intelligence units, financial regulators, customs, and export control authorities.
Above all, proliferation financing controls should be seen as connected to export controls. Financial institutions would be in a much stronger position to deal with proliferation financing if their efforts go hand in hand with efforts to control flows of sensitive goods.
This article is based on interviews with representatives of financial institutions in several countries over the period of 2017-2018. Originally published in World ECR: The Journal of Export Controls and Sanctions, May 2018.