By Angelos Anastasiou
IN TANDEM with the development of increasingly complex financial products – not least methods of payment execution – financial crime has devised new ways to exploit weaknesses in the system, and authorities tasked with defending the public against it can usually only react after the fact.
In the words of former US Treasury Secretary Timothy Geithner, “innovation tends to outpace regulation”.
Criminal ingenuity notwithstanding, however, some basic precautions would normally suffice to keep you relatively safe from internet thieves. Things like not disclosing sensitive personal information and having effective anti-spyware installed on a computer could make the difference between being robbed and not. So could your personal banker exercising common sense.
A few weeks ago, on a Friday, a Cypriot businessman received a phone call from his banker asking him to confirm the payment orders he had emailed her earlier. He thought she had called the wrong number, as he had given his bank no such instructions, through email or otherwise.
It turned out that, unbeknownst to him, his email account had been hacked, and two instructions had been emailed to his personal banker, for the payment of tens of thousands of euros from his company’s trading account to an account in a German bank in the name of one Markus Werner. The payment invoices – attached to the instructions – were supposedly for the purchase of products comically unrelated to the man’s business – a 60-seater bus, among other things.
One payment made it through, for a little more than €50,000, but the second – a substantially larger amount – was delayed.
Markus Werner received the money, asked his bank to exchange some €40,000 to Baht – the Thai currency – and attempted to send the exchanged amount to “his girlfriend in Thailand”. This was where red flags were raised by the German police, who blocked the transaction and asked the bank for more information on the origin of the funds.
The scam was averted when the German bank contacted the businessman’s banker in Cyprus for clarifications; only then did she call her customer.
Though the money was promptly returned to the businessman’s account, the incident had certainly alarmed him, and he tried to report it to the local police. He was referred to the Economic Crime Investigation Unit (ECIU), but was told to call on Monday as they got off work at 3pm. He ended up paying a visit to the nearest police station, just so that he could have the complaint on record as soon as possible.
He was told his statement would be forwarded to the ECIU as soon as possible, and they would be in touch with him in due course. Three weeks later, he was still waiting for the call.
Lieutenant Christos Christodoulou, ECIU chief, said the case was not harmed in the slightest by the fact that the ECIU had been unreachable.
“This man spoke to the Crime Inspection Department, of which we are a part, because they have around-the-clock shifts,” Christodoulou said. “Proper procedure was followed, a statement was taken and forwarded to us – nothing more could have been done even if he had reached us directly.
“And it would have worked the same way if things were reversed – that is, if a person came to us with a case that was jurisdictionally the CID’s, we wouldn’t necessarily send him off to them. Most likely, we would take the statement and forward the case to CID. Depending on urgency, we could even fax them the statement and any supporting documentation immediately.”
Given the above, the need for a financial crime unit is not evident, as any CID member appears interchangeable with ECIU staff. Nonetheless, the case is now with Christodoulou’s team, which said that, per procedure, it will engage Interpol to request that Werner be questioned, and – if need be – extradited to Cyprus. It’s waiting time.
But the issue of how easy it apparently is for a bank in Cyprus to be fooled by scammers and hackers into making unauthorised payments is another can of worms.
“Based on the kinds of complaints we receive, sometimes the plaintiff bears at least some of the responsibility inasmuch as he may receive an email from a long-standing trading partner, saying they have moved their accounts to another bank in some obscure country,” Christodoulou noted. “Sometimes the most sensible thing – picking up the phone to confirm – isn’t done.”
When it was pointed out that this wasn’t such a case, Christodoulou became mildly defensive.
“It’s not my job to assign blame,” he said cautiously. “In this instance, let me just say that the Central Bank of Cyprus has issued a directive to all banks not to rely on emailed instructions alone to make payments – to seek secondary confirmation. I’ll leave it at that.”
Not so, said Yiangos Demetriou, director of bank supervision at the Central Bank.
“It is up to the banks and their clients if they agree to an arrangement of emailed payment instructions,” he said. “There is no directive.”
But then there’s the issue of the nature of the payments. Anti-money laundering “Know Your Customer” guidelines mandate that personal bankers be familiar with their clients’ businesses, and approve payments on the basis of the customer’s “business profile”, flagging and seeking additional information on anything deviating from their normal course of business. “Reasonable suspicion” as to the legitimacy of a transaction is the minimum standard set by law.
“The bank certainly had an obligation to evaluate such transactions as being out of the customer’s normal business activity,” confirmed Demetriou. “Anti-money laundering legislation is clear on this.”
Last month, security firm Kaspersky Lab issued a report describing the single greatest bank heist – technically, a series of smaller heists – in history, with loot anywhere from $300 to $900 million as late as 2013, carried out online by hackers via unauthorised wire transfers.
The story serves as a reminder that, almost by default, innovation does outpace regulation, but sometimes the antidote to seemingly complex issues can just be a healthy dose of common sense.