Picture this. Two identical ships built in the same year by the same manufacturer with the same design specifications. Ship A steals the identity of ship B by falsifying documents and Automatic Identification System (AIS) transmissions (‘vessel spoofing’), to engage in an illegal ship-to-ship transfer of oil in the middle of the East China Sea. All this while, the real ship B was en route to the scrapping yards in Bangladesh.
It might seem like a scene from a James Bond movie, but this case of vessel spoofing is actually a real-life example, reported by the United Nations (UN), of sanctions evasion by North Korea that happened two years ago.1
In this case, investigations revealed that the techniques used were designed to circumvent the due diligence and screening controls of one of the region’s leading commodity traders, the United States and Singaporean financial institutions involved in the fuel payments for the vessel, as well as a leading United Kingdom insurer that provided protection and indemnity cover to one of the vessels involved.
Analysis conducted by the UN into broader sanctions violations of the North Korean regime suggests that certain Singaporean commodity firms, and local and global banks, were involved in unknowingly processing certain transactions involving North Korea. These violations highlight a broader industry issue where potential shortcomings in due diligence standards and screening controls across the trade life cycle are exploited by North Korea as it increasingly deploys sophisticated methods to circumvent UN sanctions.
Aside from elaborate and sophisticated vessel spoofing measures, financial sanctions on North Korea also remain some of the most poorly implemented and actively evaded measures of the sanctions regime, according to a report issued by the UN. Individuals empowered to act as extensions of financial institutions of sanctioned nations often operate with seeming impunity by exploiting various loopholes in the system. As a result, the effectiveness of sanctions is being constantly and systematically undermined by deceptive practices, allowing sanctioned countries and people to enjoy ongoing access to the international financial system via evasive methods that make it difficult for institutions and states to detect illicit activity.
Cyberattacks have become an important tool in the evasion of sanctions and have been growing in sophistication and scale, often exploiting the pseudo-anonymous features of cryptocurrencies to transfer value/illegal proceeds from attacks and evade sanctions. An estimated USD$2 billion has been generated for North Korea’s weapons of mass destruction programmes using widespread and increasingly sophisticated cyberattacks to steal from banks and cryptocurrency exchanges.2
Singapore is the second busiest trading hub in the world, with trading routes to over 600 ports and 120 countries. Given the geographic location of Singapore and its status as a major offshore financial and trading centre, the nation state has certain inherent risks that make it susceptible to exploitation if collective controls and due diligence standards do not evolve to continually address sanctions and other trade-based money laundering risks.
With the kind of sophistication that we are seeing with regard to sanctions evasion, banks and insurance companies should consider what further enhancements are needed to due diligence and screening controls to mitigate the ever-evolving risks posed by illicit actors.
I believe a two-pronged approach would be the best way to tackle the problem.
First of all, we need to recognise that there’s a risk and respond by reassessing procedures, controls and, most importantly, technology to make sure that the risk is addressed. The methods used by bad actors to evade sanctions are constantly changing and increasing in their sophistication, and we need to do the same to be better prepared to tackle new risks.
This means that however good a system is, a regular review is required to keep up-to-date with emerging financial crime risk typologies and ensure our collective controls are sufficiently robust to tackle these evolving risks.
An important consideration is using the additional data on vessels that is now readily available to supplement and enhance existing controls across various industry participants. The vessel data can be used to review and analyse AIS signatures and histories of vessel movements to detect AIS manipulation and instances where a vessel’s AIS transponder has been switched off, something which is against International Maritime Organisation (IMO) regulations.
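As an added illustration (not code from the author or from HSBC), the sketch below reviews one vessel identity's position history for the two signals named above: long silences consistent with a switched-off transponder, and jumps that no ship could sail, which is what two hulls broadcasting one identity look like. The thresholds, the simplified (timestamp, latitude, longitude) report format and the sample track are constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_GAP_HOURS = 6      # assumed threshold for a reportable silence
MAX_SPEED_KNOTS = 30   # assumed upper bound for a tanker's speed
EARTH_RADIUS_NM = 3440.065

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles (haversine)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))

def review_track(reports, max_gap_h=MAX_GAP_HOURS, max_kn=MAX_SPEED_KNOTS):
    """Return findings for one vessel identity's position reports.

    reports: iterable of (ISO-8601 timestamp, latitude, longitude).
    Each finding is (kind, start, end, value): hours for AIS_GAP,
    implied knots for IMPLAUSIBLE_SPEED, miles for SIMULTANEOUS_POSITIONS.
    """
    pts = sorted((datetime.fromisoformat(ts), lat, lon)
                 for ts, lat, lon in reports)
    findings = []
    for (t0, la0, lo0), (t1, la1, lo1) in zip(pts, pts[1:]):
        hours = (t1 - t0).total_seconds() / 3600
        dist = distance_nm(la0, lo0, la1, lo1)
        span = (t0.isoformat(), t1.isoformat())
        if hours == 0:
            if dist > 1:  # same instant, two places
                findings.append(("SIMULTANEOUS_POSITIONS", *span, round(dist, 1)))
        elif dist / hours > max_kn:
            findings.append(("IMPLAUSIBLE_SPEED", *span, round(dist / hours, 1)))
        elif hours > max_gap_h:
            findings.append(("AIS_GAP", *span, round(hours, 1)))
    return findings

# Constructed sample: a hull heading north in the Bay of Bengal, one report
# from the East China Sea under the same identity, then a 14-hour silence.
SAMPLE_TRACK = [
    ("2020-01-01T00:00:00+00:00", 10.0, 90.0),
    ("2020-01-01T01:00:00+00:00", 10.2, 90.0),
    ("2020-01-01T02:00:00+00:00", 30.0, 125.0),
    ("2020-01-01T03:00:00+00:00", 10.6, 90.0),
    ("2020-01-01T17:00:00+00:00", 12.9, 90.0),
]

if __name__ == "__main__":
    for finding in review_track(SAMPLE_TRACK):
        print(finding)
```

A screening workflow would treat these findings as prompts for enhanced due diligence on the vessel and the transaction, not as proof of evasion, since coverage gaps and faulty equipment also produce silences.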
In today’s world, intelligence is the bedrock by which we build almost every system. By getting more data feeds and using data analytics to generate intelligence, we can better identify suspicious activity and circumvent lapses.
For example, trade is a key product for HSBC. And where previously we relied on manual operations to identify suspicious activity for trade products, we are adopting advanced systems which employ Artificial Intelligence (AI) and advanced network analytical capabilities to help us identify suspicious behavior which may be indicative of money laundering and sanctions evasion.
Secondly, there is scope and a need for greater collaboration between financial institutions, insurance companies and the shipping/maritime sector to improve information sharing, detection capabilities and collectively promote technological solutions to help mitigate these sanctions risks.
Whilst many Public Private Partnerships (PPP) exist covering law enforcement and financial institutions to improve financial crime risk detection and mitigation, these seldom encompass a broader set of industry/sector players to thematically address risks on a holistic and end-to-end basis. Notwithstanding this, within Singapore, both our financial services regulator, the Monetary Authority of Singapore (MAS), and the broader financial services industry through Singapore’s AML/CFT Industry Partnership (ACIP) have adopted a proactive stance in raising standards across the industry on areas such as sanctions evasion and the misuse of legal persons (i.e. shell companies), which are commonly used to disguise both sanctions and money laundering activity.
In 2018, the MAS conducted a series of thematic supervisory visits to selected banks to review control frameworks deployed to mitigate proliferation financing/sanctions risks. The findings from the supervisory review and examples of sound practices identified during visits were published in the form of a best practices paper in August 2018. Publications such as these remain valuable sources of information to compliance departments across the financial services industry to facilitate thorough self-assessments of internal control environments and to raise standards where existing practices fall short.
HSBC, as a major financial institution with a global footprint in over 60 markets, has the privilege of being an active participant in many PPPs. On top of adopting new technologies, we are also using these PPPs to help focus industry efforts for improved risk management and to use various sources of intelligence and insights from our engagements across industry forums, law enforcement agencies and regulatory bodies across the globe to help regularly review our procedures to ensure that we are able to respond effectively to evolving threats.
Sanctions evasion is a cross-industry-wide problem not limited to the financial services sector only, and Singapore has unique risks around trade and money laundering due to our position as an international trade hub. Several of our banks, commodities and insurance firms have already been called out in the past for not doing enough due diligence.
There’s a gap and impacted industries need to respond. The onus is on all of us to do our part to prevent sanctions evasion.
A contribution piece by Jamil Ahmed, Head of Financial Crime Compliance, HSBC Singapore. A version of this piece was first published in Regulation Asia on 23 April 2020.