The internet changes everything:

Due diligence and protection

Read our article in the Cayman Financial Review Magazine, eversion 

Millions of Americans look online for discounted-rate medications. But not all of them know the running joke amongst enforcement officials:

Q.     What do we know about Canadian pharmacies?
A.     Two things: they aren’t Canadian and they aren’t pharmacies. 

The joke, though, isn’t so funny for people who have been sold sub-standard or even dangerous substitutes for their medications. By the World Health Organization’s estimates, up to 50 per cent of pharmaceuticals bought online are counterfeit. These “pharmacies” are a clear enforcement target.

But last year, the US government made it clear that it is also going to go after anyone knowingly doing business with these shady enterprises.

Google Inc knew for years that they were selling ads to less-than-legitimate actors, and yet they continued to place these fake pharma ads. In August 2011, Google handed over a $500 million fine to the US Justice Department, and agreed to stop allowing Canadian pharmacies to use their AdWords program.

Fines like this one demonstrate the US commitment to enforcing the sanctions of the country and the ways that the internet has changed the fluidity of business. And the US Treasury Department’s Office of Foreign Assets Control (OFAC) is increasing their resources and focus on crime online.

The world of trade and commerce has expanded and quickened around the globe with the development of the internet. No longer confined by location or time, the internet has helped markets explode with opportunities for growth.

But the opportunities in the rapidly-changing landscape of the internet aren’t limited to legitimate and legal enterprise. For traditional bad actors, the internet enhances the scope and speed of their nefarious operations.

The internet also enables an entirely new set of cybercriminals, with wholly new types of threats that have no offline equivalent. Increasingly, the threats are moving from the secondary markets, where consumers know that they are buying infringing goods, to the primary markets, where consumers believe they are buying genuine and legitimate goods.

The US government’s Intellectual Property Rights Center estimates that music and movie piracy, business software piracy, and fake pharma account for billions of dollars in losses to industries annually.

For business leaders today, the two-fold question is this: How do I protect the enterprise from these threats to my industry and maintain the highest standards of due diligence in compliance with regulatory standards?

Regulatory standards are changing to keep pace with the breakneck speed of changes in the marketplace. OFAC is charged with administering regulations and sanctions designed to achieve the country’s foreign policy and national security goals, while protecting the US economy. OFAC is newly and aggressively focused on the new uses of the internet as a means to escape sanctions.

The US government has used sanctions as a way to protect the country for centuries. Back in the War of 1812, the government imposed sanctions on Great Britain for the harassment of American soldiers. The actual OFAC was officially created in 1950, in response to China entering the Korean War. OFAC blocked all Chinese and North Korean assets.

Today, OFAC keeps lists sanctioned countries and of Specially Designated Nationals: a list of individuals, companies, organisations and vessels. US people aren’t allowed to do business with anyone on these lists without a particular license granted by OFAC.

OFAC’s focus is on the evolving world of in transnational organised crime, terrorism, drug trafficking, the proliferation of weapons of mass destruction, and other activities identified as threats. For example, entities on the list include:

  • Transnational Organised Crime (TOC), including Los Zetas, The Brothers’ Circle and Camorra.
  • Intellectual Property theft, including music, movies, software and pharmaceuticals.
  • Many Iranian banks, including Bank Sepah, Bank Saderat, Bank Melli, Bank Kargoshaee, Arian Bank, Bank Mellat and Persia International Bank.
  • Specially Designated Global Terrorists (SDGTs), the majority of which are based in Africa and the Middle East and believed to be sources of funding, include Osama bin Laden and al-Qaeda.
  • Specially Designated Foreign Narcotics Traffickers Kingpin (SDNTKs) and Specially Designated Narcotics Traffickers (SDNTs).
  • Numerous foreign-incorporated subsidiaries of Iranian, Sudanese or Cuban entities (both governmental and private).

As the Google case demonstrates, there are significant legal, reputational and operational risks associated with failing to comply with US sanctions.

But the risks of non-compliance are just one aspect of the problem. Many industries are already painfully aware of the financial and reputational threats that the internet facilitates. Industries are losing billions of dollars a year all while the integrity of their name is diluted by rogue websites and intellectual property theft.

These loses have been linked to a number of sources, including TOC.

The United States government is taking these losses seriously and is expanding its legal and enforcement framework for combating these risks. In July, 2011, the US president issued an executive order extending sanctions to include IP infringement and cybercrime and TOC.

During the announcement of the US government’s new comprehensive strategy to coordinate and strengthen government efforts to combat TCOs, Attorney General Eric Holder said “the problem of transnational organised crime networks isn’t new. But after a wide-ranging, year-long review – the first study of its kind in more than 15 years – our understanding of what exactly we’re up against has never been more complete or more clear. And our efforts to prevent and combat transnational organised crime have never been more urgent.”

Additionally, at a recent OFAC conference, Adam Szubin, director of OFAC, specifically addressed the growing threat of TOC, stating that OFAC has been quite active in announcing designations in this area. Also, William F Wechsler, deputy assistant secretary of defense for counternarcotics and global threats, recently stated that criminal networks have harnessed “new methods of doing business” that must be challenged. TOC has become “adroit at harnessing information technology tools, seizing the opportunities presented by the accelerating velocity of information flows, the proliferation of online money transfer, and the general anonymity of virtual exchange to increase the scale and scope of their activities while spreading or reducing the risk of detection”.

Banks, financial institutions and payment processors have a great deal of experience abiding by OFAC sanctions. There is a significant history and understanding of the penalties associated with failures to operate with best practice. These industries have their own experience with internet-enabled risks associated with KYC, AML and payment transaction counterparty risk such as anonymity and global reach.

Some industries have an equally long track record with combating IP theft. Notably, the digital content IP holders invest a great deal of resources in challenging IP theft through rogue web sites such as PirateBay and MegaUpload.

Luxury brands are very aware of the nexus of IP theft and TOC as well as the pattern of traditional (offline) bad actors taking advantage of internet technology to enable wholly new types of threats.

But it’s these new forms of risk that even the most experienced industries are woefully unprepared to contest. When a legal IP holder makes headway in getting a site to remove content from one illegal site, the content simply reappears on another site almost immediately. The legal system and the regulatory systems are overwhelmed and can’t keep up with the swiftly moving river of illegal and ever-morphing websites.

This inability to stem the constantly reappearing illegal websites has been likened to a game of “Whac-A-Mole,” the arcade amusement that can easily drain your pocketbook without ever really finishing off any of the moles. In the same way, the financial drain from these illegal sites is significant while the bad actors duck and run, laughing all the way to the bank.

Given the cover of internet anonymity, it is easier than ever for a bad actor to hide deep in the web of domain registrations, administrators, linked web sites, related companies and individuals, and server locations.

New threats need new remedies. The past ten years of efforts to make AML as effective as possible shows has given some hints about what kinds of strategies might work. The opportunity for the most effective approach is a coordinated effort across banks and financial institutions, IP holders, and government and law enforcement groups.

What is required now is a new remedy that builds on industry experience. Such a solution would include an open source, verifiable, contributory repository of continually-updated information.

The solution would be as flexible and changeable as the moving targets of TOC to supplement the existing tools and resources available. This repository would create a comprehensive, elastic and evolving set of intelligence that gives each industry the best opportunity to mitigate damage in the face of multiple risks.

This kind of solution would specifically address the rapidly-changing online world where bad actors can hide and move with ever-increasing fluidity and obscurity. This solution would allow industries to pull the connections into the light, where they can be seen clearly and analysed according to industry best practices.