DUBAI—There we were, my colleague and I, cooling our heels at a police checkpoint in a residential area of this glittering city on Tuesday night. We had met some other compliance acquaintances for evening drinks after Compliance Week’s first event here in the Middle East, and were taking a taxi back to our hotel.

Then came the checkpoint. And as anyone familiar with Dubai knows, that’s rare. You don’t actually see police on the streets of Dubai. In this heavily surveilled city, with tens of thousands of cameras watching you at all times, the security forces impose order from afar.

Our driver apologized as we idled in the street, the police confirming identification of every private car. “This is unusual for Dubai,” he said. “Only in the last two or three days. Now they put up the checkpoints around the city and random places.”

Was that because of the attacks in Paris, we asked?

“Oh yes. Paris, the bombings in Beirut, the Russian plane. All this.”

For several days now I’ve struggled to write about the recent terror attacks. Drawing observations about regulatory compliance and corporate conduct from something so horrible seems small and almost a bit ghastly; these were terrible crimes with hundreds of people murdered. The truth remains, however, that the financial system is a vital battlefield in the war against ISIS and other terrorists. The fight will be nasty, and all of us—in Dubai, Paris, Beirut, New York, and anywhere else in the world—are now physically at risk. If we are going to defeat these bastards, then yes, that means we need to make our regulatory compliance regime work as well as possible.

Several people at our Dubai conference spoke of the rapidly shifting priorities they face right now. Anti-money laundering is still a huge part of their compliance regime, of course, but regulators’ interest specifically in terrorism financing has surged in recent months. That will be tricky for compliance officers to navigate. AML and “CFT” (combating the financing of terrorism) may employ some similar techniques to identify rogue transactions, but the fundamental threats themselves are certainly not the same.

How so? One of the best insights I heard came from a banker at our conference, who described the difference this way: “The laundry never ends; terrorism does.” That is, organized crime wants to convert its illegal proceeds into legal cash, which criminals then use to fund the next round of illegal activity. Terrorist money flows only one way: into the hands of terrorists, who use it to kill people (and often themselves). Even worse, terror funding might originate from some legal activity, which makes it harder to identify.

The common thread for both risks—and sanctions risk too, for that matter—is to know your customer. At least we all grasp that basic concept, and in the last 15 years regulators and banks alike have made great strides to develop more sophisticated KYC tools and procedures. That’s the good news.

The bad news is that one simple compliance strategy for banks—de-risking away from high-risk customers, products, or regions entirely—isn’t a viable option. Just this week we saw Adam Szubin, undersecretary at the Treasury Department for terrorism issues, deliver a speech that unequivocally came down against de-risking. “We believe that most risks can and should be managed, not simply avoided altogether,” Szubin said to the American Bar Association. “[R]egulators expect financial institutions to establish and implement policies and programs that are reasonably designed. We tell financial institutions to take a reasonable risk-based approach that addresses illicit finance risk on a client-by-client basis.”

I see his point. De-risking might expel terrorists and other undesirable actors from your specific business transactions, and drive down your firm’s AML and CFT risks—but those terrorists and other criminals may also simply go elsewhere, funding their crimes beyond sight of the reputable world’s banking system. This may well be a situation where the best strategy is to keep your enemies close.

That reality is not much comfort for compliance officers, regardless of whether you work in the financial sector or not. We will continue to need sophisticated data analytics (which are still only now coming into the mainstream); detailed databases of third parties, charitable organizations, and politically exposed persons (which too few companies employ smartly today); clear and practical policies (which multi-national corporations struggle to coordinate globally); and training, training, training.

None of this will be easy. But to protect ourselves and to do right by the victims of terror already, we must bring our A-Game to fight the threats that are out there. Lord knows they are bringing theirs.

Matt Kelly has been editor of Compliance Week for 10 years. He will step down from that role at the end of this year.