The attack on the World Trade Center was an expensive, well-funded act of terrorism. The financing behind it sparked new legislation intended to track monetary transactions and identify future plots before they happen.

The idea was, and is, that all those Know Your Customer protocols and Suspicious Activity Reports demanded of financial institutions could save lives.

In the years since 9/11, however, a troubling trend has emerged. Elaborate and expensive acts of terror have become less common, replaced by small-scale terrorist attacks and “lone wolf” terrorists.

The Boston Marathon bombing and the mass shooting at Orlando’s Pulse nightclub are just two of a multiplying caseload of small-scale, domestic attacks. Around the world, shootings, stabbings, and vehicular murders are becoming increasingly common.

The problem faced by regulators is whether the rules and mechanisms in place to uncover the financing behind large-scale plots can be applied to the funding stream behind these smaller attacks. That dilemma was the subject of a Sept. 6 hearing before the House Financial Services Committee.

The hearing “explored the patterns and techniques used to fund small-scale and lone-wolf attacks, and what additional controls financial institutions and law enforcement officials should consider to address small-scale terror financing.”

“Once an individual or small group has become radicalized and is determined to carry out a terrorist attack, there are many ways they may fund their attack,” testified Dr. Matthew Levitt, Director, Stein Program on Counterterrorism and Intelligence at Washington Institute for Near East Policy.

In contrast to the highly sophisticated attacks of September 11th, which cost about $500,000 and took years of planning to execute, lone offender and small group attacks can be carried out very quickly, with minimal funding and preparation, he said.

Levitt quoted former FBI Director James Comey: “We are looking for needles in a nationwide haystack, but even more challenging, we are also called upon to figure out which pieces of hay might someday become needles. That is hard work, and it is the particular challenge of identifying homegrown violent extremists.”

“By their very nature, lone offender and small-scale terrorist attacks are less vulnerable to many of the traditional tools in the counter-terror finance toolkit,” he said.

Smaller-scale financial needs have inspired creativity. Recently, U.S. investigators uncovered an ISIS financial network that was transferring money to an operative in the U.S. through false eBay transactions. The recipient, Mohammed Elshinawy, pretended to sell printers on eBay as a cover for the payments he was receiving through PayPal and Western Union for “operational purposes” in the U.S.

“The private sector has access to tremendous financial information and could be better positioned to act on or share this information with relevant authorities,” Levitt said. “In turn, the government could do more to help the private sector identify trends and developments in the types of suspicious financial activities to be looked for.”

One key data point, for example, is the use of IP addresses to help track financial information related to terrorist activities.

Frederick Reynolds, global head of financial crime for Barclays, was among those who testified. Previously, he was a federal prosecutor at the Department of Justice and deputy director of the Treasury Department’s Financial Crimes Enforcement Network (FinCEN).

Lone wolf attacks are characterized by low-dollar financial transactions that can fly under the radar of the tools financial institutions use to report suspected terrorist financing, including currency transaction reports and SARs, Reynolds warned. Both are most effective where criminals are attempting to introduce large amounts of cash into the financial system. Lone wolf attacks are accomplished using much smaller sums, so their transactions likely would not trigger the threshold for these filings.


Potential solutions to the problem, however, are rife with drawbacks.

“Lowering the threshold for a CTR to capture smaller currency transactions would only result in an influx of reports, most of which would have little value and would instead overwhelm the system with so-called ‘white noise,’” Reynolds said. “Financial institutions have an abundance of data available to them, but it is not effective, or even possible, to manually review all customer activity.”

“Financial institutions need to more freely receive and share information,” he suggested. They are, however, limited by domestic laws in their ability to share information between institutions or even across borders within the same institution.

“For example, probably the most significant red flag of a potential bad actor, a prior SAR, cannot be shared by a U.S. institution with its own foreign branch or affiliate,” Reynolds said. “Such limits on information sharing make an enterprise-wide, anti-money system challenging, since sharing key information about customers and their activity within an institution is often prohibited by domestic law. This can result in financial institutions being unable to identify abnormal client behavior.”

The key to overcoming this is “a modernized system of robust information sharing between law enforcement and financial institutions and among financial institutions,” he said. “While not a silver bullet, modernizing this system from its current binary sharing model is critical to the detection and prevention of future attacks.”

Financial institutions rely on information sharing under Section 314(a) of the USA PATRIOT Act, which specifically authorizes law enforcement to share with financial institutions information such as an account, name, IP address, or even a telephone number. Often, a single piece of information allows a financial institution to correctly identify a nefarious actor engaging in what may otherwise appear to be innocuous conduct, Reynolds explained.

Likewise, Section 314(b) of the PATRIOT Act provides a safe harbor for sharing certain types of information among financial institutions. It allows financial institutions to pool information from several sources, creating a more fulsome understanding of a potential terrorist threat.


The following is a report, “Emerging Terrorist Financing Risks,” by the Financial Action Task Force. FATF is an inter-governmental body that sets standards and promotes effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. 
In contrast to large terrorist organizations, small cells and individual terrorists face only minor financial needs since costs of terrorist attacks are often small. As such, lone actors and small cell terrorist networks have a much smaller funding requirement given that they do not control checkpoints or deliver social services.
That said, they must have the financial means to provide for their own food, shelter, communications devices, transport and any procurement requirements for terrorist plots. The text box below highlights some of the sources
According to a Norwegian Defense Research Establishment report on small cell TF, roughly 75 percent of the 40 violent extremist terrorist plots in Europe (between 1994 and 2013) it studied, cost less than the equivalent of USD $10,000. In terrorist plots involving lone actors and small cells, it is likely that the costs associated with the lethal component of the plot.
Working closely with counter-terrorism experts will increase awareness of the financial management strategies used by specific terrorist organizations.
Areas of focus could include identification of financial collection/aggregation/accounting points within a terrorist organization. This would include having law enforcement increase its investigative focus on the ultimate recipient of the funds within a terrorist organization rather than just the source of funds (i.e., who receives the funds is as important as who sends or facilitates the movement of the funds).
Source: FATF

Under current law, that data sharing is “both cumbersome and limited,” Reynolds said. At present, financial institutions can only share information after they have formed a suspicion of money laundering or terrorist financing. Laws should be expanded to allow financial institutions to share this data as part of their effort to identify, or rule out, suspicious activity, he suggests.

“Due to the current limitations, financial institutions are often faced with a Hobson’s choice: choose to share information that may lead to the discovery of valuable intelligence for law enforcement and take on legal risk, or choose not to share and risk failing to stop a bad actor,” he testified.

Other areas where information sharing could be further improved, he says:

Authorizing U.S. financial institutions to share SARs with foreign branches and affiliates;

Explicitly expanding the types of information sharing permitted under Section 314(b) and expanding the safe harbor;

Deprioritizing the investigation and reporting of information of low law enforcement value and allowing financial institutions to reallocate those resources to higher value intelligence activity;

Encouraging the formation of a joint Money Laundering Intelligence Taskforce group in the U.S.; and

Clarifying financial institutions’ ability to discuss the filing of a SAR with each other where financial institutions are working together on a case, and encouraging them to file joint SARs.

Joseph Moreno, a partner at law firm Cadwalader, Wickersham & Taft, is a former prosecutor at the Department of Justice in the National Security Division’s Counterterrorism Section. He specialized in the financing of domestic and international terrorist attacks, as a staff member to the FBI’s 9/11 Review Commission.

“It may be tempting to conclude that disrupting and preventing these lone-wolf and small-scale attacks cannot be addressed through law enforcement tactics or legislative or regulatory solutions,” he said. “However, studies of lone actor terrorists have found that there is almost always some identifiable behavior leading up to an attack.”

Moreno suggested taking “a hard look at whether we can better utilize our existing law enforcement and financial reporting framework to identify transactions that may be an indicator of an impending attack.”

The Bank Secrecy Act criminalizes the act of “structuring,” or making currency transactions under $10,000 to purposefully cause a bank to fail to file a Currency Transaction Report, he explained. Structuring prosecutions have come under criticism in recent years on the argument that an individual may be criminally prosecuted simply for the way they conducted their banking, even if the funds they used in the transaction were obtained in a perfectly legal way.

Nevertheless, he says, in the absence of some other source of information to tip off investigators, looking for structuring or other suspicious financial activity is the primary means of identifying and preventing activity before such funds can be deployed for illicit purposes.

“This is not to say we should not be aware of the plight of small business owners and other individuals who have done nothing wrong but whose funds are seized nonetheless,” Moreno added. “However, if the goal is vigilant disruption and prevention of terrorist attacks, we must remain willing to vigorously pursue structuring prosecutions and selectively utilize asset seizures as a means of addressing this threat.”

Another existing process to look at is how to better utilize the Bank Secrecy Act’s requirement that financial institutions issue SARs to report potential funding of lone-wolf and small-scale terrorist attacks. The $10,000 threshold for Currency Transaction Reports, and the $5,000 trigger for most mandatory suspicious activity reporting, have been in place since the 1970s and there have been calls in the U.S. to reduce these amounts to capture additional transactions, as was done several years ago in the European Union.

Unfortunately, “that would likely only lead to a higher volume but not necessarily a higher value of reports,” Moreno said. “What we need to explore is better technology and methodologies to identify small transactions that may be indicative of illicit use, such as the abrupt closure of an account, wire transfers by an individual who historically only made cash transactions, or the movement of funds through multiple accounts or among multiple customers.”

Major banks in the United States have been collaborating on digital payment platforms which permit small dollar value transfers to or from a registered bank account. Some of the more established vendors such as PayPal also enforce “know-your-customer” processes either directly or via relationships with commercial bank accounts or credit card accounts linked to their customers’ accounts.

“However, other emerging technologies and currencies, including constantly emerging new mobile applications, eWallets, crowd-funding technologies, and virtual currencies have little or no processes in place for identifying or confirming the identities of their users, exposing new holes which can be taken advantage of,” Moreno said. “These technologies typically involve no face-to-face interactions between vendors and their customers, impose few or no limits on the dollar value of transactions that may be made, and have no restrictions on moving money across borders.”

As these technologies develop, “we must ensure that our reporting requirements keep pace, and consider requiring the financial institutions that do business with these vendors implement compliance programs to potentially include usage and geographic restrictions and customer due diligence requirements,” Moreno added.