Tracing XML-based Bank Transactions

September 29, 1999

Alan Kotok

Tracing XML-based Bank Transactions

Can We Catch the Crooks?

The unfolding scandals of suspected money laundering through Russian and American banks point out the vulnerability of banks to abuse, especially with growing power of information technology available to the abusers. Are the new banking and investment services offered over the Web, including many based on XML, making it easier for bad guys to hide their ill-gotten gains from the authorities? Banking regulators have expressed concerns, but some features of leading XML vocabularies may actually help catch the bad guys.

Crooks need clean money

Crooks launder money to make the cash they acquire by crime look legitimate, or at least less fishy. Money laundering is also used to escape taxation (capital flight, the nice term for it) or hide assets from seizures in legal proceedings. The practice usually involves shifting money through different banks and accounts to hide the true source of the money and make it difficult or impossible to trace.

International gangsters, drug cartels and terrorist gangs in particular, need to move large quantities of cash across borders. People carrying large amounts of cash on their persons can get caught or run off with the loot. As a result, crooks increasingly use the international banking system and networks of inter-bank transfers to move and hide their money. Some of the more common techniques involve payments to phony companies and inflated invoices to real companies with kickbacks to the payer. Some locales still allow numbered (i.e. unidentified) bank accounts that make tracing the source of funds difficult if not impossible.

The Treasury Department's Financial Crimes Enforcement Network or FinCEN, charged with enforcing money laundering laws, relies mainly on banks to report evidence of these crimes. In the U.S., the Bank Secrecy Act of 1970 (technically Titles I and II of Public Law 91-508 as amended) requires financial institutions to report to the Treasury Department any currency transactions over $10,000, as well as international transactions of currency or bearer instruments exceeding that amount. FinCEN also provides detailed guidance on how to spot attempts to evade the law, using series of transactions under $10,000 for examples—a practice called structuring.

Internet banking speeds the money flow

Internet banking however is rapidly changing the landscape for enforcement of money laundering laws, and that has the authorities worried. Online payments and funds transfers no longer need the brick-and-marble presence of banks. Third party services, called money services businesses by FinCEN, cash checks and wire money as easily or more easily in some cases, than banks. The growing choice of means and services, beginning with a PDA or desktop system, reduce the need for banks, the main reporting source for evidence of money laundering.

Computer banking can also make it easier to break up large amounts of cash into much smaller quantities in individual transactions. Rather than risking detection by structuring transactions just under the $10,000 threshold, crooks can generate a much larger number of phony transactions valued at smaller dollar amounts, and spread them over a number of banks and a longer period of time. The transfers and payments can look as normal as those of any other legitimate business.

Internet banking has begun to attract high-level attention of authorities charged with regulating financial institutions. In July, the U.S. General Accounting Office, Congress's watchdog agency, released a report on Internet banking services (GAO/GGD-99-91) that called for increased coordination among bank regulators over these services. The GAO found Federal banking authorities had not geared up sufficiently to keep watch over the rapidly growing array of services for consumers and businesses over the Internet, due in part to Y2K remediation work.

GAO identified several kinds of risks associated with Internet banking, including non-compliance with laws, regulations, and ethical practices. The GAO recommended paying close attention to third-party services offering Internet banking services, since they would not normally receive as close a scrutiny by banks as in-house services.

FinCEN's strategic plan (1998) notes the rise of Internet banking with some alarm. The report says, "Three years ago, virtually no one was concerned about advanced electronic payment systems; now they are of importance throughout the Treasury Department and in the banking community even though they are currently only at the trial stage."

XML can increase auditability

In a recent e-mail message Eric Cohen, a CPA from Rochester, NY and leader in the development of XML vocabularies for accounting, says XML systems could both help and hinder this problem. He says XML specifications for example can limit the addition, deletion or change of entries to reduce errors, yet at the same time the Web can open up internal networks to unauthorized outside intrusion.

Cohen notes that XML documents are by design both human and machine-readable and thus have greater transparency for auditing purposes. He cites other audit specialists who believe that the combination of electronic and financial standards increase the auditability of business systems by increasing their visibility, thus making it easier to develop effective analytical procedures. In other words, XML has the potential to provide tools for better control of Internet-based financial services.

Interactive Financial Exchange

One of the leading Internet banking vocabularies based on XML is the Interactive Financial Exchange (IFX), which combines the work of the earlier Online Financial Exchange and Integrion GOLD specifications. IFX provides retail banking services for consumers and small businesses such as bill payment, account statements, credit cards, and transfers. It also provides bill presentment services for businesses which, when combined with bill payment, provides a full electronic cycle for invoicing and remittances.

Inflated payments with kickbacks or transactions with sham companies are among the more common means of laundering funds, so providing electronic transactions of this kind could make the job of money laundering easier. However, IFX appears to have safeguards established that make individual transactions traceable and thus should make the bad guys think twice.

IFX uses a dual-message transaction model that has a response message designed for each request. Thus each transaction has a pair of matched messages to improve auditability. Each customer has two identifiers, a customer log-in ID (CUSTLOGINID) prepared by the customer and a customer permanent ID (CUSTPERID) used as a database key by the financial institution and cannot be changed by the customer. Therefore, the customer can change its customer name for log-in but it still relates to the bank's permanent ID for that customer.

Each transaction request has an identifier (TRNUID) using a universally unique ID (UUID) based on the Open Software Foundation Distributed Computing Environment standards to produce a 36-character hexadecimal encoding of a 128-bit number. The TRNUID correlates responses with requests. IFX also has an Account Owner Reference Identifier and Service Provider Reference Identifier that provide a permanent reference for transaction, and thus are useful in audits.

A key feature of IFX is the use of banks and similar financial institutions that can build in the controls and audits that authorities can use to track transactions of suspects. However, the specification would apply to third party service providers as well, so transactions in these non-bank institutions could be subject to the same oversight and controls. Both FinCEN and the GAO have noted the need for greater oversight of third-party financial services.

Bank Internet Payment System

Another established banking vocabulary based on XML is the Bank Internet Payment System (BIPS) developed by the Financial Services Technology Consortium or FSTC. BIPS covers payments to and from banks and has several working prototypes ongoing or planned to test basic BIPS functions (Glenview Bank in Illinois), consumer utility payments (Mellon Bank), and higher volume business payments (Citibank). FSTC designed BIPS to work with current electronic bank messaging and settlement systems including the FedWire, Society for Worldwide Interbank Financial Transfers (SWIFT), and automated clearinghouse standards.

BIPS takes security seriously. In its specification it devotes an entire chapter to security and lists a series of challenges, including identification of frauds or impostors, and the ability to produce latter evidence that the transaction actually took place. BIPS uses digital signatures that meet requirements of the ISO X509v3 standard and allow for identification and authentication of users. BIPS also maintains an event log track that tracks activity connected to individual BIPS messages and has pointers to a BIPS Repository with the original message contents. The event log and repository together provide a record of activity for tracking.

The guts of BIPS is its network payment protocol. Like the IFX standard, BIPS uses a request and response model, so each message has a matched-pair partner that can assist in auditing. Each message contains the digital signatures of both the originator and the bank. Moreover, each message contains both a message ID and payment ID that likewise can help trace transaction lows.

BIPS and IFX show that law enforcement authorities have powerful tools available to them to trace payment transactions to support their investigations. A more likely problem to the authorities than electronic banking is the wave of bank mergers used to reduce redundant staff. FinCEN relies on the banks themselves to report evidence of money laundering and as banks search for places to cut, the staff who report on suspicious transactions may look like inviting targets. The cops may need to rely more on themselves to catch the robbers by mining the data generated by audit trails from XML-based banking vocabularies.

Alan Kotok is director of Internet technologies at Data Interchange Standards Association. In previous work Kotok served as a contractor to the U.S. Justice Department/Organized Crime Drug Enforcement Task Force and U.S. General Accounting Office.