Actual steps to combat the Islamic State with your business

This morning I was excited to wake up to a blog post on one of the preeminent foreign policy blogs, War on the Rocks, titled “How the U.S. Business Community Can Take on the Islamic State.” Anxious to read some potentially useful compliance angle towards maintaining a good CFT (“Countering the Financing of Terrorism”) program or a few pointed supply chain due diligence techniques, we are left with this hair-brained guidance by the author:


Today, U.S. businesses should similarly join the fight against the Islamic State. They can do so by suing banks that handle terrorists’ money under antiterrorism and racketeering statutes.

Yes, you heard me correctly. This genius’ idea of combating the financing of terrorism is for your company to decide to waste its money on poorly thought out litigation against a series of mysteriously functioning branches in Iraq that serve as correspondent accounts for the Islamic State. I wish I could be kidding you, but frankly, I’m not.

The author then goes on to cite the case against Arab Bank Plc, a case that took years of significant litigation relating to 18 U.S.C. § 2331, a section regarding the anti-terrorism act in which US persons can sue for treble damages against an institution that has provided material support as defined elsewhere in the statute (18 U.S.C. § 2339B). The author of this article goes to link ISIS attacks against oil fields in which, ostensibly, US persons have an interest in to be of the same level as litigation under Arab Bank Plc. How does he arrive there?

The Islamic State seized at least 110 bank branches in the Levant that maintain correspondent relationships with global banks. Terrorist fundraisers publicly direct donations to other, identified banks in the Gulf and wider Middle East, and terrorists use such banks to launder hostage ransom payments. Some of these banks are subject to personal jurisdiction in the United States and hold substantial assets here.

The author cites a FATF report that states that Iraq and Syria have correspondent branches under ISIS control, but a read of the FATF report (I’ve kept the link in the block-quote) shows that Iraq has moved to sever the necessary RMA keys with these branches and has further issued instructions to Iraqi banks on how to proceed. Likewise, in order to qualify under the ATA a plantiff would need two jurisdictional hooks: a) a US person harmed or killed in the attacks and b) a US person to sue. I am unaware of any Syrian banks maintain a presence in the United States and if the Iraqi banks are complying with instructions on how to handle their abdicated branches, it is unlikely that the prosecution could provide facts outlining to “extreme indifference” resulting in material support, similar to the facts of the Arab Bank case.

Instead of wasting pixels responding to one of the dumbest articles regarding CFT compliance I’ve read in a while, let’s briefly outline some ways in which not just US companies, but all companies with exposure to this risk can help combat the Islamic State.

  1. Implement an effective AML/CFT program that includes a robust KYC framework. Customers’ risk should be assessed not just for AML and sanctions indicators, but also indicators specific to the financing of terrorism. The linked FATF report above does a great job of outlining geographic, industry and typological indicators that can be incorporated in a risk assessment. Certain customers have greater risk exposure to CFT than others, for instance a charity which is located in or has transactional activity near or at areas of known conflict.
  2. Develop specific Transaction Monitoring scenarios and properly segment customers based on CFT risk. Particularly for financial institutions, properly segmenting customers based on their CFT risk as well as their AML risk can help isolate high risk customers, apply specific scenarios to these segments and put more eyes on the transactional patterns of those customers. Furthermore, while AML and CFT share similar techniques, their activities are distinctly opposite. Money laundering is the process of bringing dirty money into the financial system and making it clean while terrorism financing is taking clean money through the system to make it dirty. We may still see several of the same techniques such as structured deposits, but other techniques such as an uptick in the outflow of funds from a high risk student account may require a different scenario and indicate a different set of activities.
  3. Know your supply chain. Many of the Islamic State’s activities relate to the smuggling of goods such as petroleum and sale of those goods into global supply. As a corporation, a robust supply chain compliance program will include not only KYC into the suppliers, but a firm understanding of the ultimate origin and end use of all goods. Suppliers and parties to all transactions should be vetted by both name screening and risk based enhanced due diligence and both suppliers and buyers should be audited and reviewed on a periodic basis. Because many of the violations are predicated on “reason to know,” simply vetting the Turkish vendor whom you sell pipeline equipment is not enough. Instead your compliance should know the end-user of all transactions and if the vendor may be engaged in nefarious conduct.
  4. Remember where the weakest link is. While implementing all of these provisions, a corporation should remember compliance is only as strong as its weakest link. You should ensure counter-parties, whether they are suppliers, buyers, correspondent banks or large customers with significant transactions, have been properly vetted. This means that KYC procedures should take into account not only the risk presented by the party, but counter-party’s controls, policies and procedures and any negative news that suggests that the controls submitted by the counter-party may be ineffective.

Or then again, maybe it’s just easier to sue the piss out of everyone…