Speech to Definition 2005
The Investment and Financial Services Association Annual Conference
Speech by Australian Federal Police Commissioner Mick Keelty APM
Wednesday 3 August 2005
Brisbane Convention and Exhibition Centre
Topic: The Commercial Realities of 21st Century Security.
(Please check against delivery)
I'd like to begin by acknowledging the traditional owners of this land - the Jagera People…and by saying what a pleasure it is to be with you here today for the Definition 2005 Conference.
In some ways it may seem a little incongruous for a Federal Police Commissioner to be delivering a keynote address at a financial services conference. However it serves as a reminder of how our world continues to change and of the complex linkages that now exist between our various industries.
The topic I have chosen to speak on today is: The Commercial Realities of 21st Century Security. This is an area of particular interest to me, as the emergence of terrorism and transnational crime has obviously redefined the way the AFP does much of its business today.
As you'd all appreciate, the security climate has also clearly had a big impact on the business world and has highlighted the growing need for all of us - regardless of what industry we belong to - to cooperate more closely with each other to strengthen our collective security.
The financial services sector plays a key role in this process, particularly in assisting to detect and monitor illicit transactions and financial activities - such as money laundering - which fuel organised crime.
From a national security perspective, the detection of suspicious financial activity can provide law enforcement with vital early clues and warnings about the planning and execution of terrorist acts, as well as the occurrence of identity crime, drug trafficking and high tech crime.
Equally, for the financial services sector, disabling crime is essential to maintaining consumer confidence and market stability - key elements to the health of your industry and to our economy as a whole.
Just imagine the consequences for our society if the Investment and Financial Services Association did not, for example, take security breaches very seriously...
With your responsibility for overseeing $800 billion worth of funds on behalf of more than 9 million Australians, the implications of a lackadaisical approach would be very costly for the community - in both an economic and social sense.
A key to successfully reducing the level of risk in today's world is to firstly understand the nature of the broad range of threats and how they are evolving.
I'd now like to outline some of those that relate specifically to the financial services sector.
CRIME SCAN - FINANCIAL SERVICES SECTOR
Although Australia's financial services industry has sought to strengthen security over its systems and assets over recent years, it certainly has not been exempt or immune from criminal activity.
Analysis shows there is evidence of serious and organised crime taking place within the industry - including identity crime, collusion, conspiracy, tax avoidance and even the use of violence.
Environmental scanning also suggests organised criminal groups are becoming increasingly aware of the sector's profitability and how it can be exploited for a range of illicit activities.
So where are the main threats coming from?
They are coming from both outside and inside the industry, sometimes from the very individuals entrusted with protecting systems and assets.
In fact, a recent survey reported in Australian Legal Business found 82 per cent of fraud suffered by business is committed by employees.1
Despite the implementation of more rigorous recruiting and vetting policies, problems identified have ranged from staff corruption (which may not even seem like corruption initially, such as an employee revealing weaknesses in an internal security system); or the leveraging of internal staff by organised crime syndicates.
This area of vulnerability was highlighted in January last year during an alleged fraud attempt on the Commonwealth Superannuation Scheme. This involved an attempt to transfer $150 million from an account held with J P Morgan Chase to overseas bank accounts.
The matter is still before the courts, so I can't say more about it, except to say that it was quickly brought to our attention and quickly dealt with so it didn't grow into a larger crime.
While this incident ended on a relatively positive note, the financial sector's record for reporting suspicious activity is one that could generally be improved.
With forecasts predicting crime is likely to grow in this area over the next decade as criminal techniques become even more sophisticated, it is important for the industry to start developing a strong reporting culture.
This must be accompanied by improved procedures and practices for the exchange of information that will assist in the maintenance of security.
Over recent years, we have seen some instances where law enforcement efforts to combat crime in this area have been frustrated by some misinterpretation or misunderstanding of the national privacy legislation.
Organisations not familiar with the provisions of the National Privacy Principles, have been reluctant to share information requested in relation to matters such as fraud intelligence.
These Principles do allow for disclosure that is 'reasonably necessary' for the enforcement of criminal law, so we are now trying to educate the financial and business communities in this regard.
Before I move on to talk about emerging challenges for the business and financial services sector…it is important to note that all these developments have taken place against a backdrop of changing public perceptions about white collar crime.
It doesn't seem that long ago that poor or questionable corporate performance tended to be dismissed as mismanagement. Companies simply went into liquidation with no criminal penalties being applied.
Today, however, the community has low tolerance for such behaviour and regulatory authorities around the world are vigorously pursuing those at the centre of such activity. This has been illustrated by some recent high-profile cases such as WorldCom and Enron in the United States, and HIH and FAI here in Australia.
The AFP is working closely with the Australian Prudential Regulation Authority and the Australian Securities and Investments Commission - as well as with State and Territory Police - to assist in this regard.
This is likely to remain a business priority for some time to come, as transactions and product and service lines become increasingly complex - thereby providing even greater scope for criminal activity.
So what are the key business and security challenges facing the financial services industry in the foreseeable future?
THE CHALLENGES
I believe the main challenges are similar to those faced by the broader community - namely, dealing with the ongoing threat of terrorism, the rapid evolution of high-tech crime and the expansion of identity based crimes.
While the threats may not necessarily be direct, their broader ramifications can have a significant impact on security and performance.
Firstly to terrorism….as we saw only last month in London, the spectre of terrorism has not abated in the West.
While Australia was geographically isolated from the attacks, our close connection with the United Kingdom and the deaths and injury caused to our own, provided a sobering reminder that anyone, anywhere is vulnerable.
Although Australia did not move to raise its official alert level from medium (where it has been since 9/11), authorities are keeping a close watch on suspicious activity.
From a financial services perspective, I guess one of the major concerns about terrorism lies in its impact on community confidence and the flow-on effects to industry generally.
It has been well documented that in the wake of 9/11, the share market experienced a significant decline over a period of time, and that losses to the insurance industry were estimated at more than US$50 billion.
In London, losses from the recent bombings were nowhere near the magnitude of 9/11, but immediate drops in levels of consumer confidence and the share market were recorded.
And a study by the Centre for International Economics - commissioned by the AFP - found the cost of the 2002 Bali bombings to be in the order of $3 billion.
This included the cost of the emergency response and downstream effects to business and industry, including tourism and hospitality.
But it is not just the negative impacts on business and investor confidence that flow from acts of terrorism.
The financial services sector also faces new challenges arising from regimes designed to combat terrorist activity. This includes placing the onus on industry to take responsibility for the origin and purpose of funds flowing through accounts.
For example, the introduction of The Patriot Act by US Congress, is one initiative that could have ramifications for the Australian market.
Although The Patriot Act is US legislation, any financial institution with a presence in US markets is practically obliged to adhere to the measures it sets down.
Under the Act, law enforcement and intelligence agencies are able to conduct surveillance on customer accounts and to access customer account information without needing to provide proof of suspicion.
In effect, financial institutions are required to vouch for the bona fides of their customers and to monitor transactions to ensure they fall within the customer's financial profile.
Therefore, financial institutions must implement comprehensive risk-based anti-money laundering programs that:
- Verify customer identification;
- Enhance due diligence on certain accounts;
- Monitor all financial transactions;
- Prohibit corresponding accounts with shell banks;
- Share information with law enforcement agencies; and
- Report all suspicious transactions.
If, for example, if it was found that funds used in a terrorist attack against US interests were channelled through a financial institution in Sydney and subsequent inquiries revealed that the institution did not take prudent steps to ensure the account holder's bona fides, it may be open for the US Government to cancel the institution's US banking licence or greatly inhibit its ability to access US markets.
And it is important to note that the threat to US interests does not confine itself to onshore US interests, but includes potential threats to US embassies, armed forces and other US government and business interests.
The Australian financial market has already been meeting many of the obligations set out in The Patriot Act through compliance with provisions of the Australian Financial Transactions Reports Act 1988.
While our national anti-money laundering strategies are presently under review, it is anticipated new legislation may contain measures creating similar obligations to those provided by The Patriot Act.
Money laundering
Recently, a global anti-money laundering survey estimated that up to $1 trillion - or between 2 and 5 per cent of global GDP - is now laundered worldwide annually by drug dealers, arms traffickers and other criminals.
To try and combat this growing threat, a meeting of the Asia-Pacific Group on Money Laundering, held in Cairns last month, moved to strengthen anti-money laundering and anti-terrorist financing standards around our region.
The meeting was attended by 29 member countries, six observer countries and 10 international and regional organisations including the International Monetary Fund and the World Bank.
Importantly, member countries agreed on a range of measures including:
- A plan for all jurisdictions to be assessed and evaluated for compliance with stringent Financial Action Taskforce standards on anti-money laundering and terrorist financing as a matter of priority; and
- the provision of technical training and assistance to expedite the process for ensuring compliance across the board.
In recent years, the link between money laundering and terrorism has been well documented, particularly as a result of evidence collected during a number of terrorism investigations.
Therefore, the implementation of tough anti-terrorism financing standards remains one of the most effective ways for disabling terrorist activities.
I believe another important strategy for disabling terrorist activity also involves learning more about the way they operate and their strategies for planning and recruitment.
One of the reasons terrorism is such a difficult crime to police is that their organisations are constantly evolving - changing their makeup and modus operandi so they can avoid detection and capture.
They learn a great deal from each of their attacks and alter their planning and methodologies accordingly.
At a recent International Symposium on The Dynamics and Structures of Terrorist Threats in Southeast Asia, an academic working at the School of Advanced International Studies at John Hopkins University in the United States, Carlyle Thayer, provided a contemporary perspective on the changing composition of groups like Al Qaeda and Jemaah Islamiah.
His paper2 contained some interesting research that examined and analysed aspects of terrorists' social backgrounds, such as socio-economic status, education, faith in their youth, occupation and family status.
This involved a survey of 172 terrorist organisation members. It found they generally came from well-to-do families and were much better educated than the population at large in the developing world.
They were well travelled, were able to speak several languages, and only 17 per cent had Islamic primary and secondary educational backgrounds.
The research found a very high proportion of terrorist leaders - 75 per cent - were classified as professionals, from occupations such as medicine, architecture, and teaching, or they had semi-skilled occupations such as military, mechanics, civil service, or small business.
In terms of family status, 73 per cent were married. And the average age when a person "joined the jihad" to become a terrorist was 25.69 years.
The paper went on to say that 70 per cent of the terrorist leadership joined the jihad in a country other than where they had grown up, and that just before joining the jihad, 'future terrorists' suffered from social isolation, spiritual emptiness and underemployment - which became a source of grievance and frustration.
The paper concluded that joining the jihad involved a three-pronged process, of social affiliation involving membership of "small world" groups based on friendship, kinship and discipleship. Over time, members of these cliques experienced a progressive intensification of their beliefs and faith leading them to embrace the jihad ideology.
The next stage involved an encounter by the small group with a link to the jihad. And the final stage involved intense training and voluntary recruitment usually marked by a formal ceremony (swearing an oath of loyalty).
Some of these findings were borne out in the London bombings experience.
Shortly after the 7 July attacks, it was discovered that the bombers were not extremists from abroad. They included middle-class Britons, who were young, educated and with the world at their feet.
For us to more effectively counter the terrorist threat, I believe it is important we work harder to understand and address those issues that drive people - particularly youth - to subscribe to the terrorist philosophy.
Part of this involves developing greater awareness, tolerance and acceptance of different cultures and beliefs.
From an AFP perspective, we have implemented numerous education and training programs to assist us in this regard. We also conduct regular dialogue with Muslim leaders and their communities, and have appointed our own Muslim Chaplain.
We have also learnt much from assisting police to investigate terrorist attacks overseas, as well as from working cooperatively with other nations on preventative initiatives, such as through the Jakarta Centre for Law Enforcement Cooperation, in Semarang Indonesia.
This Centre has become an excellent example of law enforcement collaboration at work, providing a valuable platform for interaction between law enforcement officials and academics as well as for information exchange, counter-terrorism training and equipment.
The Centre began as a joint Australia/Indonesia initiative, and in its first year of operation has attracted interest and involvement from law enforcement agencies and governments right around the world. The Netherlands, Denmark, Italy and France are among the latest nations to pledge resources and support.
Identity crime
Another element found to be consistent in the commission of terrorist attacks - and many other forms of organised crime - has been the reliance on precursor crimes such as identity fraud, to plan and execute activities.
For example, after 9/11, the 19 hijackers were found to have used 364 false names and 11 of them were suspected of using altered passports where the changes were detectable.
The operational coordinator and pilot of one of the aircraft that crashed into the World Trade Centre - Mohammad Atta - was even trained as an expert document forger.
And during the Bali bombings investigation, conspirators were found to have operated bank accounts under false names, rented the house where the planning was completed, regularly used aliases to avoid detection and shipped bomb-making materials using false identities and identification documents.
In Australia, identity crime is already recognised as a serious and growing problem for business. It is estimated to be costing anywhere between $1 billion and $4 billion annually. Worldwide, the cost has been put as high as $2 trillion.
Part of the reason for this is the ongoing and rapid advances in low-cost technology, which are providing criminals with unprecedented capacity to produce high quality replicas of a broad range of identity documents.
In addition, the incidence of identity theft in the online environment has become an area of growing concern. This includes practices such as "phishing" - where bogus emails are used to lure recipients to fraudulent websites. They attempt to trick people into divulging personal financial data such as credit card numbers, account usernames and passwords and social security numbers.
Over the past year, the monthly growth rate for phishing sites was estimated at 15 per cent, with the financial sector found to be the most frequent phishing target.
To combat this broad and expanding range of threats, a number of measures have been put in place.
On the high-tech crime front, the Australian High Tech Crime Centre hosted by the AFP, has established a close working relationship with the major banks and companies such as Visa International and Mastercard.
This has been a very successful partnership, with representatives from each organisation assisting the Joint Banking and Financial Sector Investigation Team with its investigations.
Significantly, the team recently participated in a worldwide sweep that closed down 1400 phishing sites, with 13 of them based in Australia.
The development of a National Identity Security Strategy by the Australian Government, is another important measure working to combat identity crime.
The Strategy provides for new national document security standards, document verification services and data matching capabilities. As part of this process, new ePassports containing a chip with biometric information, are to be introduced from October, to help bolster security at border controls.
From a law enforcement perspective, the AFP is a member of the Identity Crime Taskforce, which involves 15 different agencies - ranging from the Australian Customs Service, to the NSW Crime Commission, the Australian Crime Commission, AUSTRAC, DIMIA, DFAT and Centrelink. This taskforce is also enabling agencies to share intelligence and expertise to assist with investigations into identity-related crime.
To date, the taskforce has recovered hundreds of false identity documents, ranging from Passports to Medicare Cards, drivers licences and Australian Citizenship certificates, as well as document and card-making equipment.
As well as harnessing technical and investigative expertise, the Taskforce has been gathering valuable intelligence that tells us about local trends in this crime area.
It has found that in Australia, serious organised crime groups are behind much of the activity; there are many international links; and there is a high level of technical skill and quality counterfeiting products.
To try and stem the growth of this crime area, the taskforce is devoting considerable resources to raising awareness in the community about the nature and threats associated with identity crime, making regular presentations to government, business and financial institutions.
Measuring our performance
Before I conclude, I just want to talk a bit about some of the work the AFP has been doing to ensure we are getting the most out of our 'investments' that deal with the challenges of 21st century security.
Today the AFP, has a total operating budget exceeding $1 billion and our roles and responsibilities as Australia's national policing agency have significantly expanded to include more proactive policing responses.
As you would all appreciate, one of the realities of doing business today (whether it be in the public or the private sector) - is that governments and the community - quite rightly - expect us to remain transparent and accountable for our actions and expenditure.
To help us do this, we have set up a dedicated business planning and performance evaluation team that monitors returns to the community across a range of crime types. This helps us to prioritise our work and to ensure precious resources are always directed to the areas of greatest need.
Their methodology includes a suite of performance-benefit ratios in relation to fraud and drug investigations, as well as protective services.
The results show the AFP's fraud investigations are returning $6 in social benefits for every $1 of taxpayers' funds invested in investigations; protection services are returning $4 for every $1; and AFP drug operations are returning over $5 to the community for every dollar spent.
We are also now exploring ways to assess the performance of the International Deployment Group - a key plank in our strategy to promote regional security and stability.
As many of you know, the IDG is undertaking regional assistance and capacity building projects in a range of locations overseas, including the Solomon Islands, East Timor and Cyprus.
As part of our performance monitoring regime, we recently signed a $1.5 million collaborative research program with the ANU and Flinders University to analyse the IDG's presence and impact in these countries.
The research is examining the grounds for providing assistance, as well as cultural and political contexts and the achievements and shortcomings of police assistance missions.
Findings of the research will be used to guide future AFP involvement in the region, including operational issues and training practices, as well as enhanced cooperation with nations, host country agencies and other government providers, including the Department of Defence, AusAID and the United Nations.
Conclusion
In closing, it is clear the security environment poses a lot of challenges for all of us - regardless of what industry we belong to.
Today I've outlined some of those that relate directly to the financial services industry. However, in an environment that is constantly changing, who knows what the key challenges will be in just 12 months time.
In many ways, I believe our success in responding to the security environment over time, will be measured by our ability to address the underlying causes.
This includes answering questions such as: How do we fight an 'idea'? How can people of different faiths and nationalities better assimilate? How do we uphold people's freedoms and liberties while maintaining security? How do we discourage younger generations from embracing ideologies that seek to undermine our way of life?
We have an obligation to future generations to try and come up with workable and appropriate solutions to these problems. If we fail on this count, then the investment and effort currently being poured into making our environment more secure, will only treat the symptoms rather than the causes.
These are difficult questions to answer. But we can take comfort in the knowledge that if the collective will exists, no problem will ever be insurmountable.
Thank you.
2Thayer, Carlyle: Leadership Dynamics in Terrorist Organisations in Southeast Asia. Kuala Lumpur Malaysia, April 18-19, 2005. Research obtained from a survey by Marc Sageman.