"Hackers" want to publicly snitch on those with supposed "links" to financial crime and sanctions. Not convictions nor actual sanctions, but links. Like the same brand of hacker that is all in on bitcoin, anarchy, etc? Hackers are shaming agents in service of the State Department now? Sell us another one.
People should not be de-personed because a bank thinks that they are risky. The population, in general, needs to stop pretending that anonymous "hackers" are legitimate justice advocates instead of the likely state actors that they are. Unless they want anything of the sort to be co-opted and then utilized against them.
These are KYC checks so the information is very interesting if you're the average joe.
The US Bank Secrecy Act prohibits you from ever knowing the details of a SAR, or suspicious activity report. There are criminal punishments if a bank were to tell you a SAR had even been filed against you. https://en.wikipedia.org/wiki/Suspicious_activity_report
If this agency does not capitulate to the demands of hackers, then 5.3 million people would suddenly know their SAR/KYC status. It would do quantifiable harm to the prosecution of financial crimes globally.
> A 2020 Bank Policy Institute study found that American SARs elicited a response from law enforcement in a median of 4% of reports, and that a tiny subset of those responses resulted in arrest and conviction, suggesting that 90% to 95% of SARs reports were false positives of unlawful activity.[5]
Anecdotally, I've heard of many people having issues with this system.
I find the claim that "it would do quantifiable harm to the prosecution of financial crimes globally" technically true (it is quantifiable), but to be overall exaggerated as to its actual harm.
KYC checks have in the past resulted in me being unable to open a bank account due to a "discrepancy" between my SSN and my DOB (due to me being an immigrant).
The flip side of your comment is that 1 in 60 (including minors) people in the USA are on a watch list for financial crime.
I think more worrying as a society is not the risk to prosecution of financial crimes (this list being uncovered does not erase evidence of previous or current financial crimes in progress) but how those 1 in 60 people got to be on such a list in the first place.
If I was incorrectly "linked" to some financial crimes I'd like to know about it. If others make decisions based on this data that affect me personally then I'd like to know about it.
I have to pay to know about it.
But any powerful/wealthy person who has done things that could get them on the list probably has the means to see the list for themselves.
My point was that it should change public support for their intended data release.
Because no one should be ok with the State anonymously doxxing uncharged targets, let alone people who are merely on lists as being known to have "links".
I assume that such an action would be to create both leverage and punishment, outside of what legal constraints would otherwise allow.
The nature of democracy is such that the government can't punish individual citizens via stealth practices, and the citizenry can't be ok with it.
Generally speaking, this type of thing would have been vetted by a journalist. Who would have acted as the final release valve, after verifying that the source was legitimate and not, for example, the government itself. While keeping the source confidential, and vetting the information for the ethics and justification for its release.
But today it would be foolish to trust most journalists with that process. And so the public are left with the judgement as to the possible motivations, identities, and probable legitimacy of the actions of anonymous sources who, for whatever reason, aren't first releasing to journalists. Backstops removed, such an action represents a lot of social risk and begs questions.
It’s an interesting perspective for the LSEG to say (paraphrasing) “we maintain a sensitive database that we gave to a third party (presumably with some amount of vetting, since the data is sensitive) and that third party did not adequately secure it, therefore this is not a security lapse on our part”
I was going to make this point. It is of course a breach of security on their part. If a company believes that the data they collect is sensitive, then they need to take great care about the partners they share information with, including their capacity to protect it - it's a matter of common sense that the easiest places to breach will be the places suffering the data leak.
If the hackers phished the customers of the third-party and used their accounts to scrape the information in some way, would you consider that a security lapse on LSEG's part?
Is there some reason why these records should not be public? Making them public would lead both to greater accuracy and their more widespread use keeps criminals out of the financial systems.
> Making them public would lead both to greater accuracy and their more widespread use keeps criminals out of the financial systems.
What about arresting criminals for their actual crimes instead of having a gigantic, worldwide, army of bureaucrats inventing sick and sicker KYC/AML rules which do nothing but cost business and honest people time and money?
Estimated worldwide KYC/AML compliance costs: $180bn. For absolutely nothing: nothing of value is produced. Pure Brazil (the movie) style red tape: pointless documents, processes, code, etc. To freeze (not seize: just freeze, some of it shall be unfrozen after more pointless public servants shall waste time producing nothing of value)... $12 bn. 15x less than the estimated cost.
That's totalitarianism for you: pure insanity created by sick minds and admired by sicker minds.
You know the value of measures like this is not just the money frozen but also the prevented crime which is not even attempted because people know about the measures, right? That’s like saying surveillance cameras are useless because they don’t catch thieves. Sure, but maybe they decrease theft anyways…
Because the people in question aren't necessarily criminals. You should be careful of how easily you may be hypnotized by language, including but not exclusive to accusations.
PEPs — Politically Exposed Persons, like family of politicians. Businesses with KYC screening requirements beyond sanctions and criminal convictions might care about it, because they fear bad media coverage, for example.
I'm not seeing a problem with them going public either. The article even states that there are innocent people on the list. It would be nice to know so they can contest and clear their data off the list.
As I understand, in the finance world lists like this are considered classified because knowing you're on one, or the circumstances that put you on one could help you/others circumvent the measures. Fraud detection works like this - if you're under investigation, you won't know about it, you'll have some vague issue with your bank account.
This is where the article is insufficiently clear. Lists of people who are under investigation for fraud is definitely something banks keep quiet, for the reason you mentioned. But as a sibling comment says, sanctions lists are public, as are records of people convicted of relevant crimes in most (all?) jurisdictions. So what kind of lists are these? Because the article's line about "individuals who were sanctioned as recently as this year" is hardly exciting - the UK sanctions list has people sanctioned today, 18 April.
Much of the data is indeed public. LSEG have analysts going around all the websites of major government entities publishing sanctions lists to update their database. If you’re politically exposed or get mentioned in the media for being convicted of fraud and it’s public knowledge, it’ll get pulled in too.
LSEG get sued by people all the time, so they document and justify everything that goes into the file. There are very good legal reasons to do so.
LSEG is a data vendor. They don't want to make their data public because they charge for it. Much of the original raw data that they aggregate is already public.
The data goes stale after a while. The real value of World-Check, is that it’s constantly updated, and if you’re using LSEG’s KYC screening platform, you get notified in real time as soon as anybody you’ve screened gets a new hit or update in the datafile. That covers you when good customers turn bad.
True in theory but compliance is not a real-time business process. In my days as I remember we got updates 3 times a day which was more than enough (many if not most risk/compliance processes either run once every 24 hours overnight, or are triggered at events such as customer onboarding.)
I've integrated worldcheck for AML in financial service companies. Just like any other consultant doing this type of work, I could have walked out the door with a full copy of the DB on my laptop or a USB stick any time I wanted. Doing that might have made me a 'pirate' or a thief, but rest assured no 'hacking' would have been involved.
We used WorldCheck data at my last startup, it was the best in the business at the time. High quality groomed data, well tagged, with an actual timeline for each entity that explains why they're in there. Absolute top notch.
To use the World-Check datafile, you need decent tooling to go with it. You can either build your own, or use theirs. That said, it’s only as good as the analysts using the tools as well as the consultants configuring it. It’s a hard problem.
Source: worked as a developer on World-Check One for ten years.
So what's the big deal? (barely) every bank in the world has access to the world check database and there is no "secret data" in it. Just a collection of public records...
I did so a few years ago and found I’m on their shit list :)
I don't see anyone seriously claiming that leaking this data would deliver any sort of legitimate justice.
I’m not sure if I buy it.
Also, criminals can hide, but bank accounts are always maintained at the bank.
That can be done here:
https://www.lseg.com/en/risk-intelligence/screening-solution...
e.g.: https://ofac.treasury.gov/specially-designated-nationals-and...
> their more widespread use keeps criminals out of the financial systems.
Governments already have solved this by requiring banks to use lists like these (or similar subsets of these) where desired.
https://www.gov.uk/government/publications/the-uk-sanctions-...
> illegally obtained from the third party’s system
Sad! This information should be published because it's in the public's interest, not because someone didn't pay up.
Friends reported the same.
You're not paranoid if they're actually after ya!