Last month’s news that negotiators had reached a preliminary framework agreement about Iran’s nuclear program struck many by surprise. It was a refreshing sign of optimism for many who thought the negotiations were on the verge of failure. Although the parties involved— the United States, United Kingdom, China, Russia, France, and Germany (known as the P5+1) and Iran—are still working out the details of a final agreement, the most significant parameters of the preliminary framework are fairly clear. The United States, the European Union, and the United Nations will begin to lift their economic sanctions on Iran, in exchange for concessions from Iran: limiting its enrichment levels, reducing the number of installed centrifuges, reducing its low-enriched uranium stockpiles, and dismantling the heavy water reactor at Arak.
As leaders on both sides have pointed out, this agreement will not be based on trust alone. In addition to having access to all of Iran’s nuclear facilities, inspectors will also gain access to Iran’s nuclear supply chain, in order to verify that components and materials are not diverted to a covert facility. To insure additional transparency, the preliminary framework calls for a dedicated procurement channel to approve the supply, sale, and transfer of certain nuclear-related and dual-use parts, technologies, and materials on a case-by-case basis.
This will likely remain a tricky area, however. Time and again, Iran has demonstrated extraordinary skill and resolve in skirting financial sanctions, by using a global network of front companies and intermediaries to acquire and pay for dual-use materials, technologies, and services. In this, it is not alone, of course, but Iran’s procurement rap sheet highlights the glaring necessity to establish a robust monitoring and verification regime. But who will monitor the country for proliferation-related transactions? And exactly how will they do it? It is important to consider what role banks may play in such a monitoring and verification regime, as well as the possible challenges they face—especially if we want an agreement between the P5+1 and Iran by the end of June.
The global financial system plays a key role in maintaining vigilance. To be sure, analyzing the ebb and flow of finances is only one tool in the spotting of questionable activity related to the proliferation of nuclear weapons. Monitoring the sale and shipment of export-controlled technologies, for example, has been a time-honored form of verifying compliance—if an insufficient one. According to a June 2014 report by a panel of experts established by the UN to look into the matter, many sensitive items fell below the control thresholds—meaning that they were not being accounted for. In addition, by focusing only on listed items, inspectors cannot detect illegal shipments or payments hidden behind unrelated commodities (such as agricultural products, metals, or precious stones). In such cases, monitoring the flow of other trades and finances, as well as keeping an eye out for suspicious financial transactions, acts as a safety net. Moreover, when combined with other sources of intelligence and public information, financial analysis can be a useful tool to reveal the connections between suppliers, intermediaries, and end-users in procurement networks that deal in restricted materials and technologies.
The usefulness of financial information comes in part from banks’ risk management, customer due diligence procedures, and other tasks related to compliance with anti-money laundering and sanctions rules. Over the past decade, the United States, the European Union and the UN have put in place targeted sanctions, trade embargos, asset freezes, travel bans, and export controls—all of which have given rise to a spectacular labyrinth of laws, rules, and regulations.
To be sure, banks and other financial institutions must comply with these rules; after all, these regulations are the lynchpin to global sanctions. Without compliance and enforcement, sanctions would not have their intended effect. This past May, for example, the global payment processing firm PayPal agreed to pay almost $8 million in fines for failing to detect and stop payments made by individuals who are subject to US sanctions. Between 2010 and 2015, the Office of Foreign Asset Control—the Treasury Department’s enforcement arm—imposed more than $3 billion in fines. This does not include criminal forfeitures, like the 2014 record-setting $8 billion fine against BNP Paribas, France’s largest bank.
But the private sector plays a second, and equally important role: Regulatory and enforcement agencies rely on information from them. Banks and financial institutions monitor, identify, and report suspicious transactions, and can even stop such transactions or freeze assets linked to proliferation activity.
Just what is proliferation financing? Although there is no formal legal definition, the Financial Action Task Force—the international body that sets the standards for combatting money laundering—defines proliferation financing as “… providing financial services for the transfer and export of nuclear, chemical or biological weapons; their means of delivery and related materials.”
The passage of a UN security council resolution in 2004 raised the question of financial institutions’ role in stopping the proliferation of weapons of mass destruction. Known as Resolution 1540, it requires member states to establish controls on providing funds and financial services that could be used for proliferation, and also legally binds all member states to attempt to prevent non-state actors—such as ISIS, for example—from acquiring weapons of mass destruction. But although a good first step, this resolution lacks guidance for identifying proliferation-related transactions.
In the case of Iran, further UN security council resolutions in 2006 and 2010 imposed additional sanctions, while calling on member states to maintain vigilance over the financial sector for proliferation-related activities. They also encourage members to prohibit financial services to individuals or entities, if those services contribute to Iran’s activities in the development of nuclear weapons, delivery systems, or other nuclear proliferation-sensitive activities. Unlike targeted sanctions, which apply to specific individuals and entities, these newer sanctions were far more general, and were “activity-based,” requiring banks and other financial institutions to step up their efforts to identify high-risk customers and transactions.
But these resolutions still did not provide much in the way of particulars, despite a 2008 report by the Financial Action Task Force that essentially profiled activities that could be linked to the illicit procurement and proliferation of nuclear-related material. These activities included the use of letters of credit—instruments used in international trade and commerce to reduce counter-party risk—and the use of circuitous payment methods through shell companies and financial intermediaries. The problem, however, is that these methods in themselves are not unique to proliferation, and are widely used in legitimate trade and commerce.
In 2013, the task force issued another report on financial sanctions, this time including North Korea as well as Iran. Again, however, the Financial Action Task Force’s guidance was insufficiently detailed—merely recommending a “risk-based approach” that allows banks and financial institutions more discretion than simple rule-based regulations, and calls for collecting additional information and monitoring of high-risk accounts. But the information available to financial institutions is often quite limited; details about the end-user, the purpose of the transaction, and export certifications are all easily hidden, mis-declared, or forged. Moreover, what should financial institutions do once they find something suspicious? Guidance in the United States has not fared much better. The US Treasury has mostly parroted guidance from the Financial Action Task Force.
This is especially important as procurement methods become more sophisticated. A new report by the Institute for Science and International Security details an Iranian scheme to procure microelectronic technologies of US-origin that have civilian, military, and nuclear applications. The scheme involved transshipping the items through Turkey in order to cloud the identity of the end-user. The report also mentions the methods the network used to hide its financial transactions—such as purposefully keeping transactions low to avoid banks’ suspicion.
A domestic problem too. To protect the integrity of the US financial system from fraud and abuse, Congress passed the Bank Secrecy Act, and created a watchdog agency, the Financial Crimes Enforcement Network, to regulate and enforce its provisions. Among other things, the act requires banks to report suspicious activities that may be indicative of illicit activity, such as money laundering, terrorist financing, and export violations. But just as occurs in the international arena, guidance from domestic agencies on how to identify proliferation-related transactions is limited. In a 2015 advisory, for example, the agency merely notes that financial institutions should be familiar with the financial prohibitions outlined in UN security council resolutions against Iran.
The hitch is that banks produce impressively large amounts of data. To give an idea of just how much, since the beginning of this year, the organization responsible for global financial messaging between banks processed more than 2.2 billion financial transaction messages. (The organization is known by the acronym SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication.) Reviewing each message for evidence of all kinds of wrongdoing from money laundering to terrorist financing is a daunting task—especially when they do not know what they are looking for.
Consider the potential for fraud and abuse in the tremendous volume of everyday banking transactions. Cover payments, for example, are a common banking practice used to reduce transaction costs. (Essentially, cover payments split incoming payment messages into two outgoing messages: One message goes directly to the beneficiary’s bank, and the second cover message, which does not contain any information about the remitter, is sent to the clearing bank.) In March of this year, Commerzbank AG—Germany’s second largest lender—agreed to a $1.45 billion fine for purposefully using cover payments to hide transactions on behalf of Iran.
Nevertheless, once a bank identifies a transaction of concern, its compliance officers record the details and file a report with the Financial Crimes Enforcement Network, which makes this data available to US enforcement agencies, like the Federal Bureau of Investigation. According to the agency, US depository institutions —such as savings banks, savings and loans associations, and credit unions—generated almost 900,000 of these official documents, known as “Suspicious Activity Reports.” This does not include the reports generated by casinos, securities firms, insurance companies, and money service businesses. Unlike terrorism-related financing, however, there is no standard profile to refer to for proliferation financing. Banks’ compliance officers are left to select the next most appropriate category, which as a result, means that many reports of suspicious activity are left un-investigated.
Other compliance gaps also create stumbling blocks to strong verification and monitoring . For example, foreign-based exchange houses and money remitters (think of an overseas version of a Western Union or Moneygram) are not bound by the reporting rules of the Bank Secrecy Act. Despite a 2011 Financial Crimes Enforcement Network rule that requires overseas exchange houses that conduct significant business with the United States to register with the Treasury Department and follow our anti-money laundering reporting standards, many go unrecorded or simply do not comply. And a quick review of these exchange houses’ websites—many located in the global business hub of Dubai—clearly show that their financial services engage substantially with US markets. To date, however, not a single exchange house or money remitter in Dubai (or indeed, all of the United Arab Emirates) is registered.
These same exchange houses and money service businesses have possibly helped to keep Iran’s global payments flowing. In a 2013 statement, US Treasury Undersecretary David S. Cohen stated: “As Iran’s access to the international banking sector comes under increasing pressure, we have seen it turn increasingly to exchange houses and trading companies in its attempts to evade international sanctions and maintain its access to foreign exchange.” Without closing these gaps, an official procurement channel will remain compromised.
The P5+1 negotiations with Iran are an ideal opportunity to address these gaps and challenges. Remaining vigilant about any activity that smacks of proliferation financing should remain a concern, and therefore should be a component of any final agreement. According to the February joint statement by the EU’s high representative, Federica Mogherini, and Iran’s foreign minister, Javad Zarif: “A new UN Security Council Resolution will endorse the joint comprehensive plan of action, terminate all previous nuclear-related resolutions and incorporate certain restrictive measures for a mutually agreed period of time." This security council resolution should include concrete measures that require member states to reaffirm their commitment to maintaining vigilance over the financial sector for proliferation-related activity.
Iran should also commit to joining the Financial Action Task Force, and implement measures to fix strategic deficiencies within its own financial sector. In a recent statement, the task force called on its members “… to apply effective counter-measures to protect their financial sectors from money laundering and financing of terrorism risks emanating from Iran.” Not only will this help to increase financial transparency and strengthen the integrity of the international financial system, but it will also pave the way for Iran to clear US and international financial restrictions not related to its nuclear program. (In 2011, using the powers of the USA PATRIOT Act, the US Treasury Department designated Iran as a “jurisdiction of primary money-laundering concern," based on Iran’s support for terrorism and its pursuit of nuclear capabilities and development of ballistic missiles. Multiple Iranian banks, including the Central Bank of Iran, were included in this designation, which requires US banks to conduct enhanced due diligence, and prohibits them from opening correspondent banking relations with Iran.)
Most importantly, there are initiatives within the control of the United States, the European Union, and the United Nations that can yield substantial improvements over the current lack of guidance with respect to proliferation-related financing. There are several batches of “big data” scattered in public or private hands, but no single institution gathers them all, analyzes them, and provides feedback and guidance to government agencies and financial institutions. There is an urgent need for an honest broker (such as a non-profit organization or university unit) of financial and commercial data alongside open-source information and intelligence for systematic analysis. This would be the best way to shine light on what is now shadowy activity. Most of the illegal acts to be detected and investigated may not be proliferation-related, but discovering corruption, money laundering, tax evasion or organized crime is an added dividend from such an endeavor.
Without guidance and access to better information, banks will stay in the dark, and enforcement agencies will lose out on a valuable stream of information. Even more importantly, however, any monitoring and verification regime, so far as the procurement and supply chain is concerned, will continue to suffer from significant blind spots.