The issue of illicit financial flows is not new; however, the increasing complexity of the digital economy and fast-evolving technologies in the last few decades is changing the landscape of this problem.
The threat posed by the 21st century cybercriminal in earning money illegally and transferring it across borders with a simple mouse-click was realised when a syndicate of 26 accused persons launched one of the most ambitious cybercrime schemes ever witnessed on the continent.
According to charges filed by the state at the Accra Circuit Court, the 26 accused persons, mainly made up of Ghanaian and Nigerian nationals, plotted to attack some major banks in Ghana in July. “The attack began on the midnight of Sunday, July 22nd 2018, when the plotters hacked into the banking software of Universal Merchant Bank Limited (UMB) in Ghana.
“The accused persons succeeded in debiting UMB’s income surplus account with GH¢326,120,000 (US$70million) and posted credit to eighteen bank accounts specifically opened for the purpose of facilitating the attack,” according to the charges filed.
The Deputy Superintendent of Police, Mawunyo Nanegbe, revealed that between midnight of July 22, 2018 when the attack commenced and the morning of July 23, 2018, a total of GH¢1.9million (US$400,000) had been withdrawn from the 18 bank accounts standing in the names of the accused persons.
UMB, in a statement after the attack, insisted that the bank is “resilient and very committed to working with the security forces to clean the environment of any form of cyber miscreants”. A representative for the bank did not immediately respond to a request for comment on this report.
Meanwhile, all 12 arrested individuals have pleaded not guilty to the charges levelled against them. The case is still at the pre-trial stage, with the main trial expected to begin in 2019.
Digital Technologies and IFFs
Automation, a core enabler of the illegal digital economy, played a significant role in the attack as withdrawals of the stolen monies were made from some Automated Teller Machines (ATM) in Ghana, the United Arab Emirates and the United States using internationally-accepted credit cards, according to people familiar with the case.
In an effort to conceal their illegal profit from the source, the suspects are believed to have also split part of the monies into small amounts below the reporting threshold and transferred it to over twenty different beneficiaries via mobile money transfers. This process is often described by experts as layering and integration.
In 2016, a World Bank report found that cyberspace – with its anonymity, cross-border nature, and remoteness from the crime scene – constitutes a perfect criminal environment, especially when criminals can operate from countries that do not have proper legal frameworks and technical capabilities for digital investigations.
The anonymity cyberspace provides in gaining and transfer of illicit funds is particularly relevant in the case of the UMB cyber-attack, as 14 out of the 26 accused persons still remain at large.
Criminal Underground Economy and Cost to the State
The rise of a criminal underground economy in Ghana, which specialises in committing crimes involving digital technology and illicit profit transfers, cost the state over a US$100million as contained in the 2017 BoG report titled ‘State of Banking Sector Fraud’.
The major line of attack for these cyber criminals is the “use of malwares”, First Deputy-Governor of BoG Dr. Maxwell Opoku-Afari disclosed. Citing a recent African Union report, Dr. Opoku-Afari said that more than 400,000 malware incidents, 44 million spam incidents and 280,000 bot incidents were recorded in Ghana’s financial industry in 2016, making the country one of the top-10 most-attacked countries in Africa.
Malware is generally software intentionally designed to cause damage to a computer, server or computer network. Cybersecurity and policy expert, Henry Kyeremeh who works with the Ministry of Finance and Economic Planning (MoF), believes that malware – which usually comes in the form of viruses, trojans, key loggers and exploits kits – offers cybercriminals the flexibility to “steal and control data, to manage malicious programmes, and to run networks of interconnected computers infected with malware”.
The underground industry of cybercrime cost global economies as much as US$445billion in 2016 – up around 30 percent from just three years earlier, a global economic study found. For the government, banks and payment companies in Ghana, the fight should feel like a war — and they are expected to respond with an increasingly robust approach.
Legal and Policy Framework
The July cyber-attack on UMB however exposed the ease with which digital technologies can fuel illicit financial flows. It also exposed the laxity of the financial actors and government in Ghana in dealing with the threat.
The attack prompted the BoG to issue a directive in October 2018 requiring all banks to appoint a Cyber and Information Security Officer. A compliance-review a month later revealed that out of the over-thirty banks operating in the country, only a third had complied with the new BoG directive – demonstrating the general lethargic approach in addressing the evolving cyber threat.
Mansa Nettey, the Chief Executive Officer of Standard Chartered Bank Ghana, speaking at a Cyber Security Forum for the financial sector in late October 2018, maintained that: “Organisations must be willing to invest heavily in resources to combat cybercrime”.
According to the Standard Chartered CEO, financial institutions “could reduce cyber risks by putting in place appropriate corporate governance and compliance procedures”, and institute an “ongoing and open channel of communication with regulators” on how to approach cyber threats.
Meanwhile, Henry Kyeremeh, the policy expert with MoF, has called for a revision of Ghana’s National Cyber Security Policy (NCSP) – describing it as an “over-concentration of efforts on protecting big companies and government agencies”, leading to a “total abandonment” of equally important players such as “citizens and SMEs”.
Four years after the NCSP action plan was developed, government has failed to deliver on some key outputs including setting up a Cyber Law Review Committee with the mandate of reviewing current laws on the cyber environment and making recommendations for the amendment of national laws.
Albert Antwi-Boasiako, the National Cyber-security Advisor to government and founder of e-Crime Bureau, is of the view that despite passage of some laws including the Electronic Transactions Act (2008) and Anti-Money Laundering legislation, “these legislations are not themselves cyber-crime legislation”. Nigeria, he argued, has a Cyber-Security bill (2015), whereas Ghana’s Evidence Act was passed in 1975 – long before personal computers.
Mr. Antwi-Bosiako maintains that: “Ghana needs to scale-up our efforts to address the gaps in our national cyberspace legislation”. The big issue is that the legislation needs to be reviewed to be in line with contemporary trends, where e-evidence “becomes part of criminal proceedings” — where we can use electronic evidence “to convict people for murder, narcotics, human trafficking, fraud, tax evasion, and terrorism”.
“Ghana needs to invest in technology and policies in cyber-security, as the human factor remains the weakest link in cyber-crime cases.” By incorporating these recommendations into Ghana’s policy, we would, Antwi-Boasiako believes, be able to make a “serious case” in fighting cyber-crime and illicit financial flows.
This story was produced by iWatch Africa. It was written as part of Wealth of Nations, a media skills development programme run by the Thomson Reuters Foundation. More information at www.wealth-of-nations.org. The content is the sole responsibility of the author and the publisher.