Compliance

11:23 AM
Jonas Olsson, Graz
Jonas Olsson, Graz
Commentary
50%
50%

Does NSA’s Tracfin Risk Lives?

Financing is the Achilles heel of terrorist organizations, yet the NSA's Tracfin database doesn’t appear to be doing a very good job of it, argues Jonas Olsson, CEO of Graz.

Jonas Olsson, Graz
Jonas Olsson, Graz
In an ironically big brother-like appearance on two massive video screens, Edward Snowden spoke to thousands of attendees of South by Southwest Interactive, the technology conference in Austin, Texas, on March 10.

Snowden’s 2013 release of huge amounts of classified information – and well-timed events such as this conference – have made it nearly impossible to avoid the ongoing media and public scrutiny directed toward the National Security Agency (NSA).

This secretive government intelligence organization, created during the Cold War, is tasked with collecting and analyzing data to protect the U.S. and its interests. After 9/11, the NSA focus shifted to counterterrorism efforts, which set new strategies in motion — involving tactics that, deservedly, raised privacy and constitutional alarms.

One of the NSA’s outed surveillance tools, as confirmed last year by Der Spiegel, is Tracfin, a financial database created to monitor transactional activity across international banks and credit card companies.

Given the current landscape, the fact that a database such as Tracfin exists doesn’t surprise me. The NSA acknowledges, and I agree, that financing is the Achilles heel for terrorist organizations. Because many terrorist transactions exhibit flag-raising patterns, one of the best ways to preemptively stop an attack is to monitor funds changing hands. What does surprise me about Tracfin, though, is how it doesn’t appear to be doing a very good job at it.

Aside from questions of constitutionality, data abuse and how the NSA has gone too far, I’d like to consider Tracfin’s efficacy from the perspective as a data professional. Admittedly, our knowledge of Tracfin is limited. But based on what we do know, just how good is this database at using financial intelligence to prevent terror attacks? To me, it falls short in three big ways.

1. It’s not collecting enough data to be an effective antiterrorism tool. Tracfin has existed since at least 2006 but had only collected 180 million records as of 2011. Considering the Society for Worldwide Interbank Financial Telecommunication (SWIFT) produces 15 million records per day — with VISA and MasterCard producing far more — that number is terribly low.

In order to connect (and evaluate) the dots to take preventive action, the dots must be there in the first place. For instance, terrorists financed the 9/11 attacks with just $500,000, some of which was transferred from abroad in amounts as small as $5,000. Under Tracfin’s current narrow focus, these paltry totals wouldn’t make the data cut. The more data you have, the better you can evaluate new data.

2. It’s the wrong data. To find the proverbial needle, the NSA needs to take a look at the entire haystack, not just a small portion. According to the Der Spiegel report, 84 percent of Tracfin data is from card transactions, yet only 30 percent of the 9/11 attacks were funded by debit or credit cards. The remaining funds came from international wire transfers (40 percent) and physical transportation of cash or traveler’s checks (30 percent).

If the 9/11 financing methods are any indication, then including data from international wire transfers is an absolute necessity to improve algorithmic and analytic capabilities.

3. There’s no data enrichment. From what we know about Tracfin, there doesn’t appear to be any metadata or static data enriching raw information, something that could mean the difference between a suspicious transaction rising to the surface or falling through the cracks.

For example, several 9/11 terrorists opened private U.S. bank accounts and quickly began to funnel large funds from abroad into them. While opening a new account is not suspicious, that in combination with immediate international transfers is.

In a properly designed system, these two data points could be cross-referenced to better hone in on terror-like patterns. Tracfin, however, doesn’t appear to be creating these second data points — in this case, when the account opened. Again, you can’t connect dots that you don’t have.

What should the NSA be doing? The NSA clearly needs to gather records from more — and more relevant — sources, while also enriching raw data whenever possible. No amount of predictive analytics will fill the large data gaps that Tracfin seems to have. This lack of enrichment also leads me to believe that the NSA has not built any domain knowledge into Tracfin. For a database tasked with financial monitoring, such industry-specific insight is essential to achieving sophisticated analysis.

Additionally, the NSA should follow a “load first, model later” approach that would allow Tracfin to store semi-structured data and support nimble integration, and facilitate the contextual transformation of raw data. In turn, this would help optimize data for different analytical use cases.

I am very much a proponent of privacy, but monitoring financial transactions originating from abroad is something an intelligence agency must do. Not doing so represents a major blind spot in U.S. counterterrorism efforts, through the underutilization of an effective tool for detecting terror acts in their planning stages. So shouldn’t the public demand that the NSA does a better job of this? Since financing is one of the biggest vulnerabilities for terror organizations, improving the ability to gather and analyze financial data is an investment that will benefit us all.

Maybe there is more to Tracfin than has thus far met the public eye. Perhaps there are completely separate databases performing the functions I prescribe. Whatever the case, I believe all of Tracfin’s apparent shortcomings suggest there’s a bigger story — one that’s soon to come.

Jonas Olsson is the CEO and founder of Graz, a provider of data warehouse and business intelligence software built specifically for the needs of investment managers, insurers and banks worldwide.

Comment  | 
Print  | 
More Insights
More Commentary
Shore Up Cyber Security Now
Knowing that a data breach can and will happen at some point, asset management firms can manage new operational and regulatory risk with a layered approach to cyber security.
Is Big Data a Problem or an Opportunity?
When it comes to data, financial services firms are, as a rule, quite circumspect. They fear cyberattacks, data theft, data loss, security breaches, data privacy, and human error.
Data Integrity: A Necessity, Not an Option
Financial institutions that have taken on the data integrity task in the past now have to spend more money on hardware, software, and people just to keep up with the demand.
What Colombia’s New IT Campaign Means for Latin American Tech Investment
Colombia’s campaign is the latest example of how Latin America is trying to edge into the global technology space.
Initial Margin: When Does More Turn Out to Be Less?
Changing margin regulations are set to affect the OTC derivative market, including initial margin risk models for non-cleared OTCs.
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - July 2014
In addition to regular audits, the SEC will start to scrutinize the cyber-security preparedness of market participants.
Video
Stressed Out by Compliance, Reputational Damage & Fines?
Stressed Out by Compliance, Reputational Damage & Fines?
Financial services executives are living in a "regulatory pressure cooker." Here's how executives are preparing for the new compliance requirements.