The issue of illicit financial flows is not new; however, the increasing complexity of the digital economy and fast-evolving technologies in the last few decades is changing the landscape of this problem.
The threat posed by the 21st-century cybercriminal in earning money illegally and transferring it across borders with a simple mouse click was realised when a syndicate of 26 accused persons launched one of the most ambitious cybercrime schemes ever witnessed on the continent.
According to charges filed by the state at the Accra Circuit Court, the 26 accused persons, mainly made up of Ghanaian and Nigerian nationals, plotted to attack some major banks in Ghana in July.
“The attack began on the midnight of Sunday, July 22nd, 2018, when the plotters hacked into the banking software of Universal Merchant Bank Limited (UMB) in Ghana.
“The accused persons succeeded in debiting UMB’s income surplus account with GHC 326, 120,000 ($70m) and posted credit to eighteen bank accounts specifically opened for the purpose of facilitating the attack,” according to the charges filed.
The Deputy Superintendent of Police, Mawunyo Nanegbe revealed that, between midnight of July 22, 2018, when the attack commenced and the morning of July 23, 2018, a total of GHC1.9 million ($400,000) had been withdrawn from the 18 bank accounts standing in the names of the accused persons.
UMB in a statement after the attack insisted that the bank is “resilient and very committed to working with the security forces to clean the environment of any form of cyber miscreants.”
A representative for the bank did not immediately respond to a request for comment for this report.
Meanwhile, all 12 arrested individuals have pleaded not guilty to the charges levelled against them. The case is still at the pre-trial stage with the main trial expected to begin in 2019.
Digital Technologies and IFFs
Automation, a core enabler of the illegal digital economy, played a significant role in the attack as withdrawals of the stolen monies were made from some Automated Teller Machines (ATM) in Ghana, the United Arab Emirates and the United States using internationally accepted credit cards, according to people familiar with the case.
In an effort to conceal the illegal profit from the source, the suspects are believed to have also split part of the monies into small amounts below the reporting threshold and transferred to over twenty different beneficiaries via mobile money transfers. This process is often described by experts as layering and integration.
In 2016, a World Bank report found that cyberspace, with its anonymity, cross-border nature, and remoteness from the crime scene, constitutes a perfect environment, especially when criminals can operate from countries that do not have proper legal frameworks and technical capabilities for digital investigations.
The anonymity cyberspace provides in gaining and transfer of illicit funds is particularly relevant in the case of the UMB cyber-attack, as 14 out of the 26 accused persons still remain at large.
Criminal Underground Economy and Cost to the State
The rise of a criminal underground economy in Ghana, which specializes in committing crimes involving digital technology and illicit profit transfers, cost the state over a $100m, as contained in the 2017 BoG report titled State of Banking Sector Fraud.
The major line of attack for these cybercriminals is the “use of malware,” First Deputy-Governor of BoG, Dr Maxwell Opoku-Afari disclosed. Citing a recent African Union report, Dr Opoku-Afari said that more than 400,000 malware incidents, 44 million spam incidents and 280,000 bots incidents were recorded in Ghana’s financial industry in 2016, making the country one of the top 10 most-attacked countries in Africa.
A malware is generally a software intentionally designed to cause damage to a computer, server or computer network. Cybersecurity and policy expert, Henry Kyeremeh, who works with the Ministry of Finance and Economic Planning (MoF) believes that malware, which usually comes in the form of viruses, trojans, keyloggers and exploits kits offers cybercriminals the flexibility to “steal and control data, to manage malicious programs, and to run networks of interconnected computers infected with malware.”
The underground industry of cybercrime costs global economies as much as US$445 billion in 2016 up around 30 per cent from just three years earlier, a global economic study found. For the government, banks and payment companies in Ghana, the fight should feel like a war — and they are expected to respond with an increasingly robust approach.
Legal and Policy Framework
The July cyber-attack on UMB however exposed the ease with which digital technologies can fuel illicit financial flows. It also exposed the laxity of the financial actors in Ghana and the government in dealing with the threat.
The attack prompted the BoG to issue a directive in October 2018 requiring all banks to appoint a Cyber and Information Security Officer. A compliance review a month later revealed that out of the over thirty banks operating in the country, only a third had adhered to the new BoG directive demonstrating the general lethargic approach in addressing the evolving cyber threat.
Mrs Mansa Nettey, the Chief Executive Officer of Standard Chartered Bank Ghana speaking at a Cyber Security Forum for the financial sector in late October 2018 maintained that “organizations must be willing to invest heavily in resources to combat cybercrime.”
According to the Standard Chartered CEO, financial institutions, “could reduce cyber risks by putting in place appropriate corporate governance and compliance procedures” and institute an “ongoing and open channel of communication with regulators,” on how to approach cyber threats.
Meanwhile, Henry Kyeremeh, the policy expert with MoF, has called for a revision of Ghana’s National Cyber Security Policy (NCSP), describing it as an “over-concentration of efforts on protecting big companies and government agencies,” leading to a “total abandonment” of equally important players such as “citizens and SMEs.”
Four years after the NCSP action plan was developed, the government has failed to deliver on some key outputs, including setting up a Cyber Law Review Committee with the mandate of reviewing current laws on the cyber environment and making recommendations for the amendment of national laws.
Mr Albert Antwi-Boasiako, the National Cyber-security Advisor to the government and founder of E-Crime Bureau, is of the view that despite the passage of some laws including the Electronic Transactions Act (2008) and Anti-Money Laundering legislation, “these legislations are not themselves cyber-crime legislation.” Nigeria, he argued, has a Cyber-Security Bill (2015), whereas Ghana’s Evidence Act was passed in 1975 – long before personal computers.
Mr Antwi-Bosiako maintains that “Ghana needs to scale up our efforts to address the gaps in our national cyberspace legislation.” The big issue is that the legislation needs to be reviewed to be in line with contemporary trends, where e-evidence “becomes part of criminal proceedings,” — where we can use electronic evidence “to convict people for murder, narcotics, human trafficking, fraud, tax evasion, and terrorism.”
“Ghana needs to invest in technology and policies in cyber-security as the human factor remains the weakest link in cyber-crime cases.” By incorporating these recommendations into Ghana’s policy, we would, Antwi-Boasiako believes, be able to make a “serious case” in fighting cyber-crime and illicit financial flows.