Core Pillar #3: Facilitate collective response to disrupt malicious actors and more effectively deter future attacks.

Problem Statement: A Growing Desire for Justice

Malicious hackers have targeted financial institutions since the early days of the modern internet. In 1994, even before the dot-com boom, cyber criminals stole millions from Citibank.1 According to the U.S. Federal Bureau of Investigation (FBI), this was a time when the FBI “teamed up with Russian authorities—who provided outstanding cooperation just days after a new FBI legal attaché office had been opened in Moscow—to gather evidence.”2 Over the past quarter century, cyber criminals have remained mostly at large, stealing millions and costing billions to defend against. Over the past decade, the risk has grown as politically motivated malicious actors now operate alongside profit-driven criminals, occasionally joining forces with them. Furthermore, malicious actors rely on the financial system to launder money, purchase offensive capabilities, and convert stolen data into cash.

The escalation of fraudulent activity during the coronavirus pandemic has highlighted the continued threat that malicious actors pose to individual consumers struggling to get by, to companies trying to avoid bankruptcies, even to government agencies doing their best to channel vital resources to those in need. The trend is clearly worrisome. First, attackers are increasingly building advanced capabilities to target core banking systems. Second, attackers are becoming more aggressive in disrupting victims’ ability to respond and to recover, and they continue to find ways to collaborate through organized criminal activity that spans multiple geographies. Figure 9 provides a mapping of the various threat actors targeting financial institutions and Figure 10 details the countries whose payment systems have been attacked from 2016 to 2018.

Cyber resilience is necessary to protect against such attacks, and international laws and norms outline when an actor crosses the line. When the line is crossed, calls for justice grow louder. As the threat escalates, some governments have grown impatient and demonstrated a willingness to take action not only to protect themselves but also to respond to attacks targeting financial institutions.

Governments and the financial industry have a shared interest in countering cyber threats, and this presents an opportunity for collective response and operational collaboration. Each has unique capabilities to bring to the table. Financial institutions maintain a critical vantage point from which to observe threats because it is their technical infrastructure that is often under attack. Governments have instruments of statecraft to deter and disrupt malicious cyber activity as well as the legal authority to act within their respective jurisdictions. However, no individual government or financial institution is equipped to counter cyber threats alone.

The financial industry is uniquely capable of working with government to counter malicious cyber activity. As Matthew Noyes, Director of Cyber Policy at the U.S. Secret Service, has pointed out, financial institutions recognize “the shared interest of preserving the integrity of financial systems . . . and so when you have crimes that are related to the financial system you have a strong basis of evidence and cooperation globally to go after it.”3 Moreover, financial institutions have a high degree of cybersecurity maturity and have significant resources that can be mobilized to tackle this problem. Finally, international cooperation to combat financial cyber crime is more promising than cooperation around combating other types of cyber crime because there is a stronger international consensus around the definition of “financial crime” than around the definition of “cyber crime.”

Taken together, the financial sector plays an important role from at least three angles as governments amplify their responses to malicious cyber activity:

  • As a target of malicious cyber behavior: The threat landscape has evolved in recent years from criminal nonstate activity to an increasing number of states targeting financial institutions for political purposes (for example, Iranian DDoS attacks occurring from 2011 to 2013),4 as well as for profit-driven motives (for example, North Korea since at least 2015).5 One could also imagine financial systems coming under attack for strategic or operational purposes during times of conflict.
  • As an instrument of statecraft to impose costs: Financial sanctions have become a routine instrument of statecraft. In imposing sanctions, governments are using the financial system to deter actors from engaging in certain types of behavior, ranging from money laundering and terrorist financing, to nuclear proliferation and (most recently) “significant malicious cyber-enabled activities.”6
  • As a target in response to its use as an instrument of statecraft: Because financial institutions are used by governments to implement financial sanctions, they may also become a target for those subject to these sanctions. This additional risk may grow as governments increase the number of sanctions and accelerate the use of the financial system as a tool of statecraft.

Mapping Key Trends: Cyber Crimes, Financial Crimes, and Cyber Deterrence

Trend #1: Bridging Finance, Law Enforcement, and National Security

States can improve the systemic resilience of their financial sectors and strengthen their ability to respond to malicious threats by facilitating operational collaboration among the financial services industry, financial authorities, national cybersecurity agencies, and other government authorities. Shifting from simple information sharing to collocated daily collaboration among relevant stakeholders can build the muscle memory necessary for an effective and timely response against malicious cyber threats. This section focuses on specific innovative financial sector models that have sprung up in recent years that could be expanded, replicated, and strengthened as part of this broader push.

Innovative Models

EU Law Enforcement Emergency Response Protocol: In March 2019, in response to WannaCry and NotPetya, the Council of Europe adopted the “EU Law Enforcement Emergency Response Protocol,” which clarified roles, responsibilities, and communication procedures for EU law enforcement.7 In the fall of 2019, ENISA and Europol’s European Cybercrime Centre (EC3) organized CyLEEx19, a cyber law enforcement exercise, to test the protocol. The exercise brought together cyber crime investigators and experts from the public and private sectors and simulated a ransomware attack on the EU’s financial sector.8

Cyber Information and Intelligence Sharing Initiative: In February 2020, the chair of the ECB’s Euro Cyber Resilience Board, Fabio Panetta, announced the CIISI-EU, an information-sharing partnership connecting major financial infrastructures, Europol, and ENISA. According to Panetta, CIISI-EU will enable “the most important financial infrastructures to share vital technical information among themselves using an automated platform.”9

Financial Systemic Analysis & Resilience Center: In the United States, a consortium of the most critical U.S. financial institutions established the FSARC in 2016 with the mission to “proactively identify, analyze, assess and coordinate activities to mitigate systemic risk to the U.S. financial system.”10 The center functions as a mechanism for banks to collaborate with the U.S. national security community, including the Departments of Defense, Homeland Security, and the Treasury, as well as the FBI. FSARC’s offices are steps away from the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. In 2017, FSARC began providing the U.S. Cyber Command with cyberthreat data in an arrangement called “Project Indigo.”11

Pathfinder program: This initiative is a partnership between the U.S. military, the U.S. Department of the Treasury, and the financial services sector.12 It has enabled U.S. Cyber Command to more effectively carry out discovery operations aimed at protecting the financial sector. Lieutenant General Timothy Haugh, then commander of the Cyber National Mission Force, testified that U.S. Cyber Command does not “bring the expertise in what’s critical within the financial sector,” but by partnering with the Department of Homeland Security, the Treasury, and the financial sector, “as we look overseas . . . we’re now focused on the things that are important to that sector.”13

Financial Sector Cyber Collaboration Centre: UK Finance, a major financial trade association created in 2017, announced the creation of the FSCCC in 2018, modeled after the FSARC in the United States.14 FSCCC comprises twenty large banks and other financial institutions working in collaboration with NCSC, UK FSAs, and the United Kingdom’s National Crime Agency.15 In 2019, the BoE reported that the FSCCC will be integrated into the United Kingdom’s financial sector crisis response framework to ensure that the “technical coordination capability [the FSCCC] provides is incorporated into the broader response landscape.”16

In addition to the models highlighted above, governments have also established national cybersecurity agencies that may function as the primary vehicle to advance systemic resilience and continuity planning.

For instance, the French government’s national cybersecurity agency, ANSSI, established cooperation mechanisms with France’s two primary financial authorities, ACPR and the Autorité des Marchés Financiers, in 2018.17 In the United Kingdom, the NCSC and Government Communications Headquarters (GCHQ) worked closely together with the UK Treasury and industry.18 Jeremy Fleming, head of the GCHQ, recounted an example of cooperation in a 2019 speech to a financial trade association: “Earlier this year we learned of a new and credible threat to the banking sector. We saw an Indian bank lose around £13m in two hours from a coordinated ATM cash scam. Within a very short period of time we pulled together more than fifty UK financial organisations, including many of you here today, to brief them on the threat and advise on specific protective measures.”19

The most important element of cross-sector collaboration of this kind is to connect the national security agency teams focusing on the financial sector with other financial authorities, companies, partnerships and emerging initiatives. Such partnerships can enable nation-wide systemic resilience as well as an international collective response.

  • Recommendation 3.1: Governments and the financial industry should consider establishing entities to bolster their ability to assess systemic risk and threats as well as to coordinate mitigating actions. Existing examples of such entities include the United States’ Financial Systemic Analysis and Resilience Center (FSARC) and the United Kingdom’s Financial Sector Cyber Collaboration Centre (FSCCC).
  • Recommendation 3.2: Governments should ensure their intelligence collection priorities include a focus on threats that could pose a risk to the financial system. In addition to nation-state and state-sponsored threat actors, sophisticated criminal actors could deliberately or (more likely) accidentally pose a risk or provide the tools and services for others’ disruptive and destructive attacks.
  • Recommendation 3.3: Governments should consider sharing intelligence about threats that pose a risk to the financial system with other allied, partnered, or like-minded countries.
    • Supporting Action 3.3.1: To facilitate the sharing of threat intelligence, governments should consider options ranging from downgrading the classification of intelligence to broadening the pool of security clearance issuance (for example, to relevant industry professionals).
  • Recommendation 3.4: Financial services firms should consider joining transnational networks like the Financial Services Information Sharing and Analysis Center (FS-ISAC) and/or emulating the region-based Cyber Defence Alliance (CDA) model to create a collective space for the financial industry to share information and prioritize responses to malicious cyber incidents.

Trend #2: The Growing Importance of Cyber Crime

For the first time in more than a decade, cyber crime is receiving renewed attention among policymakers. After years when cyber warfare and nation-state activities dominated the policy discussion, tackling cyber crime is slowly reemerging as a priority. The WEF is putting in place a new international Partnership Against Cybercrime bringing together government and industry actors.20 In the United States, the nonpartisan think tank Third Way has popularized the term “cyber enforcement” and has ignited a push to move the fight against cyber crime higher on the agenda.21 U.S. President Donald Trump’s administration hopes to move the U.S. Secret Service and its cyber investigative capabilities away from the Department of Homeland Security and place them back under the Department of the Treasury.22 And at the UN, Russia obtained enough votes to create a new process advancing a global cyber crime treaty.23

  • Recommendation 3.5: Governments should not only focus on state-sponsored actors but also make the fight against cyber crime a renewed priority, focusing less on time-consuming negotiations of a new cyber crime treaty and more on direct cooperation. This is especially important given the impact of the pandemic. For example, governments could support the WEF’s Partnership Against Cybercrime and Third Way’s Cyber Enforcement Initiative.
    • Supporting Action 3.5.1: Governments should build a framework to strengthen and further institutionalize public-private cooperation to tackle cyber crime more effectively at the national, regional, and global levels. The World Economic Forum’s Partnership Against Cybercrime is a promising initiative to further advance this on the international level, and Third Way’s Cyber Enforcement Initiative is an innovative effort to develop new public policy approaches aimed at strengthening public-public and public-private cooperation to address this problem.
    • Supporting Action 3.5.2: The financial industry should throw its weight behind efforts to tackle cyber crime more effectively, for example by increasing its participation in law enforcement efforts and better integrating its financial crimes, fraud, and cybersecurity systems in order to capture the latest developments.
    • Supporting Action 3.5.3: Governments should prioritize and develop law enforcement capabilities to address cyber crimes that violate international norms, namely those targeting financial institutions.
  • Recommendation 3.6: National and multilateral law enforcement agencies should help coordinate and provide negotiation expertise for financial institutions that have been infected with malware and are being held for ransom by threat actors.

“Two decades ago, a group of enterprising criminals on multiple continents—led by a young computer programmer in St. Petersburg, Russia—hacked into the electronic systems of a major U.S. bank and secretly started stealing money. No mask, no note, no gun—this was bank robbery for the technological age. . . . We teamed up with Russian authorities—who provided outstanding cooperation just days after a new FBI legal attaché office had been opened in Moscow—to gather evidence.”24 U.S. Federal Bureau of Investigation, account of a 1994 international cyber crime case.

A growing ecosystem of partnerships, task forces, and tools has emerged to help law enforcement, financial institutions, and other government bodies collectively respond to cyber crime. Many of these initiatives and tools are ripe for further internationalization. This section outlines models that have demonstrated success in combating cyber crime in the financial sector.

Joint Cybercrime Action Taskforce: Launched in 2014 and based at EC3 headquarters, the Joint Cybercrime Action Taskforce (J-CAT) is a standing operational team of cyber liaison officers from eighteen member countries. Having the team work from a single location makes international cooperation function more smoothly. J-CAT focuses on countering transnational cyber crime and has conducted highly effective operations against cyber crime in the financial sector.25 One highly successful financial sector case was Operation Imperium, in which Bulgarian and Spanish authorities dismantled a highly sophisticated criminal network harvesting financial data from ATMs and point-of-sale terminals. Other examples include the November 2014 Global Airport Action.26

Cyber Defence Alliance: The CDA is another model worth highlighting. Established in 2015 by a small number of UK-based financial institutions, the nonprofit works collaboratively with financial industry and law enforcement agencies.27 CDA members not only collaborate in the UK, where their core banking operations are based, but also extend their work to subsidiary regions, like Asian financial markets. In October 2018, CDA signed a memorandum of understanding with EC3 to formalize information sharing.28

Firm-to-firm collaboration enables CDA to act as a single voice when communicating with law enforcement. Firms can work through the organization to build intelligence reports and evidentiary packages that, cumulatively, have a higher chance of resulting in law enforcement action than they would if reported separately. CDA intentionally kept its membership small and local to leverage the existing trust among member banks that already worked together outside of CDA. This trust allows member institutions to credibly share relevant incidents, threat intelligence, and actionable recommendations on a daily basis and even during an attack on one member.

According to Cheri McGuire, former CISO at Standard Chartered, alliances like CDA “allow [financial institutions] to share information for cybersecurity purposes among financial institutions and then . . . anonymize attribution to a particular institution that can then be shared with government or law enforcement.”29 Alliances that stay small and local may benefit from a preexisting degree of trust and share similar target profiles that make future operational collaboration relevant.

Financial Services Information Sharing and Analysis Center: Established in the late 1990s, FS-ISAC is designed to facilitate information sharing among financial sector entities. Although FS-ISAC has been around since 1999, it recently launched a multiyear strategy to internationalize and broaden its organizational footprint beyond the United States “because today’s cybercriminal activities transcend country borders,” according to former CEO Bill Nelson.30

Over the past two decades, FS-ISAC’s membership has grown to nearly 7,000 members in over seventy jurisdictions.31 It now operates three hubs: the Americas hub in the United States; the Europe, Middle East, and Africa (EMEA) hub in London; and the Asia-Pacific hub in Singapore. FS-ISAC cooperates with national law enforcement and cybersecurity agencies across all of its operational regions, including Singapore’s CSA, the UK’s NCSC, and Europe’s EC3. Other international activities include regional conferences, the Summit of the Americas, the European Summit, and the Asia Pacific Summit; the annual CAPS tabletop exercise with 2,000 participants from around the world; and hosting the CERES Forum for central banks and financial authorities from ten countries.32

Timeline of the FS-ISAC’s Expansion

  • 2016: FS-ISAC establishes the Asia Pacific Regional Analysis Centre with the MAS.33
  • 2017: FS-ISAC establishes regional hubs in two of the world’s financial centers, Singapore and London.34
  • 2018: FS-ISAC creates the CERES Forum.35
  • 2018: FS-ISAC signs a memorandum of understanding with Singapore’s CSA.36
  • 2019: FS-ISAC partners with EC3 to combat cyber crime within the European financial services sector.37
  • 2020: FS-ISAC plans to host CAPS cybersecurity exercises in the Asia-Pacific region, the Americas, and EMEA.38

Trend #3: The Pursuit of Cyber Deterrence

Over the past five years, the U.S. government has tried to strengthen its deterrence posture with respect to malicious cyber activity. In 2018, U.S. Cyber Command announced its new command vision focused on “persistent engagement.”39 The White House’s 2018 National Cyber Strategy outlined a new “Cyber Deterrence Initiative,” and the U.S. Department of State has released its “Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber Threats.”40 The recommendations outline “the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.”41 In particular, the recommendations state that

“the desired end states of U.S. deterrence efforts will be (i) a continued absence of cyber attacks that constitute a use of force against the United States, its partners, and allies; and (ii) a significant, long-lasting reduction in destructive, disruptive, or otherwise destabilizing malicious cyber activities directed against U.S. interests that fall below the threshold of the use of force.”42

To deter bad actors, the recommendations focus on imposing cost together with “likeminded partners”:

The United States should prepare a menu of options for swift, costly, and transparent consequences below the threshold of the use of force that it can impose, consistent with U.S. obligations and commitments, following an incident that merits a strong response that can have downstream deterrent effects. As the United States develops these options, it should assess and seek to minimize the potential risks and costs associated with each of them. . . . The United States will explore new uses of current tools and authorities, identify ways in which existing authorities may need to be amended, and, when necessary, develop legislative proposals for new authorities.43 (Emphasis added.)

In September 2019, the United States, together with twenty-six like-minded nations, issued a statement coinciding with the annual meeting of the UN General Assembly. The statement’s key message was a warning from the signatories: “When necessary, we will work together on a voluntary basis to hold states accountable when they act contrary to this framework, including by taking measures that are transparent and consistent with international law. There must be consequences for bad behavior in cyberspace.”44 In addition to the United States, the following countries signed on to the statement: Australia, Belgium, Canada, Colombia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, the Netherlands, New Zealand, Norway, Poland, the Republic of Korea, Romania, Slovakia, Spain, Sweden, and the United Kingdom.

The Rise of Cyber Sanctions

Sanctions have been a long-standing tool that governments have used to influence other countries’ behavior. Governments increasingly rely on “smart” sanctions, which focus on individuals or companies instead of a country’s entire economy.45 The overall trend toward smart sanctions focuses heavily on the more effective use of financial sanctions.46

In April 2015, the U.S. government expanded its existing sanctions authorities by adopting U.S. Executive Order 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”). This order paved the way for sanctions to be imposed specifically in response to cyber attacks. For such sanctions to be applied, the order stated, malicious activity must be

“reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of:

(A) harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;

(B) significantly compromising the provision of services by one or more entities in a critical infrastructure sector;

(C) causing a significant disruption to the availability of a computer or network of computers; or

(D) causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.”47

These criteria outline a fairly high threshold to be met in terms of significance and malicious intent. At the same time, such sanctions can be imposed against individuals and other entities that are not only directly responsible but may be complicit or have otherwise benefited from the malicious activity.

Past examples of sanctions in response to activity targeting the financial system include:

  • sanctions imposed in 2017 against entities and individuals linked to Iran’s Islamic Revolutionary Guard Corps responsible for DDoS attacks targeting the U.S. financial system between 2011 and 2013;48
  • sanctions imposed in 2018 and 2019 against entities and individuals linked to North Korean attacks on financial institutions for the purpose of generating revenue for the country’s weapons of mass destruction program;49 and
  • sanctions imposed in 2019 against twenty-one members of Evil Corp, a Russia-based cyber criminal organization responsible for the Dridex malware that targeted financial institutions and generated more than $100 million in stolen funds.50

Notably, the 2019 sanctions levied against members of Evil Corp included not only those who facilitated the attacks but also individuals who recruited and maintained “mule networks” and facilitated money laundering in the United Kingdom and elsewhere. The leader of Evil Corp, Maksim Yakubets, was linked to Russia’s security service but many of the other individuals sanctioned were not linked to state entities, potentially suggesting a lower threshold for using sanctions to counter transnational cyber crime.

The EU has also developed a framework to impose sanctions on malicious actors. In 2017, the Council of the European Union adopted the Cyber Diplomacy Toolbox, a framework for responding to malicious cyber activities. Most significantly for the financial sector, this toolbox includes the possibility of targeted sanctions against governments, organizations, and individuals.51 On July 30, 2020, the EU and the United Kingdom exercised this new authority to impose sanctions over malicious cyber activities on a range of Russian, Chinese, and North Korean nationals and entities. In particular, sanctions were imposed on Chosun Expo, an alleged front company for North Korea’s Lazarus Group, for facilitating not only the WannaCry attacks but also “cyber-attacks against the Polish Financial Supervision Authority . . . as well as cyber-theft from the Bangladesh Bank and attempted cyber-theft from the Vietnam Tien Phong Bank.”52


Since 2012, the U.S. government has used sanctions—a political tool to freeze the assets and block the transactions of individuals and entities—at least twenty times to punish malicious cyber actors in Iran, North Korea, Russia, China, and Nigeria. In 2019, the European Union finalized its own cyber sanctions framework,53 and in July 2020, the bloc designated targets for the first time.54 Actors that have engaged in attacks affecting the integrity of the financial system have been targets of both U.S. and European sanctions.55

Though scholars have long debated the utility of targeted financial sanctions at coercing strategic policy change,56 policymakers continue to use the tool in response to a variety of transnational threats.57 With respect to malicious cyber activity, proponents of sanctions argue that they can, among other benefits, help publicize attributions of wrongful behavior, satisfy audiences by “doing something” in response to an attack, deny actors the financial rewards of cyber crime, disrupt the financing of cyber operations, provide opportunities for international cooperation, and reinforce norms of responsible behavior.58

The U.S. government, in particular, has used sanctions hoping that, cumulatively, the repeated imposition of sanctions in response to malicious cyber attacks can deter future attacks by “increasing effort, raising risk, and reducing rewards” associated with offensive cyber behavior.59 At the same time, the high threshold for the use of sanctions by the U.S. and the EU reflects concerns that using sanctions excessively may encourage the development of alternative financial architectures that enable sanctions evasion.60

The full contours of the European Union’s cyber sanctions framework will become more apparent as the bloc expands its use of the new framework, meaning that the impact and value of sanctions as a tool against malicious cyber activity remain uncertain at this point.

To learn more, see the article “Countering Malicious Cyber Activity: Targeted Financial Sanctions,” by Natalie Thompson (forthcoming).

Trend #4: Convergence of Cyber Crimes and Financial Crimes

The financial sector is undergoing a rapid digital transformation. Banks are moving their operations and services online, implementing new financial technologies, and more frequently handling instantaneous transactions and faster risk decisions. One consequence of this changing landscape is that criminals are exploiting DFS to commit fraud and financial crime. Distinctions between cyber crime, fraud, and financial crime are disappearing as criminal activity operates at the intersection of all three. Figure 11 provides an example of such convergence.

The convergence of financial crime, fraud, and cyber crime is new enough that many law enforcement agencies and financial institutions still treat them as separate risks. Teams that were originally designed to counter paper-based fraud and financial crime are siloed from teams countering cyber threats, thereby undermining an organization’s situational awareness regarding criminals that use malicious cyber activity to commit fraud or financial crime.

Recent massive fraud involving coronavirus-related unemployment insurance payments and other government payments has underscored the need to address the convergence of cyber crime and fraud. In May 2020, the U.S. Secret Service warned of a transnational criminal scheme that used stolen personally identifiable information to submit fraudulent claims.61

Sophisticated malicious actors can move very quickly from illicitly accessing a system to initiating fraudulent payments and cashing out. A bank’s cybersecurity team may be able to detect network intrusions, while the bank’s anti-fraud team may manage transaction controls. However, these teams are often isolated from one another, and the delay in coordinating across silos may give criminals enough time to get in and cash out. The Carbanak attacks, which used malware to target financial institutions and led to the theft of $1 billion, are a good illustration of how criminal groups exploit such gaps.

Fusing Cyber Threat Intelligence and Financial Intelligence

The convergence of financial crime, fraud, and cyber crime also presents new opportunities to disrupt malicious activity by fusing financial intelligence and cyber threat intelligence. Finding ways to leverage these capabilities could also help governments detect and respond to malicious activity targeting the financial sector.62

The U.S. Secret Service, one of the largest law enforcement agencies focused on fighting financial cyber crime, reorganized itself in July 2020 to address this convergence. The U.S. Secret Service combined its Electronic Crimes and Financial Crimes task forces into a merged network known as the Cyber Fraud Task Force. “In today’s environment, no longer can investigators effectively pursue a financial or cybercrime investigation without understanding both the financial and internet sectors, as well as the technologies and institutions that power each industry,” the U.S. Secret Service explained.63 The U.S. Secret Service also announced plans to expand its Cyber Fraud Task Force network from forty-two offices in the United States and two offices abroad to 160 offices worldwide.64

The financial sector is also recognizing the need to fuse these functions. UK Finance has argued that “only by breaking down the barriers between the cyber security, fraud and financial crime disciplines can we really hope to counter cybercrime.”65 Standard Chartered has already joined its fraud, anti-money laundering (AML), and cyber crime teams into a single center, which “reduced operating costs by approximately $100 million.”66

Leveraging Financial Intelligence Units to Address Cyber Threats

In 2019, the U.S. Department of the Treasury restructured the Financial Crimes Enforcement Network (FinCEN) and established the new Cyber and Emergent Issues Section under the Strategic Operations Division.67 Aligning these intelligence sources will become even more important as financial intelligence units (FIUs) focused on AML and counter terrorist financing improve their capabilities to track and isolate digital currencies, a common money-laundering instrument used by cyber criminals:

  • Australia: Australia’s National Cybersecurity Strategy (2020) pledges that the Australian Transaction Reports and Analysis Centre’s “financial intelligence expertise will be harnessed to target the profits of cybercriminals.”
  • Canada: In 2019, FINTRAC, Canada’s FIU, expanded its cooperation with the Royal Canadian Mounted Police to counter cyber-enabled fraud.68
  • Indonesia: In 2018, the Indonesian Financial Transaction Reports and Analysis Center leveraged its new cyber crime unit to assist in the investigation of a card-skimming fraud that used cryptocurrencies.69
  • France: In 2018, France’s FIU, Tracfin, established a new investigative division for financial cyber crime to “increase its expertise and expand its investigative capabilities, particularly for analysis of crypto-asset transactions.”70
  • South Africa: In 2018, South Africa’s FIU, the Financial Intelligence Centre, launched an initiative focused on countering cyber crime and cyber-enabled fraud.71

Recent actions taken by the U.S. government against FIN7, a crime ring known for cyber attacks against financial institutions, demonstrate how financial intelligence strengthens law enforcement response to cyber criminals. In addition to U.S.-led indictments and arrests, the U.S. Department of the Treasury sanctioned seventeen members of FIN7 and released “previously unreported indicators of compromise,” based on intelligence from FinCEN.72

FIUs collect the bulk of their intelligence through suspicious activity reports (SARs) or suspicious transaction reports (STRs), which are submitted by banks when they identify a transaction that raises a red flag. To improve the FIU intelligence collection process, some governments, like those of Japan,73 the United States, and the United Kingdom,74 have started to require that banks include cyber indicators in their SARs/STRs in a standardized format.

Importantly, the convergence of financial crime and cyber crime may be an opportunity for countries to overcome barriers to international cooperation. There is no international consensus on the definition of a “cyber crime”; some governments, like Russia and China, advocate for a broader definition that includes information-related harms, which is challenging to reconcile with Western values of free speech. However, there is a much stronger international consensus around definitions of financial crime, developed in part through the FATF’s work on terrorist financing and in part by countries’ mutually shared interest in maintaining the integrity of the global financial system. Governments may be more willing to cooperate to combat cyber crime targeting financial institutions if cooperation is framed through the lens of financial crime rather than cyber crime.

FIUs and other financial crime authorities already have an established rhythm of global cooperation. For example, in December 2019, law enforcement authorities from thirty-one countries, 650 banks, and seventeen bank associations cooperated for the fifth European Money Mule Action (EMMA 5), which resulted in 228 arrests and the disruption of over 3,800 money mules.75 The European Union has already begun integrating its treatment of cyber crimes and financial crimes by making cyber crime a predicate offense to money laundering through the 2018 Directive on Countering Money Laundering by Criminal Law.76

Malicious actors have so far taken advantage of gaps among cybersecurity, AML, and fraud prevention teams across financial institutions and law enforcement. Fusing these functions may not only harden the defenses of the financial system but could also improve authorities’ capacity to respond to malicious activity by tracing adversaries’ financial activity, denying their access to funds, and disrupting their financial infrastructure and mule networks.

  • Recommendation 3.7: The FATF should explore how the existing regime to detect and counter money-laundering as well as terrorist and proliferation financing could be leveraged to fight cyber attacks more effectively.


1 Saul Hansell, “Citibank Fraud Case Raises Computer Security Questions,” New York Times, August 19, 1995.

2 U.S. Federal Bureau of Investigation, “A Byte Out of History: $10 Million Hack,” accessed July 20, 2020.

3 Matthew Noyes, “Countering COVID-19 Related Fraud” (panel discussion, Center for Strategic and International Studies, June 5, 2020).

4 U.S. Department of Justice, “Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector,” March 24, 2016.

5 “Bangladesh Bank Heist Was ‘State-Sponsored’: U.S. Official,” Reuters, March 29, 2017.

6 U.S. Treasury, “Sanctions Related to Significant Malicious Cyber-Enabled Activities,” accessed July 20, 2020.

7 Europol, “Law Enforcement Agencies across the EU Prepare for Major Cross-Border Cyber-Attacks,” March 2019.

8 ENISA, “CyLEEx19: Inside a Simulated Cross-Border Cyber-Attack on Critical Infrastructure,” October 31, 2019.

9 Fabio Panetta, “Protecting the European Financial Sector: The Cyber Information and Intelligence Sharing Initiative.”

10 FS-ISAC, “FS-ISAC Announces The Formation Of The Financial Systemic Analysis & Resilience Center (FSARC),” Press Release, October 24, 2016.

11 Chris Bing, “Project Indigo: The Quiet Info-Sharing Program between Banks and U.S. Cyber Command,” CyberScoop, May 21, 2018.

12 Paul Nakasone, “Statement of General Paul M. Nakasone, Commander, United States Cyber Command, before the Senate Committee on Armed Services” (Hearing on United States Special Operations Command and United States Cyber Command, U.S. Senate, 2019).

13 “Cybercom Media Roundtable,” May 7, 2019.

14 Hannah McGrath, “UK Banks to Set up Cyber Security Centre,” FStech, October 19, 2018.

15 Katherine Griffiths, “Banks Man the Barricades to See off Cyberattacks,” The Times, October 2018.

16 Moody’s, “BoE Releases Findings of Cyber Simulation Exercise in Financial Sector,” Moody’s Analytics, September 2019.

17 ANSSI, “Coopération entre l’Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) et l’Autorité de Contrôle Prudentiel (ACPR).”

18 Anna Isaac, “U.K. Examines if Cyberattack Triggered London Stock Exchange Outage,” Wall Street Journal, January 5, 2020.

19 Jeremy Fleming, “Director GCHQ’s Speech at CYBERUK 2019” (CYBERUK 2019, Glasgow, April 24, 2019).

20 World Economic Forum, “Recommendations for Public-Private Partnership Against Cybercrime,” World Economic Forum, January 2016; World Economic Forum, “Partnership Against Cybercrime,” accessed July 20, 2020.

21 Third Way, “Announcing the Third Way Cyber Enforcement Initiative,” October 29, 2018.

22 Juan Zarate and Tim Maurer, “Protecting the Financial System against the Coming Cyber Storms,” Hill, May 18, 2020.

23 Joyce Hakmeh and Allison Peters, “A New UN Cybercrime Treaty? The Way Forward for Supporters of an Open, Free, and Secure Internet,” Council on Foreign Relations, January 13, 2020.

24 U.S. Federal Bureau of Investigation, “A Byte Out of History.”

25 Europol, “Joint Cybercrime Action Taskforce (J-CAT),” accessed July 22, 2020.

26 Tuesday Reitano, Troels Oerting, and Marcena Hunter, “Innovations in International Cooperation to Counter Cybercrime: The Joint Cybercrime Action Taskforce (J-CAT),” Studying Group on Organised Crime, 2015.

27 Founding institutions include Barclays, Standard Chartered, Deutsche Bank, and Banco Santander. Other members now include Bank of Ireland, Allied Irish Banks, Lloyds Banking Group, and Metro Bank. See “Banks Join Forces to Crack Down on Fraudsters,” Financial Times, August 8, 2017.

28 Europol, “The Cyber Defence Alliance and Europol Step up Cooperation in the Fight Against Fraudsters,” October 2018.

29 Cheri McGuire, A True Risk “Partner,” interview by Corporate Counsel Business Journal, March 2, 2018.

30 Bill Nelson, “FS-ISAC Testimony before the Committee on Banking, Housing and Urban Affairs” (Hearing on Cybersecurity: Risks to Financial Services Industry and Its Preparedness, U.S. Senate, 2019).

31 FS-ISAC, “About FS-ISAC,” accessed July 28, 2018.

32 FS-ISAC, “CERES Forum Marks One-Year Anniversary With 10th Country Addition,” July 10, 2019.

33 FS-ISAC and Monetary Authority of Singapore, “FS-ISAC and MAS Establish Asia Pacific (APAC) Intelligence Centre for Sharing and Analysing Cyber Threat Information,” Press Release, December 1, 2016.

34 FS-ISAC, “About FS-ISAC,” accessed July 28, 2018.

35 FS-ISAC, “CERES Forum Marks One-Year Anniversary With 10th Country Addition.”

36 FS-ISAC, “FS-ISAC and CSA Partner to Enhance Cybersecurity in Singapore,” Press Release, July 18, 2018.

37 FS-ISAC, “FS-ISAC and Europol Partner to Combat Cross-Border Cybercrime,” Press Release, September 19, 2019.

38 “About FS-ISAC,” FS-ISAC, accessed July 28, 2018.

39 U.S. Cyber Command, “Achieve and Maintain Cyberspace Superiority: Command Vision for US Cyber Command,” April 2018.

40 Executive Office of the President, “National Cyber Strategy for the United States of America,” September 2018.

41 U.S. Department of State, “Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber Threats,” U.S. Department of State, May 31, 2018.

42 U.S. Department of State, “Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber Threats,” U.S. Department of State, May 31, 2018.

43 U.S. Department of State, “Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber Threats,” May 31, 2018.

44 “Joint Statement on Advancing Responsible State Behavior in Cyberspace,” U.S. Department of State, September 23, 2019.

45 For more details see Uri Friedman, “Smart Sanctions: A Short History,” April 23, 2012, and John Ikenberry, “Smart Sanctions: Targeting Economic Statecraft,” September 2002.

46 Juan Zarate, Treasury’s War: The Unleashing of a New Era of Financial Warfare (Public Affairs, 2013).

47 Barack Obama, “Executive Order 13694 of April 1, 2015, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” 2015.

48 U.S. Department of the Treasury, “Treasury Targets Supporters of Iran’s Islamic Revolutionary Guard Corps and Networks Responsible for Cyber-Attacks Against the United States,” Press Release, September 14, 2017.

49 U.S. Department of the Treasury, “Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups,” Press Release, September 19, 2019; U.S. Department of the Treasury, “Treasury Targets North Korea for Multiple Cyber-Attacks,” Press Release, September 14, 2017.

50 U.S. Department of the Treasury, “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware.”

51 Katriina Härmä and Tomáš Minárik, “European Union Equipping Itself against Cyber Attacks with the Help of Cyber Diplomacy Toolbox,” NATO Cooperative Cyber Defence Centre of Excellence (blog), accessed July 20, 2020.

52 European Union, “Implementing Regulation (EU) 2019/796 Concerning Restrictive Measures Against Cyber-Attacks Threatening the Union or its Member States,” Official Journal of the European Union, July 30, 2020.

53 “Cyber-attacks: Council Is Now Able to Impose Sanctions,” Council of the European Union, May 17, 2019.

54 “EU Imposes the First Ever Sanctions Against Cyber-Attacks,” Council of the European Union, July 30, 2020.

55 In the United States, the U.S. Department of the Treasury has taken aim at Iranian targets engaged in distributed denial of service attacks against financial institutions, North Korean actors targeting cryptocurrency exchanges and ATMs to generate revenue, and Chinese actors engaged in money-laundering on behalf of North Korean groups. The European Union’s action targeted a North Korean company for aiding in cyberattacks affecting the Polish Financial Supervision Authority, Bangladesh Bank, and Vietnam Tien Phong Bank. See “Treasury Targets Supporters of Iran’s Islamic Revolutionary Guard Corps and Networks Responsible for Cyber-Attacks Against the United States,” U.S. Department of the Treasury, September 14, 2017;

“Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups,” U.S. Department of the Treasury, September 13, 2019;

“Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group,” U.S. Department of the Treasury, March 2, 2020;

Council Implementing Regulation (EU) 2020/1125 of July 30, 2020, implementing Regulation (EU) 2019/796 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, 2020 O.J. (246) 4.

56 Dursun Peksen, “When Do Imposed Economic Sanctions Work? A Critical Review of the Sanctions Effectiveness Literature,” Defence and Peace Economics 30, no. 6 (May 2019): 635–47.

57 For a specific overview on the use of sanctions for deterring financially motivated cyber crime, see Zachary K. Goldman and Damon McCoy, “Economic Espionage: Deterring Financially Motivated Cybercrime,” Journal of National Security Law & Policy 8, no. 3 (July 2016): 595–619.

58 This categorization builds upon the scholarship of Garrett Hinck and Tim Maurer regarding the purposes of criminal charges against malicious cyber actors. Garrett Hinck and Tim Maurer, “Persistent Enforcement: Criminal Charges as a Response to Nation-State Malicious Cyber Activity,” Journal of National Security Law and Policy 10, no. 3 (2020): 531–4.

59 Joseph S. Nye, Jr., “Deterrence and Dissuasion in Cyberspace,” International Security 41, no. 3 (Winter 2016/17): 56; for general background, see also Daniel Drezner, “Targeted Sanctions in a World of Global Finance,” International Interactions 41, no. 4 (2015): 760–1; Henry Farrell and Abraham L. Newman, “Weaponized Interdependence,” International Security 44, no. 1 (Summer 2019): 65–70.

60 Ibid., 76; Peter D. Feaver and Eric Lorber, “Coercive Diplomacy and the New Financial Levers: Evaluating the Intended and Unintended Consequences of Financial Sanctions,” Legatum Institute, November 2010, 46–47; “Chinese Banks Urged to Switch Away From SWIFT as U.S. Sanctions Loom,” Reuters, July 29, 2020.

61 Brian Krebs, “U.S. Secret Service: ‘Massive Fraud’ Against State Unemployment Insurance Programs,” KrebsOnSecurity (blog), May 16, 2020.

62 BAE Systems, “Follow the Money: Understanding the Money Laundering Techniques That Support Large-Scale Cyber-Heists,” 2020.

63 Shannon Vavra, “Secret Service Merging Electronic and Financial Crime Task Forces to Combat Cybercrime,” CyberScoop, July 9, 2020.

64 United States Secret Service, “Secret Service Announces the Creation of the Cyber Fraud Task Force,” Press Release, July 9, 2020.

65 UK Finance, “Staying Ahead of Cyber Crime,” April 2018.

66 Salim Hasham, Shoan Joshi, and Daniel Mikkelsen, “Financial Crime and Fraud in the Age of Cybersecurity,” McKinsey & Company, October 2019.

67 “FinCEN Realigns Division to Increase Strategic Capabilities,” Financial Crimes Enforcement Network, November 25, 2019.

68 “Public Safety Committee on Jan. 28th, 2019,” Open Parliament, January 28, 2019.

69 Fajar Pebrianto, “PPATK Probes Alleged Money Laundering in Skimming Case,” Dukung Indepensi Tempo, March 2018, 18.

70 Tracfin, “Tracfin Annual Report 2018,” Ministère de l’Action et des Comptes Publics, 2018.

71 Financial Intelligence Centre, “Annual Report 2018/19,” July 31, 2019.

72 U.S. Department of the Treasury, “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware,” Press Release, December 5, 2019.

73 National Police Agency, “Annual Report 2019,” Government of Japan, 2019.

74 Anton Moiseienko and Olivier Kraft, “From Money Mules to Chain-Hopping: Targeting the Finances of Cybercrime,” Royal United Services Institute, November 2018.

75 Anton Moiseienko and Olivier Kraft, “From Money Mules to Chain-Hopping: Targeting the Finances of Cybercrime,” Royal United Services Institute, November 2018.

76 Directive (EU) 2018/1673 of the European Parliament and of the Council on combating money laundering by criminal law, October 23, 2018.