Shostack + Friends Blog Archive


More Victims of Money Laundering Regulations

In a comment on “Atlantis Resort (Bahamas) 50,000, Hacker,” Ian Grigg explains that the reason Bahamas Casinos collected 55,000 SSNs is that the various and sundry “anti-money laundering” regulations force them to, or be labeled “naughty.” Err, ‘non-compliant.’ How’s that for NewSpeak?

There’s a pretty large steamroller behind such rules and regulations, and the push to apply them ‘uniformly’ around the world. Such regulations though, have costs, as we see here. The regulators who write the rules, however, aren’t worried about identity theft, they’re worried about money laundering and ‘illicit‘ money flows.

The ever-expanding requirements to collect this data aren’t being matched by ever-expanding requirements to protect it, leading to an increase in the marginal value of stealing it. Remarkably, as that marginal value increases, we’re seeing an increase in theft and abuse.

3 comments on "More Victims of Money Laundering Regulations"

  • allan says:

    This seems to be a fairly straightforward policy analysis problem. We know that money laundering has very real costs in terms of lost revenue and massive indirect effects from supporting illicit activities, etc. If the regulations applied broadly can effectively reduce the amount of laundry, then we must compare that with the added risk of lost SSN and personal data. I’m very skeptical that ID theft imposes a high enough social cost, although I have no expertise on the efficacy of the regulations.
    If we wanted a more nuanced discussion, we can look at incentives to halt the two ills of data loss and money laundering. Given the status quo, I imagine most governments are using as many tools as they can to keep financial flows kosher. It is easier to think of appropriate mechanisms for data safeguards or improved authentication techniques to reduce the value/success rate of impersonation fraud.

  • Adam says:

    I don’t agree. (By and large) “money laundering” is a result of governments banning voluntary transactions, and when that doesn’t work, they ban the money that people earn from those transactions. So, if I don’t agree that money laundering is an ill at all, but a result of prior bad policy decisions, then simply looking at incentives will fail to solve the problem.

  • David says:

    In the U.S., casinos must collect this information not just for anti money laundering regulations, but also to report gambling winnings to the IRS.

Comments are closed.