Counterterrorist Financing, Still a Work in Progress 20 Years After 9/11, Now a Lower Priority

By Colby Adams, Daniel Bethencourt and Valentina Pasquali

In retrospect, the 9/11 hijackers’ expenditures after they arrived in the U.S. in early 2000 until they crashed commercial jets into the World Trade Center, Pentagon and rural Pennsylvania on the morning of Tuesday, Sept. 11, 2001, 20 years ago this Saturday, still appear “unremarkable,” as congressional investigators described afterwards.

They opened accounts at Bank of America, SunTrust Bank, Bank One in Phoenix and Greenpoint Bank in New York, used debit cards at various ATMs, rented cars and acquired auto insurance, paid rent for apartments and hotel rooms in San Diego, Florida and elsewhere, shopped at Walmart, Target and Lowe’s, bought groceries at Winn-Dixie and pizza from Papa John’s, joined gyms and even visited a zoo.

Their money trail in the runup to 9/11 began in late 1999, when Khalid Sheikh Mohammed, the principle orchestrator of the attacks, gave four of the planned hijackers—Mohamed Atta, Marwan al Shehhi, Ziad Jarrah and Ramzi Binalshibh—$5,000 each to travel back to Germany from Afghanistan, where they had trained and discussed the plot with Osama bin Laden.

After landing in the U.S. at various times and from various countries in early 2000 until the days before the Sept. 11 attacks, the 19 hijackers received at least $300,000 in remittances and wires from al-Qaida facilitators in Dubai and elsewhere to cover their living expenses and flight training. They used another $200,000 to $300,000 in cash and traveler’s checks, and obtained Visa debit cards to draw on funds that their facilitators had deposited into bank accounts in the United Arab Emirates.

The money wound into and through U.S. regional lenders and several of the most prominent and recognizable banks and money services businesses worldwide, but no financial institution filed a suspicious activity report or provided investigators with any other form of financial intelligence until after U.S. officials disclosed the names of the hijackers publicly.

Why would they have? The transactions that made the plot possible did not appear illegal or even conspicuous at the time.

“The existing mechanisms to prevent abuse of the financial system did not fail,” the 9/11 Commission, a bipartisan congressional panel that compiled and published the U.S. government’s official record of the attacks, concluded afterwards. “They were never designed to detect or disrupt transactions of the type that financed 9/11.”

After the attacks, the White House declared a global war on terror with a military component, Operation Enduring Freedom, that quickly ousted the Taliban, the brutal Islamist militia that gave al-Qaida safe harbor, and later deposed Saddam Hussein in Iraq, inadvertently opening the door for a dangerous new adversary to begin a campaign of conquest.

Two decades later…

The U.S. withdrawal from Afghanistan and the Taliban’s return to power in Kabul last month, nearly 20 years after the Sept. 11 attacks and a little more than 10 years after a team of Navy Seals killed bin Laden at his compound hideout in Pakistan, brought the longest war in America’s history to an unsuccessful and tragic conclusion.

For the financial services industries of the United States, United Kingdom and European Union, the changes wrought by 9/11 appear permanent.

Starting with the U.S. Patriot Act in 2001, anti-money laundering and counterterrorist financing requirements have grown dramatically through numerous legislative measures, executive orders, rulemakings and legal interpretations over the past 20 years. As a consequence, compliance departments now generally receive larger budgets and wield more clout within their institutions.

“One thing that’s different from 10 years ago: terrorists, like everyone else, have more choices for moving money,” said Yaya Fanusie, a former economic and counterterrorism official for the CIA. “There are more companies that are involved in what you can call fintech, or mobile payments, without even getting into cryptocurrency. Take the Islamic State-inspired attack in San Bernardino, California, in 2015: one of the attackers got a loan from Prosper, a company that would not have existed 15 years ago.”

Financial investigations also changed.

In April 2002, the FBI shifted from viewing terrorist financing only as a component of a broader terrorism-related investigation by establishing the Terrorist Financing Operations Section, or TFOS, which until 2019 led federal investigations into how terrorists and their supporters raise, transfer and use funds.

Enemies new and old

As political protests in Syria gave way to civil war in 2011, a new, more hardline and brutal force than al-Qaida emerged in the Middle East.

Fueled by tens of millions of dollars from illicit sales of oil and stolen cultural artifacts, extortion and other revenue streams, the Islamic State group by 2014 had seized large swathes of Syrian territory and nearly half of Iraq.

Its conquests would have dangerous, deadly repercussions throughout the Middle East, as well as in Europe and the U.S., even after it lost the bulk of its territory in the three years that followed.

American attempts to choke off funds to the Islamic State group over the past 10 years have focused on blacklisting its leaders, penalizing entities and individuals who helped the organization reap and move profits from oil sales and kidnappings, and identifying corrupted bankers in Iraq and Syria.

Proving that the enemy of your enemy is not necessarily your friend, U.S. lawmakers passed the Hezbollah International Financing Prevention Act in 2016, thus expanding the risk of secondary sanctions and expulsion from the U.S. financial system to any bank caught knowingly processing significant transactions for parties associated with the Lebanese political and military organization.

Similar to the Islamic State group, Hezbollah, which has battled the Sunni organization and its rival, al-Qaida, in neighboring Syria, relies in part on the territories it controls in Lebanon to raise funds through “taxes.”

“As a result, they cannot completely go out of the formal financial system and need a central node to control their financial flows,” said Hans-Jakob Schindler, senior director with the Counter Extremism Project in Berlin and New York City. “That hasn’t really changed since 9/11.”

Cybersecurity began to overlap with AML, CFT and sanctions-related obligations more and more in 2014, following cyberattacks by North Korea-supported hackers against Sony Pictures and other targets and the apparently related online theft of $81 million from Bangladesh Bank in 2016.

Election interference by Russia in 2016 and the deployment of increasingly sophisticated, increasingly available malware over the past decade also turned eyes towards the digital threat.

“I’m afraid it might not be long before we see something akin to cyberterrorism,” Gilles de Kerchove, the EU’s counterterrorism coordinator, told representatives of the bloc’s 27 nations in July. “So far, terrorist organizations are not using cyber to take control of an air traffic control system, derail trains or open a dam, but I think it may happen before five years.”

Separately, nearly 15 years of efforts to curtail the use of legal entities in financial crimes and expand anti-money laundering and counterterrorist financing obligations to a broader range of businesses culminated in December 2020 with the passage of the AML Act, which directs the U.S. Treasury Department to revise its landmark customer due-diligence rule and build a database of beneficial owners.

U.S. lawmakers also directed the department’s Financial Crimes Enforcement Network to share law-enforcement feedback on suspicious activity reports, or SARs, with financial institutions, as part of the legislation.

Other FinCEN initiatives over the past decade, including plans to extend declaration requirements to prepaid cards at U.S. border crossings and other ports of entry, never reached orbit.

Maarten Rijssenbeek, former national prosecutor for terrorist financing in the Netherlands, told ACAMS that global sanctions forced al-Qaida, the Islamic State group and similarly minded terrorist organizations to turn away from centralized control to a “franchise model.”

Terrorists in Europe have carried out attacks under the banner of the Islamic State and other blacklisted organizations, but in reality attacked only as smaller cells or as lone actors with little budget and no direct relationship to those groups, said Rijssenbeek, now a partner with Deloitte’s forensic and financial crime practice in Amsterdam.

“It’s a combination of factors that has really changed the dynamics of the threat,” he said. “Because of that, investigators and financial institutions have found it extremely difficult to find the needle in the haystack, and increasingly looked to each other for greater cooperation.”

Some question whether the private sector’s focus and expenditures on terrorist financing in and of itself, and independent of government, has been worthwhile.

“A lot of recent terrorist attacks have been lone wolves, like in San Bernardino, or a small cell like in the Paris attacks,” said Jim Richards, founder and principal of RegTech Consulting in California. “I don’t know how a bank is supposed to monitor for that … so it’s really more about law enforcement providing you with targets, which is what the government did well after 9/11.”

Recent years have seen an apparent decline in counterterrorist financing efforts: U.S. banks, by far the largest suppliers of financial intelligence to the federal government, filed 50 percent fewer terrorism-related SARs in 2020 than they did in 2016.

The FBI closed its independent terrorist-financing section, TFOS, in early 2019, an act that many viewed as a shift in the bureau’s focus towards cybercrime and other threats.


Andy McDonald, who headed counterterrorism investigations at the U.K. National Terrorist Financial Investigation Unit, or NTFIU, from 2014 to 2017, told that the November 2015 terror attacks in Paris prompted U.K. officials to “formalize a rapid response capability” within the Joint Money Laundering Intelligence Task Force, or JMLIT.

JMLIT was established nine months earlier as a channel for major banks and investigators to exchange data on high-end money laundering and other financial crimes. A new, 24-hour “on-call” forum would allow counterterrorism investigators and compliance officers to share information on suspected terrorists in the event of an attack on British soil.

“Previously in case of a terrorist incident we might have got a fairly rapid response through less formal networks, typically from the big financial institutions,” said McDonald, now an independent consultant in London. “But after Paris we asked ourselves, ‘What if that happened in London? What could be done to get more information shared really quickly?'”

Two years later, Khalid Masood drove a car into pedestrians on Westminster Bridge near the Houses of Parliament in London, killing four people and injuring 50, before fatally stabbing an unarmed officer before he was shot dead by police.

Following the attack, several U.K. financial institutions contacted the NTFIU to offer assistance and allowed counterterrorism investigators to rapidly obtain a full picture of the suspect’s movements in the hours and days leading up to the attack, the Financial Action Task Force, or FATF, noted after a mutual evaluation of the United Kingdom in 2018.

Three months later, three terrorists drove a van into pedestrians on London Bridge, then exited the vehicle and ran to nearby Borough Market, where they fatally stabbed eight people and injured several others before being killed by police.

The case came to JMLIT within 12 hours of the attack, and several financial institutions subsequently identified payments linked to the hire of the van and established detailed spending patterns of the suspects.

FATF noted after the 2018 evaluation that the assistance proved “crucial in allowing investigators to conclude that the attack involved only three attackers with no broader network.”

“We’re in a better place than five years ago because we have more organizations from public and private sectors that are better enabled to securely share intelligence,” McDonald said. “But the threats haven’t gone away and are complicated. You’re not routinely dealing with organized, predictable groups, be it radical Islamists or right wing extremists.”

Stephen Reimer, a research fellow at the Royal United Services Institute, told that the fundraising methods used by Islamist terrorists who carried out attacks in Europe over the past decade stayed “quite consistent” and broadly fell into two categories: “seemingly licit” forms of income and petty crime.

Terrorists have raised money through small loans, government benefits, collecting peer-to-peer donations and selling their personal belongings. Others have peddled illicit drugs or counterfeit goods, then funneled the profits to small terrorist cells or individual terrorists to fund an attack.

“The reality is that the threat in Europe has shifted away from direct involvement [by terrorist groups] to autonomous activity, but the tools and CFT [combating the financing of terrorism] responses haven’t,” Reimer said. “There is a need to recalibrate the CFT regime to meet the new threat.”

Both individual nations in Europe and the EU as a whole have sought to identify terrorist financing methods as they emerged and tighten their controls in response, Reimer said.

The EU, for example, significantly lowered the maximum threshold to which individuals can load prepaid cards anonymously after learning that the perpetrators of the November 2015 shootings in Paris used them to pay for cars and apartments in the 48 hours preceding the attacks.

No European nation has suffered more from recent acts of terrorism than France. From January 2015 to December 2018, the country has dealt with no less than 13 terrorist attacks that left 251 dead and 1,131 injured combined.

France extended stricter vetting requirements to the cryptocurrency industry after national authorities arrested dozens of individuals in October 2020 who allegedly funneled hundreds of thousands of euros in bitcoins and cryptocurrency “coupons” to the Islamic State group and Hayat Tahrir Al-Sham, al-Qaida’s affiliate in Syria.

Several European law enforcement agencies have provided the private sector with red flags of terrorism-related “microphenomena,” including last-minute purchases of airline tickets to Turkey by foreign fighters traveling to Syria, but have not managed to do the same for lone wolf suspects, Reimer said.

Six months before the attacks in Paris, German authorities extended their ban on Hezbollah’s military component to cover the organization’s political function as well, eliminating what U.S. Ambassador Richard Grennell had previously labeled an “artificial distinction” that allowed the group to openly raise funds in Europe’s largest country and economy.

Germany’s campaign against terrorist financing and financial crime in general have improved, albeit slowly and with significant loopholes still intact, said Schindler, who previously investigated terrorism on behalf of Germany’s federal government.

“German law still allows for a certain legal business structure, the GBR, which can be created very quickly and does not require public disclosure of any information concerning beneficial owners or financial data,” he told “It is not a coincidence that almost all violent far-right organizations in Germany use this type of structure for their financial activities.”

But the perceived threat of Islamist terrorism has dwindled in Europe as other national security concerns, including extremist right-wing violence and hostile state activity in the form of cyberattacks, have risen to the top of the agenda in European capitals alongside election interference from abroad.

Election interference, illicit use of cryptocurrency and the alleged intersection between the two crimes have also drawn notice in the United States, where in July 2018 a team of federal prosecutors led by Special Counsel Robert Mueller accused 12 Russian intelligence agents of using bitcoins to buy computer servers, domain names and other IT infrastructure to influence the 2016 U.S. presidential elections.

Next steps

Over the next decade, the U.S. and EU will continue seeking to enhance interagency and international cooperation in combating the financing of terrorism, identifying and freezing terrorism-related assets and denying blacklisted groups access to new funding sources.

The rapid expansion of disruptive finance and the financial technology-centric companies, or fintechs, that have grown rapidly amid the phenomenon has thrown a gauntlet in front of financial institutions and governments alike.

In the waning days of 2020, FinCEN proposed requiring banks, exchanges and other money services businesses to flag individual and related cryptocurrency payments of at least $10,000 in value in a single day to or from unhosted digital wallets, or to and from any wallet in Burma, Iran or North Korea.

The intractable problem of terrorism and illicit finance associated with Afghanistan, including financial crimes associated with the country’s robust opium industry, shows no signs of abating.

“One area that is going to be interesting going forward is CFT tools, and sanctions in particular, being deployed against organizations like the Taliban that are either part of a government or coming into control of one,” said Katherine Bauer, a former senior policy advisor in Treasury’s Office of Terrorist Financing and Financial Crimes. “Typically, humanitarian exemptions don’t apply under counterterrorism designations, so how do you navigate that?”

Despite U.S. President Joe Biden’s position that the U.S. military will maintain an “over the horizon” capability to strike terrorists in Afghanistan, American and EU officials have warned that the loss of the nation—and the re-ascension of the Taliban to the halls of power—increases the likelihood that terrorists will expand their foothold in the region.

Such an outcome makes large-scale attacks against the West more possible, if not probable, even as terrorist financing has seemingly fallen behind online theft, cybersecurity, COVID-19-related fraud schemes, complex money-laundering operations and other financial crimes as a priority.

“Unfortunately, yes, each large-scale attack has speeded up reforms that were already necessary,” said Dan Benisty, head of AML and CFT compliance for Western Union’s operations in northern Europe. “Any reform of the rules provokes endless debates and blockages, but it only takes one catastrophe to unblock it, and then the partisan divisions fade away very quickly.”

Topics : Anti-money laundering , Counterterrorist Financing , Sanctions
Source: U.S.: Department of Justice , U.S.: Department of Treasury , European Union
Document Date: September 10, 2021