We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Financial surveillance

00:00

Formal Metadata

Title
Financial surveillance
Subtitle
Exposing the global banking watchlist
Title of Series
Number of Parts
167
Author
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Faced with new responsibilities to prevent terrorism and money laundering, banks have built a huge surveillance infrastructure sweeping up millions of innocent people. Investigative journalists Jasmin Klofta and Tom Wills explain how, as part of an international collaboration, they exposed World-Check, the privately-run watchlist at the heart of the system.
Keywords
7
Thumbnail
30:34
12
Thumbnail
55:26
43
61
Thumbnail
1:05:55
78
Thumbnail
1:01:42
83
92
Thumbnail
33:27
110
Thumbnail
31:25
141
Thumbnail
31:11
147
Thumbnail
31:30
Multiplication signLagrange-MethodeElectronic mailing listPhysical systemMassMereologyAdaptive behaviorData miningRoundness (object)Multiplication signWordSocial classSelf-organizationForcing (mathematics)Observational studyCollaborationismPosition operatorArithmetic meanSet (mathematics)SoftwareBroadcasting (networking)DatabaseLeakDemo (music)Computer animationUML
LoginVector potentialThermoelectric effectDatabase transactionBit rateCartesian coordinate systemElectronic mailing listSelf-organizationPhysical systemJSONUMLComputer animation
Source codeProduct (business)Thermoelectric effectDreizehnIntegral domainDatabasePersonal digital assistantPosition operatorIdentifiabilityLocal ringElectronic mailing listDatabasePhysical lawWordSource codeRegulator geneMultilaterationOnline helpSlide rulePublic domainInformationAuthorizationProcess (computing)Profil (magazine)PressureOrder (biology)Domain nameTotal S.A.Multiplication signBitRootXMLComputer animation
DatabaseThermoelectric effectPersonal digital assistantIntegral domainGroup actionState of matterEnterprise architectureMathematical analysisFocus (optics)Client (computing)Maß <Mathematik>File formatSoftware maintenanceAssociative propertyDependent and independent variablesWorkloadProfil (magazine)Multiplication signPersonal digital assistantSource codePhysical lawProcess (computing)Electronic mailing listDatabaseService (economics)Content (media)InformationXMLComputer animation
Power (physics)SpacetimeEntire functionState of matterOrder (biology)MereologyDatabaseClient (computing)Physical systemDecision theoryCategory of beingComputer animation
LeakAbelian categoryDatabaseCategory of beingVotingWindows RegistryInformationThermoelectric effectRevision controlMereologyWeb pagePauli exclusion principleSource codePosition operatorMUDStatisticsComa BerenicesCone penetration testIEC-BusMathematical analysisNumberLeakInformation securityPasswordInternetworkingInstance (computer science)DatabaseRule of inferenceType theoryPosition operatorCollaborationismPauli exclusion principleSlide ruleTheory of relativityMereologyDifferent (Kate Ryan album)Term (mathematics)Multiplication signLevel (video gaming)Content (media)FamilySource codeAuthorizationNumberPhysical systemMathematical analysisElectronic mailing listRevision controlInformationField (computer science)BitComputer programmingKey (cryptography)Traffic reportingLink (knot theory)AliasingGreen's functionParsingComputer fileCategory of beingProfil (magazine)IntranetLine (geometry)Decision theoryWordResultantService (economics)Order (biology)Row (database)10 (number)Table (information)Office suiteArithmetic meanCASE <Informatik>Right anglePresentation of a groupState of matterSelf-organizationSpacetimeUniform resource locatorSurfaceComputer animationMeeting/Interview
Multiplication signConnected spaceLocal ringRow (database)Self-organizationPower (physics)Position operatorCategory of being
Generic programmingDigital photographyNeighbourhood (graph theory)Product (business)Source codeProcess (computing)Time domainLocal GroupState of matterVideoconferencingDisk read-and-write headControl flowWebsiteView (database)Local ringNumberForm (programming)Source codeElectronic mailing listThread (computing)Link (knot theory)Multiplication signRule of inferenceBasis <Mathematik>Traffic reportingState of matterElectronic GovernmentInformationWordCivil engineeringBitSelf-organizationWeb pageGroup actionTheory of relativityOrder (biology)Service (economics)DatabaseWebsiteRow (database)Intrusion detection systemProfil (magazine)Fiber (mathematics)Internet forum1 (number)XMLComputer animation
WebsiteCorrelation and dependenceSource codeAbelian categoryInferenceNegative numberFormal verificationMultiplication signSource codeComputer fileInformationTraffic reportingMereologyElectronic mailing listBit rateWeightDatabaseState of matterProfil (magazine)HypermediaEvent horizonGroup actionComputer animation
Group actionProcedural programmingState of matterDisplacement MappingElement (mathematics)Office suiteMultiplication signWordMeeting/Interview
Electronic mailing listIncidence algebraMereologyInformationVideo gameCASE <Informatik>Similarity (geometry)DatabaseFlow separationInformation privacyWebsiteDependent and independent variablesDifferent (Kate Ryan album)Wave packetBitSource codeState of matterComputer animationMeeting/Interview
CASE <Informatik>Vector potentialService (economics)Standard deviationControl flowProcess (computing)Basis <Mathematik>Mathematical analysisSession Initiation ProtocolSheaf (mathematics)Functional (mathematics)MereologyRule of inferenceTime evolutionUniqueness quantificationDilution (equation)Address spaceSoftware maintenanceRegulator geneComputer programCASE <Informatik>Dependent and independent variablesMereologyDescriptive statisticsDatabasePhysical systemProcess (computing)Profil (magazine)Source codeHypermediaInformation privacyPoint (geometry)Group actionInformationInclusion mapRow (database)Content (media)EmailElectronic mailing listOptical disc driveMultiplication signPosition operatorProduct (business)BlogIntegrated development environmentDecision theoryPrice indexMetropolitan area networkRight anglePressurePhysical lawStatement (computer science)Sheaf (mathematics)Information technology consultingElectronic visual displayMilitary baseoutputGreatest elementWeb pageXMLSource codeComputer animation
MereologyRule of inferenceTime evolutionStandard deviationUniqueness quantificationAddress spaceRegulator geneSoftware maintenanceComputer programTerm (mathematics)Parameter (computer programming)Group actionContext awarenessLine (geometry)Information securityDifferent (Kate Ryan album)GirderPressureXMLUML
Physical systemSource codeInformationRight angleOpen sourceHeat transferFingerprintEmailAddress spaceElectronic mailing listRight angleProfil (magazine)Category of beingSource codeDatabaseInformationDependent and independent variablesComputer configurationSelf-organizationSelectivity (electronic)Physical systemMereology1 (number)3 (number)NumberMathematicsPoint (geometry)Multiplication signPresentation of a groupInternetworkingBitOpen sourceWebsiteProcess (computing)Sign (mathematics)Row (database)Physical lawDirection (geometry)Traffic reportingFlagSpacetimeSheaf (mathematics)Entire functionDisk read-and-write headRadiusQuicksortPrincipal idealCellular automatonState of matterComputer virusDegree (graph theory)Form (programming)Moment (mathematics)HypermediaWordCASE <Informatik>Student's t-testSoftware developerStatement (computer science)Computer animation
FingerprintEmailAddress spacePhysical systemSource codeInformationRight angleOpen sourceHeat transferMixed realityBlock (periodic table)Multiplication signElectronic mailing listLevel (video gaming)MereologyBounded variationNumberPhysical lawInformation privacyRegulator geneGame controllerWebsiteOpen setInformationTheory of relativityRight angleVector spaceDimensional analysisTrailTelecommunicationRange (statistics)LeakTerm (mathematics)Computer-assisted translationDirection (geometry)QuicksortCASE <Informatik>Confidence intervalMassDatabasePhysical systemSource codeView (database)Presentation of a groupLimit (category theory)Form (programming)Self-organizationDependent and independent variablesCategory of being1 (number)Decision theoryState of matterCovering spaceP (complexity)AdditionProfil (magazine)System callAuthorizationDisk read-and-write headSlide ruleDifferent (Kate Ryan album)Computer animation
Physical systemSource codeInformationRight angleOpen sourceHeat transferFingerprintAddress spaceEmailRow (database)Point (geometry)Right angleProcess (computing)Electronic mailing listState of matterCASE <Informatik>Disk read-and-write headNumberMechanism designRoundness (object)Physical systemProfil (magazine)InformationGame controllerSource codePerfect groupDatabaseGroup actionCondition numberGoodness of fitDependent and independent variablesSet (mathematics)Procedural programmingClient (computing)PressureSimilarity (geometry)Multiplication signMereologyInternetworkingChecklist2 (number)Mögliche-Welten-SemantikDecision theoryInstance (computer science)Slide ruleOffice suiteLogicTraffic reportingEndliche ModelltheorieSolomon (pianist)Denial-of-service attackComputer animation
MedianSound effectComputer animationJSONXMLUML
Transcript: English(auto-generated)
Welcome, everybody, to our next talk, financial surveillance, exposing the global banking
watch list. I think everybody in this room would agree that mass surveillance is a very bad idea, and that, of course, also goes for financial surveillance. And our next two speakers are two investigative journalists who have uncovered how this system of financial surveillance works, and I'm pretty sure that you are just as excited as me
to find out what they have found out, so please give them a warm round of applause. I think the headset doesn't work.
Audio? Well, you know, there's always a little thing that doesn't work, whatever it is. For the talk we just had before, there was a live demo. It was very well planned, still something went wrong.
I think everybody in the audience had a lot of empathy because nobody wants to be in that position, but I think we just fixed the problem. Is it fixed? Is it about to be fixed? I will try a little bit, yes. There we go. Round of applause. Now we go. We can start.
So, it's nice to see you all. So happy that so many people came. I want to introduce to you, this is Tom, he's a data journalist working on investigations at the Times of London, and he specialises in a set of techniques such as data mining, which can reveal wrongdoing and lead to stories that benefit the public.
And this is Yasmin. She's an investigative journalist working in Hamburg for Panorama at the broadcaster NDR, which is part of the ARD network, and she focuses on politics, the digital economy, and surveillance. We're going to tell you tonight about the findings of an investigation we conducted this year as part of an international collaboration, and our colleagues were Evelyn, Stefania,
Lars, and Cora. And Yasmin? Yes. And together we investigated the leaked database and published in June this year our stories in the UK, in Germany, in the US, Netherlands, Belgium, and Italy.
So what was our story? We investigated that innocent people around the world have been wrongly added to a watch list of terrorists and criminals. This watch list of high-risk people and organisation is compiled by Thomson Reuters, a British firm, and sold to almost all the world's major banks, as well as police forces,
intelligence agencies, and non-government organisation. It's called WorldCheck. And the leak gave us the opportunity to review the entire database for the first time.
So what exactly is WorldCheck? Well, if you want to open a bank account, we know that the bank might check your credit rating to see if you are a reliable borrower, but how does the bank know if you're a criminal or a terrorist or a potential money launderer? One of the checks that most banks will do is run your name against the WorldCheck watch list, and they might log in here.
If your bank finds your name on the list, they might refuse your application, or they might subject your financial transactions to extra scrutiny, or if you're an existing customer, they might even close your account. So Thomson Reuters says about the list that it is to find hidden risk.
The list is of heightened risk people and organisations such as terrorists, fraudsters, or senior public officials who might try to use the account to handle corrupt funds. So they want to be kind of an early warning system for hidden risk.
And banks are even forced to use these kinds of lists by regulation. They have to take steps to comply with sanctions and international and domestic law against money laundering and terror financing. And of course, we all want less terrorism and of course we want less money laundering, that's clear.
And to put it in WorldCheck's words, it's to help identify relationships or risk by providing highly structured intelligence profiles and heightening risk individuals and entities globally. But since 9-11, governments have to put more and more pressure on banks to identify terrorists
and money launderers among their customers. So Thomson Reuters's advertisers even WorldCheck with warnings about recent fines and settlements against banks for violating sanctions. Maybe you know this one story, HSBC had a historic $1.9 billion payment to US authorities
to settle a money laundering allegation in 2012 and that's one of the most famous examples that the banks of course fear very much. So if you look for information, how the information is collected, Thomson Reuters says
it compiles the list using hundreds of thousands of reputable sources in the public domain. You've got to remember that slide and especially the word reputable sources because we will come back to that a little bit later. So how do they collect this information?
Well, Thomson Reuters's researchers look into public sources ranging from EU sanction lists to local newspapers in order to find names to add to the database. In total, Thomson Reuters says that WorldCheck contains profiles on over 2 million entities and that it's adding 20,000 profiles a month and updating 40,000.
So the list is growing all the time. Now, this is a job advert for a position as a WorldCheck researcher in Washington DC and it states that among the many responsibilities, you need to write more than 220 highly structured
and sourced biographical intelligence profiles every month. I think it's really nice of them to be so upfront about the workload and that's about one hour per profile if you're working full time. So it must be quite a challenge if you are the assistant research associate to maintain accuracy and quality under that kind of workload.
So not many people had heard of this list until recently but it's one of the biggest of its kind. According to a WorldCheck data sheet, the service is used by over 300 intelligence and government agencies, 9 out of world top 10 law firms and 49 of the world's 50 largest banks.
So overall, more than 6,000 customers from 170 countries are reportedly on the customer list. So the content of the list is secret because Thomson Reuters doesn't tell people when it adds them to the list and banks are forbidden from passing on the information.
Access is only granted after a vetting process. So the user has to sign a non-disclosure agreement and also using the database is quite expensive. A year's access can cost up to 1 million euro.
So in recent years, there have been some excellent investigations by other journalists who've highlighted some possible issues with WorldCheck. So the BBC had been investigating why HSBC closed the account of Finsbury Park mosque in London without any explanation and the BBC researchers found that the mosque had been listed in WorldCheck
in the terrorism category. So that may have been part of the bank's decision. And advice news was also able to view some of the entries in WorldCheck through a client of Thomson Reuters and they discovered more examples of questionable entries. So we knew that there was something potentially going on with this database
but it mostly remained confidential and nobody had been able to view the entire database in order to find out whether there were wider issues with the system. But then there was a leak. In summer 2016, this security researcher, Chris Vickery, was doing what he very much likes to do.
He was scanning the internet for CouchDB instances exposed to the world without any username or password. Well, you can imagine what comes next. So he would contact the owners to encourage them to secure their data
but he found something really interesting and that was the copy of the WorldCheck database from 2014. And with him finding it, the question came up in his head. He asked, I have a terrorism blacklist. I have a copy, should it be shared?
Chris posted on Reddit to say that he was facing a dilemma about whether to release the entire database or not. Because on the one hand, the database was apparently compiled from public sources so what's the problem with publishing public sources? And the WorldCheck is a system that is used to make decisions about people's lives and secrets
so maybe transparency would be in their interest. But on the other hand, it contained personal data relating to millions of people who might suffer harm if the information was disclosed. So since it is not so easy to ask the two million people
if he's allowed to publish it, he was asking himself, so what now to do? And thanks to the previous work of the BBC and Vice, we as journalists had reason to believe it would be in the public interest to review this data. So we made contact with Chris and before viewing the leaked data,
we considered of course the ethical, legal and security implications. So we had a chance to fully reveal how the system works for the first time and this is what the file looked like. So we agreed with Chris that we would use the data
to do responsible journalism but not to publish the data itself. So we can't show you the full database in this presentation. When we received the data, it was a 4GB JSON line delimited file with no documentation. So the first thing I had to do was write a parser in Python.
Well, I decided to flatten this JSON file into a CSV file and then we had a 4GB CSV file and I loaded that into Postgres in order that we could do some analysis of the contents of this database. So this is an abridged version of the field list showing you the really key pieces of data on each of these profiles.
So we've got an ID, we've got an entity type, so that was, is this a person or an organisation? For people, there were first names, surnames, aliases. Position would be, if you're a politician, this would say what your position is in the government.
Categories were really interesting because these might be that you're a politician, as mentioned, or it might be that you're in the terrorism category or the financial crime category. We've got dates of birth and countries and nationalities. Obviously, those are really important so that banks can identify the customers correctly.
Information text was possibly the most interesting part of the data. And then we had various links to other profiles. The source URLs, which turned out to be really crucial, and the dates on which the records have been created and updated. So some of these fields were self-explanatory,
but we really needed to see what this database looked like to the end user to understand how this information would be interpreted. So like any good investigative journalist, we of course turned to Google. And after a bit of experimentation, we discovered the magic words, searching for quotes,
you are strictly prohibited from disclosing or copying the content of this service. And sure enough, we find some examples of profiles from WorldCheck, which people may or may not realise are on the internet and accessible through Google.
Some of these are from the Panama Papers, so obviously the person who put that one there knew what they were doing. The first example in this result is interesting, though, because we have the word intranet in the URL, and we should perhaps tell this company that their intranet is not an intranet. Maybe they found out by themselves.
They know now, hopefully. So this example is actually from a magazine in Brazil, which published a WorldCheck profile that they obtained as part of an investigation. So this was really useful because we could see exactly what the data looked like to the end user. And this profile belongs to Eduardo da Cunha,
who was the former leader of the Brazilian Chamber of Deputies, and as I say, it was published by the magazine. So we can see here the category that he's been assigned. In this case, he's a political individual, and he's a PEP. PEP stands for Politically Exposed Person, and this is a term in anti-money laundering legislation
that means this person is in senior public office, and they are potentially in a position to take bribes and launder corrupt funds. It doesn't mean necessarily that they've done anything wrong, but the money laundering rules say that banks have to scrutinise these people very carefully. So if you are a politician, you might be called up by your bank,
and they would say, we need to interview you about your sources of income in order to establish what the legitimate level of income is, and if you exceed that level, you'll be reported to the authorities. The definition of PEP also includes the immediate family of the public officials, and we'll see that on the next slide.
So when we scroll down, after the age and date of birth, we've got these links to other profiles. So these are the Brazilian politicians, immediate family members who have their own profiles, and then further down, we've got the reports.
So in this case, this politician was actually accused of doing something wrong. It wasn't just that they're a politically exposed person. There's a report of an allegation of corruption there, and since this profile was published, it's turned out that he was convicted of corruption. So this is an example of a profile of somebody who turned out to be guilty.
So now that we understood what a profile looked like, we started to analyse the scope of the database. So this table shows for each country how many people were profiled in WorldCheck as it stood in 2014, which was the date of the copy of the database that Chris Vickery found online.
So we're showing here for each country with at least 5,000 entries, the number of non-PEPs, so that could be people in the terrorism or the crime category, or it could be various other things, the number of PEPs, so we would expect them to be senior public officials,
but it's interesting that there are a lot of countries where there are tens of thousands of PEPs, and so that suggests that perhaps they've cast the net quite wide there, and we're also giving numbers of relatives of PEPs. So we spent a lot of time browsing the data for our countries and querying the database to understand
the different types of people who'd been included. And then everyone in our collaboration started finding people who really didn't belong on the list, and we started to ask, how did these innocent people end up on this watch list? So we were, for example, really surprised to find green piece,
16 green piece activists on the list who were arrested for peacefully protesting the Star Wars missile defense program in 2001, and they were listed under the general category crime. And that was a bit weird, because they did plead guilty to criminal trespass
but never served time for this minor charge, but 12 years later, they would be still on that list. So this is another example, this time from the UK, from a town called Chelmsford in the south of England, and this woman is Jackie Arnott,
and she was listed in the politically exposed persons category, along with a record of all her civic activities. So here she is at work volunteering for an organization called Harvest for the Homeless. This is a local campaign in Chelmsford that was collecting food for people in need.
Jackie Arnott is not a senior public official, as you might expect a politically exposed person to be. In fact, her only connection to power seemed to be that her husband, Alan, had been the mayor of Chelmsford, which is a ceremonial position.
And now to a different town in the south of England. This is Leafy, Kingston-upon-Thames. This is a view of the town hall. It's all very genteel, and this is one of Kingston's local politicians, Yogan Yoganathan. You can see the letters MBE, member of the British Empire after his name.
He was given an honor by the Queen for his services to local government and community relations in Kingston-upon-Thames. And among his activities, he was a peace campaigner. He campaigned for peace in Sri Lanka, and that led to him being listed in WorldCheck and being linked to,
allegedly, the Tamil Tiger terrorist organization, which is an extremely serious and very upsetting claim to have made about you, not least if you're a peace campaigner. And the WorldCheck database gave the source for this allegation as a Sri Lankan government website, which in 2007, at the height of the civil war in Sri Lanka,
had said, these guys in London organizing peace protests about Sri Lanka, they're all Tamil Tiger terrorists. And that allegation had made its way into the WorldCheck database. And Mr. Yoganathan said that he was very hurt by this allegation, and this was completely untrue
and completely without any other basis, in fact. So remember when we said you should remember this slide because of the beautiful words, reputable sources. If you read a little bit further, Thomson Reuters says, researchers are bound to comply with strict research criteria
and must remain objective at all time. Well, that seems that the research team was a little bit flexible on these rules. The reason why innocent people showed up on the list were very often the problem of these reputable sources
and handling them. So now we would like to show you some of the sources and we put together a little ranking for you. You might all know that one. Yeah, Wikipedia. We thought we give number five to Wikipedia.
In thousands of profiles, WorldCheck uses Wikipedia as a source. Well, here you still might think, okay, it's only for general information, so maybe it's fine. What about the next one? Well, at number four we have conspiracy sites. This one is called cyberclass.net,
and it has all the educational resources you might need on alternative accounts of the 9-11 attacks. WorldCheck researchers also cited it in a profile of a British businessman, which of course was used by the banks. Number three, also really interesting, we found state-run sites,
or state-run propaganda, you must say, also used as sources. For example, China Daily. It's the biggest newspaper in China and state-owned, and even though it's not an official organ of the Chinese Communist Party, it's considered to be a quasi-party newspaper.
So because of this commentary that you see on the right side, it's saying that there's a terrorist group, the Tibetan Youth Congress, the prominent diaspora organization, is listed as a terrorist group on WorldCheck. And what we found, pretty, I don't know how to say it,
the research team used this article as the only source for this profile recording the Chinese government's accusations. So at number two we have a website that unfortunately you might have heard of. Hundreds of listings referenced reports on Breitbart,
and at the time, Breitbart was selectively reporting on what it called black crime, and there was a whole tag page for what they called black crime, and there were hundreds of listings that referred to reports that had been carried on Breitbart. But number one. Our number one.
We have Stormfront, which if you haven't heard of it, it's a forum for white supremacists. It was founded in 1995 by a former Ku Klux Klan member, and there were several listings that referred to Stormfront, among them listings for two black British people containing links to a discussion thread on the forum.
So the problem really is that WorldCheck uses all the sources that they can find, which is fine, but it seems that they don't differ between a new site, a propaganda site, extremist sites, whatever site, and all the sources and information that they collect
but they don't weight it or rate it or assess the information. So for example, if a state attorney accuses a person or if a competitor blackens somebody in a media report, the information gets into the WorldCheck database without any filtering, and there is no final verification of this
or any accusation. So WorldCheck found an interesting way to deal with this problem of unreliable sources or potentially unreliable sources. In the profiles, they've added this general legal notice. And here they mention that everyone who views this database
should carry out independent checks to verify the information. And they later added a further disclaimer saying, if this profile contains negative allegations, it should be assumed that such allegations are denied. So this is an interesting legal concept
that you can carry these extremely damaging accusations that people are linked to terrorist groups, but of course you can tell your customers to assume that the allegations are denied and to check the information out themselves. We found many people on lists that had encountered difficulties with their banks,
and that raises the question of whether some banks and users of the list were able to heed this warning and launch their own investigations after seeing adverse claims in WorldCheck. In fact, somebody I spoke to as part of my research who works for a bank said that they were under such pressure that if they found an adverse listing in WorldCheck,
it would be extremely difficult for them to disprove it, you know, given the time that it was available. So this is one issue. But besides the problems with the sources and the lack of verification of the information,
there is another reason why innocent people have ended up in this watch list. Our research showed that the database carries entries for people who are merely accused or investigated over possible crimes without being charged or convicted. Reports of minor convictions are kept on file for years after the event, as we saw with Greenpeace,
and sometimes people had been cleared of their charges, but their entries hadn't been updated to reflect that information. So innocent people just kept being guilty in the world of the database. For example, like him. So please meet the terrorist, Andre Holm, or at least that's what WorldCheck suggested
for a couple of years. Holm, maybe some of you know him, is a very well-known sociologist, and later he was a short time, in German, it's Baustadze Greteer, maybe in English it's something like housing secretary in the Berlin state government. And he was targeted by the federal prosecutor's office
10 years ago. The suspicion was membership in a terrorist group. So he was arrested at the end of July 2007 and detained for three weeks. So Holm had obviously been investigated because he had been critical of the displacement of poorer people in cities, and he wrote it in a very similar way,
or so similar words, to a left-wing extremist group active at that time. But in the end, the suspicion that he could be a member himself proved totally unfounded. And in 2010, all procedures against Holm were discontinued.
So he was even compensated for his imprisonment. So in the end, for the state and justice, Holm was innocent. But when Holm wanted to become a customer at Norris Bank two years later in 2012, the institute refused to open its bank account.
And that even without any explanation. And that was when Holm still did not know that he was on the watch list of world check. When we told him and we talked to him, he said, I have a bad feeling when my life is recorded there
without me being aware of it or having any influence on it. So even years later, such an entry can permanently make life significantly more difficult. But apparently there are institutions that rely on world check or similar databases. When we talked to the Norris Bank,
they said that the nameless screening, that's what it's called, was an essential part of fulfilling the legal requirements for combating financial criminality. It's about preventing money laundering, they said. And the due diligence check would use many different databases as data sources.
And I found it a little bit funny that they wouldn't talk about at all about the case from Mr. Holm, and they said they cannot give any information because of data protection reasons. So we saw in the marketing brochure
that Thomson Reuters say that 49 of 50 of the world's biggest banks use world check. So we had a pretty strong idea that most of the big name banks would be using it. But for my UK audience, I wanted to confirm that the high street names that my readers would be familiar with had used this database.
So I had information that the cooperative bank, among several other big names, had used world check. And I asked them to confirm that that was the case. And this is what they said. I can confirm that the cooperative bank doesn't use and has not used world check. Well, this was an interesting response.
I went back to Google, and I did a site search on LinkedIn for world check and the cooperative bank. And this is what I found. This is Michael. He is a, well, he says he is a high risk case analyst at the cooperative bank.
And his previous position in 2015, he was an anti-money laundering analyst. And this gives a description of his responsibilities. And at the bottom there, you can see that that included exiting customers where necessary if they were found outside the bank's risk appetite, which is a euphemism for he can close your account
if you're too risky. So this was quite obviously a considerable responsibility. And then further down in the job description, he says that he used systems including world check to make these decisions. So I went back to the cooperative bank press spokesperson
and sent them an attachment to see what they had to say about this. And the reply came, I can confirm that we do not use world check and that any access to that database that the bank had was in excess of five years ago. So they admitted that they had used the database, but they're now saying that they don't use it anymore.
And I think this is an indication of exactly how much secrecy there is on the part of the banks and resistance to any kind of accountability. They're questioned by a journalist from a national newspaper. They give completely inaccurate information about whether they had used this system
and only admitted it when they were confronted with evidence to the contrary. And if you're a cooperative bank customer, you really ought to have a right to know what is being done with your data and how decisions about you are being made. This is all enshrined in data protection law, and this seems to be at odds with all of those principles.
So we put all of the findings from the different countries to Thomson Reuters, and they didn't really come back to us on any of the specific cases, but they gave us a statement. One of the things they said was that individuals can contact us
if they believe any of the information held is inaccurate, and we would urge them to do so. This is quite tricky if your bank is not allowed to tell you why your account has been closed. The bank is certainly not allowed to show you your listing and world check. We have to admit that you can submit
a subject access request to Thomson Reuters if you have a hunch that you might be on the list, and then you can find out, and then obviously you could challenge your information, but whether that would be acted upon is another question. Thomson Reuters said they provide identifying information such as dates of birth,
and this will be verified with reputable and official sources. On some of the unreliable sources, they said if blog content appears, it is only as a supporting source for that secondary information and is clearly identified as such. We don't know if they've made improvements to the database since 2014,
so it may be that things are different from the snapshot we saw, but that's what they said. And then they said in conclusion, it's important to point out that inclusion in world check does not imply guilt of any crime, and every record states if this profile contains negative allegations, it should be assumed that such allegations are denied.
The accuracy of the information found in the underlying media sources should be verified with the profile subject before any action is taken. And one final point they made is that there are competing databases to world check, so LexisNexis and Dow Jones also produce watch lists, and we don't know if there are similar problems
with those lists. So why has this happened? We mentioned that banks are under huge pressure from governments to weed out terrorists and money launderers among their customer bases, and what's the environment in which this has come about?
We don't have a full answer to this question, but I want to show you one email that gives a sense of the atmosphere and the paranoia that has led to the current regime. So this email is from a man who says he's the world check's general counsel. It was sent in 2002 to a US Treasury consultation,
and so this is a public document. And he declares his interests. He says he works for a company that sells a product to help financial institutions conduct money laundering checks. And obviously this is a short time after 9-11, and he argues that under the Patriot Act,
financial institutions must be proactive about tackling money laundering. He exerts considerable moral pressure, even going so far as to suggest that the banks were helping the terrorists by their lack of action. So he writes, the US is in a war on terror, and the front lines of the war are at the doorsteps of every US financial institution. US financial institutions are inadvertently
aiding and abetting domestic terror against American citizens. So this is just one company's viewpoint. I'm sure the US Treasury took in lots of different viewpoints when they were forming this legislation, but I think this gives a nice sense of the kinds of arguments that were being made.
And if you want more on the wider context of this, there's a really good book called Speculative Security by Marica de Gerda, which goes into this in more detail. So can the system be improved or repaired? Again, we don't give an answer to this question, but some thoughts have occurred to us.
There could be better selection of sources used to compile this kind of list. Perhaps you would narrow it down a bit more to the official sanctions lists and people who are actually convicted of crimes, those kinds of categories of sources, maybe news reports in reputable outlets,
perhaps news reports that are confirmed by more than one outlet, that kind of thing. You could also indicate the quality of the information. So if you're going to insist on republishing the fact that the Sri Lankan government has accused a person of terrorism, maybe you would flag up that the Sri Lankan government
certainly at that time did not have a good record for a liability on who it was accusing of being terrorists. You could also give rights of reply to people. So on your credit history, you can go to a credit reference agency, see what is said about you, and reply to the criticisms of you that are made there. They could think about doing that.
There is an initiative to make an open source sanctions watch list at opensanctions.org, which of course brings lots of advantages and everyone can see what is said about them on the list. And I think there's also the wider question of whether we actually want banks to have this responsibility of predicting and foreseeing crime among their customers.
Do we want the private sector to do that job or do we want that responsibility to be squarely on the judicial system or on the criminal justice system? So with that, go on. No, go on. We'll be very happy to take your questions and these are our contact details.
So thank you very much for your attention. Thank you very much for this super interesting talk. I have good news for all of you. We have about 20 minutes time for Q&A,
so please pile up at the microphones if you have any questions, of which I'm sure there are many. We are going to start with one question from the internet. Considering the database is still online, has it undergone changes to conform to GDPR?
I don't think we have any information on that, sorry. All right, thanks. Let's start with another question from microphone number one. Thank you. He was the General Counsel for the World Check Company. At what point was it acquired by Thomson Reuters or was it already part of Thomson Reuters?
It wasn't at that point. It was some years later. An interesting point actually about his job title is that if you go on his LinkedIn page, he does have a law degree, this guy, but his job title at World Check in 2002 was not General Counsel, but Head of Business Development. I don't know if that's just a mistake
on his LinkedIn, maybe. Thanks, another question from microphone number three. Yeah, so I want to know if I make a request to access my data, will that put me on the list? And that's not my actual question. My actual question is where did they get the names from? Because essentially the analyst
that does 220 profiles a day, does he get to pick the names? Yes. So if you put a request to World Check, your name will not be on the list afterwards. So you can do it if you want. And this is how it works. The research team goes through the internet and looks for articles and picks out names and puts them in.
Okay, so they should pick people who don't go on Stormfront essentially to pick names. Because is that what's happening? Like they hire people and they go on Stormfront all day and randomly pick names? No, but seriously. I don't know if they do it like that, but somehow they came up with the source, yes.
Okay, thanks. Microphone number four. Hey, thank you for the talk. You've mentioned a few people that were on there, wrongfully, but what percentage are actually wrongfully on there of profiles that you've viewed? We don't have a percentage. I mean, we think it's a minority.
There are lots of people who did do bad things and get onto the list. But of course it undermines the credibility of the entire database when there are many, many examples that we were able to find, you know, without even, it's not like we read all two million profiles, so who knows? But yeah, obviously it's a very good question.
I think it's an excellent question, but I have to admit that we didn't review all the 2.2 million profiles. All right, mic number two, please. I'd like to thank you for your work on this really important subject. I myself ended up on that list and lost my bank for two years because of it.
With how essential banking is in the modern world, to get paid, to pay your bills, to do anything, what options do people who have had their banks or organizations like Finsbury Park, that have had their banks closed and are on these lists have, especially with their list being so ubiquitous
amongst all of the major banks? Well, Finsbury Park mosque went to court and they sued Thomson Reuters successfully. And after that Thomson Reuters changed the listing and admitted that they had been wrong to list them in the terrorism category. Obviously that's not an option that's available to everybody.
I think the first step is to request your data from Thomson Reuters to see exactly what's being said about you and then go from there. But it's very difficult. But for example, Mr. Hall, he didn't get an account at Norris Bank, but he ended up in another bank that didn't use WorldCheck
and that was the Berdina-Sparkhasse. That's why I have to do it. Really? All right, I think it's the internet's turn again to ask a question. Would you agree that the purpose of such a list is to protect not only the banks from rotten customers, but also the public from terrorism or other bad businesses that could harm us?
And if yes, isn't that sacrificing a few for the benefit of many? I think you shouldn't sacrifice a few for the many because it would be so easy to make it better. We saw that these sources were so obviously weird and wrong and so I think it wouldn't be necessary
if they would check the list a lot better. Mic number one, please. Hi, great presentation. Did you find any evidence of banks and such organisations
on disclosing information about their customers towards Thomson Reuters? I don't think we saw any sign of that. It does look like the stick to the public sources. There were various entries that had three-letter acronyms next to them, like CIA and various things,
but I think in all of those cases, it turned out that the CIA or whoever had said something publicly about that person, so it didn't seem that there was any covert cooperation between in either direction. Mic number three, please. Thank you for your work. Obviously it's disheartening to see such sites
as Stormfront and Breitbart being cited as sources. In your work, did you find how much of the data was supported by these so-called reputable sources, these extremist sites as the category? How many?
It depended on the site, so I think Breitbart was hundreds of entries. They were focused around a particular country, which it wasn't the US, it was another country, which suggested to us that potentially it had been a researcher who had a particular fondness for Breitbart who had decided to use that as a source.
So there seemed to be a lot of variation between different countries in the mix of sources that have been used. Mic number four, please. Hi, thanks. I work on cryptocurrency stuff, so I obviously have a longstanding interest in financial privacy and openness. So there was a really interesting,
although terribly written book, I would not recommend it, but it was written by someone who was at US Treasury and crafted kind of post-9-11 policy around sanctions. And one of the things he said in the book was immediately after 9-11, they were willing to put people on the sanctions list and block you from the entire international
financial system at a 80% surety level. So if they're about 80% confident that you are somehow related to terrorism, they would just kick you out. So I was wondering if, because I know a lot of the interest in preventing mass surveillance is all about making it more expensive so as to force people
to target it more specifically. I was wondering if you had any thoughts on kind of what direction people should be thinking about going in terms of forcing more targeting of these kinds of preventing people from international financial access instead of allowing it to be so broad and controlled by so few.
Use cash? These were already so good thoughts. I mean, I think we should ask our governments for accountability on this kind of surveillance
as we would with communications surveillance or any other kind of surveillance. And I think we've only just looked at one part of this system. We've looked at this one watch list. But this is part of a whole range of stuff that's going on. So I think we should continue to look at financial surveillance alongside
other forms of surveillance. All right, mic number two, please. Thank you very much for your talk. I have a question concerning the Financial Action Task Force, which is an intergovernmental organization compromising both European Union countries and GCC. Have you confronted them with the work that Thompson and the banks are doing?
I didn't. We haven't been to them directly. But one of the really useful things that we picked up from the Financial Action Task Force is that their definition of politically exposed person talks about senior public officials. And this database seems to go way further than that.
So there seems to be an interesting discussion going on about where the limits of this kind of surveillance should be drawn. And you might take the view that heads of state, there's not really any problem with surveilling their financial activity. But when you start to cast the net wider,
then this kind of thing seems to have more worrying implications. Internet, if you got a question, fire away. It looks like Thompson's writers basically says, you can't disclose the information you find in our system because we have the copyright on it. So are there any jurisdictions that have a law
that would require banks to report what information was used to determine that someone was considered a risk? No, there's no law that the banks has to say it. But as Tom mentioned before, the people that think that they are on a list, they can confront world check with us. And I think in some jurisdictions,
there are exemptions from subject access request rights for anti-money laundering purposes. I'm not sure exactly how big a part that plays, but that may be part of the reason why banks think that they can just deny people any answers to why these decisions have been made.
Mic number one, please. Thank you for the excellent talk. You mentioned that legal regulations require that banks use some kind of blacklist. Do you know what criteria this regulation cite? So, quality control doesn't seem to be among them. Could you start your own list and sell it to banks?
You're right, quality control seems not to be part of it. But so the regulation is, for example, the, I don't know the English word, the Zorgweitsflicht for the customer. You have to make sure that the customer is not a criminal or a terrorist or, and there are many regulations asking for it.
For example, the EG money laundering law from starting in 91 and then it got newer done in 2001, 2005. So, that's mainly the part that we focused on because it's the part that's important for the WorldCheck database.
All right, mic number three, please. Thanks for the talk. You did find a lot of people who are on the list wrong, fully, and I'm curious if you informed them that they are on the list, or if you informed the company that they had these people on the list and they shouldn't be there. And especially I'm interested what happened
to the Greenpeace activists you mentioned. Have you any information if they are still on the list or not? All the cases that we showed to you, all the ones we talked to, we confronted them and we asked them if we can publish their case. And all of them went to WorldCheck
and asked if they are on the list and asked also to delete them on the list. And I think in almost all the cases, the people actually were deleted on the list. Yeah, I think in some of them at least.
And as Yasmin said, we were very careful only to publish people's names if they had given their consent for us to do that. The response I got from Jackie Arnot, who was the woman in pink who you saw in the presentation, was that the last time she had any adverse attention
from the authorities was when she went on holiday in the 80s to the Eastern Bloc and she got a phone call from the British Foreign Office to say, what are you doing going over there? And this was what came to her mind when we told her about her listing in WorldCheck. Thanks, mic number four, please.
Thanks. In the LinkedIn profile you showed, there were a few other systems, I think Dow Jones and one other, do they suck as badly as WorldCheck? Well, we did check them, there was no leak yet. But if there will be, maybe we can tell you next year. All right, mic number two.
Hi, thank you. Can you go one slide back? One slide back. Thank you. I was wondering because you said that, for example, that the sources were like terribly wrong and weird. And I was wondering if we assume that they're not wrong and weird, but that they're working perfectly well and that all of these questions,
like the answer to all of these questions was, it's working perfectly well. Who would be the people it's working perfectly well for and who especially is targeted here? And is there any possibility of action in that scenario, in this possible world
in which this was working perfectly well? As it is, that's the question, right? I think maybe there are two different answers for the politically exposed persons and for the people accused of terrorism and so on. I think politically exposed persons, to me, you can make quite a strong case that senior public officials should be subject
to financial surveillance. If you are a prime minister and suddenly you have millions of pounds flowing through your bank account, maybe that's a legitimate. Sorry, I think this is a misunderstanding. I was not asking what are the perfect normative conditions under which this would function. I was asking, given that the state of things as it is now
was the perfect way of working, who would it be perfect for? Like who is the real beneficiary of this wrong and weird way of working? That's my question. Well, I don't think it benefits the public
because I don't think this is a real serious way of stopping terrorism and I'm not even sure that it's a real serious way of stopping political corruption because actually we looked into some of the cases that came out through the Panama Papers and similar things which showed sometimes that banks had looked
at a person's world check listing and seen that they were in the watch list but said this is actually a very lucrative client so we're going to keep banking them. And so there are two sides to it and I think that's a very important question. Internet, it's your turn again. Tom, considering the proprietor of your newspaper,
Rupert Murdoch, was there any kind of pressure as to what you published about them? About world check? Oh, that's a question from the internet, isn't it? No. All right, microphone number one, please. Yeah, two questions. The first is about deletion. Did I get it right that there's no established mechanism
or process as well as it's known for deletion of data sets in that database? So they claim how many thousands of records they add and they update that. There is some procedure for reading
but none for deletion. It's obviously weird. And the second is about asking them what they have in their records. If they have a record about me, for example, could I just ask them and they should answer me
and there are some conditions, are there codes for it? And while maybe guessing how would they react if say some 15,000 people would ask us a question. About the deletion of data, you're totally right.
There seems to be no process in reviewing the data that way that all the data that shouldn't be in there is still not in there anymore. So that's the problem because as we know, everybody has the right to be forgotten in the internet and to this second question, you can ask them,
you can go there and write them an email and ask them if you were included in the database but what they say if 15,000 people would ask them, I don't know, maybe you can ask them that. Remember, they're very productive. They could do 220 profiles in a month just writing them.
So truly they can handle 15,000 requests, I think. Mic number three, please. Hi, have you found any evidence that the customers were pushing sources on WorldCheck that some of the customers might have used them just as a filtering mechanism and push sources that wouldn't be normally checked?
We don't have any evidence of that but you do raise an important point that some of the banks said, well, we use lots of sources and some of the banks said, of course, we wouldn't just go on a WorldCheck listing
but again, it's very difficult to know exactly what was the information that HSBC considered when they closed the mosques account because that is all subject to secrecy. Mic number four, please. Can I please also ask you to go to the previous slide? Of course.
I think the problem is we are focusing too much on the list itself and I have difficulties imagining that we can control all these lists which are circulating, which are being created by different companies. I think the problem arises when they are used so I don't know if we can really achieve
through legislation or through some kind of control better sources, better information quality or whatever and maybe it should be at the point where they are used i.e. in banks where there should be really the legislative mechanism, the kind of legal mechanism
to solve this. I'm imagining, for instance, if the bank uses sources like these and denies the person to open an account or the same case with all these lists which exist for phone companies
and there are lots of lists like that in different sectors. If that person is denied the account opening, there could be a mechanism by which the person would force the bank or the institution to disclose the sources and to initiate some kind of legal procedure which would mean that if the
Excuse me, would you be so kind as to develop a question because a lot of other people still have questions and we have only a few minutes left. Thank you very much. The question is, do you think it should be rather that we focus on the banks or the points where this information is used rather than talk about the companies which make these lists?
I think that's a really good question because it's actually a question of who takes the responsibility for a decision and the funny thing is that Wallcheck puts all the weird sources in it but still says, oh, general legal sentences, you have to check by yourself and then the bank says, no, in Wallcheck, there was a list
and this name was on the list. So right now we have the scenario that people don't feel responsibility and I think that's the problem. All right, we have time for exactly one last questions and I hope you don't mind if I give it to the internet because everybody else has the chance to catch the speakers later. So if there's one, please fire away.
Are there any high profile politicians on the list? Yes, I mean the politicians that you would expect to be on the list, heads of state were on the list. So I guess at least that part of the system is working. All right, so please give another huge round of applause to our speakers for this super informative talk.
Thank you so much. Thank you.