5AMLD is the successor to the EU’s Fourth Anti-Money Laundering Directive (“4AMLD”) which has been operative since June 26, 2017. 5AMLD is perceived as being the EU’s reaction to the terrorist attacks which occurred across Europe in 2016.
Anti-Money Laundering (AML) rules refer to the process of detecting and reporting suspicious activity related to money laundering and terrorist financing offenses (including offenses such as securities fraud and market manipulation). All financial firms must comply with the Bank Secrecy Act and its Anti-Money Laundering rules.
Created in 1974, the Commodity Futures Trading Commission (CFTC) is an independent agency of the U.S. government responsible for regulating the U.S. derivatives markets including futures, swaps, and options.
Compliance refers to the process of being in accordance with established guidelines or legal specifications based upon where your business operates.
A compliance audit is a comprehensive review of an organization’s adherence to regulatory guidelines. Independent auditors evaluate the overall strength and thoroughness of compliance preparedness and execution, reviewing security policies, user access controls, and risk management procedures, among other areas.
Compliance burden, also called regulatory burden, is the administrative cost of a regulation in terms of dollars, time and complexity.
A compliance framework is a structured set of guidelines that details an organization’s processes for maintaining accordance with established regulations, specifications or legislation.
Compliance risk is exposure to legal penalties, financial forfeiture, and material loss an organization faces should it fail to act in accordance with industry laws, regulations, internal policies or prescribed best practices.
Corporate governance is a term that refers broadly to the rules, processes or laws by which businesses are operated, regulated and controlled. The term can refer to internal factors defined by the officers, stockholders or constitution of a corporation, as well as to external forces such as consumer groups, clients and government regulations.
The financing of terrorism involves providing direct finances, or financial support, to individual terrorists or non-state actors. Some countries maintain a list of terrorist organizations and have money laundering laws, which are also used to combat providing finance for those organizations. This dynamic process is referred to as Counter Terrorism Financing (CTF).
The Dodd-Frank Act (officially known as the Dodd-Frank Wall Street Reform and Consumer Protection Act) is a U.S. federal law that places regulation of the financial industry in the hands of the government. The legislation, enacted in July 2010, aims to prevent another significant financial crisis by creating new financial regulatory processes that enforce transparency and accountability while implementing rules for consumer protection.
Founded in 1989 by the G7, the Financial Action Task Force (FATF) is an intergovernmental organization responsible for developing policies to combat money laundering.
The Foreign Corrupt Practices Act (FCPA) is a federal law enacted in 1977 to prohibit companies from paying bribes to foreign government officials and political figures for the purpose of obtaining business.
The Financial Crimes Enforcement Network (FinCEN) is a bureau of the U.S. Department of the Treasury that collects and analyzes information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a legal framework that sets new guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR lays out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The GDPR applies to all organizations that deal with EU citizen data, making it a critical regulation for corporate compliance officers at banks, insurers, and other financial organizations.
HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996.
HHS initiated 5 rules to enforce Administrative Simplification: (1) Privacy Rule, (2) Transactions and Code Sets Rule, (3) Security Rule, (4) Unique Identifiers Rule, and (5) Enforcement Rule. The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by “covered entities.”
Know Your Customer (KYC) is the process by which a business verifies the identity of its clients and assesses their suitability, along with the risk that the business relationship could be used for illegal purposes.
Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources).
The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency of the U.S. Treasury Department. It administers and enforces economic and trade sanctions in support of U.S. national security and foreign policy objectives.
Regulatory compliance is an organization’s adherence to laws, regulations, guidelines and specifications relevant to its business. Violations of compliance regulations often result in legal punishment, including federal fines.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 (SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as to improve the accuracy of corporate disclosures. The U.S. Securities and Exchange Commission (SEC) administers the act, which sets deadlines for compliance and publishes rules on requirements.
Suspicious Activity Report (SAR)
A Suspicious Activity Report (SAR) is a tool provided under the Bank Secrecy Act (BSA) for monitoring suspicious activities that would not ordinarily be flagged under other reports (such as the currency transaction report). The SAR is the standard form to report suspicious activity.
An activity may be included in the SAR if the activity gives rise to a suspicion that the account holder is attempting to hide something or make an illegal transaction.
A Bank Secrecy Act (BSA) rule [31 CFR 103.33(g)]—often called the “Travel” rule—requires all financial institutions to pass on certain information to the next financial institution, in certain funds transmittals involving more than one financial institution.
Virtual Asset Service Provider (VASP)
FATF defines a Virtual Asset Service Provider (VASP) as any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
exchange between virtual assets and fiat currencies;
exchange between one or more forms of virtual assets;
transfer of virtual assets;
safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
and participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
Adware can be defined as a bundle of programs that is designed to bombard users with advertisements. The main aim behind it is to redirect the user’s search requests to advertising websites and collect marketing data.
Adware tracks the user’s online activity, slows down the device’s performance, displays customized ads, can download additional malware in the background, and consumes large amounts of data.
A botnet is a collection of Internet-connected devices such as PCs, mobiles, servers and IoT devices that are infected with, and controlled by, a specific type of malware.
A blend of two terms, robot and network, botnets are networks of robots that are used to commit crimes in the cyber world.
Click fraud happens when artificially created bogus clicks are used to manipulate Pay-Per-Click (PPC) advertising. The idea behind this practice is to increase the number of payable clicks in order to generate revenue.
Cyber espionage describes the practice of spying on someone to gain illegal access to confidential information. Often the prime targets of this type of cybercrime are large institutions and government organizations, although individuals are also vulnerable.
Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
The dark web is just a small portion of the deep web; it contains thousands of dark sites where a large share of illegal online activity is carried out.
The dark web is characterized as the part of the Internet that is not visible to regular users, and as a small part of a vast network of websites and portals that are not indexed by search engines.
End-to-end encryption is a method of protecting and securing communication that hinders third parties from accessing data when it is transferred from one device to another.
An evil twin is a fake Wi-Fi hotspot or access point that poses as a legitimate and safe one, but is actually set up to snoop on another wireless network or device.
Exploit kits are packages of automated threats that are used by attackers to launch exploits against vulnerable programs. Exploits are designed to cause unexpected behaviors that an attacker can take advantage of to perform harmful actions.
A firewall is a defensive technology focused on keeping bad actors out of one’s network. It acts as a virtual barrier that protects against both internal and external cyber-attacks that might target your personal computer.
It checks all unauthorized access to or from a private network and determines which connections should, or should not, be allowed to interact with your computer.
A gateway acts as a bridge between two networks that connect using different protocols.
Hashing is a cryptographic one-way function that converts a plaintext password into a hash. It transforms a string of characters into a shorter, fixed-length value that stands in for the original string.
Handshaking is the process by which two information systems establish a communication channel. It begins when one device sends content to another device for identification, synchronization, and authentication.
Sometimes also referred to as identity fraud, identity theft involves the unauthorized acquisition of someone’s personal information and its use in an illicit way to gain some benefit, often of monetary value.
An intrusion detection system is a software or device that functions to monitor network traffic for malicious activity. These detection systems help in identifying suspicious activity, logging relevant information, and attempting to block and report such activity.
IP spoofing, or IP address forgery, is a hijacking technique in which a bad actor poses as a trusted host to disguise someone’s identity, hijack browsers, or gain access to a network.
Though spoofing an IP address is not an illegal act in itself, it is a technique often used in committing illegal activities.
Often referred to as keystroke logging, a keylogger is a computer program that keeps a log of your keystrokes on your keyboard. The entire log is saved in a log file which is encrypted and can be shared with different receivers for different purposes.
It can capture sensitive information such as passwords and PINs (Personal Identification Numbers) in real time and can be used to hijack your personal accounts.
Malware is an umbrella term for all malicious programs, such as viruses, Trojan horses and spyware. It is a malicious program that reaches a target computer and runs scripts that take complete control over the computing functions of the target computer. For example, malware can hijack all sensitive information stored on the target device, or it can encrypt files and hold this information for ransom.
mobile banking trojans
Mobile banking trojans refer to the practice of a bad actor overlaying a Trojan interface onto a legitimate mobile banking app interface, allowing the bad actor to intercept the credentials the end user enters to log in to his/her banking account.
Pharming is a malicious mechanism which redirects a user to a fake site or service that appears identical to the authentic site or service. A victim user will enter all relevant credentials into the duplicate site considering it to be the legitimate one, compromising all affiliated information in the process.
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Ransomware can be any malicious software that encrypts data found on an individual’s or enterprise system. Once the data is encrypted, the bad actor responsible for the malware will demand a ransom in order to decrypt (unlock) the data being held hostage.
Most often, the ransomware payment is denominated in bitcoin as it is highly liquid and accepted in nearly all parts of the world.
In software testing, reverse engineering aids testers’ understanding of viruses and other malware code. In software security, reverse engineering is widely used to ensure that a system lacks any major security flaws or vulnerabilities. It helps to make a system robust, thereby protecting it from hackers and spyware.
Social engineering, in the context of information security, is the psychological manipulation of people into performing actions or divulging confidential information.
A Trojan horse, or Trojan, is a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves looking to gain access to users’ systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems.
A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.
An examination performed by an independent third party that verifies adherence to the guidelines outlined by a regulatory body.
The acknowledgement of understanding and abidance to policies, procedures or training.
Analyzing your data year over year by comparing one’s own business processes and performance against the industry standard to reveal compliance program effectiveness and to determine needed improvements.
An incentive given, or offered, to a person or organization to encourage that person/organization to take an action that benefits the giver.
chief privacy officer
A chief privacy officer (CPO) is a corporate executive charged with developing and implementing policies designed to protect employee and customer data from unauthorized access.
chief risk officer
The chief risk officer (CRO) is the corporate executive tasked with assessing and mitigating significant competitive, regulatory and technological threats to an enterprise’s capital and earnings. The position is sometimes called chief risk management officer, or simply risk management officer.
code of conduct
An organization’s code of conduct is its policy of all policies. It’s a central guide and reference for users in support of day-to-day decision making. It is meant to clarify an organization’s mission, values and principles, linking them with standards of professional conduct. As a reference, it can be used to locate relevant documents, services and other resources related to ethics within the organization.
The decisions, choices, and actions we make that reflect and enact our values.
To intentionally lie or cheat to get something to which one is not rightfully entitled.
The act, process, or power of exercising authority or control in an organizational setting.
governance, risk and compliance (GRC)
Governance, risk and compliance (GRC) is a combined area of focus within an organization that developed because of interdependencies between the three components. GRC software products, available from a number of vendors, typically facilitate compliance with legal requirements, such as those specified in the Sarbanes-Oxley Act (SOX) or occupational health and safety regulations.
Gramm-Leach-Bliley Act (GLB)
Federal legislation enacted in the U.S. to control the ways that financial institutions deal with the private information of individual users.
A common reporting system giving anonymous telephone access to employees seeking to report possible instances of wrongdoing.
Making choices that are consistent with each other and with the stated and operative values one espouses. Striving for ethical congruence in one’s decisions.
An internal control is a business practice, policy or procedure that is established within an organization to create value or minimize risk.
Risk assessment is the process of identifying variables that have the potential to negatively impact an organization’s ability to conduct business.
risk assessment framework (RAF)
A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.
Risk exposure is a quantified loss potential of business. Risk exposure is usually calculated by multiplying the probability of an incident occurring by its potential losses.
Transparency, in a business or governance context, is honesty and openness. Transparency and accountability are generally considered the two main pillars of good corporate governance.
The core beliefs we hold regarding what is right and fair in terms of our actions and our interactions with others. Another way to characterize values is that they are what an individual believes to be of worth and importance to their life.
A whistleblower is a person who voluntarily provides information to the general public, or someone in a position of authority, about dishonest or illegal business activities occurring at an organization. This organization could include a government department, a public company or a private organization.
An address is an alphanumeric string that is unique to a wallet. It is what is used to route digital assets across the network to a particular destination. Different coins have unique address formats.
New tokens are sometimes given to a number of users that have assets on a particular blockchain. Essentially, when the new tokens are distributed, they are “airdropped” to the holders on the blockchain.
Algorithms solve problems using calculations and data processing. Most modern software depends on functioning algorithms.
Cryptocurrencies that came to be after Bitcoin are referred to as altcoins.
ASIC is the abbreviation for “application-specific integrated circuit.” ASICs are created specifically for a certain use rather than for general-purpose computing. ASIC miners work best for mining digital assets.
A block is a file where transaction data is recorded in the blockchain.
Block explorers display on-chain transaction data.
The block height is the number of blocks separating the current block and the genesis block.
The ledger that records digital asset transactions in sequential order.
New digital assets awarded to a miner for participating in the mining process.
Cold storage is any kind of crypto storage that is not online at all times. There are two types of wallets that may be considered cold storage:
Hardware wallets – A physical device that is only online when it is hooked up to a secondary device such as a laptop or desktop.
Paper wallets – A physical piece of paper that is a physical representation of owned crypto.
In terms of cryptocurrencies, a coin is a digital token.
Confirmations are necessary for a successful transaction. The number of confirmations is based on the number of times that the network has accepted the transaction. The more confirmations, the more likely the transaction is to be legitimate. If there are only a few confirmations, the likelihood of coins being double-spent increases.
A contract address is an address that utilizes a smart contract. This is specific to Ethereum and ERC-20 tokens.
“DAO” stands for “decentralized autonomous organization”. These organizations are operated and governed through smart contracts.
To move power away from a specific authoritative body.
A deposit address is where someone deposits their digital assets.
Destination tags are a short numeric string specific to Ripple (XRP). Most Ripple wallets will require a destination tag for the funds to be routed to the correct recipient.
Public-key cryptography sometimes uses data storage based on the algebra behind elliptic curves. This is because this type of data storage detects common corruption issues.
An ERC-20 token piggybacks off of the Ethereum network, but for an ERC-20 token to be accepted, the token must meet a certain set of rules. “ERC” itself stands for “Ethereum Request for Comments”, and it is meant to improve the Ethereum network.
An exchange is any service that allows someone to trade one digital asset for another.
The rate that a digital asset is exchanged for another, or in some cases, fiat.
Fiat currencies are centralized currencies, such as the U.S. Dollar or the Euro.
A fork is when a digital asset splits into two different cryptocurrencies. Examples include BTC and BCH, and ETC and ETH.
Gas is what is used to send ethereum and ERC-20 tokens across the network. A small amount of ethereum is necessary for a transaction to process, and this is referred to as “gas”. If a transaction does not have enough gas, it may not confirm.
A genesis block is the very first block on the blockchain.
GPU stands for “graphics processing unit”, but they do not only process graphics. GPUs are also used to mine digital assets, as they can make computations as well.
HODL is a term that refers to holding a specific digital asset. It originated when someone mistyped the word “hold”. It is now often used to mean “Hold on for Dear Life”.
A hot wallet is a wallet meant to hold digital assets in a way that keeps them online and liquid at all times. Hot wallets are less secure than alternatives since they are always online.
The input is where a transaction is being sent from, or where a transaction starts.
A key pair is the pairing of a public and private key.
A legacy address is an older address format; for BTC, such addresses begin with a “1”.
“Market cap” is short for “market capitalization”, or the value of an asset being traded on the market. In the crypto space, it is referring to coin market capitalization.
The “memory pool” of unconfirmed Bitcoin transactions.
Mining is the act of confirming transactions on the blockchain using a series of advanced computations.
A miner fee is crypto that is provided to reward miners for enabling transactions to be sent across the network.
multiple output transaction
Any transaction that has several outputs is a multiple output transaction.
Multisignature allows several users to digitally sign the same document for a valid transaction.
Nodes are used to pass block data throughout the network. These nodes are able to validate transactions.
out of gas
When an ETH transaction runs out of gas, it has done so because not enough gas was provided for a transaction to fully process on the blockchain. This error is common with smart contracts.
This is where a digital asset transaction was sent.
An offline, paper representation of digital asset ownership.
A privacy coin strongly focuses on anonymity and lack of traceability. A few examples of privacy coins are Monero (XMR), Zcash (ZEC) and Dash (DASH).
A private cryptographic key that should only be known to the user. This key can be used to decipher encrypted messages created by the public key.
A cryptographic key that can be used by anyone to encrypt messages that are decipherable by the private key.
A replay attack is when one blockchain forks into two and results in an equal amount of coins existing on both blockchains.
A satoshi is a small amount of bitcoin. One bitcoin is equal to 100,000,000 satoshis.
Satoshi Nakamoto is the screen-name of the founder of Bitcoin.
SegWit stands for “Segregated Witness”, which is a newer form of address. It is forward compatible, meaning that no software updates need to take place for it to work.
SHA-256 is a cryptographic hash algorithm. It works by generating a 256-bit hash value (digest) from its input.
A smart contract creates a certain set of conditions that a digital asset transaction must meet to be successful.
A transaction fee is a fee that allows an entity to profit each time that a transaction is made.
The TXID (transaction ID) or the hash is the alphanumeric string that labels each transaction within the coin’s blockchain.
UTXO stands for “unspent transaction output”. UTXOs are what nodes on the network use to validate transactions.
A wallet is a digital wallet, either hot or cold, that stores digital assets.
A whitepaper is written by those that are launching a new digital coin. It explains everything about the coin that someone may want to know.
A withdrawal address is an address that a user provides to receive digital assets from an exchange. It may also be referred to as a “destination address”.