The new era in sanctions compliance: the growing risk of terrorist financing

Financial crime used to be divided into distinct areas of compliance. Once there were experts who focused on money laundering, on fraud, on tax evasion. Law firms, accountancy firms, banks and financial institutions could take a relatively straightforward approach to their regulatory compliance systems. The main risk factors were drug cartels, black bags of hard cash or wire transfers from suspicious locations.

But the world of financial crime changed radically after the terrorist attacks of September 11, 2001. Following this, US government officials declared that the fight against financing Al Qaeda was as critical as fighting Al Qaeda itself. Officials understood that cutting off terrorist financing was critical to preventing them carrying out mass casualty attacks. 

Since then, the regulated sector, and in particular banks, law firms and financial institutions, have found themselves at the forefront of tackling terror financing. Not only is this a money laundering issue, but it also impacts sanctions compliance. With billions of dollars under the control of sanctioned terrorists, understanding how to counter the risk of terrorist financing is crucial to a comprehensive sanctions compliance framework. 

How was 9/11 financed?

The plot to attack the US on 9/11 cost Al Qaeda in the region of $400,000 – $500,000. The hijackers received money deposited into US bank accounts from overseas wire transfers. They also accessed foreign funds in the US with ATM and credit cards. The hijackers were sent cash from facilitators in Germany, the United Arab Emirates, and directly from Khalid Sheikh Mohammed (known as KSM). KSM was the principal mastermind of the 9/11 attacks and confessed to personally murdering journalist Daniel Pearl.

It is believed that around $300,000 used to finance the 9/11 attacks passed through the hijackers’ US bank accounts, with the money spent for flight training, travel and housing. There is believed to have been little to no financing from within the United States itself. 

The terrorists did not hide their financial operations, either. An extensive paper trail links them to their facilitators in Germany and the UAE. AML controls at the time were largely focused on drug trafficking, and were not intended to detect or disrupt the relatively small and benign transactions in which the hijackers engaged. 

Al Qaeda and Osama Bin Laden were not themselves personally wealthy. They fundraised for their terrorist efforts, diverting cash from Islamic charities and using well-placed financial facilitators to gather money from both willing and unwitting donors. 

There is no evidence that Al Qaeda engaged in drug trafficking, conflict minerals, or raised significant cash from foreign governments. Money was transferred from individual donors through money mules and cash couriers to Afghanistan, where Bin Laden used the cash to train operatives in terrorist camps and used the cash to support the families of Jihadists. 

The US did sanction Bin Laden, and pushed the UN to enact sanctions against him and other Al Qaeda funders and operatives, but the efforts to create an international coalition against terrorist financing proved difficult. Both Saudi Arabia and the UAE selectively applied sanctions and resisted cooperation. The CIA estimated that on the eve of 9/11, Al Qaeda had a secure and steady stream of financing from private donors that was not disrupted or sanctioned by governments.

The impact of 9/11 on terror financing

Following 9/11, the Financial Action Task Force (FATF) turned its attention to encourage member states to tackle terrorist financing with the same actions used to counter money laundering. The FATF issued eight Special Recommendations on Terrorist Financing. 

In the more than two decades since then, terrorist financing has become of significant concern and action across the world.

Both money laundering and terrorist financing seeks to exploit vulnerabilities and weaknesses in the economy which allow for the cleaning of illicit cash, and the financing of error. Prior to 9/11, Know Your Customer regulations were practically on the way out, but following the terror attacks, the US led significant efforts to tackle terrorist financing through national legislation and international alliances. 

How did terror become big business?

Terrorist financing has changed dramatically since Al Qaeda launched its terror attacks in 2001. Al Qaeda leaders lived in relative poverty, hiding out in caves in Afghanistan and running their operations on a shoestring budget. But today, international terrorist groups. Today, terrorist groups, and in particular Hezbollah and Hamas, are worth billions. 

Hamas is believed to be the second richest terror group in the world, after Iranian-backed Hezbollah in Lebanon. Hamas has an annual budget of around $2 billion. Where does its money come from?

Hamas undertook a coup in the Gaza Strip after claiming victory in 2006 elections held in the Strip – the last elections which were held. Because of the international recognition conferred on Hamas, the Palestinian Authority transfers to Hamas around 33% of its annual budget, at least $1.1 billion a year. 

The Iranian regime is also a significant funder of Hamas, estimated at around $250 million a year since 2014, with Hamas receiving significant weapons, training and support from the regime in Tehran. Iran is believed to be the main funder of the Hamas atrocities of October 7.

Since 2018, the Qatari state has been sending up to $400m per year to Hamas, as part of a strategy of funding terror organisations including Al Qaeda, Islamic State and the Taliban. Funding terrorist groups like Hamas has been a key foreign policy strategy of the Qatari ruling family, allowing them to target rivals in the Gulf and wider Middle East, while raising the profile of Qatar as a mediator and power player.

The terror group collects hundreds of millions of dollars from Hamas-linked charities around the world. Around $260 million of tax-deductible charitable donations to Hamas have come from the United States.

Research by blockchain analytics firm Elliptic showed that Hamas had potentially received more than US$7.3 million worth of crypto by July 2021, holding funds in Bitcoin, Tether stablecoin, Ether, Dogecoin and other cryptoassets.

Sanctions on Hamas

The US designated Hamas as a terror organisation since 1997, however their leaders have generally avoided the type of sanctions used against Al Qaeda leaders. Until relatively recently.

In May 2022, OFAC placed under sanction Hamas financiers as well as six companies that generated revenue for the terrorist group through management of an international investment portfolio. The Hamas Investment Office held assets of more than half a billion dollars, including in companies operating across North Africa and the Middle East.

Since October 7, there have been several rounds of coordinated sanctions on Hamas leaders, alongside new sanctions on Iran to hold them to account for their support of Hamas.

OFAC, along with the UK, EU, Australia and Japan have imposed sanctions on a number of Hamas terrorists and financial facilitators in countries including Sudan, Türkiye, Algeria, and Qatar. Actions have targeted Hamas terror operatives involved in managing assets in a secret Hamas investment portfolio, along with a Qatar-based financial facilitator with significant ties to Iran.

Key Hamas commanders both in Gaza and outside, along with Gaza-based virtual currency exchanges have all been sanctioned.

Hamas, along with Palestinian Islamic Jihad (PIJ) are under asset freezes and arms embargoes by the UK government. Membership in these groups or expressing support for them is a criminal offence in the UK, punishable by up to 14 years in prison. This is also the case in the US, EU, and other countries which have designated Hamas and PIJ as terror organisations.

The use of charities to fund terror

Fundraising and news outlets sanctioned for supporting terror

The US and UK sanctioned a media channel ‘Gaza Now’ alongside several individual executives of the channel, and accused them of providing direct financial support to the organisation. 

UK Treasury minister Baroness Vere said: “The UK and its partners are committed to cutting off funding sources to Hamas, [the Palestinian Islamic Jihad] PIJ and any others supporting terrorist activity that prevents sustainable peace in the Middle East.”

One of the issues highlighted by the sanctions was Gaza Now’s exploitation of the British and American financial system to support terrorism. The entity had received tens of thousands of dollars in cryptoasset donations, with the sanctioned individuals seeking to raise more cash for terrorism through crypto. Worryingly for sanctions compliance, most donations were under $500, with 40% under $100.  

Al Haramain Islamic Foundation 

Al Haramain Islamic Foundation was a Saudi-based charity dedicated to promoting a conservative form of Islam throughout the world. At its peak, al Haramain had a presence in at least 50 countries with estimates of its total annual expenditures ranging from $30 to $80 million, with support from the Saudi government. US intelligence had evidence of Al Haramain’s financing of terrorism, including donations to Al Qaeda, with members of the charity also directly involved in terrorism.

In 2004, the founder of the charity was sanctioned by the UN, along with fourteen branches of the charity who were found to be financing Al Qaeda. They were subject to asset freezes and travel bans.

The US seeks to break the Hamas financial network

With echoes of international action to tackle terrorist financing in the wake of 9/11, the US is leading efforts to bring similar strength of action to disrupt Hamas’ financial network. The US is offering up to $10 million for information on five Hamas financiers or anything leading to the disruption of the Palestinian terror group’s financial mechanisms. The five Hamas financial facilitators under this reward offer are named as Abdelbasit Hamza Elhassan Khair, Amer Kamal Sharif Alshawa, Ahmed Sadu Jahleb, Walid Mohammed Mustafa Jadallah, and Muhammad Ahmad ‘Abd Al-Dayim Nasrallah.

Abdelbasit Hamza Elhassan Khair, known as Hamza, is based in Sudan and has managed many companies in Hamas’s portfolio. He was previously involved in the transfer or close to $20 million to Hamas and is tied to former Sudanese president Omar Bashir as well as Islamist groups undermining stability in Sudan, the State Department said.

Alshawa, Jahleb and Jadallah are part of Hamas’s investment network in Turkey.
Nasrallah, who as of October was based in Qatar, is a longtime Hamas member with close ties to Iranian entities who has been involved in the transfer of tens of millions of dollars to Hamas, including to the Izz al-Din al-Qassim Brigades, Hamas’s military wing.


The rewards will be provided for any information on any source of revenue for Hamas, Hamas donors or financial facilitators, businesses owned or controlled by Hamas, front companies that procure dual-use technology for the group and criminal schemes that involve Hamas members or supporters that financially benefit the organisation.


Funds such as those managed by these individuals were likely key to Hamas’s preparations for the terror organisation’s October 7 atrocities.

These reward offers join a rash of recent sanctions by countries around the world including the US, Britain, and Japan on Hamas, Hamas members and their financial enablers. These come in addition to more than 16,000 sanctions currently in place against Russian individuals and entities as well as over 3,000 active sanctions by the US, UN, EU and other countries against Iran and Iranian entities and associated individuals.

How to stay compliant with the new era of sanctions

When an entity or individual is sanctioned, financial institutions and other persons that engage in certain transactions or activities with sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action, including criminal prosecution. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person. 

Regularly Review Sanctions Lists:

Stay informed about sanctions imposed by various countries and international bodies. Regularly review updated lists to ensure that your organisation does not inadvertently engage with sanctioned individuals or entities.

Risk Assessment: 

Conduct a thorough risk assessment of the countries in which your firm operates or conducts business. This assessment should consider various factors, including political stability, economic conditions, legal and regulatory environment, corruption levels, and the presence of high-risk industries or sectors.

Enhance Due Diligence Procedures:

Strengthen your due diligence processes to identify any potential exposure to sanctioned individuals or entities. This includes robust screening of clients, partners, and suppliers against relevant sanctions lists.

Invest in Employee Training:

Educate employees on the importance of sanctions compliance and provide training programs to enhance their understanding of the regulatory landscape. This will empower them to recognise and report any suspicious activities.

Update Compliance Policies:

Regularly review and update your organisation’s compliance policies to reflect changes in sanctions regimes and regulatory requirements. Ensure that policies are accessible to all employees and that they understand their responsibilities.

Engage Legal Counsel:

Consult with legal experts to navigate complex sanctions regulations. Having legal counsel can help your organisation interpret and implement compliance measures effectively.

Utilise Technology Solutions:

Leverage technology solutions such as compliance software and screening tools to automate and streamline the process of identifying and mitigating potential risks.

Mitigating the risk of terrorist financing in sanctions compliance

International actions to tackle Hamas’ financial network have significant echoes of actions taken in the wake of 9/11. Billions of dollars worth of property, cash and crypto have come under sanction since October 7, with nation-states and international agencies, including the UN, implemented in terrorist financing.

Organisations should use this moment to assess their own compliance measures and take proactive steps to navigate the increasingly complex field of international economic sanctions. By staying informed, implementing robust compliance strategies, and engaging with legal expertise, businesses can position themselves to operate responsibly and ethically in the new year.

Free webinar: Sanctions – complying with international restrictions

Wednesday, 18 September 2024 at midday UK time

Sanctions affect every business in every industry. Committing an offence under a sanctions regime can be as simple as making an honest mistake, and the penalties can be severe.

In this webinar, we will be reviewing the different types of sanctions, where they come from and their purpose. We’ll explore key issues such as sanctions on Iran and North Korea, financial sanctions on individuals, and how to ensure everyone in your organisation is aware of sanctions and how to comply. 

We’ll also consider how to report on a possible breach, best practice workflows for sanctions tracking and screening, and important red flags across different industries. Understand how to conduct a sanctions risk assessment and key methods to reduce the risk of a sanctions breach.

This webinar will cover:

  • The purpose of sanctions and their different sources
  • How to conduct a sanctions check
  • Navigating sanctions risks through screening 
  • When and how to report a possible sanctions breach
  • Best practice for training on sanctions and increasing awareness
How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.