Financial Dynamics of Insecurity in Mozambique and Nigeria

International perspectives on insecurity prioritise understandings of terrorism and organised criminality, and the nexus between the two, which are ‘top-down’ – that is, typically based on the knowledge of experts in Western capitals or the headquarters of development agencies. Local level understandings are underappreciated, despite frequently offering unique insights or nuances that are inaccessible from the dominant top-down point of view. The same applies to the financial dynamics of (or money behind) insecurity, including terrorism financing (TF) and the profit-driven activities of organised and petty criminality, as well as actors taking part in extortive corruption practices.

Dominant narratives convey that established terrorist organisations use organised criminal activity to raise funds for their violent political projects. Such narratives reinforce the concept of mutually exclusive and exhaustive categories of ‘terrorism’ and ‘organised crime’,1.  each with distinct financial motivations (for terrorism, fundraising is essential for bankrolling violence – while for organised crime, it is for personal enrichment). In reality, the financial dynamics of insecurity, including financial incentives and the funding behind conflict and insecurity, are far more complex, overlapping and nuanced. To yield a more accurate assessment, terrorism (as the use of violence and ideological pretence to control and wield power) or organised crime (as the use of illegal methods to generate wealth for various purposes) are better understood as behaviours that may be adopted by a variety of different threat actors.

Further, national level security responses to these financial dynamics are presently unimaginative and often bounded by established and Westernised notions of TF, money laundering, corruption and illicit finance. In this environment, many information sources on the financial dealing of threat actors – typically classified as financial intelligence (FININT) – are underexplored and this information is ignored by public authorities in their responses to a range of nuanced security threats.

Prioritising local perspectives in surveying the financial dimensions of security threats is important, as they point to additional opportunities for disruption. In this way, analysis of insecurity from a threat finance perspective may offer a novel approach for understanding threats and designing effective countermeasures, which to date have been dominated by approaches from the counterterrorism (financing) and counter-organised crime agendas.

This Policy Brief is based on research on Mozambique and Nigeria carried out between February 2022 and February 2024. The research relied on in-country interviews, a targeted review of existing literature and validation workshops. The purpose of the brief is to offer policy implications for addressing the underassessed financial dynamics of insecurity in the two countries. As such, it does not allow for a complete review of the sizeable literature on crime and terrorism, the ‘crime–terror nexus’ or the security landscapes in the two countries.

After briefly introducing the concept of counter-threat finance, the brief outlines local perceptions of the financial dynamics of insecurity in three broad categories: corruption, racketeering and extortion; kidnap for ransom; and violent insurgency. It then highlights opportunities for disruption, based on how FININT could be better used to counter those threats.

Threat Finance and Financial Intelligence

Counter-threat finance involves ‘examining how a threat actor generates, moves, uses and stores value [which provides] insight into a threat actor’s capability and modus operandi, as well as its potential financial vulnerabilities’. Deriving what can be learned about a threat actor based on their financial profile, and then using that understanding to either further map threat actor networks or to plan disruption operations, is at the heart of a counter-threat finance approach to security. The security provision orientation of counter-threat finance is notably distinct from the financial crime prevention orientation of the anti-money laundering/countering the financing of terrorism (AML/CFT) regime, whereby the private sector is conscripted by the public sector to prevent criminal and/or terrorist abuse of the financial system. FININT is one information source that may be drawn on to plan counter-threat finance operations. Financial institutions hold an abundance of data on their clients, including records of financial transactions, the amount, timing and location of an ATM withdrawal, or personal information taken from a client for purposes of Know Your Customer (KYC) or Customer Due Diligence checks. When this data is analysed in a security context, it can yield operationally relevant FININT for use in financial crime investigations, but potentially also in pursuit of counter-threat finance operations against a plurality of threat actors.

Financial Dynamics of Insecurity: Local Perceptions

From the local perspective, individuals or groups threatening personal or community security – denoted here broadly as ‘threat actors’ – are multitudinous and diverse, as are local people’s interactions and relationships with individuals or groups that are, nominally, intended to provide security – denoted here broadly as ‘security actors’. In reviewing some of the many drivers of local level insecurity elucidated by the research, as well as their financial dynamics, this section does away with artificial distinctions between ‘terrorists’ and ‘criminals’ as actors, instead giving primacy to the behaviours of various threat actors and security actors, to better understand how those behaviours drive local level perceptions of insecurity.

Corruption, Racketeering and Extortion

For many people at the local level, access to security is often impeded in situations where local security actors expect payment for the provision of their services, such as to report a crime at a local police station or to have police report to a call. Even a decade ago, it was observed that traffic police in some regions had adapted their practices to begin accepting bribes via mobile money, deemed to be more discreet than cash payments. For example, some cases would involve an alleged offender of a traffic offence being instructed by a corrupt officer to initiate a cash withdrawal from a specified mobile money agent who could be far from the site of the infraction. The cash funds for the bribe would be collected later. In Nigeria, for example, point of sale (PoS) machines have appeared in police stations in recent years, presenting new opportunities to collect bribes.2.  PoS operators have also been known to collect funds from alleged suspects or their relatives around the vicinity of police stations in Lagos state, ready to accept extortion payments demanded by police.

In both Mozambique and Nigeria, as a result of security threats, communities felt compelled to enlist the services of vigilante groups or community protection squads, offering small donations to these actors to provide security against threats, including terrorism-linked actors, bandits or other street-level gangs.3.  However, what was often witnessed was a mutation of this arrangement, whereby voluntary financial contributions to community protection actors became mandatory, with the groups demanding payment in the form of racketeering. In other words, ‘security actors’ are perceived to have become ‘threat actors’. While difficult to measure, where voluntary (admittedly under pressure and presented with limited alternatives) protection payments mutate into extortion payments, they should be meaningful in any counter-threat finance analysis.

Kidnap for Ransom

Revenue generation via kidnap for ransom (K4R) was seen as prominent in both Mozambique and Nigeria. Different individuals take part in each level of the practice, including informants involved in identifying potential victims in their own community, as well as those involved in abducting victims, transporting victims, storing victims, negotiating with families, facilitating ransom payments and returning victims. Such deconstructed culpability in K4R operations offers some explanation of why individuals take part in the crime and possibly why (because they may be involved in just one part of it) they may not perceive themselves to be involved in a harmful crime. Aside from being highly profitable, K4R offers a low barrier to entry and plentiful opportunities to engage anywhere along the K4R ‘supply chain’. This explains why kidnapping rates continue to increase, making the practice a top security threat from the local perspective.

From the perspective of local researchers in Nigeria’s Borno state, a shift from selective to opportunistic target selection for K4R explains how more lucrative (in other words, richer) potential victims have invested in more private security to reduce their vulnerability to being kidnapped. In Mozambique, local perceptions indicate the involvement of the Serviço Nacional de Investigação Criminal (SERNIC, National Criminal Investigation Service), who are on the front line in investigating kidnapping cases, in the crime itself; other evidence suggests that even the FININT instruments of the national financial intelligence unit, as well as financial institutions and telecommunications providers and mobile money operators, have been used to research prime targets for K4R.4.  

Ransoms are typically made in cash, although in Nigeria circumstances were described where digital payments would be involved, such as where family members are required to raise a ransom quickly and resort to online crowdfunding. Typically, solicitations are made through social media and communications platforms, instructing donors to transfer funds to a specified bank account.5.  Ransoms paid in mobile money are uncommon, arising only under certain conditions involving strict  time pressures or the unavailability of sufficient banknotes, though there are recorded cases of ransoms payments being deposited into a victim’s account and forcibly withdrawn by kidnappers using PoS terminals. Nonetheless, during the period of a chronic banknote shortage in Nigeria in 2023, when the central bank invalidated all old banknotes, K4R cases were perceived to reduce drastically. 

In addition to ransoms, victims are expected to pay a ‘freedom tax’ to kidnappers to guarantee their future safety and that  of their families, but (crucially) also to guarantee their silence and ensure victims do not report to police. In Mozambique, proceeds of K4R are often reinvested into the enterprise, including paying off informants and others for non-interference.6.  

Violent Insurgency

During the ongoing insurgency in Mozambique’s northern province of Cabo Delgado, the activities of Islamist insurgents aligned with the Islamic State have left indelible financial footprints. For example, local researchers found wives and sisters of fighters to be in receipt of large mobile money transfers sent to them from fighters in the far north of Cabo Delgado and intended as payment for a year’s worth of accommodation in Pemba, the largest city in the region. It is highly unusual for someone to be able to afford this substantial upfront cost in the local context; this ought to raise a red flag of suspicion. Without a gender analysis revealing this relationship between the sender (the Islamic State-affiliated combatant) and the recipient (his wife or female relative), the transaction’s association with the insurgency would not be self-evident.7.  Further, mobile money operators have identified patterns in their own transaction record they believe reveal a covert communications system between insurgents,8.  whereby small but precise transaction amounts between accounts carry coded messages. For example, a transfer of exactly 14 Mozambiquan meticals might be a way of saying that an operation has been called off, a highly valuable source of security-relevant FININT.

Interviewees from Pemba, a site of direct attacks by insurgents, noted drivers of insecurity stemming from the ongoing counterterrorism operation in the region itself. In exacerbating instability, ongoing counterterrorism operations have intensified conflict between communities and clans, and between local and foreign interests, in monetising Cabo Delgado’s bountiful natural resources – including minerals, forestry and energy. That environment, which is conducive to organised and opportunistic crime,9.  features foreign entrepreneurs driving illicit economies and trade in natural resources, often enlisting local youth to aid in trafficking.10.  Those illicit economies also serve to benefit national elites.11.  As the province has become ‘internationalised’ – in a security sense through the introduction of an international military force to expel what is perceived as the Islamic State’s local outfit, and in an economic sense through the exploitation of resources by foreign intermediaries in illicit economies alongside formal developers like France’s Total Energy – local communities perceived enhanced violence perpetrated by various insecurity actors, all while losing out to foreign actors for the attention and protection of police.12.

In this convoluted context, labels matter in locals’ perceptions of insecurity. According to one interviewee, ‘terrorism doesn’t have a face’,13.  reflecting a state of persistent insecurity whereby communities suspect the involvement of nearly anyone in the behaviour of ‘terrorism’ – including security actors such as local police, who accept bribe payments from captured threat actors in exchange for their release.14.

Local voices from Angoche in Nampula province, just south of Cabo Delgado, describe insurgency in the north as ‘terrorism’ because of the heightened degree of violence they have witnessed, which outstrips more ‘normal’ violence levels stemming from previous organised crime activity.15.  Many see their communities as recruitment centres and forward operating bases for the violence they see being carried out further north,16.  fearing the replication of such violence in their own communities should large deposits of natural gas also be discovered in Nampula, as they have in Cabo Delgado.17.

Similar dynamics appear in Nigeria, where the Islamist insurgent threat that has dominated the security landscape in the northeast is increasingly blurred with an emerging crisis of insecurity in the northwest driven by so-called ‘banditry’. Fundamentally, little separates the practices of banditry and terrorism in northern Nigeria. Both feature tactics of K4R, extortion, robbery and are known for attacks and operations conducted via motorbike. Although, in lacking supposed ties with transnational jihadist aims and ideology, banditry has come to be seen as a distinct threat. Some members of bandit groups have defected from Islamist insurgent groups in the northeast, looking for new opportunities to put criminal/terrorist skillsets to work for bandit groups in the northwest.18.  Here, threat actors appear to adopt and shed interchangeable identities to suit their interests in the moment. For example, bandits have been known to present themselves as Boko Haram insurgents in ransom negotiations to improve their negotiating position with families and the state. By designating two major bandit groups, the Yan Bindiga and Yan Ta’adda groups, in 2021 as terrorists, the Nigeria government appeared to pay heed to local voices calling for the banditry crisis to be treated as a national priority.

Policy Implications and Opportunities for Disruption

Experiences of insecurity at the local level highlight the transferability of terrorist ‘brands’ between actors and groups as and when profitable, and often seemingly ideologically vague or apolitical insecurity actors (such as petty criminals or bandits) pose more of an immediate threat to personal security than attention-grabbing brands such as ‘Islamic State’. At the same time, the CFT powers and tools of the AML/CFT regime can only be deployed against groups and actors formally designated as terrorists by national or supranational authorities (such as the UN Security Council). This creates an artificial barrier between threat actors that can and cannot be targeted using these financial tools. Where Nigerian authorities have chosen to designate some bandit gangs as terrorist groups, they ‘unlock’ for themselves CFT capabilities, such as criminalisation of financial support for those threat actors.

For the financial institutions involved in monitoring customer transactions, threat awareness and preparedness is often victim to such strict categorisation. At the same time, when mobile money operators spot FININT that indicates community unrest or another insecurity event, this is often tagged as an ‘organised crime’ incident, which carries a much lower prioritisation than a clear-cut ‘terrorism financing’ incident.19.  But most often, ‘terrorist’ cases are initiated by public authorities themselves, who only then request FININT from the private sector to aid their investigation. The potential to use FININT proactively to spot crises, regardless of the identity or the insecurity actors involved, is often undermined.

Policy Implication 1

The ability of both public and private sectors to respond to insecurity is negatively affected by siloed frames of reference, particularly the distinction drawn between ‘terrorist’ and ‘criminal’ threats. Reorientation of government structures and policy around a concept of threat finance could open institutions and practitioners to the inherent nuance in the threats they are facing. For example, national financial intelligence units (FIUs) could engage with financial institutions and solicit financial information not only for meeting AML/CFT obligations, but also for unleashing the potential for FININT to be used to investigate, for example, K4R incidents, regardless of the identity or ‘brand’ of the perpetrators.

Multicountry and national studies on the impact of digital payments on corruption point to a negative relationship, owing largely to the enhanced financial transparency of digital payments over cash transactions. Given how corruption and extortion are perceived as drivers of insecurity at the local level in this brief and in other papers within the Organised Crime, Terror and Insecurity in Africa (OCTA) project, the enhanced transparency of digital financial transactions (in other words, FININT) has a clear positive impact on security. But for FININT’s potential to be unleashed, authorities need enhanced capacity to absorb the vast quantity of security-relevant data that financial institutions can offer. Cross-institutional bridges and public–private information sharing partnerships (and legal frameworks to underpin these to ensure information exchange is legal and guarded against abuse or misuse) are therefore needed for national authorities to further draw on FININT sources.

And yet, many state interventions aimed at the financial dynamics of insecurity, such as blanket bans on fundraising vectors, actually close off FININT opportunities. Worse than being ineffective, some policies such as banning rural livelihoods, including fishing, farming or herding, for fear these enterprises may be taxed by threat actors,20.  have opened new opportunities for corruption by security actors. For example, a cattle market may be closed to mitigate a TF risk, only to be reopened and covertly operated by security actors who manage access through tolls and checkpoints.

In Nigeria, policies including outlawing ransom payments, banning PoS machines within police stations, and banning mobile money transactions within police stations have not solved the problem. PoS terminals are easy to acquire from financial institutions to carry out agency banking services for customers and to take regular payments, and are associated with an individual’s KYC details, including their unique bank verification number. Given the novel FININT opportunities stemming from PoS transactions, it could be argued that financial activity linked to insecurity ought to be permitted, as the FININT collection opportunities may yield more impactful disruption opportunities in the long run.

Policy Implication 2

Valuable FININT sources are broadly overlooked in the security context. Assuring the proactive involvement of a diverse range of private sector actors who hold FININT on threat actors (while resisting ineffective policies that cut off FININT opportunities entirely) will lead to more and better disruption opportunities.

At present, donors’ approaches to countering the financial dynamics of insecurity are largely ineffective. Where donor programming has prioritised enhancing beneficiaries’ FININT collection and processing capabilities, this often takes the form of trainings and seminars for law enforcement agents, who are often rotated out of their positions. Further, programming is overly focused on meeting international expectations, such as the AML/CFT standards of the Financial Action Task Force (FATF). While a helpful motivator to improve states’ FININT capabilities, programming designed around FATF compliance typically uses good FATF marks as evidence of programme success, rather than empirical improvement in the use of FININT to counter security threats.

Policy Implication 3

Existing donor programmes overemphasise FININT and financial investigation for preventing financial crime and meeting international AML/CFT standards. Donors can invest more into countering salient financial dynamics of insecurity by building authorities’ capabilities to use FININT to provide security. Long-term programmes should build up institutional capacity over short-term investment in training individual security actors.

Conclusion

Although merely perceptions – and a far cry from empirical truths – investigating financial dynamics of insecurity at the local level yields important insights for designing disruption measures. A threat finance approach to security, making use of underexploited FININT opportunities to track the activities of a variety of threat actors, opens opportunities for disruption previously reserved for CT and CTF alone.

At the same time, implementing these policy implications should be done with caution to prevent abuse. The FININT capabilities of one national FIU – plus their influence and power over financial institutions and the account information they hold – were perceived to have been captured by corrupt authorities to facilitate a K4R campaign against the state’s own citizens, whereby bank account balances were gathered to identify lucrative ‘candidates’ for kidnapping. In expanding the remit of FININT beyond AML/CFT, as is desirable for mitigating threats elucidated by local perceptions, state institutions must be scrutinised and held to account for abuses of their FININT capabilities.