Investigator-Centric Approach to Financial Crime: Back to the Future or Back to Basics?

By Samantha Sheen


    In November 2021, Blackdot Solutions’ Head of Community, Charles Brown, hosted a webinar featuring Nick Lewis, Group Head, Financial Crime Intelligence, Investigations and Government Relations, Standard Chartered Bank. The focus of the webinar was on how the use of an investigator-centric approach (ICA) could improve the efficiency and effectiveness of anti-financial crime controls.

    The webinar followed an earlier event, the Cambridge International Symposium on Economic Crime (CISEC) in September 2021, where the former Executive Secretary of the FATF, David Lewis (no relation to Nick), spoke about how an intelligence-led, risk-based approach was key to improving efficiency and effectiveness in detecting and preventing financial crime.

    The comments made by David Lewis were based on an observation which is all too familiar to most financial crime compliance teams: Somewhere in the evolution of their approach towards detecting financial crime, financial institutions have taken their eye off the ball, so to speak, and allowed their focus to be redirected towards the management of alerts generated by automated transaction monitoring tools (TM Technology). More effort is invested in working out how to move through the enormous volume of alerts being generated by the TM Technology than on which alerts should be reviewed, the presence of any connections between them and the quality of investigation undertaken.

    Back to the Future – The Unintended Consequences of a Rules-Based Approach

    This intelligence-led approach described by David Lewis could be viewed as going back to the future, in that it revisits the original reason why financial institutions are required to have controls in place to alert them to possible unusual customer activity.

    Anyone who has recently received a questionnaire from their AML supervisor or undergone an AML examination will be all too familiar with the questions concerning their transaction monitoring processes and TM Technology. Historically, the information requested has focused primarily upon the number of alerts generated and reviewed, and the proportion dismissed as false positives or escalated for further investigation. Similar metrics are requested concerning the number of internal suspicious activity reports (SARs) received, the proportion originating from transaction alerts and the number converted into disclosures made to the local FIU. Additional information is also often requested concerning the rules or algorithms used to generate the alerts, the thresholds or sensitivity set and whether “below the line testing” is undertaken to ensure that no anomalous behaviour is left undetected.

    These questions are intended to help the supervisor assess whether a financial institution has implemented an effective monitoring system to detect unusual customer transaction behaviour. However, they have had the unintended consequence of focusing attention more on the numbers and not on the substance underlying those alerts and whether the way they are managed generates useful intelligence.

    During the webinar, Nick Lewis noted that when financial institutions first began operationalising the risk-based approach of their financial crime prevention programmes, they also began to introduce rules-based monitoring for customer transactions. Their TM Technology began to generate a huge number of alerts. When this happened, it was assumed that this must be indicative of something untoward, thus requiring all alerts to be reviewed to some extent, regardless of whether the financial crime risk indicated was low, high, likely or remote. Nick Lewis noted that while some of the alerts were connected to anomalies or patterns that could be identified as possible criminal activity, many of them were not so obvious. Concerned to ensure that alerts were being processed in a complete and efficient way, financial institutions were submitting SARs to the local FIU even though a suspicion was not immediately obvious. The default position came to be that it would be left to the FIU to determine whether something nefarious underlay the reported transaction. In many cases, FIUs were not provided with any additional information to contextualise the transaction or understand whether it was associated with previous similar conduct by the customer or a pattern of activity across connected actors.

    This, in turn, led to a larger volume of SARs that needed to be generated. To try and manage this increase in workload, some financial institutions resorted to creating standardised SAR templates that include template descriptions for certain types of predicate offences. Ultimately, in an effort to meet deadlines set for the assessment of alerts, and the investigation and submission of SARs, the focus was taken away from undertaking an effective investigation of actual suspected illicit activity.

    These unintended consequences are illustrated in one recent case in the United States.


    SARs: A Cautionary Tale of Form over Substance 

    In May 2021, the US Securities and Exchange Commission (SEC) settled charges with GWFS Equities Inc (GWFS), a registered broker-dealer, which agreed to pay a fine of almost $1.5 million. The settlement related to control failures involving GWFS’ SAR process. The SEC found that the company failed to file approximately 130 SARs. This related to instances where external actors were gaining or attempting to gain access to the retirement accounts of participants in employer-sponsored retirement plans that GWFS serviced. The suspected activity detected by GWFS took place over a three-year period. GWFS became aware of increasing attempts by external actors to impersonate retirement plan participants, access their accounts via their online portal and redirect retirement funds to accounts which they controlled. The external actors had come into possession of the login information of several participants, including their usernames, email addresses and passwords, obtained from various cybercrime activities.

    GWFS had submitted nearly 300 SARs to the FIU concerning these activities. However, these reports were considered materially deficient. The SARs failed to include essential information GWFS knew about the suspicious activity and external actors. This included cyber-related data such as URL addresses and IP addresses linked to the external actors’ attempts to access the accounts. Other information omitted from the SARs included when and how the actors tried to take over the accounts and connections GWFS had identified between bank account details and IP addresses that were common across different participants’ accounts.

    In short, while GWFS had the data to contextualise the suspicious activity being detected, they failed to ensure that a proper analysis and summary of that analysis was provided to the FIU with the reports it had filed. In some cases, SARs were simply never submitted.

    The information shortcomings related to the SARs appear to have been the result of a well-intended effort to ensure that reports were being submitted to law enforcement in a timely way. To expedite this process, GWFS had introduced a template narrative which prepopulated the reports. The narrative read as follows:

    “The participant’s account was taken over by an unauthorized individual who used all of their personal information to authenticate as the participant.

    It is unknown whether or not there is any related litigation with this [customer].

    It is unknown whether or not foreign nationals are involved in this activity. It is unknown whether or not the IRS has been contacted.

    All information is contained in this report.”

    In short, this was an example of form over, or perhaps at the cost of, substance. This case also highlights the need for financial institutions to work with their regulators to bring about a new approach to investigating financial crime risks. As David Lewis mentioned in his speech to the CISEC, banks should “be incentivised and rewarded for providing more useful information to law enforcement agencies and not just filing SARs for the sake of ticking the regulatory compliance box…”

    The GWFS case is a timely illustration of why financial institutions’ approach towards transaction monitoring needs revisiting. Even with relevant data at its disposal, and with connections across different participants being found, the process applied came at the cost of undertaking a comprehensive investigation. And at a human level, the consequences were serious. Some participants were defrauded of their retirement proceeds, which were never recovered. This case does make for interesting food for thought as to whether a different approach towards investigating these events may have resulted in earlier intervention by law enforcement.

    Achieving the Balance Between Man and Machine

    Nick Lewis noted that we are now beginning to see the pendulum swing back towards taking less of a responsive approach to all alerts and more of an investigator-centric approach, providing an opportunity to place investigators in a different place along the continuum of responses. 

    Nick Lewis also pointed out that any TM Technology system is very quickly gamed by bad actors who know how to manipulate and change their behaviour to avoid the alert rules. It is very hard to keep pace with those actors if the response to such changes is trapped in a rigid rules-based process. 

    The key to the investigator-centric approach is that it moves away from having TM systems serving as the sole trigger for detecting, investigating and reporting on potentially suspicious activity. Instead, an investigator-centric approach uses and absorbs the outcomes of TM Technology as one of the sources of intelligence upon which an investigation can be triggered, but it does not stop there. It empowers an investigator to draw on a broad range of sources of information to identify potential financial crime risk. This intelligence might come from leaks data (Panama Papers etc.), from reports issued by national FIUs or other financial intelligence agencies, information shared within financial intelligence sharing partnerships (FISPs), or from data analysis that is focused on identifying anomalies in customer behaviour beyond those typically baked into the rules fed into TM and customer screening systems.

    Nick Lewis explained that this approach empowers investigation teams to respond more effectively to higher risk events and allows judgement to be exercised by drawing on a wide range of information sources and not simply a single transaction or a single piece of information. According to Nick Lewis, there is also a balance evolving between harnessing the benefits offered by technology, such as artificial intelligence, machine learning, and leveraging professional judgement and analysis undertaken by investigators. 

    But at the same time, said Lewis, we must ensure that it is not a case of using technology OR human judgment. We should aim to glean the value of both approaches, whereby algorithmic accuracy and human judgement allow better understanding of the context in which the alerts are generated.

    That human judgment, according to Lewis, should include the ability to consider data beyond the transaction that generated an alert, or the KYC held about the customer in question. Lewis explained that an investigation-led model involves a review of a wider body of evidence, including open-source information (OSINT) and past investigations. Ultimately, this leads to more accurate detection of suspicious activity, more relevant and accurate SARs and ultimately supports law enforcement’s efforts to detect and prevent financial crime. 

    Paving the Way Towards More Effective Investigations – Back to Basics

    The financial crime prevention community is starting to observe a sea change in the approach taken towards the investigation of suspicious activity. The unintended consequences of adopting a strict rules-based approach to screening and monitoring results have spurred calls to revisit how financial institutions approach the assessment and escalation of unusual customer activity. Ultimately, the investigator-centric approach supports the classic ethos of working smarter and not just harder, to achieve the ultimate goal common across all financial crime professionals: to prevent and disrupt illicit actors from laundering the proceeds of crime and terrorist financing.

    And surely, that can’t be a bad thing.
