In this episode, Matthew Stibbe interviews Louie Vargas, founder of the Network for Financial Crime Prevention (NFCP). They discuss the importance of Open Source Intelligence (OSINT) in financial crime investigations, the challenges of time pressure in compliance, and the need for better training and resources for compliance officers. Louie shares his journey into OSINT, the founding of NFCP, and the organisation's mission to educate the community on financial crime prevention. They also explore the potential of AI in OSINT and the importance of governance in its application.
Matthew Stibbe (00:01) Welcome to From the Source, the Blackdot podcast. I'm your host Matthew Stibbe and today I'm talking to Louie Vargas who is founder of the Network for Financial Crime Prevention. Great to have you on the show, Louie.
Louie Vargas (00:14) Thanks for having me.
Matthew Stibbe (00:15) So I want to start… just dive right in. Right now, what's baking your noodle, tickling your fancy about OSINT? What are you thinking about right now?
Louie Vargas (00:29) OSINT is a great, obviously a great tool and a great way for investigators to really delve deeper into whatever they're investigating and get down to the true source of the matter. ⁓ What really, I guess, like you said, is on top of mine is how for the financial crime prevention side, it's...
not used, I think, as appropriately as it should be in different areas. And what I mean by that is that, you know, during my training as an early compliance officer and even now when we talk about OSINT or doing research, what's mostly used is Google and Google alone is not OSINT, as you know. So I think we need to have a clearer focus on providing tools to our analysts where OSINT can be a true help.
And then obviously, you know, we can't boil the ocean and get that deep into every investigation. You know, there's other teams for that and we'll kind of get into that later. But, I think there needs to be a better baseline approach to when we talk about OSINT.
Matthew Stibbe (01:39) And how do you train people or encourage people to go beyond Google?
Louie Vargas (01:44)
Yeah, that's a tricky one, especially, you know, when you're in the sanctions transaction review team where, you know, you have seconds sometimes to review some of these transactions. And sometimes Google is your best friend. But when you're doing a Google search, as you know, it depends on how you're asking Google to review information. Sometimes what you really need is on the second or third page of that, you know, search summary.
So, know, in the sanctions specific case or in the fin crime space, you know, what we try to say is try to have more than one source of the truth, right? Or if you have different sources, but they don't align, that's part of the story. You could say it doesn't make sense for whatever reason based on this, that we can't find the connection that, you know, they are the same... in the same industry, or they're owned by the same person. And I feel if there was more of a baseline approach to OSINT in these areas, of course, adapting it to the timeliness of our investigations, I think that it will prove that we could come to better conclusions and have a better rationale at the end of the day.
Matthew Stibbe (03:03) There's something you said there that made me curious. The story I hear on my learning about OSINT as part of these interviews is quite often the story of painstaking and lengthy investigations. And you said we have sometimes to make decisions in seconds. And I'd love for you to expand a little bit on this time factor in financial crime.
Louie Vargas (03:30) Yeah, sure. You know, we're talking about sanctions compliance specifically. The time pressure can be quite tough just because we're looking at stuff pre-transaction. So what that means is if you're thinking about transaction monitoring on an anti-money laundering (AML) practice, that's in post-transaction. So obviously there's SLAs in place where they would need to put together research or decisions at a certain time. But when you're talking about sanctions, it's real time.So that's part of the time pressure.
Matthew Stibbe (04:02)
Meaning tied to a transaction going through the system?
Louie Vargas (04:05) Exactly. Yeah, so we're stopping it pre transaction. So the the customer has already sent the transaction. It might have stopped in our filter for a certain reason and now we were holding it until we could address the potential match and we hold it until we've figured out if it's, you know, not a potential… if we've confirmed there's not a match then we release it and transaction goes through, everything's fine. If sometimes we need more time and we have to send out requests for information to the to our counterparties… the different… And now you're holding up a transaction, it could be a few hours to a few days. And in worst-case scenario it could even be a few weeks. So where I see OSINT being a big part of this is that maybe, and not in some of these less complicated areas, but where we need to dig deep, so maybe one that we could put on hold and have a bit longer time to look at it. Because not all transactions are alike, I would say, or are the same, so there are some that you could quickly discount and say these are false matches, we could let go, or these are clear matches, we have to adjudicate them in the appropriate way, depending on the jurisdiction you're in.
But yeah, so there's a kind of a balance we have to play there and you know we do have the opportunity to have more time and place it on hold but, you know, we have to be mindful of when we do that because now the customer is waiting for funds to be moved or companies waiting to receive those funds and we're in the middle of an investigation, and I guess…
Matthew Stibbe (05:41) Presumably, if there's a delay, you've also tipped your hand to some extent. They know that you're looking at it.
Louie Vargas (05:45) Exactly. Especially… exactly that. You know, if they do ask, what's the delay? We can't say, well, we have the sanctions, potential sanctions matter. We just say, OK, we're working through it. We have some questions because, again, we don't want to tip them off. So that's a great point there. And also, you know, when you when you're thinking about it, what we're trying to also do is have, you know, I guess, in the best way, we want to reduce customer impact. So we're trying to not delay it so long, especially if you're talking about trade finance deals. There might be some instances if you hold it too long, then now you have to pay interest. So it could also be costly to the bank or the financial institution. So you have to be mindful of all these things. But I think a lot of it comes down to experience, right? You have somebody who's experienced at reviewing transactions or reviewing customer data… sometimes they could see the pattern and know, okay, there's no risk here. We could proceed accordingly. Or the risk is not clear, but I have a feeling that there's risk here. I'm gonna take a little bit more time to look at it. So again, that's what I mentioned before. It can't be for all cases. And sometimes it just comes down to experience when to take that extra step and do that a bit more due diligence to ensure that you're covering all the risk.
Matthew Stibbe (07:10) Now Louie, tell me how you came to found NFCP and, sort of, what is the purpose and mission of it?
Louie Vargas (07:20) Yeah, it's definitely been a passion project for sure. NFCP is a nonprofit organisation that started in November of 2024. So we're just a few months old. But it's really to focus on the community that we have, right? As compliance officers, whether you're in risk or compliance, crime, wherever. I mean, we're focusing on fin crime now just to have some sort of grounding. But if our community wants us to delve into other topics and deeper in different ways, we're happy to do so.
And it's all about the community because, when I first moved to the Nordics from the US, I noticed that people were afraid of sharing how they have addressed problems, afraid of benchmarking because they thought it was kind of... you were sharing customer information. And of course that's not allowed. But I was like, there's no customer data. We all have the same issue. Why? Because we have the same regulation. We have the same guidelines, generally speaking, you know, obviously every institution has their own nuanced approach but from a larger level we're facing the same request from the local competent authorities or the regulators, so why not talk about this why not share how we're addressing certain issues? So, that was really the driving force behind creating NFCP and I'm happy to say, you know, within the few months we've been around our LinkedIn following is already over thousand followers and, yeah, looking for ways to continue to provide thought leadership content so that our community continue to learn and grow together. We're also working on different events. We had two earlier this year, working on one potentially in Oslo for later this year. But yeah, it's a nonprofit. So sometimes it's tough because I'm looking for sponsors for these events.
So in the meantime, it's all about just getting the content out there and also just asking the community what's top of your mind, what are issues you're facing, how can we help? And I guess to quickly sum up, we also wanna take it a step further. We want to see how we could take these learnings to the community, right? So what I mean by that is let's talk about fraud. Fraud is prevalent in every jurisdiction. And who are the top people that could be affected by this? The elderly, you could say, right? Because they're retired, so they get a phone call, or maybe they're online, they get a request. So we want to help educate also the society at large eventually, which is talking, like I mentioned, to the elderly about scams, talking to the youth about money mules, and how to avoid these being involved in these nefarious activities because sometimes they don't recognise the red flags, right? So, yeah, so in addition to to the day job I would eventually like to not only help our community of compliance officers but help the community at large… our society… because I think then we have a better ecosystem and that will make also our jobs a little bit… that much easier because the community is that much more educated and aware of these red flags.
Matthew Stibbe (10:51) And if someone is listening to this and they want to learn more about NFCP, where do they go?
Louie Vargas (11:33) Yeah, sure. So we have a website, nfcp.info. And we also have a LinkedIn page that we post all of our content, recordings, and everything like that. So yeah, those will be the two great sources to look after. And also, you could reach out to me. Connect with me on LinkedIn. I'm very happy to make connections there. So that could also be another way if you can't find us.
Matthew Stibbe (11:57) Fantastic. Now I'd like to talk a little bit about you and your background and what brought you to the world of open source research and open source intelligence. Tell me about your journey.
Louie Vargas (12:09) Yeah, sure. When it comes to OSINT, as I mentioned, when I first started my career in compliance, I was working on my resume, updating it, and somebody said, oh, you should just put the keyword OSINT in there. I was like, what's that? And they're like, oh, it's where we do searches. And I'm like, OK, but...
So originally I kind of accepted that, okay, maybe I do know OSINT, but as I went further in my career, I realised that it's a practice. It's definitely more than just the Google search as I mentioned earlier on. And so then I started doing my own research. What's OSINT? Kind of... What are the tips and tricks of the trade? And luckily there's a big community within OSINT on LinkedIn. So I was able to connect with a few people that were very happy to share their experience in OSINT. Some even do free training, free sharing quizzes and stuff like that, which I think is great because obviously they don't have to do this. This is a part, separate and apart from their daily work. But yeah, that's how I started to learn more about OSINT and what it really meant. I'm definitely not an expert yet. I have a lot more to work on and I strive to do that.
Yeah, and you know when I started working for one of the the Nordic banks they used, you know, resources like Blackdot and others that helped in this approach. So that helped me, again, say, okay, this is now… I'm really getting into OSINT, finally, not in my days of, you know, just looking at OSINT, sorry, looking at Google or other web searches. It's like, okay, this is the real deal.
Matthew Stibbe (13:59) And for someone like me who is a newcomer to this world, what are some good resources to learn a little bit more about it?
Louie Vargas (14:11) Yeah, there's quite a few people on LinkedIn that I would say are really good resources. One of them that stands out, her name is Sofia Santos, and spelled with an F, not a PH. But there's others out there like her, but she's very prominent, at least in my network. The other ways I would say is be curious and put that keyword into LinkedIn, put that keyword into different web browsers. You know, when I started my compliance career, ChaGPT or other similar AI tools weren't around. Now you could, you know, pop in that into one of those tools and it'll give you, kind of, a, you know, overall sense of what it means. Obviously you still have to dig deeper, but at least you have a base to start with a bit easier than when I started.
Matthew Stibbe (15:09) And tell me what is the role of, how are people using OSINT in financial crimes and sanctions? What kind of use cases are there?
Louie Vargas (15:19) Sure, I think it's still quite limited in the financial crime and sanctions world, especially within the team itself, just because we don't have one, as I mentioned already, the specific training on how to do it, but also limited on time and resources. A lot of financial institutions that I've worked for have a separate team that does most of these investigations and deep dives. I still think there's a bit of a gap between who knows about these dedicated teams and not.
But the specific use cases would be geopolitical issues. You know, from the geopolitical issues we're seeing today, we can predict to a high percentage if sanctions are going to be levied on another company, country, regime. Also with… when we're talking about horizon scanning. So when regulations come out or are about to come out, we could use sometimes, you know, these investigative techniques to dig deeper, find more material behind it, or more sources that could then help us better identify, okay, is this really going to happen? Is this not? Should we keep this in mind and so forth? But yeah, as I mentioned, also within investigations, if we're into a customer or a transaction we're looking at, you know, we can delve deeper into finding, because, I'm sure you might have heard already that, you know, Russians are really good, really good at, become really good at obscuring their ownership structure, especially when they're trying to hide if they're owned by a sanctioned person or not. So sometimes we need this, these investigative tools, to dig deeper, to see who's actually the beneficial owner or tie the dots together to see, okay, it's owned by one sanctioned person, is owned by another sanctioned person. Does this add up?
You know, make it now over the line where we consider this, where we can consider them sanctioned.
But yeah, I would say those are kind of the quick wins or use cases for the sanctions world. But as mentioned before, there's sometimes dedicated teams that really dig in and have this ability. So it's knowing that they exist and the right avenues to communicate with them and even prioritise it, right? Because they might be busy doing investigations for other parts of the company. So it's figuring out how, do we really need to utilise them to do this deep digging? Use their OSINT knowledge to help us… or is it something we could keep internally or, you know, maybe we don't have to dig that deep but, yeah, those are all the things that kind of you have to consider.
Matthew Stibbe (18:16) And how well understood is OSINT's potential in the financial world?
Louie Vargas (18:24) That's a good question. I think that it's limited scope, I would say. I think, you know, in some areas, maybe in mergers and acquisitions and maybe investment opportunities, it's maybe more well known there. But in other areas, especially in the area that I work in, crime, I think is still quite limited. We use them from time to time, but I don't think most of the team members would know that this team is there to support them when needed. So I still think that it's...
Yeah, I mean it all boils down to the return on investment, when you work, any industry you work on, but especially a financial industry, right? So even though we're trying to do the right thing as compliance officers, but we're limited on resources at times. Sometimes it's just a prioritisation game. And even these investigative teams that have these dedicated individuals, they also, depending on the institution, don't have an army of people, right? Be a very kind of small tight-knit group so that's why I think it's very key to kind of figure out the right balance.
Matthew Stibbe (19:38) And how can professionals in the OSINT world educate, communicate, infuse stakeholders who may not be as familiar with what you can do?
Louie Vargas (19:45)
Yeah, go on a road show I would say. If you're on one of these teams and you notice that there are other use cases that are not being explored, maybe it's time to educate your fellow colleagues around the institution. Do some webinars, do some, maybe, a short, in-person session. Nowadays, I feel like we're still relying on virtual meetings, but we could be in the same office. We could be sitting next to each other.
So in-person is great. So yeah, you know, have a quick presentation and just you know, take it… take it to them, say hey, we're doing this great work here. We see that there's a potential use case for you guys in this unit and if you would like to discuss it further. Let's just chat about it. If not, you know, no harm, no foul. Or maybe, you know, you don't feel like you could use it specifically to do certain things. Maybe we could upskill some of your people to do some of this within your own unit. So there's various ways but I think the best way is definitely talk directly to your colleagues because that's the best way.
Matthew Stibbe (21:03) The OSINT Roadshow, yeah, I like that idea a lot.
We're sort of coming towards the end of our conversation now, but there's one last area I want to explore with you. And of course, it's the elephant in the room for everybody at the moment, AI in OSINT. And I'm curious about your take on what are the challenges and opportunities.
Louie Vargas (21:18) Mm-hmm.
Yeah, AI is the buzzword of the day. I think what we first have to start off with when you're talking about anything in AI is level setting, because depending who you're speaking to, they could have a different interpretation or different definition. And also, there's many components of AI. AI is just an umbrella term for it, but there's different parts like machine learning (ML), large language models (LLMs), everything like that.
So I think we have to, maybe, instead of using the umbrella term all the time, try to talk about specific parts because that's where it would be particularly applicable to you. When you're talking about anything AI, of course, you also have to consider governance. Now we have the EU AI Act, which is great because it gives us some of that structure that we so needed. It labels what could be high risk, medium risk and low risk type of AI setups. And I think that has to be considered especially in the OSINT realm because if you're using customer data or potential customer data, right, that could elevate your risk rating. If you're just scraping the internet for negative media, that could be a bit lower. So it all depends. We have to figure out where exactly you fit.
But yeah, I think it definitely has a use case within the OSINT world. It could help, you know, provide information quicker, provide even comparisons quicker. So, you know, just like in everything else, I think there is a way to harness the power of AI in the way that could really make our lives as investigators and compliance officers easier. But we also need to consider the governance that needs to be in place to ensure there's no biases, to ensure that, you know, you have a constant overview of an oversight of how your model is working so that, and you know, of course, you know, nothing is perfect, but you could try to ensure that the model is working as you intended it to work. But yeah, I think, you know, the possibilities are endless, but I think the biggest thing would be that it would be able to analyse information a lot quicker than a human can and can, you know, kind of highlight where now the analyst can go, which saves time on both ends, right? For the analyst to compile all this data and analyse it, but also returning it to and providing that report to whoever requested it.
Matthew Stibbe (24:04) I think it's a fascinating, fast-moving and exciting and scary thing at the same time, isn't it? So that, I think, brings this conversation, this episode to a close. Louie, thank you very much. It's been fascinating and thought-provoking. Great to have you on the show.
Louie Vargas (24:11) Yeah.
Thank you again, it was fun and hope to talk to you again soon.
Matthew Stibbe (24:27) And for more information about the Network for Financial Crime Prevention, please visit their website nfcp.info or check out Louie's LinkedIn page and the network's page. And if you'd like more information about OSINT, about Blackdot or their software, Videris, please visit blackdotsolutions.com. And thank you very much for listening. Goodbye.