In the law enforcement (LE), national security and private sector anti-money laundering (AML) world, the word “proactive” is used frequently. However, what is often called proactive in financial services is actually not that proactive at all. Within many institutions, the proactive approach consists of a major case team that responds to global-scale matters to determine the exposure to the bank.
A truly proactive approach is detecting risk to the bank that no one knew existed. The objective should not be to identify a hidden risk here or there occasionally; rather, the goal should be to develop a systemic process that is ongoing and sustainable to identify hidden risks across the firm. In doing so, you encourage the consistent development of new intelligence that benefits your overall AML program. This proactive identification of AML risks and threats is a complement to the regulatorily required typology-based transaction monitoring. In general, proactive monitoring is straightforward and this article will lay out the steps that are necessary in a successful proactive monitoring process:
- Intelligence
- Initial indicators
- Secondary indicators
- Implementation
- Scenario development
The Intel
Proactive monitoring requires quality intel, experienced analysts to further develop this intel, data analytics to identify who/what across the client base is matching the intel, and AML investigations to work cases to determine whether suspicious activity reports (SARs) should be filed. The hardest part is the intel. The response to the attacks of 9/11 and the build-out of the first terrorist financing-focused operation in the Federal Bureau of Investigation (FBI) is a classic example of the intel issue. To analyze the enormous volume of terrorist financing intelligence that was flowing into FBI headquarters, a relational database was brought in from an outside entity. (Remember, this was 2001.) The database worked impressively, but the intel from leads being covered by the 56 FBI field offices was not being vetted prior to being uploaded. For that reason, the link charts that ultimately resulted from the data analytics were more confusing than productive and showed results such as Osama Bin Laden living in the U.S. That is a true story. The headline here is that the intel, although gathered with good intent, was faulty and not vetted before it was loaded into the data analytical tool.
So, where do you get good intel? The answer is that it comes from sources that make the most sense: LE, the intelligence community, industry partners, nongovernmental organizations (NGOs), your own analysts, open source or spinoff investigations. It can also be from several of those sources, taking pieces of intel and combining them into the right set of indicators to detect the risk or threat about which you are concerned.
Initial Indicators
The next step is to pull insightful and bank-relevant indicators from the intel. It often takes few indicators, or sometimes just one indicator, for banks to be able to identify potential bad actors, especially if the indicators are transactional in nature. When attempting to detect potential child sexual abuse material (CSAM), a key transactional data point provided by LE and a well-respected NGO was a specific file hosting company. The entire project started with identifying customers who were transacting with that file hosting company. Once we had the results from that query, we had a starting place for identifying customers who might be involved in CSAM/child exploitation.
An initiative that was targeting Islamic State (IS) group funding in Syria focused on intel from the U.S. intelligence community that indicated that IS was funding its operations through several means, including extortion, kidnapping, antiquities sales and oil production, and that the terrorist group had amassed millions of dollars in cash. There was additional information that IS was bulk cash smuggling across the Turkish border, depositing the cash into shell company bank accounts and then wiring those funds to China to purchase combat supplies. The intel also indicated that the supplies were being trucked into Syria across the Turkish border.
From a banking standpoint, what information could be used to proactively identify customers and transactions that fit the indicators? The answer is not that much. You might be able to detect wires to China for certain types of items that could be used in combat. Assuming your bank has relevant correspondent relationships with Turkish banks, you might be able to identify accounts that sent wires to China from newly opened accounts that appear to be shell companies into which large amounts of cash were being deposited. The rest of the intelligence regarding antiquities, oil, extortion, trucking, etc., was extremely interesting information, but not particularly usable in detecting IS terrorism financing from a U.S. banking standpoint.
Secondary Indicators
It is usually not enough to open AML investigations, file SARs or exit relationships simply because customers are transacting with one entity that intel has indicated may be of concern. Secondary indicators are needed to filter the original data results and focus on customers who can, with more certainty, be suspected of engaging in illicit activity. Secondary indicators come from the same places as the original intel that started the proactive monitoring project: LE, industry partners, our own experience, NGOs, etc. In the CSAM initiative mentioned previously, some of the secondary indicators were accounts that had no regular day-to-day activity, accounts that appeared to be set up solely for the concerning activity, consistent peer-to-peer (P2P) payments in smaller round-dollar amounts to unrelated third parties, specific streaming sites, additional cloud storage expenses, amusement parks, significant and specific gaming activity, toy stores, etc. Once these secondary indicators were applied to the initial results, the resulting dataset made sense in identifying the clients on whom deeper dives were needed to determine whether SARs would be filed for potential CSAM or child exploitation.
The results from the data analytics should also make sense from a real-world point of view. Your bank does not have 5,000 terrorists in it. You should not have thousands of hits based on that type of intelligence.
There are certain situations based on your bank’s business model that may get you plenty of accurate results, maybe more than you would expect. In a human trafficking (HT) project that was focused on payments to commercial sex advertising websites as the initial transactional indicator, the websites and billing intel came from LE. The identified websites were known to be used by HT networks for sexual exploitation. The initial results identified several clients transacting with those sites, which was a surprise result for the initiative. This is where secondary indicators are so important. Payments to commercial sex advertising sites are not on their own enough to open AML cases. However, insightful secondary indicators (P2P payments to sex workers, local hotel expenses, account funding through P2Ps from unrelated third parties, sole-use accounts, etc.) filtered that number down to customers who are most likely engaging in illegal activity or potentially involved in running or supporting HT networks.
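The two-stage filtering described in this section, sketched as an added example (not the authors' or any bank's code). The ledger, the `FLAGGED` and `EVERYDAY` sets, the three rule functions and the `min_secondary` threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample ledger: (customer, direction, channel, counterparty, amount)
TXNS = [
    ("C1", "debit", "card", "FLAGGED-ENTITY-A", 29.99),
    ("C1", "debit", "p2p", "person-17", 100.00),
    ("C1", "debit", "p2p", "person-42", 50.00),
    ("C1", "credit", "p2p", "person-88", 300.00),
    ("C2", "debit", "card", "FLAGGED-ENTITY-A", 29.99),
    ("C2", "credit", "ach", "EMPLOYER-PAYROLL", 2500.00),
    ("C2", "debit", "card", "GROCERY", 84.13),
    ("C2", "debit", "ach", "UTILITY", 120.40),
    ("C3", "debit", "p2p", "person-17", 100.00),
]
FLAGGED = {"FLAGGED-ENTITY-A"}  # placeholder for an intel-supplied entity list
EVERYDAY = {"EMPLOYER-PAYROLL", "GROCERY", "UTILITY"}  # assumed day-to-day markers

def round_p2p_out(txns):
    # Repeated round-dollar P2P payments out (assumed: multiples of 10, at least 2)
    hits = [t for t in txns if t[1] == "debit" and t[2] == "p2p" and t[4] % 10 == 0]
    return len(hits) >= 2

def sole_use(txns):
    # No regular day-to-day activity anywhere in the account
    return not any(t[3] in EVERYDAY for t in txns)

def p2p_funded(txns):
    # Account funded only through P2P credits
    credits = [t for t in txns if t[1] == "credit"]
    return bool(credits) and all(t[2] == "p2p" for t in credits)

SECONDARY = {"round_p2p_out": round_p2p_out, "sole_use": sole_use,
             "p2p_funded": p2p_funded}

def triage(txns, flagged=FLAGGED, min_secondary=2):
    """Return (initial hits, {customer: matched secondary indicators})."""
    by_cust = defaultdict(list)
    for t in txns:
        by_cust[t[0]].append(t)
    # Stage 1: the single transactional indicator taken from the intel.
    initial = {c for c, ts in by_cust.items() if any(t[3] in flagged for t in ts)}
    # Stage 2: keep only initial hits that also match enough secondary indicators.
    cases = {}
    for c in sorted(initial):
        matched = [name for name, rule in SECONDARY.items() if rule(by_cust[c])]
        if len(matched) >= min_secondary:
            cases[c] = matched
    return initial, cases
```

On the constructed ledger, C1 and C2 both match the initial indicator, but only C1 survives the secondary filter; C2's payroll and household spending remove it from the case queue.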
Implementation
For the proactive monitoring program to be most efficient, it requires a dedicated team, reliable intelligence streams, unique skill sets and tools to develop initiatives and strong relationships with data analytics teams. A dedicated team, independent of day-to-day case production, allows the team to remain solely focused on intel development and projects. This is crucial as it removes production stress and allows the proactive monitoring analysts freedom to think creatively and fully explore new concepts. Equally important is ensuring that the proper tools are made available to the team. Proactive monitoring requires new systems not commonly used within AML Investigations, including data analysis, network build-out and cyber-related systems. Doing so enables proactive monitoring to independently test out and further develop new ideas.
As proactive monitoring’s intel becomes further developed, the importance of a strong relationship between the proactive monitoring team and the data analytics team becomes apparent. In the end, the implementation of new intel into ongoing monitoring routines will rest with the data analytics team (assuming that team does not sit within the proactive monitoring operation). There will likely be numerous tweaks on various aspects of those data runs, such as the dollar thresholds, periods of review, which secondary indicators are productive or not, etc. Having a strong relationship between the two teams will speed up the time it will take to run the initiatives but will also lead to valuable insights and suggestions that the analytics team can and should provide. Close coordination between the two groups allows for the most efficient implementation of new transaction monitoring scenarios that come with proactive monitoring initiatives.
Proactive monitoring projects provide a highly targeted approach to a specific risk that creates a significantly lower false positive rate compared to typical transaction monitoring routines. This targeted approach allows for an agile and effective response to the intel, culminating in a manageably sized yet highly effective batch of cases. Proactive monitoring has been found to produce cases with significantly higher SAR rates (often 40% and above) than traditional transaction monitoring scenarios (velocity, layering, change in behavior, etc.), all while receiving more interest from LE through supporting document requests, subpoenas and keep open letters. These are valuable metrics for any AML program.
Transaction Monitoring Scenario Development
AML programs can use proactive monitoring and its targeted, intelligence-driven alerts to reduce their dependency on generic transaction monitoring routines. These more generic monitoring routines, usually based on simplistic transactional indicators, can be tedious and time-consuming endeavors through which investigators must work. Traditional transaction monitoring scenarios may lead to valuable SARs, but the overall false positive rate is historically high given the simplistic logic behind the monitoring routines. A program can transition from depending on high-volume “generic” alerts to utilizing lower-volume proactive monitoring alerts, all while increasing its overall SAR output. Ultimately, AML programs can continually develop successful proactive monitoring projects into new and successful transaction monitoring scenarios.
The new type of scenarios can be more transactionally based (transactions with specific, real-world entities) or more behavior- or demographic-based (behavioral indicators such as certain types of recurring transactions or demographic indicators such as geographic location, employment, etc.). A good example of a more transactionally based scenario is the CSAM/file hosting company initiative. A more behavior-based example would be customers who fund their accounts solely through hundreds of low-dollar P2P credits from seemingly unrelated third parties, followed by those funds leaving the account through a few large transactions such as wires, automated clearing house payments, P2P, etc.
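The behavior-based scenario above, written as a monitoring rule in an added example (not code from the authors or their institution). Every threshold, the tuple layout and the constructed ledger are assumptions; the rule works on aggregate counts and does not model the time ordering of credits and debits.

```python
from collections import defaultdict

# Assumed thresholds; a real program tunes these with its data analytics team.
MIN_CREDITS, MAX_CREDIT_AMT = 100, 50.00  # "hundreds of low-dollar P2P credits"
MIN_DISTINCT_SENDERS = 50                 # proxy for "seemingly unrelated third parties"
MAX_DEBITS, MIN_DEBIT_SHARE = 5, 0.80     # "a few large transactions" moving the funds out

def funnel_candidates(txns):
    """txns: iterable of (customer, direction, channel, counterparty, amount)."""
    by_cust = defaultdict(list)
    for t in txns:
        by_cust[t[0]].append(t)
    flagged = []
    for cust, ts in sorted(by_cust.items()):
        credits = [t for t in ts if t[1] == "credit"]
        debits = [t for t in ts if t[1] == "debit"]
        # Funded solely by many small P2P credits
        funded_only_by_small_p2p = (
            len(credits) >= MIN_CREDITS
            and all(t[2] == "p2p" and t[4] <= MAX_CREDIT_AMT for t in credits)
        )
        senders = {t[3] for t in credits}
        total_in = sum(t[4] for t in credits)
        total_out = sum(t[4] for t in debits)
        # Most of the money leaves again in a handful of debits
        drained_in_few = (
            0 < len(debits) <= MAX_DEBITS
            and total_in > 0
            and total_out / total_in >= MIN_DEBIT_SHARE
        )
        if (funded_only_by_small_p2p and drained_in_few
                and len(senders) >= MIN_DISTINCT_SENDERS):
            flagged.append(cust)
    return flagged

def sample_ledger():
    # Constructed data. A: 200 senders of $25 each, then two wires out.
    rows = [("A", "credit", "p2p", f"sender-{i}", 25.00) for i in range(200)]
    rows += [("A", "debit", "wire", "BENEFICIARY-X", 2400.00)] * 2
    # B: many small P2P credits, but from three people, spent on card purchases.
    rows += [("B", "credit", "p2p", f"friend-{i % 3}", 20.00) for i in range(120)]
    rows += [("B", "debit", "card", "MERCHANT", 15.00)] * 100
    # C: payroll-funded account paying rent by wire.
    rows += [("C", "credit", "ach", "EMPLOYER", 3000.00),
             ("C", "debit", "wire", "LANDLORD", 2800.00)]
    return rows
```

Customer B shows why the distinct-sender and debit-count conditions matter: its credit volume alone looks like A's, but the senders repeat and the money leaves through ordinary card spending.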
A highly productive proactive monitoring initiative focused on customers who opened U.S.-based consumer accounts but for whom all, or almost all, of the log-on activity was from a very high-risk jurisdiction (HRJ) due to the customers’ use of virtual private network masking. This behavior indicated that the account holder lived in the HRJ or the account had been handed off to someone who lived in that HRJ. Additional behavioral indicators were that every transaction in the account was a P2P credit in and P2P debit out. Obviously, new transaction monitoring scenarios can include both behavioral and transactional indicators depending on the type of risk or threat that is being targeted.
Personnel Benefits
A significant by-product of having a proactive monitoring team is the positive impact it generates across the broader investigations team. From an investigator’s perspective, the mundaneness of working hundreds of transaction monitoring alerts that rarely have any value takes its toll. It is a needle-in-a-haystack mentality. From a leadership standpoint, it may be difficult to keep the team engaged and to combat team dissatisfaction. Introducing the broader team into the life cycle of the proactive monitoring projects significantly increases team morale and the professional development of the entire investigations team. Team morale is the foundation upon which productivity, collaboration and innovation thrive. In addition, investing in continuous learning and the skill enhancement of the investigators benefits the individuals by developing their expertise while also strengthening the overall capability of the organization.
Conclusion
Proactive monitoring is just a version of an intelligence cycle that LE or the intelligence community would run to disrupt potential threats, especially counterterrorism and other national security threats. Graphic 1 below provides a simple visual of the proactive monitoring intel cycle.
Graphic 1: Proactive Monitoring Intel Cycle
Source and illustration by Ross Duncklee, Brian Filbert and Andrew Vasquez, Ally Bank
Proactive monitoring complements traditional monitoring routines and is designed to detect AML/terrorist financing risk that is hidden within a customer’s footprint at the bank. While this approach yields high SAR rates, detects the most significant types of risks (HT, terrorist financing, etc.) and provides higher quality intelligence to LE partners, the ultimate goal is to develop new, more productive and ongoing transaction monitoring scenarios that in the long term will identify and keep bad actors out of the client base.
Ross Duncklee, JD, CAMS, director, AML Investigations, Ally Bank, rossdavid.duncklee@ally.com
Brian Filbert, JD, sr. director, AML Investigations/Enhanced Due Diligence, Ally Bank, FBI (ret.), brian.filbert@ally.com
Andrew Vasquez, CAMS, manager, AML Proactive Monitoring, Ally Bank, andrew.vasquez@ally.com