
Using an IBM i2 Solution to Investigate Money Laundering


IBM Security


Highlights:

• A high level view of the problem: Money Laundering is the final link in a sinister chain

• The need for advanced Anti-Money Laundering (AML) solutions enhanced with an investigations approach

• How an AML investigations team operates and uses investigation techniques in the three stages of AML

• Real world examples of investigation solutions being used to discover Money Laundering

• Where to next?

Using an IBM i2 Solution to Investigate Money Laundering Crimes

While concealment is the weapon of choice for money launderers, an IBM i2 solution removes this layer of invisibility by quickly uncovering hidden connections and patterns in data.

Introduction

Money launderers’ goals are simple but sinister as they attempt to make illegally gained revenue have a legitimate appearance. This illegally gained revenue can come from criminal activities such as human trafficking, illegal arms selling, black market narcotics and bribery, and quite often the proceeds go back into organized crime or terrorist financing. Financial institutions are morally and regulatorily compelled not to be connected in any way to the process of money laundering. This is the motivation for institutions to have an Anti-Money Laundering Special Investigation Unit (SIU).

Who should read this paper?

This document is intended for analysts and business managers alike who realize that money laundering has reached levels of sophistication that traditional rules-based systems alone cannot detect. A deeper understanding using visual analytics is needed to uncover the full picture of the how, what and who that are the real moving parts of suspicious monetary transactions. This white paper will focus on the investigation elements of an Anti-Money Laundering (AML) solution. These investigation elements are required to surface concealed activities by early discovery of patterns, which will lead to significant improvements in the speed, efficiency and effectiveness of the AML operations.


This needs to work in seamless conjunction with rules engines based in tiers, which are explained but not covered in depth later in this white paper.

Money Laundering is the final link in a sinister chain

Monies obtained from illegal activities are usually collected in physical cash. Organized crime rings (OCRs) will have large ‘dealer’ networks made up of individual members who in turn will collect large amounts of physical cash. This cash will be channelled to the top members of the crime organization, which will require these monies to be made legitimate. As fraud and financial crimes continue to grow, which in turn generates illegal revenue, so will the need for more sophisticated means of money laundering those funds for their criminal benefactors.

The good news is that money laundering transactions have a digital footprint with virtual and physical connections. The bad news is that organized crime will invest heavily in sophisticated processes to ensure that these remain concealed and appear like normal transactions. This is where human-led, machine-assisted investigations will give the asymmetric advantage back to Special Investigation Units (SIUs) in finding and stopping these illegal money laundering activities, as traditional rules engines struggle with the sophistication of the ever-evolving methods.

A view of the problem

Financial crime has become a significant and prevalent challenge in today’s markets. Even though an organization’s current solution approach may offer protection from today’s penetration techniques, it does not create a long-term solution for guarding against fraudulent criminal activities. Fraudsters have become more and more sophisticated over the last decade. They have transformed from one-off and small groups focusing only on low hanging fruit with unsophisticated penetration techniques to large business-like organizations who recruit top talent to be able to deliver sophisticated, pointed attacks across all industries.

Starting with the U.S. Patriot Act of 2001, institutions that deal with monetary accounts are required to verify the identification of account ownership at the time of account. Through the years the regulations have gotten much more complicated, to the point of now demanding that an institution understand not only the identity of account ownership but also beneficial ownership, and validate the identity of all individuals tied to account ownership. The onus is on the institution to make sure it is compliant with all current regulations.

These evolving money laundering methods can require retooling of existing technologies or create the need for new solutions specifically focused on the new vector of penetration. Both of these options can be cost intensive as well as time intensive, leaving the institution vulnerable during solution deployment. The underlying issue of the traditional rule-based solutions is that they are deployed to stop the fraudsters based on historical events, trends and known previous money laundering methods, while the fraudsters constantly look for ways to circumvent these rules by evolving their deception methods. It is now essential for a solution to move faster than the speed of threat.

Keeping their fraud concealed by blending it into normal operations or transaction types is the fraudsters’ most powerful weapon. Simply put, concealment is their normal modus operandi, but once fully discovered, investigators can neutralize the fraudster’s illicit activities. This is easier said than done, as SIUs are now facing many unknown method types and manipulators.

Why is there a need for advanced Anti-Money Laundering solutions?

Many organizations make understandable mistakes about AML solutions. Here are 4 commonly held myths of traditional solutions:

1. Rules engines are sufficient to stop all money laundering activities.

2. The use of Internal data is sufficient to find all money laundering activities.


3. Using spreadsheets with filters and pivot tables is a sufficient approach to investigating money laundering.

4. Advanced AML solutions are expensive and difficult to maintain and staff.

This white paper will address these myths, recognizing there are compelling reasons for an institution’s need for advanced AML solutions.

Impacts from the 4 Rs

The main revenue streams for financial institutions are via transactional charges and using deposited funds for investments. Technically, revenue is generated from concealed money laundering via these streams, yet the impacts far outweigh these gains. The impacts are defined by 4 Rs.

1. Regulatory fines: Recently, financial regulators have imposed massive fines on global financial institutions that have not adequately dealt with money laundering activities in their operations.

2. Reputation loss: Financial institutions that deal with criminal and illegal funds stand to lose customers, as customers do not want to be associated with organizations that deal with organized crime.

3. Revenue loss: Regulatory fines and reputation loss can significantly impact the profit and loss of a financial institution. It can also have major effects on its stock price and its ability to raise investment capital.

4. Running operations: The operational cost of running an AML team is an expense to an organization. Ensuring the most efficient and effective solution is implemented will help optimize this cost to the organization.

When considering a full end-to-end AML solution, a seamless integration of all vetting, monitoring, detection and investigation must be underpinned by other key elements, including policies, processes, people and products, which are addressed later in this white paper.

Money laundering is not only connected to banks but can affect many other industries that can be held accountable by financial regulators. Other financial services can be targeted by money laundering operations, such as:

Money transfer companies

Moving money from an individual in a global location to another individual can be provided by service providers via simple walk-up counters. As this service allows funds to be transferred easily, it can also be abused by organized crime rings. These money transfer companies also must obey the rules set out by financial regulators and are liable to fines if in breach of these regulations. Similar to what is done with banks, organized crime rings will try to send money from one location to another without being detected.

High luxury goods

As luxury goods are purchased and gifted to others, there exists a monetary value. The retailer must ensure that funds used for goods purchased have come from a reliable source. ‘Know your customers’ vetting will indeed help here. For a cash purchase of goods valued over a certain amount, a background check may be required. In some cases, goods can be returned using a gift receipt and the value moved to a different credit card. Unfortunately, in these cases, the retailer may facilitate money transfer between two parties.

Online betting / gaming

The need to transfer money between parties without causing any suspicious triggers is the prime motivation for using online betting and gaming as a money laundering platform. Groups of organized crime rings can manipulate betting games and control who plays. If all the players are managed by a single individual and play is below the level of money laundering limits, at a specific time these players will go all-in with controlled losing hands against a certain individual. The individual will take the winning pot, but more importantly has a legitimate reason to explain how the funds were obtained.


Cyber currency

As cyber currency (a.k.a. cryptocurrency) operates above regional regulators and uses anonymized trades, it has started to become a new opportunistic space for money laundering. There are a number of attributes that still discourage organized crime rings from pivoting hard into this financial platform as a means of money laundering, including:

1. Purchasing and recovery of cryptocurrencies into hard currencies can still trigger suspicious alerts.

2. It is easy to buy-in into large quantities of cryptocurrencies but not easy to sell-out of large quantities of cryptocurrencies.

3. Cryptocurrencies are still very volatile, and the organized crime rings can experience large currency losses on trade prices, which they do not like.

4. Cryptocurrency exchanges fall under financial regulation.

Hedge funds

As a hedge fund is an investment fund that is a collection of capital from a group of investors who have invested in a variety of assets, often in a varied, complicated portfolio construction, money launderers can hide among legitimate fellow investors and have dividends and payouts routed back to themselves or others acting for them, making them beneficial owners of the fund and the beneficiaries. As these financial constructs have many moving and diverse parts, it can be very difficult to find illegal concealment by traditional methods.

Overview of an AML solution with the inclusion of an investigations approach

As discussed above, there are many ways organized crime rings can launder their funds via concealed methods. Regardless of the industry, an end-to-end solution for the prevention of money laundering should utilize these 4 tiers of active elements:

• Tier 0: Scoring and on-boarding

• Tier 1: Transaction monitoring

• Tier 2: Correlational rules

• Tier 3: Investigations

The key elements of an anti money laundering solution

Tier 0: Scoring and on-boarding

This tier is the vetting of any potential new customers via a risk score that has been assigned to them by a scoring engine. Additional, deeper investigations may be needed to discover associations with others who may have a high risk score, such as beneficial ownership that can extend out to 1, 2 or 3 degrees of separation from the original individual under investigation.

Visual analytics can easily find connections of individuals across many data sources during a vetting process. This data can come from various sources, such as internal watch lists, external commercially available information, news sites, external watchlists, etc. Vetting checks can follow general rules like the following:

• Review the application for an account and risk-score the applicant to ensure they meet application criteria.

• Validate the applicant is not on any watch list.

• Check the application parameters conform to business controls and compliance.

• Validate beneficial ownership of the account.

[Figure: solution overview diagram. Labels: Data (structured, unstructured; public, private), Tier Zero, Tier One, Tier Two, Tier Three Reviewer, Work Flow and Compliance Management, Executive Dashboard, Threat Reports, Information sharing, Background, Political Exposure, Shareholding Info, Sanctions, Social Reputation, Source of Wealth]

If the scoring is inconclusive, the case can be escalated to the investigation team, where additional information can be fused together to investigate any suspicious markers connected to the entity under review. ‘Know your customer’ monitoring should be part of the on-boarding process, yet also needs to be part of the continual monitoring process should any customer’s attributes change in a way that may cause an alert. Common alerts could be that an entity goes bad or has been taken over by an organized crime ring (mule accounts). The SIU team stands ready to do a deeper dive if an alert is raised.

Tier 1: Transaction monitoring

Once entities (users) have been on-boarded, they will be approved to use an organization’s services. The users now have the ability to deposit, transact, transfer and withdraw their funds. These transactions will undergo automated monitoring via rule engines to ensure that they are legitimate and lawful. The focus here is using real-time transaction monitoring against a defined set of known rules. An alert could be generated when a deposit is made over a certain value with little knowledge of the entity making the deposit. As these are real-time rules, the amount and complexity of the rules can be limited so as not to affect normal business processes. Other examples of real time alerts can include: the applicant has newly appeared on a watchlist and the account transactions are outside the normal activity levels traditionally associated with the account or business type.

IBM Safer Payments is an example of a real time tier 1 transactional monitoring solution.

Tier 2: Correlational rules

Tier 2 rule engines look across the enterprise and correlate transactions to set off an alert. They are more complex than tier 1 rules and may not be real time, as they can operate over batch data. An example of a correlation rule is looking at multiple deposits made from many accounts yet all sharing the same IP address. This may not be unusual, as a family of 5 members may have 5 separate bank accounts but all use the same home IP. Additional advanced rule sets can be utilized to help identify these types of false positives. In Tier 2 rule engines the following attributes may be checked:

• Determine the actual state of a false positive.

• Account transactions outside normal activity levels traditionally associated with the account or business type.

• Accounts have repetitive deposits / withdrawals with equal amounts.

IBM Financial Crimes Alerts Insight with Watson is an example of a tier 2 correlational rules solution.
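The shared-IP correlation and its family false positive described above, together with the equal-amount check from the list, sketched as batch rules. This is an added example, not code from the white paper or from any IBM product; the thresholds, account identifiers, addresses and IP addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Deposit:
    account: str
    amount_cents: int
    source_ip: str
    day: int  # day index inside the batch window


# Constructed customer master data: account -> registered postal address.
REGISTERED_ADDRESS = {
    "ACC-101": "12 Elm Road", "ACC-102": "12 Elm Road", "ACC-103": "12 Elm Road",
    "ACC-104": "12 Elm Road", "ACC-105": "12 Elm Road",
    "ACC-201": "3 Quay Street", "ACC-202": "88 Hill Avenue",
    "ACC-203": "41 Mill Lane", "ACC-204": "7 Park Row",
    "ACC-301": "19 Oak Close",
}

# Constructed batch of deposits (IP addresses from documentation ranges).
DEPOSITS = [
    # A family of five, one home IP, unrelated amounts.
    Deposit("ACC-101", 120000, "192.0.2.10", 1),
    Deposit("ACC-102", 45000, "192.0.2.10", 2),
    Deposit("ACC-103", 8000, "192.0.2.10", 2),
    Deposit("ACC-104", 30500, "192.0.2.10", 4),
    Deposit("ACC-105", 15000, "192.0.2.10", 5),
    # Four unrelated account holders operated from one IP.
    Deposit("ACC-201", 250000, "198.51.100.7", 1),
    Deposit("ACC-201", 250000, "198.51.100.7", 2),
    Deposit("ACC-201", 250000, "198.51.100.7", 3),
    Deposit("ACC-202", 240000, "198.51.100.7", 1),
    Deposit("ACC-203", 260000, "198.51.100.7", 2),
    Deposit("ACC-204", 255000, "198.51.100.7", 3),
    # Ordinary single customer.
    Deposit("ACC-301", 99000, "203.0.113.5", 3),
]

MIN_ACCOUNTS_PER_IP = 4  # assumed threshold for "many accounts"
MIN_EQUAL_REPEATS = 3    # assumed threshold for "repetitive"


def shared_ip_alerts(deposits, addresses, min_accounts=MIN_ACCOUNTS_PER_IP):
    """Correlate deposits across accounts by source IP.

    An IP used by at least min_accounts accounts raises an alert. The alert is
    marked as a household false positive only when every account is known and
    all of them share one registered address; anything else is escalated.
    """
    accounts_by_ip = defaultdict(set)
    for dep in deposits:
        accounts_by_ip[dep.source_ip].add(dep.account)

    alerts = []
    for ip, accounts in sorted(accounts_by_ip.items()):
        if len(accounts) < min_accounts:
            continue
        seen_addresses = {addresses.get(acct) for acct in accounts}
        # Unknown accounts (None) never qualify for suppression.
        household = None not in seen_addresses and len(seen_addresses) == 1
        alerts.append({
            "ip": ip,
            "accounts": sorted(accounts),
            "disposition": "suppressed_household" if household else "escalate",
        })
    return alerts


def equal_amount_alerts(deposits, min_repeats=MIN_EQUAL_REPEATS):
    """Flag accounts that repeat the same deposit amount min_repeats times."""
    counts = defaultdict(int)
    for dep in deposits:
        counts[(dep.account, dep.amount_cents)] += 1
    return sorted(
        (acct, amount, n) for (acct, amount), n in counts.items() if n >= min_repeats
    )


if __name__ == "__main__":
    for alert in shared_ip_alerts(DEPOSITS, REGISTERED_ADDRESS):
        print(alert)
    print(equal_amount_alerts(DEPOSITS))
```

Suppressing only when every account resolves to the same registered address keeps the family case quiet while an IP shared by unrelated or unknown holders still reaches the investigation team.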

Tier 2 correlational rule engines can be supplemented with AI (artificial intelligence) and machine learning functions. If suspicious transactions are detected without a conclusive result, the case can be escalated to the investigation team. Typically, when this happens, there is cause for concern but the reasoning is still not fully understood.

Tier 3: Investigations

Not all applications reviewed during onboarding or transactions being monitored can deliver a conclusive result. In those cases, additional investigations are needed. In some cases, suspicious activities may not even have been detected by the internal rule engines.

4 triggering points to start investigations

There are 4 trigger points that can be used to start a money laundering investigation:

1. Rules engines: An alert from tier 1 or 2 that is inconclusive or suspicious will trigger an investigation.

2. OSINT monitoring: OSINT (open source intelligence) from external sources, such as a watch list or media feeds, can point to suspicious activities connected to the institution.

3. An investigator hypothesis: An investigator is testing a hypothesis they have developed against a data set.

4. See-something-say-something: An employee has raised a concern by seeing something out of the ordinary.

During the 3 stages of money laundering (Placement / Layering / Extractions), escalations to the investigation teams can be made in an attempt to obtain the full picture of what is happening if any of the above trigger points has been raised. A deeper investigation can identify the method and accounts involved, using an evidence-based approach. This will produce actionable intelligence (a.k.a. SAR, Suspicious Activity Report) for other stakeholders and the MLRO’s (Money Laundering Reporting Officer’s) office.

The above tiers of a full end-to-end AML solution need to be enabled and supported by the following underlying attributes:

1. Policies

All financial institutions have obligations to their financial regulators to combat illegal money laundering activities that use their platforms, including:

• European Banking Authority (EBA): Their mission is to ensure financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.

• Bank Secrecy Act (BSA): The primary U.S. anti-money laundering regulator to ensure national banks have the necessary controls in place and provide the requisite notices to law enforcement to deter and detect money laundering.

Each country with a recognized banking system will also have its own financial regulators. They will mandate what constitutes money laundering, what steps must be taken to prevent money laundering, what the necessary compliance criteria for prevention of money laundering are, and what reporting structures are needed to show compliance or report an event. This is the starting point for any solution and its operational processes. AML SIU teams must never lose sight of the fact that they are not building a solution to appease the regulators but to stop the criminals. In fact, building to the level of regulation compliance can often be far below what is needed to ensure an effective solution against money laundering.

2. Processes

As stated, an institution must design systems that comply with their financial regulators, which is the minimum legal requirement. As noted above, the 4 tiers must be seamlessly connected together. A robust, flexible solution is needed to address the constantly evolving money laundering methods. Therefore, a full end-to-end AML solution should be designed with continual process improvement built in.

Feed newly discovered money laundering methods back to be coded into the rule engines. How this should work:

• As alert triggers are used to start investigations, any discoveries made during these investigations should be codified into tier 1 or 2 as new rules for continual process improvement.

• Actionable intelligence needs to be generated for the intervention teams when money laundering activities have been discovered.

• The whole process should have a single backbone based on a case management / workflow solution.

[Figure: Progression from transactional to sophisticated. Labels: Tier One, Tier Two, Tier Three; Transactional Rules, Correlation Rules, Intelligence & Investigation; Automated Detection, Exploratory; Events, Connections; Continual Process Improvement]

As an end-to-end AML solution is an active fluid process, it is critical it can be quantified in terms of KPIs (key process indicators) and trend data on BI (business intelligence) dashboards. Some examples are:

• WIP (Work in Progress): How many cases are currently being monitored, assessed, investigated, open / closed, etc.? These can have sub-KPIs such as for severity, trigger point, etc.

• CT (Cycle Time): What is the duration of resolution time from identification of the money laundering to successful closure and prevention? It can have sub-KPIs based on time taken to resolve, time taken to report, time taken to update rule engines for continuous process improvement.

• Capacity Utilization: The available % capacity (full end-to-end AML team) that is being used to support current demands of threats being monitored, detected, investigated and reported.

• Customer Satisfaction Index: The level of satisfaction that the internal customers (HR, MLRO, COO, etc.) have with the actionable intelligence being generated by the SIU.

• Threatscape Activity: Externally monitored data that shows trends in money laundering activity that could be potentially harmful to the financial institution.

3. People

Financial institutions will have many stakeholders currently involved in their AML solutions. The following stakeholders are additional ones that should be considered as part of tier 3 and supporting functions.

Investigators: Tier 3 needs a certain type of individual who can understand the mindset of a fraudster. This skill can be learned, but having an ex-member of a law enforcement / national security organization can easily bring this capability to an SIU team.

Process Flow Designers: Organized crime rings will take their time to plan their money laundering method even before an institution is aware of the deception. This means that the AML teams are playing catch-up. To ensure the end-to-end AML solution teams can get ahead of the money laundering activities, a robust control process should be put in place. Process design, configuration and validation is a specific skill; therefore, Lean Six-Sigma Black Belts should be considered here.

KPI / BI Designers: KPIs and BI reporting are ineffective unless the individuals and processes they represent can affect their results by their actions. Selecting and designing effective KPIs and BI is a skill similar to that of process designers and should not be overlooked. Not knowing that a process is heading out of control is as dangerous as not having a process.

OSINT Experts: OSINT is data that resides outside the institution, which can be massive. Knowing what data is most relevant to an investigation and where it can be found is another skill that can enhance investigations.

C-Level Sponsor: Money laundering fines can have disastrous effects on an institution; therefore ownership of an effective solution must lie with a C-level executive.

Contractors or partners: Not all the roles and skills need to come from in-house. Many can be supplied by contractors or partners. Considering the nature of the topic and the data sensitivity, many institutions opt to keep their teams under their own roof.

4. Products

Proper product selection to support an organization’s policies, goals and processes is also a significant step in building out an end-to-end AML solution. Starting with a clean slate may not always be possible, but optimization of current products combined with new ones is key. Products should be selected to support the following elements:

• Tier 0: Uses real-time comparison rules engines that decide to keep or kill an on-boarding application.

• Tier 1: Uses real-time rules engines of single normal or abnormal transactions.

• Tier 2: Uses near real-time or batch processing of interconnecting rules. This can also contain machine learning or artificial intelligence (AI).

• Tier 3: Involves human / machine assisted investigations, such as an IBM i2 solution, as discussed later in this white paper.

• Workflow / Case Management: Used to ensure smooth and timely transition from tier to tier, passing upwards to discover the scope of money laundering and downwards to codify the new discoveries.

• Threat Reports / OSINT: Used to harness the power of externally available data.

• BI and KPI dashboards: Used for reporting on the completion of cases, with results and evidence gathered passed on to other key stakeholders, MLRO, intervention team, regulators, etc. The need for seamless information transfer is a must and a regulatory requirement.

• Information Sharing: Money laundering activities will need to be shared with stakeholders. This can be in a simple BI dashboard or via a full link analysis chart. A key point is that information is shared and in a format that is of most benefit to the receiver.

Not covered in this white paper, but threats can come from many other places as well, such as cyber, insider, account takeovers, wire fraud, etc. When considering a full, end-to-end AML solution, many elements and products can also be used to support a full threat management solution.

How an Anti-Money Laundering Investigation operates

The Special Investigations Unit (SIU) / Fraud Investigations Unit (FIU) is at the operational heart of Intelligence Analysis. It is staffed by a head of intelligence unit with analysts of various seniorities, supervisors, investigators / case managers, and potentially researchers. The primary value add of these SIUs / FIUs within financial organizations is to produce actionable intelligence for key decision makers. The following description flow will outline a simple money laundering investigation from a trigger point to a final status summary.

On a trigger point via a tip-off, a case is opened and escalated to the SIU to initiate the investigation. The SIU may only have the smallest string of information to start with, but by accessing various data sources they will begin to remove the layers of invisibility to uncover hidden connections and patterns.

A “tip-off” email used as a trigger point.

The initial case information is captured and the case is assigned to an investigator.

A case is set up and assigned.


The tip-off reported a telephone number was discovered to be connected to organized crime and may also be connected to a money laundering operation. Using all-source data, an owner associated to the telephone is discovered.

The telephone as an owner attribute.

The investigator now focuses on the owner of the telephone as a person of interest. Their known attributes are expanded and start to yield more information about this person, such as address, email, vehicle details, family members and, more importantly, any account with the institution.

The phone’s owner has attributes.

The account is seen to be connected to a very suspicious network of transactional activities.

A visual view of concealed interconnectivity of accounts.

With the initial investigation started, the central nodes (accounts / people of interest) can be expanded and enriched by many other data sources.

Information can be simultaneously displayed as a link chart and heatmap.

The investigator can start to isolate these areas and apply additional money laundering filters to locate controlling hubs or accounts.

Transactional networks can be exposed by money laundering filters to isolate controlling elements.

Using IBM i2 solution’s built-in, powerful and intuitive functions, the investigator can continue to refine their investigations down to a final controlling network.

Uncover the deep concealed money laundering controlling network.
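The walk-through above (telephone number, owner, owner attributes, account, transactional network, controlling hub), reduced to plain graph operations. This is an added example and does not use or represent IBM i2 software; every entity, account, amount and the hub threshold is a constructed assumption.

```python
from collections import defaultdict, deque

# Constructed entity links from fused data sources: (node, node, relation).
ENTITY_LINKS = [
    ("phone:555-0100", "person:R. Vale", "owner"),
    ("person:R. Vale", "address:4 Dock Lane", "lives_at"),
    ("person:R. Vale", "email:rv@example.test", "uses"),
    ("person:R. Vale", "vehicle:KX12 ABC", "drives"),
    ("person:R. Vale", "person:M. Vale", "family"),
    ("person:R. Vale", "account:A1", "holds"),
    ("person:M. Vale", "account:A9", "holds"),
]

# Constructed transfers between accounts: (from_account, to_account, amount).
TRANSFERS = [
    ("A1", "A2", 900), ("A3", "A2", 950), ("A4", "A2", 800), ("A5", "A2", 990),
    ("A2", "A6", 3600), ("A6", "A7", 3500),
    ("A10", "A11", 50),  # unrelated activity elsewhere in the institution
]


def expand(seed, links, max_hops):
    """Breadth-first expansion from a seed entity; returns node -> hop count."""
    adjacency = defaultdict(set)
    for left, right, _relation in links:
        adjacency[left].add(right)
        adjacency[right].add(left)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue  # do not expand past the requested degree of separation
        for neighbour in sorted(adjacency[node]):
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return hops


def linked_accounts(hops):
    """Account identifiers found among the expanded entities."""
    return sorted(n.split(":", 1)[1] for n in hops if n.startswith("account:"))


def transaction_network(start_accounts, transfers):
    """All accounts connected to the start accounts through any chain of transfers."""
    adjacency = defaultdict(set)
    for src, dst, _amount in transfers:
        adjacency[src].add(dst)
        adjacency[dst].add(src)
    seen = {a for a in start_accounts if a in adjacency}
    queue = deque(sorted(seen))
    while queue:
        account = queue.popleft()
        for neighbour in adjacency[account]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def controlling_hubs(network, transfers, min_counterparties=3):
    """Rank accounts in the network by distinct counterparties, with in/out totals."""
    inflow, outflow = defaultdict(int), defaultdict(int)
    counterparties = defaultdict(set)
    for src, dst, amount in transfers:
        if src in network and dst in network:
            outflow[src] += amount
            inflow[dst] += amount
            counterparties[src].add(dst)
            counterparties[dst].add(src)
    hubs = [
        (acct, len(counterparties[acct]), inflow[acct], outflow[acct])
        for acct in network
        if len(counterparties[acct]) >= min_counterparties
    ]
    return sorted(hubs, key=lambda hub: (-hub[1], hub[0]))


if __name__ == "__main__":
    found = expand("phone:555-0100", ENTITY_LINKS, max_hops=2)
    accounts = linked_accounts(found)
    network = transaction_network(accounts, TRANSFERS)
    print(accounts, sorted(network), controlling_hubs(network, TRANSFERS))
```

The hop limit plays the role of the degrees of separation mentioned for vetting: raising it from 2 to 3 pulls in the family member's account as well.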

Transactional network charts can be difficult for stakeholders outside the SIU to understand, so IBM i2 software has built-in functions that allow charts to be automatically redrawn into an easy to follow logical representation, allowing notational notes to be added for additional insights.

View of user-friendly chart layouts.

On completion of an investigation, the actionable intelligence is ready to be stored and is automatically updated to the other stakeholders via the case management / workflow solution.

Actionable intelligence is stored in the case management solution.

The final step in the process is to update the institution’s management by using the aforementioned KPIs and BI. This can provide a high level summary of the AML activities and status.

Threat management KPI & BI dashboard example.

In the above example, one question raised is where the data to build these link charts is found during an investigation. The answer is simple: investigations rely on connecting data from many different data sources.

Example of seamless connection to an external commercial data supplier.

The model below outlines the “4 Quadrants of Data”, which help define these data source types. Using an IBM i2 solution with data from these various quadrants, an investigator can merge and analyze patterns of activities. This can be achieved with many powerful functions that include visual temporal, geographical and computational conditional filters.

The 4 Quadrants of Data.

1. Owned / Structured Data: Highly structured data stored in the organization’s data bases that can contain financial transactions, customer information, historical activities, etc.

2. Owned / Unstructured Data: Enterprise information can be stored across the organization in many unstructured documents such as CSV, Adobe Acrobat PDF, Microsoft documents, emails, etc. Analysis of this overwhelming data can reveal hidden insights that would otherwise be missed. The link analysis solution can access information from these file types across the entire organization.

3. Non-Owned / Structured Data: Located in the deep / dark web, a very large percentage of the Internet is not indexed, nor are its contents accessible by search engines. There exists a wealth of structured information in non-owned locations. Many commercial companies offer subscriptions to these information stores. Also, fraudulent activities can exist in the dark web. Identifying these activities by key words or phrases enables the link analysis solution to anticipate possible incoming frauds.

4. Non-Owned / Unstructured Data: Social media sites may offer linkages between people and events that are not known by the organization. Additional network analytics can be supplemented by social media data, i.e. who’s connected to who.

Investigation techniques that can support the 3 Stages of AML (Placement / Layering / Extraction)

Investigations of Money Laundering Placement patterns

Staying below the alerting level of the risk scoring engines and rule engines, which are designed to alert on suspicious deposits, is the first task a money launderer must achieve. Here are some obvious money laundering red flags that can be alerted in tiers 1 and 2:

• Deposits of a large amount of cash with little known about the depositor or origin of the cash.

• Deposits of small cash amounts with high frequency.

• Deposits of cash amounts that are not consistent with the business that is generating them.

• Deposits of cash to many accounts from individuals who have known connections.

• Deposits of cash from known individuals on a watchlist.

Also, as physical cash is very often used in placement, the intuition of the teller can be used to trigger a see-something-say-something alert. With all these initial alert triggers, the money launderers must become creative to ensure their placement activities do not set off any alerts, since, if detected, their assets could be confiscated by the criminal assets bureau. Therefore, organized crime rings must try to deceive by disguising their transactions with these types of activities:

Mule accounts: Individuals who are prepared to sell their bank accounts to organized crime to use as a deposit method. They are usually sold by students or low-income individuals. These accounts have certain advantages, such as not being previously tagged as suspicious on any watchlists, having no direct connection to the buyer of the account and/or having been set up by legitimate owners before being sold.

Non-operational business channels: Businesses that have been closed or ceased trading are purchased by organized crime rings and then funds are channelled into financial institutions under the pretence the business is still fully operational and generating revenue.

Existing business channels: This is where legitimate businesses that are generating cash are used to channel additional funds into financial institutions, e.g. a taxi firm of 100 vehicles yet producing revenue of a similar taxi company that has 500+ vehicles.

Fake or shelf companies: These companies are hidden inside other businesses and produce revenue with little or no operational structure. They are a company in name only.

Finding these placement methods requires validation of account holders to ensure there are no synthetic IDs or falsification, thus ensuring any linkages have logical and legitimate connections. If there is evidence that placement concealment exists, escalation to the SIU is a logical next step. Accounts with unusual deposits can be investigated for identity resolution matches; these could be accounts owned by a single owner but masquerading as many owners.

Identity resolution is automatically checked on all entities and identities via background processing. Looking for deposit account connections means looking deep inside the account’s attributes, e.g. IP address / contact phone number / place of work. They can also have connections across data sources, i.e. A knows B, B knows C, therefore A and C have a connection of 2 degrees of separation.

Example of 2, 3 and 4 degrees of separation of connections in a visual format.

Heatmaps of deposits can also show repetitive patterns that are unusual and require additional investigations.

Uniformity of new account openings or deposit patterns across many branches can be seen.

If the placement detection and investigation defences have been circumvented, then the money launderer now needs to camouflage their monies by mixing them with other legitimate funds, in the process called Layering.

Investigation of Money Laundering Layering patterns

As with placement, at the layering stage, the money launderer will try to remain undetected by the rules engines in tier 2. This can be achieved by these types of activities:

• Flipping: Quickly moving monies from account to account to try to shake off a rules engine.

• Loading: Moving monies into other accounts that generate a profit, mixing it with legitimate business monies to make it look clean by association.

• Smurfing: Breaking monies up into smaller accounts by moving them below the rules engine’s alerting levels.

• Betting: Betting on markets / casinos / hedge funds with short-odds bets. This means accepting a percentage loss but using biased odds to receive clean winnings.

The layering process uses the financial institutions’ own platforms against them, as the organized crime ring’s monies move fast and frequently, each time becoming harder to follow and more concealed and ‘clean’. This process can be very complex and will try to hide in plain sight, looking like normal transactions. Even if a rules engine alert detects an abnormal transaction, it may lose the trail as the money transactions keep rotating and pivoting. This is where an investigations solution can latch on to an alert and start to follow the low-level digital footprint as the monies move, so as to build out the network and get in front of the organized crime ring’s money laundering methods. This is what is meant by the phrase “moving faster than the speed of threat”.


When suspicious activities are detected or reported inside the institution’s transactional process and escalated to the SIU, the following investigation methods can be used. It starts by identifying the account and all associated accounts inside the transactional systems – this can easily be charted for a visual understanding and analysis.

Isolating and visualizing a small money laundering network in the noise of normal transactions.

Next, look for attributes of money laundering such as flipping, i.e. move-in (50%), move-out (50%) of monies to an account with no net change in account balance. IBM i2’s conditional formatting can list these types of accounts, in order of a defined preference.

List and link charts can be displayed together.

IBM i2’s conditional filters can easily identify money laundering’s flipping account patterns across a massive transactional data set.

As stated, monies can flip and pivot at speed and frequency, making it impossible for a rules engine to address all the permutations and combinations. IBM i2’s link analytics has been designed with this type of computational requirement in mind and can easily and quickly find the path that funds have travelled.
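The flipping test and the find-path idea described above, sketched as an added Python example (not IBM i2 code). The ledger, account names, thresholds and function names are constructed assumptions; the path search follows transfers in time order only, so funds cannot appear to travel along a transfer that happened before they arrived.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (timestamp, source, destination, amount).
LEDGER = [
    ("2019-03-01T08:00", "SHOP-1", "SUPPLIER-1", 1200.0),
    ("2019-03-01T08:30", "COLLECT-1", "MULE-1", 50.0),
    ("2019-03-01T09:00", "MULE-1", "BIZ-A", 9500.0),
    ("2019-03-01T09:05", "MULE-2", "BIZ-A", 9400.0),
    ("2019-03-01T09:40", "BIZ-A", "BIZ-B", 18900.0),
    ("2019-03-01T10:10", "BIZ-B", "BIZ-C", 18900.0),
    ("2019-03-01T11:00", "BIZ-C", "COLLECT-1", 18800.0),
    ("2019-03-02T15:00", "SUPPLIER-1", "SHOP-1", 150.0),
]


def load(ledger):
    """Parse timestamps and return the transfers in time order."""
    return sorted((datetime.fromisoformat(ts), src, dst, amt)
                  for ts, src, dst, amt in ledger)


def flipping_accounts(ledger, share_tol=0.02, min_in=5000.0,
                      max_dwell=timedelta(hours=2)):
    """List accounts where move-in is about 50% of turnover and move-out the
    other 50%, i.e. money passes straight through with no net balance change.
    Thresholds are assumed values, not figures from the paper."""
    credits, debits = defaultdict(list), defaultdict(list)
    for ts, src, dst, amt in load(ledger):
        debits[src].append((ts, amt))
        credits[dst].append((ts, amt))
    ranked = []
    for acct in credits.keys() & debits.keys():
        moved_in = sum(a for _, a in credits[acct])
        moved_out = sum(a for _, a in debits[acct])
        in_share = moved_in / (moved_in + moved_out)
        # Time from the first credit to the last debit on the account.
        dwell = max(t for t, _ in debits[acct]) - min(t for t, _ in credits[acct])
        if (moved_in >= min_in and abs(in_share - 0.5) <= share_tol
                and timedelta(0) <= dwell <= max_dwell):
            ranked.append((abs(in_share - 0.5), acct, moved_in, moved_out))
    ranked.sort()  # closest to a perfect 50/50 pass-through first
    return [(acct, moved_in, moved_out) for _, acct, moved_in, moved_out in ranked]


def find_path(ledger, source, target):
    """Earliest-arrival path: each hop must not predate the hop before it."""
    reached = {source: None}  # account -> (previous account, time, amount)
    for ts, src, dst, amt in load(ledger):
        if src in reached and dst not in reached:
            reached[dst] = (src, ts, amt)
    if target not in reached:
        return None
    path, node = [target], target
    while reached[node] is not None:
        node = reached[node][0]
        path.append(node)
    return path[::-1]


if __name__ == "__main__":
    for acct, moved_in, moved_out in flipping_accounts(LEDGER):
        print(f"{acct}: in {moved_in:.0f}, out {moved_out:.0f}")
    print(" -> ".join(find_path(LEDGER, "MULE-1", "COLLECT-1")))
```

A static link chart of this ledger would also connect BIZ-C back to MULE-1, but the only COLLECT-1 to MULE-1 transfer predates the laundering flow, so the time-ordered search correctly reports no path in that direction.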

Example of IBM i2 find path function that stays on the tails of a fast moving transfer pattern in a massive network.

No rules engine is infallible, and each should be constantly updated with new discoveries that highlight a detection gap. Visual analytics by its very nature can show these gaps and be used as a method to supply Tiers 1 and 2 with insights to be used as rules updates.

A simple visualization can pick up on detection gaps not considered in Tiers 1 and 2, e.g. two companies share an IP address which is highly suspicious and is most likely a shelf company construct.

In another example, a ~20 year old man is being sent $1.7M+ in account transfers; this is highly suspicious and is most likely a mule account.

If the organized crime ring has been able to clean their monies by outwitting the financial institution, it’s time to move to the next stage of money laundering. This is the extraction stage. Take the money and run.


Investigations of money laundering Extraction patterns

This is the final stage of a money laundering process and is the removal of the “cleaned” funds without drawing attention to the withdrawer. In the extraction stage, money will start to cluster and move towards an extraction point. This is where powerful network analytics will come into play, as analyzing the behavior of the money flow transactions requires the ability to pivot and turn fast. Visual analytics using IBM i2 software allows an investigator to apply money laundering extraction detection filters, such as:

• K-Core: The ability to find strong interlinked networks in massive networks.

• Authority nodes: Identify entities that have a strong influence on the network.

• Closeness: Identify entities who have the best access to the most active parts of the network.

• Gate Keeper nodes: Discover entities that control the flow in a network.
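Two of the filters listed above, worked through as an added Python example (not IBM i2 code): k-core decomposition, and a gatekeeper score modelled here as betweenness centrality, which is an assumption because the paper does not say how the product computes it. The account names and links are constructed sample data.

```python
from collections import deque

# Constructed sample: undirected "has transacted with" links between accounts.
EDGES = [
    ("RING-1", "RING-2"), ("RING-1", "RING-3"), ("RING-1", "RING-4"),
    ("RING-2", "RING-3"), ("RING-2", "RING-4"), ("RING-3", "RING-4"),
    ("FEED-1", "RING-2"), ("FEED-2", "RING-3"),
    ("RING-1", "GATE"),
    ("GATE", "EXIT-1"), ("GATE", "EXIT-2"), ("GATE", "EXIT-3"),
]


def adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def core_numbers(adj):
    """Peel the lowest-degree node repeatedly; a node's core number is the
    largest k for which it survives in a subgraph where every degree >= k."""
    degree = {v: len(n) for v, n in adj.items()}
    core, remaining, k = {}, set(adj), 0
    while remaining:
        v = min(remaining, key=degree.get)
        k = max(k, degree[v])
        core[v] = k
        remaining.discard(v)
        for w in adj[v]:
            if w in remaining:
                degree[w] -= 1
    return core


def k_core(adj, k):
    """Accounts that belong to the tightly interlinked k-core."""
    return sorted(v for v, c in core_numbers(adj).items() if c >= k)


def betweenness(adj):
    """Brandes' algorithm for unweighted graphs: how many shortest paths
    between other accounts run through each account."""
    score = dict.fromkeys(adj, 0.0)
    for s in adj:
        order, preds = [], {v: [] for v in adj}
        sigma = dict.fromkeys(adj, 0)
        sigma[s] = 1
        dist, queue = {s: 0}, deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        for w in reversed(order):
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {v: c / 2 for v, c in score.items()}  # undirected: pairs counted twice


if __name__ == "__main__":
    adj = adjacency(EDGES)
    print("3-core:", k_core(adj, 3))
    ranked = sorted(betweenness(adj).items(), key=lambda kv: -kv[1])
    print("gatekeepers:", ranked[:3])
```

In this sample the GATE account has the lowest core number yet the highest betweenness, which is why the densely linked ring and the account controlling the flow to the exit accounts need different filters.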

Money launderers will keep the monies moving until they are ready for the extraction stage. When ready, they will activate the final extraction accounts. These extraction accounts can also exhibit strange behaviors, including change in account ownership, activation of a dormant account, loading of an account with transactions that do not align with the account’s description, etc. These are the telltale signs that will get an investigator to ask the question why.

Commonly used investigation techniques in an extraction stage include looking for accounts / transactions that seem to be consolidating into a final network. A common pattern is transactions of similar size and amounts all heading in one direction.

Visualization of an extraction money laundering network inside a business as usual network.

Once this network has been identified, it can be isolated from normal transactions for deeper investigations. As the IBM i2 solution is based on real time collaboration, workload sharing across teams of investigators can be divided up as needed.

Isolation of a suspicious network of extraction money laundering.

As the extraction money laundering network is now isolated, the vast array of visual analytics can now point to the controlling nodes.

Visual analytics functions can pinpoint controlling nodes of an extraction money laundering network.

When the most influential and controlling nodes are listed, new data sources from the 4 quadrants of data can be used to enhance what is known about the owners.


Listing of the most influential and controlling nodes.

Starting with an institution’s customer reference information about these accounts, the investigator will cross-connect with other data sources through multi-degrees of separation (a.k.a. hops), leading to a fuller picture of the beneficial ownership.

Attaching attribution to the suspicious accounts.

When the completed picture of the extraction money laundering network is obtained, this can then be handed off to the intervention and reporting teams.

In Summary

Speed, accuracy, skill and readily accessible data are key to making sure that organized crime rings’ monies do not leave financial institutions cleaned and ready to be reinvested into sinister activities. Should the organized crime rings be successful with their money laundering activities and their money is made legitimate, it may be subject to taxes, bank charges, exchange rates and other charges. This overhead is the cost of doing money laundering business. The money launderer will have to accept a certain level of shrinkage to their initial funds, as setting up sophisticated Placement / Layering / Extraction operations will have a cost. This shrinkage cost is much less than losing 100% of their funds to law enforcement confiscation. It is the main driving factor for the level of money laundering sophistication the organized crime rings are willing to pay for. Therefore, faced with the risk of confiscation of their monies if caught, it is no wonder that money launderers will employ highly expert and professional people to help them evade detection and overheads in cleaning their illicit funds.

Real world examples of investigations solutions that were used to discover Money Laundering

1. Organized crime rings using mule accounts in domestic banking

What Happened: As explained previously, the undetected placement of funds into financial institutions is the first stage of money laundering. Using as many unrelated accounts as possible and keeping the deposit transactions below the alerting rule engines (currently $10K) is a common process used by the organized crime rings’ money laundering operations to remain concealed. Recently a gang of cyber criminals targeted small to medium size enterprises with ransomware attacks, as their cyber defenses were of a limited nature. Their ransom was 1 bitcoin (worth $5K at that time). Targeting small companies and demanding small ransomware bounties kept them out of the interest of national crime agencies. They quickly amassed $15M that then needed to be laundered. The gang started to recruit low paid workers and their family members. The gang then started to bring these people to banks and open up legitimate bank accounts. They then paid them off ($1K per mule account) and took full control of the account via ATM cards and online banking. The gang then started loading these hundreds of accounts with deposits just shy of the alerting clip level amount. As there were many separate accounts opened by individuals with no track records of criminal activities, and the deposits were of a modest amount, the organized crime rings could remain concealed during the very active Placement stage. The gang then moved the monies through legitimate business accounts at high speed (flipping) so as to confuse the transaction monitoring rules engines. This Layering of monies in and out of business accounts started to ‘clean’ the cash, as it looked like revenues generated by business accounts. Once “laundered”, new business accounts were used as collection points, being supplied from the initial hundreds of mule accounts and the flipped accounts. From there it was ready to be Extracted by the organized crime ring gangs, disguised as profit share dividends, loan repayments, performance bonuses, etc. These final accounts would be owned by individuals who were connected to the real organized crime rings (beneficial ownership), i.e. family members.

Potential Impacts: This specific fraud utilized the 3 stages of money laundering on the financial institution’s platform. If this had been discovered by the financial regulator, significant regulatory fines or suspension of their banking license could have been a very real outcome. The institution would have also been impacted by reputational damage for being associated with organized crime rings.

Method used to discover:

• Investigation of Placement patterns by looking for concealed connection between the deposited accounts.

• Investigation of Layering patterns by looking for flipping transactions or transactions that move with abnormal reasons.

• Investigation of Extraction patterns by looking at accounts that seem to control the transaction flows inside a complex interconnected transaction network.

Solution Summary: Of course, it is hoped that the rules engines in tiers 0, 1, and 2 would have alerted to abnormal transactions, but this example shows the ingenuity that the organized crime ring used to evade being detected. They designed their process to remain under the clip level of the rules engines. IBM i2 software was used to investigate these patterns when a tip-off came from a bank teller that there seemed to be accounts being opened up by people who were being “helped” by a certain individual at the counter, and this had happened more than once (i.e. trigger point 4, see-something-say-something). An IBM i2 solution allowed the analyst to quickly find the links between these mule accounts, as many had the same mobile number listed for 2nd factor authentication and also had the same IP for using online banking. From there the deception started to become very clear to visualize.
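The linkage described here (mule accounts sharing a mobile number and an online-banking IP), together with the degrees-of-separation idea from the identity resolution discussion earlier, as an added Python example that is not IBM i2 code. The account records, field names and values are constructed sample data, and the normalisation rules are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample of customer reference data (values are fictional).
ACCOUNTS = {
    "ACC-101": {"owner": "A. Byrne", "mobile": "+353-85-555-0101", "ip": "198.51.100.7"},
    "ACC-102": {"owner": "C. Doyle", "mobile": "+353 85 555 0101", "ip": "203.0.113.20"},
    "ACC-103": {"owner": "E. Farrell", "mobile": "+353-85-555-0133", "ip": "203.0.113.20"},
    "ACC-104": {"owner": "G. Hayes", "mobile": "+353-85-555-0144", "ip": "198.51.100.7 "},
    "ACC-201": {"owner": "I. Joyce", "mobile": "+353-85-555-0155", "ip": "192.0.2.44"},
    "ACC-202": {"owner": "K. Lynch", "mobile": "+353-85-555-0166", "ip": "192.0.2.45"},
}
LINK_FIELDS = ("mobile", "ip")  # attributes treated as evidence of a connection


def normalise(field, value):
    """Make differently formatted copies of the same value compare equal."""
    if field == "mobile":
        return re.sub(r"\D", "", value)  # keep digits only
    return value.strip().lower()


def build_links(accounts):
    """Return {account: {neighbour: [(field, shared value), ...]}}."""
    index = defaultdict(set)
    for acct, record in accounts.items():
        for field in LINK_FIELDS:
            if record.get(field):
                index[(field, normalise(field, record[field]))].add(acct)
    links = defaultdict(lambda: defaultdict(list))
    for evidence, members in index.items():
        for a in members:
            for b in members:
                if a != b:
                    links[a][b].append(evidence)
    return links


def degrees_of_separation(links, start, goal):
    """Breadth-first search: 1 = direct link, 2 = via one other account, ..."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return hops[node]
        for nxt in links.get(node, {}):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return None  # no chain of shared attributes connects the two accounts


def clusters(accounts, links):
    """Groups of two or more accounts joined by shared attributes."""
    unvisited, groups = set(accounts), []
    while unvisited:
        root = unvisited.pop()
        group, queue = {root}, deque([root])
        while queue:
            for nxt in links.get(queue.popleft(), {}):
                if nxt not in group:
                    group.add(nxt)
                    queue.append(nxt)
        unvisited -= group
        if len(group) > 1:
            groups.append(sorted(group))
    return sorted(groups, key=len, reverse=True)


if __name__ == "__main__":
    links = build_links(ACCOUNTS)
    print(clusters(ACCOUNTS, links))
    print(degrees_of_separation(links, "ACC-104", "ACC-103"))
```

ACC-103 and ACC-104 share no attribute directly, yet they fall into the same cluster three hops apart, which is the kind of concealed connection a per-account rule does not see.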

2. Luxury goods returned to high-end retailer

What Happened: Many high-end priced goods were purchased with different credit cards from a luxury retailer. A “goods returning customer” went to the returns desk in the store and asked to return the goods using the gift receipt. The store clerk asked if they wanted the goods refunded on the purchasing credit card or another. The “returning customer” asked that the refund be placed on another card. This return transaction was happening with many goods being returned, many times, on many days and in many stores. Depending on the value of the returned goods and the frequency of returns, the organized crime ring was able to move significant amounts of monies from one account to another via a legitimate means. As the purchase and return payment was performed by a reputable retailer’s platform, no alerts were set off.

Potential Impacts: The retailer was instrumental in helping the organized crime ring launder their monies, and was at risk of regulatory fines or suspension of their trading license.

Method Used to Discover: This type of money laundering can happen very fast, as it has a single goal of moving monies from one location to another by using a trusted intermediary who is above suspicion. As organized crime rings will try to use as many customer service desks as possible, data from credit cards, goods returned, time and location must all be fused together via link analytics to identify abnormal patterns.

Solution Summary: Using visual analysis and link analytics to help find abnormal patterns will allow the retail fraud rules engines to evolve as they are coded with these new patterns.

3. Online gaming, Texas hold’em

What Happened: Money laundering is the abuse of a process used to move illegal monies through a platform to make the pay-out legitimate. Unfortunately, online gaming platforms can be abused to support this illegal process. Organized crime rings will spread illegal funds over many managed players. These players will purchase “gaming chips”, staying below the money laundering alert levels, typically below $10K (Placement). At a certain predetermined time, these managed players will join a Texas hold’em table and start playing simple hands so as not to set off any monitoring alerts (Layering). At a given time, a code word in the chat bar will trigger the managed players to go “all-in” against a certain player “W”. They will all lose their pot, which could be 6+ players with $10K per player, total $60K. Player “W” will win the hand and walk away from the table (Extraction) and now will have legitimate proof of how they are now $60K richer.

Potential Impacts: As the online gaming platform has been instrumental in helping the organized crime ring launder their illegal monies, this could lead to regulatory fines or suspension of their gaming license. This may also lead to reputational damage, as other legitimate players believe that the online gaming platform is corrupt because it facilitates organized crime rings, and are therefore reluctant to use the platform.

Method used to discover: Placement: players will have attributes such as credit cards, names, log in IPs, time and date, table selected, always joining with a certain group, etc. These patterns over time or by association can be easily visualized and isolated. Once the game starts (Layering), gaming patterns and chat triggers can be visualized on timelines or seen via pattern filtering analytics. As the “W” player cashes out (Extraction), find path analytics can associate them to the other team members. Game manipulation is the only thing that is not left to chance and has been designed to achieve its goal of processing illegal funds by very sophisticated money laundering gaming patterns.

Solution Summary: Using visual analysis to help discover hidden patterns and using advanced analytics like find path to “connect the dots” allows online betting and gaming organizations to uncover money laundering schemes.


4. Money Transfer Companies

What Happened: Person-to-person money transfer is a worldwide business that allows money to be moved over international borders. As money transfer systems are primarily money-in and transfer-out, they can be abused to support a money laundering process, making them very attractive to organized crime rings. Money deposited for transfer (Placement) can have very similar attributes as in the betting example above. These can include IDs with different name derivatives or insider collusion by counter staff. Money can be transferred from account to account (called flipping, which is another form of Layering), making it impossible for rules engines to keep up. The money can be finally Extracted at different points by connected individuals.

Potential Impacts: Any financial institution that breaks AML rules is liable for regulatory fines.

Methods Used for Discovery: A money transfer company’s business model is that a person can deposit a sum in one location and it is transferred to another person in another location; the money transfer company charges for this service. To discover if this is a money laundering operation, the above rules and investigation solutions can be used, looking for abnormal transactions or patterns across all the transactions.

Solution Summary: As above, use rules and visual analysis to help discover hidden pattern schemes.

Where to Next?

Anti-money laundering, full end-to-end solutions are not easy, due to the costly, changing and evolving methods used by money laundering organized crime rings. This is coupled with privacy and data protection laws. It is worth noting that such regulations do not exempt financial institutions from their obligations to the AML rules set out by their financial regulators. Financial institutions are still obliged to put in place the necessary solutions to stop money laundering, financing of terrorism and sanction list breakers. What is permissible is covered in the various privacy and data protection laws.

Hopefully, this paper has explained that the sophistication and professionalism of the money launderers is not to be underestimated. For organized crime rings to access their ill-gotten gains they need to “clean it”, meaning that their money laundering efforts will not go away but continue to evolve. Therefore, the 4 Rs risk to organizations will also continue.

To mount a credible and effective defense against the money laundering threats, financial organizations must continue to evolve and want to “move faster than the speed of threat”. The seamless integration of compliance checking, rules engines, AI, blockchain, investigations, process management, OSINT ingestion, reporting and continual process improvement is critical to achieve this objective. In addition, the FIUs and SIUs must be adequately funded and supported by C-level management, with their AML team seen as key, core operations to the business.

AML is not the only threat to a business, as insiders, sanction list breakers, transactional fraudsters and cyber-attackers will all pose a threat. Defense against these, at least the investigations portion of it, should all fall under the same business unit. The logic behind this claim is that the data and operations needed to find concealment of fraudulent activities are from the same cross-enterprise data sources.


The investigation (human in the middle) element can quite often be overlooked, but is an essential part of addressing and discovering sophisticated concealment. The team at IBM can help set out a roadmap of how to address and defend against these threats.

Finally, organized crime rings will utilize very intelligent resources to abuse financial institution operations, but they are not foolish or wasteful in their efforts. They will look for the path of least resistance, steering clear of organizations that are able to mount the best defense and have the ability to uncover concealed money laundering activities. If the organized crime rings believe the risk of being discovered and funds confiscated is high, they will consider other easier targets. This is a double upside, as the better an organization’s defenses, the more likely the organization will not be targeted. Simply put, “the more effective an organization is in defeating financial crimes, the less attractive the organization becomes to the fraudsters and financial criminals.”

Bottom line: START, get SMART, and become STRONG. IBM i2 solutions can help.

Finally, when investigating the three stages of money laundering, always remember:

• WHY: 4 Rs of impacts

• HOW: 4 tiers of money laundering: vet, monitor, detect and investigate

• WHAT: 4 trigger points to start an investigation

• WHERE: 4 quadrants of data.

Consider reading the other IBM white papers in this series:

• Using an IBM i2 Solution to Investigate Fraud and Financial Crimes

• Why Private Sector Enterprises are Adopting Threat Hunting to Investigate and Stop Sophisticated Fraud

• IBM i2 Cyber Threat Hunting, a solution brief.

For more information

To learn more about IBM i2 solutions for fighting sophisticated fraud threats, visit www.ibm.com/security/intelligence-analysis/i2

© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.