Posted by Brian Monroe - bmonroe@acfcs.org 08/25/2021
Special ACFCS Report: The Front Lines – The Investigations Series: ‘OSINT Investigations’ Part 2 of 2, negative news, SARs and controlling the narrative
The skinny:
- ACFCS unveils a new series, “The Front Lines,” by Erin O’Loughlin, Senior Director of Training for ACFCS. She is a former front-line investigator and manager for multiple large financial institutions, a crypto currency exchange, as well as a former intelligence officer for the U.S.
- Here she will tackle issues that directly affect your everyday work life, with the goal of offering practical, tactical takeaways that can immediately help you think differently, analyze more fully and act and react more quickly looking at historical and emerging challenges through the lens of an experienced investigator.
- In this latest piece, O’Loughlin takes a second crack at open-source intelligence (OSINT) and a related potential monster risk metric: negative news or adverse media screening. She also answers key questions to help the community: How do I address OSINT results within the narrative of the SAR template? Is OSINT the same as evidence for law enforcement purposes?
By Erin O’Loughlin – Senior Director of Training for ACFCS – former front-line investigator and manager for multiple large financial institutions, a crypto currency exchange and a former intelligence officer for the U.S. Government.
August 25, 2021
Welcome to The Front Lines – a publication for the front-line investigator, risk officer, and compliance professional.
Here, ACFCS will discuss issues that directly affect your everyday work life, with the goal of offering practical, tactical takeaways that can immediately help you think differently, analyze more fully and act and react more quickly looking at historical and emerging challenges through the lens of an experienced investigator.
Last month, The Front Lines tackled key aspects of Open-Source Intelligence (OSINT), also known as Publicly Available Information (PAI) within your investigation. To read the full story, click here.
This month, we are back to finish the job.
Now that you are armed with the initial steps to take to begin your investigation and particularly, your OSINT portion of your investigation, this month will address the next issues surrounding the use of OSINT:
- What is Negative News?
· How do I address OSINT results within the narrative of the SAR template?
· Is OSINT the same as evidence for law enforcement purposes?
What is Negative News?
When last we left you, we were discussing effective ways to search for names or other terms associated with the subject/s of your investigation.
Now that you have pulled up multiple pages of results from your desired search engine, the next step – step seven – is to think critically: “What am I looking at and why?”
Within the course of a potential financial crime investigation, you are seeking to discover information that could lead you to better understand what you are analyzing within your case and if it rises to the level of reportable suspicious activity – a threshold that is very subjective and can be subjected to regulatory second-guessing.
This leads the investigator to ask: What is online that makes this customer risky to bank?
Definition: Negative news is adverse media or any kind of unfavorable information across a wide variety of news sources.
This seems a relatively straightforward endeavor. But as any investigator or researcher worth their salt will tell you: it most assuredly is not.
The challenge: How to engage in the delicate dance of balancing the need for broad searches that are comprehensive enough to uncover risks and appease regulators but precise enough to divine accurate details that could cause dramatic shifts in risks requiring immediate financial crime control responses.
To help you understand what negative news and adverse media is, it might help to first get a sense of what it isn’t – a critical foundational step in the information age with the Internet expanding seemingly to infinity, and beyond.
A quick tip to help guide you: Negative news doesn’t mean all news and information.
So a bank doesn’t have to worry about the latest trending political vitriol spewing in a Twitter feud, viral Facebook post about the tactics and tantrums of a terrible neighbor or have to drop a profitable account due to a saucy burn in a Yelp review about a ritzy restaurant with more snooty than rooty, tooty, fresh and fruity.
Being that we live in an online, interconnected metaverse, it’s easy to find something negative about someone or something – a company, a restaurant, a movie, a product – in short that someone finds something they don’t like and wants to rant about it, with a bevy of outlets at their disposal.
Fincrime compliance investigators must be cognizant of this – lest they spin their wheels and take too much time and produce too little in terms of actionable, relevant intelligence for law enforcement.
Institutions don’t have to worry about feeding the trolls when trying to find material indicators of risk regulators would find relevant – and give cause to look more extensively at specific bank AML controls or doubt the “safety and soundness” of the overall program.
That clearly falls more in the realm of opinion and is not from what you would consider a reputable news site.
The overriding ethos should be to hew toward effectiveness, rather than thoroughness – a nod to recent changes made to U.S. fincrime compliance rules.
In historic U.S. AML updates, FinCEN focuses on negative news forays, results
How banks engage in negative news searches, and how long they take, is also on the mind of top U.S. regulatory bodies, like the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN).
In two recent initiatives, one a historic effort passed by Congress – the Anti-Money Laundering Act (AMLA) and another in a FinCEN advanced notice of proposed rulemaking (ANPR), they pushed tectonic shifts in the foundation of the country’s financial crime compliance defenses.
They were part of a multipronged approach by the U.S. government to strengthen fincrime compliance countermeasures, shift the needle toward “effectiveness” and create richer and more relevant intelligence to law enforcement.
In all, FinCEN engaged in a broad overhaul, shifting more toward creating “effective and reasonably designed” programs that produce filings with a “high degree of usefulness” to law enforcement, according to the September notice.
The updates are informed by overarching efforts by global watchdog and private sector groups to prioritize “effectiveness” over technical compliance, at both the country, law enforcement and financial institutions levels, including the Paris-based Financial Action Task Force (FATF), the Wolfsberg Group, the Egmont Group of Financial Intelligence Units (FIUs) and others.
To read the full notice in the Federal Register, click here.
FinCEN stated much of the changes came from discussions with industry, including compliance professionals, regulators and investigators who are part of the Bank Secrecy Act Advisory Group (BSAAG), going on as part of a subcommittee since mid-2019, dubbed the Anti-Money-Laundering Effectiveness Working Group (AMLE WG).
The tacit conclusions: regulators need to allow financial institutions subject to AML duties to “place greater emphasis on providing information with a high degree of usefulness to government authorities based on national AML priorities, in order to promote effective outputs over auditable processes,” FinCEN stated.
How to free up AML analyst resources? More precision-guided negative news dives
Part of the FinCEN ANPR specifically touched on “negative news” and “adverse media” searches.
The BSAAG highlighted that such searches can eat up bank monitoring, analyst and investigator resources, noting that regulators should sharpen their expectations around the depth and breadth of scrutiny tied negative news on clients or those who are, or were, considered politically exposed persons (PEPs).
At issue is that if banks are constantly scouring the Internet, public and bespoke databases for news that may or may not raise the risk of certain customers, such efforts can draw significant AML resources, with few results.
Similarly, if banks must consider all PEPs – foreign and domestic – as high risk, along with relatives and close associates, these are groups that will tuned more closely in transaction monitoring systems and be generating significantly more alerts than other customers, again, siphoning sparse investigative resources.
Some of the suggestions from the working group included:
- Retooling risk assessments, negative news dives: Clarifying current requirements and supervisory expectations with respect to risk assessments, negative media searches, customer risk categories, and initial and ongoing customer due diligence; and
- Managing PEPs, models: Revising existing guidance or regulations in areas such as Politically Exposed Persons and the application of existing model-risk-management guidance to AML systems, in order to improve clarity, effectiveness, and compliance.
- How far to SAR, keep open accounts for law enforcement: Clarifying expectations and updating practices for keep-open letters and suspicious activity monitoring, investigation, and reporting, including SARs based on grand jury subpoenas or negative media.
And without further ado: OSINT seventh heaven
As a quick recap, in part one of this series, we covered six key steps tied to OSINT intersections with several areas of your AML program, including in the areas of risk ranking, investigations, decision-making and the filing of reports on suspicious activity.
We noted that such tactics can be used offensively to better calibrate customer fincrime risks and defensively to see what vulnerabilities already exist in the ether of cyberspace that fraudsters, hackers, ransomware rapscallions and organized criminal groups can use against you – in recent years to devastating effect.
Now we go further.
Step seven: Now that you have multiple pages of information on your customer, via the search engine of your choice (discussed in step three of the July OSINT part one post).
A rule of thumb for investigators to follow is to skim the results of – at least – the first three pages of a search engines results. You are looking for terms within the description of the site that may give you a clue as to what you have obtained.
Finding a mainstream news article, such as a New York Post, New York Times, Wall Street Journal, Washington Post, USA Today, or anything from the Associated Press or Reuters, as we noted above, will lend credibility to your investigation.
Now, what do these mainstream articles say about your customer?
If they are simply talking about your customer’s company and its earnings, in no particular manner, this is not negative news. If they are reporting on former arrests or convictions of your customer or federal charges brought against a customer’s company (which they own), this would meet the criteria for a negative news article.
But what if I find a blog that talks about someone’s personal interactions with my customer?
Be wary of these findings on the internet because anyone with access to a computer and the means to create a website or even to post anything to a public online chat board or comment section can write anything they wish about your customer – as we noted, there is a difference between material facts, conjecture, rumors and opinion.
This is where your critical thinking skills come to play.
Step eight: Critical thinking: What is the true risk of what the author is writing about your customer?
If the risk is that your financial institution is banking someone with multiple arrests and/or convictions, this may be too high a risk for your employer and thus you may need to recommend closure of said accounts.
If the posting you have discovered talks about a personal interaction by the author that describes your customer as “being a jerk” then you as the investigator must decide what the risk is.
Does a federal law enforcement agent care whether their suspect – AKA your customer – is a jerk? More than likely not. Sticking to facts found within your OSINT search will help law enforcement to follow their own digital breadcrumbs as well.
OSINT and SAR writing
Now that you have gathered the news articles that have surmised to be illustrative of risky behavior, how do you capture that within the text box of the Suspicious Activity Report (SAR)/Suspicious Transaction Report (STR)?
Step nine: Label your paragraphs within your narrative.
By creating a template on a word document, starting with a standard introduction, this will cut down on time as well as to keep you organized.
The template should have the following paragraph headers:
- Introduction: Why the case is being written and how it was created, i.e., and internal alert or law enforcement request
- Know-Your-Customer (KYC) information provided
- Account information of said customer/s
- Transaction information, specifically what makes the transactions suspicious and the dollar amounts
- Open-Source Research
- Conclusion
These headers also make it easier for your audience to ingest your report.
Step ten: When reviewing your Open-Source research section, stick to the facts. An example of a standard OSINT sentence can read as follows:
“per open source searches, John Doe appears to have been arrested on 1 January 2001, and charged with 11 counts of embezzlement and money laundering, per (insert website link here)”
By pasting the link within the narrative this helps any law enforcement officer to quickly analyze if that site could help their case and corroborates your findings.
Is OSINT intelligence or evidence?
Evidence must meet specific legal standards for it to be accepted as evidence.
Intelligence, on the other hand, rarely tries to meet any legal standard and its main purpose is to give information. Evidence has one main goal: to solve a crime -prove a case.
Your main objective as a financial crime investigator for a financial institution is to provide information about your customers to the regulators of your jurisdiction, thus this information is vital to determining if law enforcement can bring it into their case.
While this is not an exhaustive guide on how to understand OSINT and how to bring it into your narrative, hopefully these two posts can get you on the right track to speedy, efficient, and effective OSINT hunting.
Negative News Snapshot: Beyond known, journalistic news agencies, what are other sources of adverse media that could impact AML risk?
Apart from OSINT searches, vendor databases and even prior filed SARs, banks can employ an incredible array of sources when it comes to capturing negative news on entities, but the name of the game is creativity.
Here are some sources to consider:
- Patriot Act Sections 314(a) and 314(b): The 2001 Patriot Act is the seminal law in the field ushered in after the Sept. 11, 2001 terror attacks. Two key portions of this regulation give banks and law enforcement more ammunition to counter criminals.
- Section 314(a): Allows law enforcement to query the whole of the financial sector related to certain entities, with banks replying if there is, or isn’t a hit. Investigators then follow-up with formal subpoenas. If the bank has a high-profile hit, it would be wise to see what negative news is on the entity as well.
- Section 314(b): Allows banks to share information with each other on individuals and companies engaging in potential illegal activity that could be money laundering, fraud or terror financing, thought institutions can’t reveal if they filed a SAR. If a bank uncovers through these interbank discourses a customer could be dirty, a critical next step should be a negative news check.
- Law enforcement subpoenas: Banks get requests from law enforcement all the time, but some have failed to connect these requests with their AML risk assessments, leading to risk gaps and regulatory knuckle-wrapping.
- Database leaks: It’s no wonder some in compliance circles say we are living in the age of transparency. Fueling that sentiment is the explosion of leaks from law firms and other professional services agencies catering to the secretive, wealthy and elite.
- These leaks, including the Panama and Paradise Papers, just to name a few, including searching databases revealing the individuals behind shell companies with impenetrable beneficial ownership structures.
- Early Warning Services: This firm is one of the earliest to use Patriot Act 314 (b) safe harbor privileges to help multiple banks swim their customer data together so institutions could see risks outside their bank before a suspected criminal or fraudster walked in the door.
- Open Source Intelligence (OSINT) searches: We touched on this in part one of this series. This is a collection of sites that help reveal hidden details on an array of companies and individuals One example: OpenCorporates.
- Billing itself as “the largest open database of companies in the world,” OpenCorporates allows easy searching of company information and corporate officers in 105 jurisdictions. The information available on companies isn’t always particularly detailed, but the size and scope of searchable corporate entities included is expansive.
- Social media: Want to employ the thought leader of hundreds, or even thousands, of AML professionals to augment the negative news gathering, risk weighting and decision-making of your own AML team – and most cost you nothing? Social media sites can help with that.
- One example is professional group LinkedIn. Apart from the ability to connect directly to professionals that may have more insight that your own bank, you have the ability through Linkedin groups to connect to whole communities dedicated to AML and other financial crime risks. One example is the AML group on Linkedin, which currently has nearly 13,000 members.
Flavors of negative news: watch for watchdogs, look for leaks
Splicing together OSINT searches and negative news forays have the potential to uncover more obscured and buried risks your institution could miss.
For instance, negative news could also mean a federal or state regulator enforcement action against a financial institution – one your bank may have direct correspondent connections.
It could also come from an international watchdog group, like FATF, which sets global AML guidelines, chastising a company or country.
In that same vein, adverse media could come in the form of a powerful tycoon or politically-exposed person (PEP) appearing in a transparency leak, like the Panama Papers, as the puppeteer behind a shell game of shell companies – looking like they have something to hide.
With so much to weigh and analyze, simply going to these sites, or even Google and other Internet search engines, and putting in the name of a medium or higher risk customer or company wouldn’t satisfy examiner expectations that a bank did their due diligence.
Bottom line: the bank has to do more, either manually or with the help of third-party “negative news” providers with bespoke databases and advanced filtering algorithms.
The real way to look at negative news is through a holistic risk lens with a wide aperture, but keeping a keen eye out for details.
As we noted above, think of negative news screening as a delicate dance – a balance of the accuracy of information, the relevance of the information, how the information affects the risk assessment of a customer, company or jurisdiction and how institutions should respond.
One thing to always remember is that financial institutions should be putting negative news results into action.
These searches should help resolve issues including how can the changes in risk be used to improve your AML program and prove to regulators you have adequate depth, breadth and details to ensure news screening protocols are not missing anything major – and you are not stretching your limited investigative resources too thin.
In short, financial institutions should be looking at a wide selection of open source avenues where individuals and corporates could be formally sanctioned by regulatory and other enforcement bodies or have been tied by reputable journalistic or investigative sources to potential illicit activity.
If you have any suggestions for what you would like The Front Lines to discuss – For the Investigator, by the Investigator – please submit them to thefrontlines@acfcs.org.
About the author:
Erin O’Loughlin comes to ACFCS with deep-rooted experience gained working inside the financial crimes/compliance industry in a variety of roles, including AML investigations for Bank of America, scouring dark web markets to identify proactive risk on the TOR network for Western Union, and supervising crypto fraud and money laundering investigations for Coinbase.
Prior to entering the private sector, O’Loughlin served as an operations officer in the Central Intelligence Agency for ten years.
She was posted in both overseas and domestic positions, specializing in Counter Terrorism, conflict resolution, mediation, and due diligence.